[1.0.1.0 and later][Network Deployment 9.0.5.26 or
later]

Migrating or configuring an OpenID Connect Relying Party

If an existing WebSphere® Application Server Network Deployment OIDC Relying Party TAI configuration is relatively simple, you can migrate the TAI configuration to your managed Liberty servers. You can alternatively configure an OpenID Connect (OIDC) Relying Party (RP or client) to manage Liberty servers in your cell.

To migrate a relatively simple OIDC relying party TAI configuration, use the following information.
  • Review the OIDC known issues and limitations to determine the restrictions for migrating your OIDC configuration.
  • Follow the instructions in Configuring an OpenID Connect Relying Party.
    After you migrate an existing OIDC TAI configuration, for it to be used on the managed Liberty server, you must add a callback URL to your OpenID Provider (OP). Use the following syntax for the callback URL.
    https://(host):(port)/oidcclient/redirect/(providerId)
    .

To configure an OIDC relying party to manage Liberty servers in a cell, complete the following task.

Before you begin

Your keys and certificates must be loaded into keystores and truststores as described in the following information.

About this task

You can create an OIDC configuration that is specific to the managed Liberty servers in your cell. This task uses the administrative console. You can also use the wsadmin command to perform the same function.

Procedure

  1. Determine the key and truststores for your configuration.
    You can use the following short names for well-known keys and truststores:
    • CellDefaultKeyStore
    • CellDefaultTrustStore
    • NodeDefaultKeyStore
    • NodeDefaultTrustStore
    If you want to use any other managed key or truststore, you can use the following format for the value when you configure a key or truststore reference property: name=STORE_NAME managementScope=(cell):CELL_NAME:(node):NODE_NAME. The following code is an example of the format:
    name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode
    To find the value for the managementScope option in the administrative console, select Security > SSL certificate and key management > Key stores and certificates . In the table, find your keystore in the Management Scope column.
  2. Enable the OIDC feature by using the TAI configuration pages in the administrative console.
    1. Click Security > Global security > Web and SIP security > Trust association.
    2. If the Enable trust association field is not checked, check it, and then click Apply.
    3. Click Interceptors.
    4. Click New and enter openidConnectClient-1.0 in the Interceptor class name field.
      When you configure openidConnectClient-1.0 as the class name for a trust association interceptor and the WebSphere Application Server Network Deployment servers start, the following error message is displayed in the SystemOut.log and SystemErr.log files. Disregard the message.
      SECJ0125E: Trust Association Init Unable to load Trust Association class openidConnectClient-1.0.
  3. To customize how the OIDC feature behaves, add Liberty custom properties.
    1. Find the attribute names and values to configure.

      To find the attribute names and values, see the Liberty openidConnectClient properties.

      You can use the following substitution variables:

      • ${BOOTSTRAP_ADDRESS_host} for the hostname
      • ${httpEndpoint_port} for the HTTP port
      • ${httpEndpoint_secure_port} for the HTTPS port
    2. Determine the number of OIDC Relying Party (RP) entries that you want to configure.

      Each RP that you configure migrates to a separate openidConnectClient entry in the managed Liberty server server.xml file.

      Each RP that you configure has an attribute that is specific to the RP, and client_(n) is added as a prefix to each attribute.

      For example, if you have two RPs, add client_1 as a prefix to one RP and client_2 as a prefix to the other RP.
    3. Add the client_(n). prefix to each attribute that you are configuring.
      The following example adds client_(n). as a prefix to the accessTokenCacheEnabled attribute.
      client_1.accessTokenCacheEnabled
      The following example shows how to set values for the authzParameter attribute and the tokenParameter attribute. The example has two authzParameter attributes, which are specified as authzParameter_1 and authzParameter_2.
      • The client_1.authzParameter_1 attribute is set to the following values.
        name=param1, value=param1Value
        .
      • The client_1.authzParameter_2 attribute is set to the following values.
        name=param2, value=param2Value
        .
      • The client_1.tokenParameter_1 attribute is set to the following values.
        name=param1, value=param1Value
  4. To configure the requests that your RPs intercept, add the client_(n).authFilter_(n) properties.

    See the Liberty authFilter properties page to see the attribute names and values that you can configure.

    You can configure more than one authFilter property. The authentication filter conditions are combined together through a logical AND. Example property names are client_1.authFilter_1 and client_1.authFilter_2.

    The value that you enter for the property depends on the filter type that you choose as shown in the following examples.
    • The client_1.authFilter_1 attribute is set to the following value.
      type=requestUrl, urlPattern=/SimpleServlet,
              matchType=contains
    • The client_1.authFilter_2 attribute is set to the following value.
      type=remoteAddress, value=127.0.0.1, matchType=greaterThan
              
    • The client_1.authFilter_3 attribute is set to the following value.
      type=cookie, name=MyCookie, matchType=equals
  5. After you are finished entering properties, click OK and then Save.

    After the configuration is synchronized with each node, your OIDC configuration is available on all managed Liberty servers in your cell.

  6. Configure your OpenID Provider with your new managed Liberty RP.
    Follow the instructions for your OpenID Provider to set the following callback URL, where id is the value for your id property.
    https://(host):(httpsPort)/oidcclient/redirect/(id)

    You can find the HTTPS port of a Liberty server with the following steps.

    1. In the administrative console, click Servers > WebSphere application servers > server_name.
    2. Expand Ports.
      The HTTPS port number is the value for the WC_defaulthost_secure port.