Configuring third party OIDC

OIDC (OpenID Connect) is a simple identity protocol and open standard that is built on the OAuth 2.0 protocol. OIDC provides an abstraction between the application server and the underlying authentication mechanism. It enables client applications to rely on authentication that is done by an OIDC provider to verify the identity of a user. OIDC provides user information encoded in a JSON Web Token (JWT).

About this task

Use this information to configure a third-party OIDC provider. The examples here show the use of the OIDC provider from Cloud APM. All the examples in the procedure assume that you installed the Cloud Application Business Insights server in the default location, that is, /opt/icabi.
Note: The date and time stamp must be the same on the Cloud APM OIDC system and the Cloud Application Business Insights server system.

Procedure

  1. Update the prd_config file as follows:
    vi install_dir/prd_config
    Update the following parameter:
    customOIDC=true
  2. Update the bootstrap.properties file in Cloud Application Business Insights server (prdapp) as follows:
    cd install_dir/wlp/usr/servers/prdapp
    vi bootstrap.properties
    
    oidc.rp.id=RP # modification not required
    oidc.rp.clientId=prd # modification not required
    oidc.rp.clientSecret=<your secret key>
    oidc.id=<OIDC_provider_id>
    oidc.hostname=<OIDC hostname>
    oidc.port=<OIDC port>
    oidc.logout.endpoint.path=<OIDC logout endpoint path>
    Where:
    oidc.id
    The provider ID that is configured on the OIDC server. It must match that ID exactly. In Cloud APM, it is OP.
    oidc.rp.clientSecret
    The encrypted client secret for the OIDC server. You can generate an encoded and encrypted password by using the install_dir/wlp/usr/servers/prdapp/resources/AES_Encryptor.sh script.
    Note: This oidc.rp.clientSecret password must be the same in your custom OIDC client entry and in the Cloud Application Business Insights server entry.
    oidc.hostname
    The hostname or IP address of your OIDC server. For example, myserver.ibm.com.
    oidc.port
    The OIDC application port number. For example, 8099 for Cloud APM.
    oidc.logout.endpoint.path
    The path of the logout endpoint. The logout endpoint clears the provider-side session and cookies for a web browser.
  3. Optional: If you want to provide any additional information, update the server-relying-party.xml file as follows:
    cd install_dir/wlp/usr/servers/prdapp
    vi server-relying-party.xml
    Provide the following information:
    
          <openidConnectClient
           id="${oidc.rp.id}"
           clientId="${oidc.rp.clientId}"
           clientSecret="${oidc.rp.clientSecret}"
           authorizationEndpointUrl="https://${oidc.hostname}:${oidc.port}/oidc/endpoint/OP/authorize"
           tokenEndpointUrl="https://${oidc.hostname}:${oidc.port}/oidc/endpoint/OP/token" >
        </openidConnectClient>
    The server-relying-party.xml file reads the values that are provided in the bootstrap.properties file in the previous step; the ${...} variables are substituted from that file.
  4. Register Cloud Application Business Insights as a client in your OIDC server as follows:

    Locate the server.xml file on your OIDC server.

    For example, if you are using the OIDC provider from Cloud APM, it is located in the /opt/ibm/wlp/usr/servers/oidc directory.

    Note: How you register the OIDC client depends on how the OIDC server is configured. If you are using WebSphere® Application Server Liberty with a localStore, use the following information as an example and add it under the <localStore> tag.
    In the following section, update the parameters that are described after the example:
    <localStore>
        <!-- The default redirect URL pattern is: https://<hostname>:<sslport>/oidcclient/redirect/<openidConnectClientID> -->
        <client name="${oidc.client1.name}"
            preAuthorizedScope="openid"
            secret="${oidc.client1.secret}"
            scope="${oidc.client1.scope}"
            redirect="https://${oidc.client1.hostname}:${oidc.client1.port}/oidcclient/redirect/${oidc.client1.id}, https://${oidc.client1.ip}:${oidc.client1.port}/oidcclient/redirect/${oidc.client1.id}" />
    </localStore>
    Where:
    ${oidc.client1.name}
    A unique name for the client. It must match the oidc.rp.clientId value of the Cloud Application Business Insights server.
    ${oidc.client1.secret}
    A secret password for this client. The same password must be used in the Cloud Application Business Insights oidc.rp.clientSecret configuration property.
    ${oidc.client1.scope}
    The OIDC scope, for example openid.
    ${oidc.client1.hostname}
    The hostname of the Cloud Application Business Insights server.
    ${oidc.client1.port}
    The port number of the Cloud Application Business Insights server.
    ${oidc.client1.id}
    The Cloud Application Business Insights client ID, which is RP (the oidc.rp.id value).
    ${oidc.client1.ip}
    The IP address of the server on which Cloud Application Business Insights is running. Both the hostname and the IP address form of the redirect URL must be registered, because the redirect URL the provider receives must match a registered value exactly.
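    The settings in steps 2 to 4 must agree across two systems: the client ID and secret on the provider must equal oidc.rp.clientId and oidc.rp.clientSecret on the relying party, the authorize and token endpoints are built from oidc.hostname, oidc.port and oidc.id, and every redirect URL that the relying party can send must be registered on the provider. The following pre-flight check is an added example, not part of the product or this documentation. It parses a bootstrap.properties listing in the step-2 format, rebuilds the endpoint URLs that server-relying-party.xml forms, and compares them with the attribute values of the provider-side <client> entry. All hostnames, ports and secrets in it are constructed sample values; the secret comparison is literal, so it assumes both sides hold the secret in the same form.

```python
"""Pre-flight consistency check for the OIDC relying-party settings.

Added example, not product code. It parses a bootstrap.properties listing
(step 2), derives the endpoint URLs that server-relying-party.xml forms from
it (step 3) and checks them against the <client> entry registered on the
provider (step 4). All sample values below are constructed.
"""
from urllib.parse import urlparse

# Constructed sample of the relying-party side (bootstrap.properties).
SAMPLE_BOOTSTRAP = """\
oidc.rp.id=RP # modification not required
oidc.rp.clientId=prd # modification not required
oidc.rp.clientSecret=sample-secret-not-real
oidc.id=OP
oidc.hostname=apm.example.com
oidc.port=8099
oidc.logout.endpoint.path=/oidc/endpoint/OP/logout
"""

# Constructed sample of the provider-side <client> attributes after the
# ${oidc.client1.*} variables have been substituted.
SAMPLE_CLIENT = {
    "name": "prd",
    "secret": "sample-secret-not-real",
    "scope": "openid",
    "redirect": "https://icabi.example.com:9443/oidcclient/redirect/RP, "
                "https://10.0.0.5:9443/oidcclient/redirect/RP",
}

REQUIRED = ("oidc.rp.id", "oidc.rp.clientId", "oidc.rp.clientSecret",
            "oidc.id", "oidc.hostname", "oidc.port", "oidc.logout.endpoint.path")


def parse_properties(text):
    """Parse key=value lines; a trailing '# ...' is treated as a comment,
    as in the step-2 listing, and blank lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def endpoint_urls(props):
    """Rebuild the URLs that server-relying-party.xml forms from the properties."""
    base = f"https://{props['oidc.hostname']}:{props['oidc.port']}"
    return {
        "authorize": f"{base}/oidc/endpoint/{props['oidc.id']}/authorize",
        "token": f"{base}/oidc/endpoint/{props['oidc.id']}/token",
        "logout": base + props["oidc.logout.endpoint.path"],
    }


def check_config(props, client, rp_hosts):
    """Return a list of problems; an empty list means the two sides agree.

    rp_hosts is a list of (host_or_ip, port) pairs the relying party answers
    on; from each one the redirect URL the provider must have registered is
    derived using the pattern https://<host>:<port>/oidcclient/redirect/<oidc.rp.id>.
    """
    problems = [f"missing property {k}" for k in REQUIRED if k not in props]
    if problems:
        return problems
    if not props["oidc.port"].isdigit():
        problems.append("oidc.port is not numeric")
    if props["oidc.rp.clientSecret"].startswith("<"):
        problems.append("oidc.rp.clientSecret is still a placeholder")
    if not props["oidc.logout.endpoint.path"].startswith("/"):
        problems.append("oidc.logout.endpoint.path must start with /")
    # The client ID and secret are the values that must match across systems.
    if client["name"] != props["oidc.rp.clientId"]:
        problems.append("provider client name differs from oidc.rp.clientId")
    if client["secret"] != props["oidc.rp.clientSecret"]:
        problems.append("provider client secret differs from oidc.rp.clientSecret")
    if "openid" not in client["scope"].split():
        problems.append("provider client scope does not include openid")
    registered = {r.strip() for r in client["redirect"].split(",")}
    for host, port in rp_hosts:
        expected = f"https://{host}:{port}/oidcclient/redirect/{props['oidc.rp.id']}"
        if expected not in registered:
            problems.append(f"redirect URL not registered: {expected}")
    for url in sorted(registered):
        if urlparse(url).scheme != "https":
            problems.append(f"redirect URL is not https: {url}")
    return problems


if __name__ == "__main__":
    rp = parse_properties(SAMPLE_BOOTSTRAP)
    print(endpoint_urls(rp))
    print(check_config(rp, SAMPLE_CLIENT,
                       [("icabi.example.com", "9443"), ("10.0.0.5", "9443")]))
```

    Run it against the real bootstrap.properties and the substituted values of the provider's <client> entry before restarting either server; a non-empty list points at the value that will otherwise surface only as a failed redirect or a rejected token request.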
  5. Add the signer certificate for the OIDC server to the Cloud Application Business Insights server as a trusted certificate.
    1. Export the personal certificate from the OIDC server keystore by using these commands:
      Go to the keystore file location. In Cloud APM, use the following example:
      
      cd /opt/ibm/wlp/usr/shared/resources/security/
      keytool -exportcert -keystore <keystore_filename> -storepass <keystore_password> -alias <certificate_alias_name> -file <output_certificate_name>
      Where:
      <keystore_filename>
      Name of the keystore file.
      <keystore_password>
      Password for the keystore.
      <certificate_alias_name>
      Alias name for the certificate.
      <output_certificate_name>
      The name of the certificate that is produced. For example, APMOIDC.cer for Cloud APM OIDC.
    2. Import the signer certificate from the OIDC server to the Cloud Application Business Insights server keystore by using the following commands:
      Copy the <output_certificate_name> file to the /opt/icabi/wlp/usr/servers/prdapp/resources/security directory and run:
      keytool -importcert -keystore key.jks -storepass <ICABI_keystore_password> -alias <certificate_alias_name> -file <output_certificate_name>.cer -noprompt
      Where:
      <certificate_alias_name>
      A unique alias name for the certificate in the keystore.
      <ICABI_keystore_password>
      The default value is persistent123.
      Note: It is recommended that you modify the default password of this keystore. See Configuring the keystore password.
      <output_certificate_name>
      The name of the certificate that is generated in the previous step.
  6. Add the signer certificate of Cloud Application Business Insights server to the OIDC provider server as a trusted certificate.
    1. Export the certificate from the Cloud Application Business Insights server keystore by using the following commands:
      
      cd install_dir/wlp/usr/servers/prdapp/resources/security
      keytool -exportcert -keystore key.jks -storepass <ICABI_keystore_password> -alias default -file <ICABI_cert_name>.cer
      Note: The default <ICABI_keystore_password> is persistent123. It is recommended that you modify the default password of this keystore. See Configuring the keystore password.
    2. Import the generated certificate into the truststore of the third-party OIDC server by using the following command:
      keytool -importcert -keystore <trust_store_filename> -storepass <password> -alias <ICABI_cert_alias> -file <ICABI_cert_name>.cer -noprompt
      Where:
      <trust_store_filename>
      The name of the truststore file.
      <password>
      Password for the truststore.
      <ICABI_cert_alias>
      A unique alias for the certificate inside the truststore. For example, icabi.
      <ICABI_cert_name>
      The name of the certificate that is generated in the previous step.
  7. Restart the Cloud Application Business Insights server.
  8. Restart the OIDC server.
    If you are using Cloud APM as your OIDC server, use the following command to restart:
    
    apm restart oidc