ORDS/APEX SSO with IDCS (OCI Gen 2 Private Subnet)

ORDS/APEX SSO with IDCS (OCI Gen 2 Private Subnet)

In this BLOG, I will outline steps to achieve Single Sign on with Oracle IDCS while the ORDS/APEX Installation are in OCI Gen2 Private Subnet. There are some additional steps than where APEX is in OCI Cloud and is deployed as APEX Cloud service that is in public domain.

Assumptions:

•          You have installed the DBaas(18c) in OCI Gen2 using Private VCN in OCI Gen2
•          ORDS deployment is in Oracle Weblogic Server 12c that is also installed in private VCN
•          Using Oracle IDCS for SSO
•          Traffic to ORDS is from LBaaS with your company’s own certificate
•          You have developed or created several applications in APEX with APEX app builder
•          You have uninstalled the Default APEX installation from CDB and installed 19.1 in PDB of DBaaS
  
•  You have configured NAT Gateway to talk to world from the private subnet

If you are in same situation as above, here are the steps to achieve the SSO. Please note that you can always use Webogic to authenticate for ORDS which another way of is achieving the same. However, this is simple and effective approach.

Step1: Please create a separate wallet than the default TDE wallet that DBaas already have and is referenced in sqlnet.ora with following command.

     mkdir -p /u01/app/oracle/tools/apex_ords/wallets

orapki wallet create -wallet /u01/app/oracle/tools/apex_ords/wallets -pwd Wha##Passw0rd -auto_login

Step2: This step will download the certificate of your IDCS. There are two ways to do it. However, please make sure that you only do the other certificates than *.identity.oraclecloud.com. What other certificate? You can find the other two certificates with analyzing the site with SSLLabs.com.

     OPENSSL Method:

Use following command as this is very easy and fail-safe method. If you have installed GitBash on your WINDOWS machine, then you could use that otherwise you can make use of the DBaaS server where APEX is installed.  If you have MAC then terminal will do.

openssl s_client -showcerts -connect xxxx.identity.oraclecloud.com:443

Please ignore first certificate and chose second and third and save them in a file call cert1 and cert2. Select or copy starting from BEGIN and ends with END Certificate and save then in two separate file or you can save them together in one file but make sure that there is no space or anything. A single certificate file looks like one shown in the example below.

CONNECTED(000001F8) --- Certificate chain 0 s:/C=US/ST=California/L=Redwood City/O=Oracle Corporation/OU=Oracle PAASCS AMER-CS/CN=*.identity.oraclecloud.com i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA -----BEGIN CERTIFICATE----- MIIGXTCCBUWgAwIBAgIQBqKZ/GQ1LEZ+HwTl88Ik7zANBgkqhkiG9w0BAQsFADBN MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkxMDEwMDAwMDAwWhcN MjEwMTA4MTIwMDAwWjCBmzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju aWExFTATBgNVBAcTDFJlZHdvb2QgQ2l0eTEbMBkGA1UEChMST3JhY2xlIENvcnBv cmF0aW9uMR4wHAYDVQQLExVPcmFjbGUgUEFBU0NTIEFNRVItQ1MxIzAhBgNVBAMM GiouaWRlbnRpdHkub3JhY2xlY2xvdWQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAuI+63TUGdPROtguN8uxqvXKIIYTvMV7UtcMi3SUJ+zh+lvi7 jk0NKjBl2IwP0Dg7ogYGIO0G3gJ0lCkZ287VI+7cCmUTbgIXwRy8rNv39fCG2v8y O46KIEiC9rDzatqOTfpkvmbiEyLrVJDV22Tvdw746Kq9P4sdyEQIMUMF98JTVLZ9 YMz/5lw+FZC0iEwI6L1l+0imxrqY5HPJ+67LGDJZA+Oc4sYbbQT0EdaSk9+uZgGR VoGEC9yLr+KvADHxOI3THH0UTsfaoUGBpFF2fDGQPyFsOkCp78/ycobw0w69QBwH KjXfI33zilQTyRgWl5CQROTwxDjqhF38/veMDwIDAQABo4IC6DCCAuQwHwYDVR0j BBgwFoAUD4BhHIIxYdUvKOeNRji0LOHG2eIwHQYDVR0OBBYEFFeEdXdXgVXOiVKj z67W6WoHpsLsMCUGA1UdEQQeMByCGiouaWRlbnRpdHkub3JhY2xlY2xvdWQuY29t MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw awYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Et c2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2Nh LXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUH AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMHwGCCsG AQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t MEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl cnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAkGA1UdEwQCMAAwggEGBgorBgEEAdZ5 AgQCBIH3BIH0APIAdwCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAA AW21ccVJAAAEAwBIMEYCIQDVv05dCevGXG4C0TRtxlGUwJgJRmQZkkd6d/E25r01 iQIhANsWikabmliVEWcG3vd2mszq0IC377daX28g6gl8zArTAHcAh3W/51l8+IxD mV+9827/Vo1HVjb/SrVgwbTq/16ggw8AAAFttXHFogAABAMASDBGAiEA1BT1Q7J0 zO/Y+3QoUcCoazC2zQI8DZYn7PGK5okPzogCIQCIH5I15CqhSMToz4qvbxXQS6AB FzdQ9Hmlx4g77Ep8eDANBgkqhkiG9w0BAQsFAAOCAQEAGumopLvRISn181SOg1U4 DA9K0AbdXR8RSYIc81nH4bUpOFA0flMOIUzeim+zHMXQju0lhkxLs2h0MyVKGeFb +N8HWntKohczFkqPishqcXY5yxqk5PDA3jdLpElAwoRVDcnYSqvvPMn4g887ZKFN xGJcHlNd4IXPt0jKSIjgCW32nFzsxmgkyhfkG8SIoyZoSv/XsGZrPHynt3bgqQv4 3Ju3ycIEsQeJcOpg817OUqRGCX7Ks+pY2YKlX5YfUo6TXa9hY10QPQYAwi7pTJdB G+XQFFnLJN4Qja9thflWitxH612Af7d91onzXpH5YjMOzYp4Bdp+UDYCtEo0IzQP ww== -----END CERTIFICATE----- 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA -----BEGIN CERTIFICATE----- MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83 nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f /ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0 /RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1 oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl 5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA 8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC 2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0 j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz -----END CERTIFICATE----- 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA -----BEGIN CERTIFICATE----- MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97 nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt 43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4 gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg 06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= -----END CERTIFICATE-------- Server certificate subject=/C=US/ST=California/L=edwood City/O=Oracle Corporation/OU=Oracle PAASCS AMER-CS/CN=*.identity.oraclecloud.com issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 4461 bytes and written 458 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-SHA Session-ID: 82ADE605F6B59D0B61B99043226F0A439155BA22510B519614995F850FAA0FEB Session-ID-ctx: Master-Key: 1A333D707F00888DB9186B0D011C89B0995BFA5E104CB36E4DF58016E00870E06395449EA730EEDBC1542C3181B9FBCF Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 3600 (seconds) TLS session ticket: 0000 - ab 14 a6 60 61 c5 09 f2-35 4f fe fd a5 f8 de f5 ...`a...5O...... 0010 - f6 65 b8 a4 c7 75 31 ee-25 44 44 e9 31 c3 cd e8 .e...u1.%DD.1... 0020 - ed 29 80 2a d1 fa 46 9e-71 92 6f a1 34 e9 e1 41 .).*..F.q.o.4..A 0030 - e6 23 0b 34 18 c0 c7 f1-24 2b 60 8d 11 c7 22 a5 .#.4....$+`...". 0040 - f5 5b 93 89 16 c2 4b 37-89 cb d1 b0 bb fd cb 91 .[....K7........ 0050 - f8 8c af 5a ef e1 35 93-6a a5 4f eb 11 23 85 77 ...Z..5.j.O..#.w 0060 - 69 aa e3 b7 d2 4d 4e d6-6a 1f e2 7e 28 fa 26 77 i....MN.j..~(.&w 0070 - bb ad e5 32 2b 4d 7c 4d-bc 6b 6a cf 9f c8 0f 70 ...2+M|M.kj....p 0080 - 93 db fd 77 fd 74 f9 30-89 35 1a b9 48 94 85 a5 ...w.t.0.5..H... 0090 - c5 14 63 b4 f9 85 d1 b0-5d 2a d9 6a 82 32 3c 9a ..c.....]*.j.2<. 00a0 - f3 bd 0c 28 4b db 13 dc-ff 09 f7 1b 02 20 9c cc ...(K........ .. Start Time: 1576258606 Timeout : 300 (sec) Verify return code: 0 (ok) --- closed depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA verify return:1 depth=0 C = US, ST = California, L = Redwood City, O = Oracle Corporation, OU = Oracle PAASCS AMER-CS, CN = *.identity.oraclecloud.com verify return:1


Example:
-----BEGIN CERTIFICATE----- MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83 nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f /ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0 /RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1 oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl 5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA 8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC 2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0 j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97 nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt 43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4 gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg 06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= -----END CERTIFICATE-----




  Browser Method:
  Use any browser to open the IDCS Console. Example here is from chrome browser. Indicated
  with red square below. I have masked my client’s IDCS for security.

 Now go to Certificate path TAB. Please note the highlighted one.
You will have to do this exercise  twice as indicated in two screen shots below. 

First Selection:

Second Selection:

   Now click “View Certificate”

   Go to detail tab and then copy to file then follow three more next and one finish to complete the
   process. So do it  twice and you will have two certificate.

Step3: Add these cert1 and cert2 to the oracle wallet with following commands.

orapki wallet add -wallet /u01/app/oracle/tools/apex_ords/wallets -trusted_cert -cert /tmp/cert1  -pwd Wha##Passw0rd

Make Sure you got them using following command:

orapki wallet display -wallet /u01/app/oracle/tools/apex_ords/wallets

It will display something like this:

Step4: Please login to the DBaaS PDB DB and apply ACL and Wallet Location with following commands

BEGIN

DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(host => '*', lower_port => 443,upper_port => 443,ace => xs$ace_type(privilege_list => xs$name_list('http'), principal_name => 'APEX_190100', principal_type => xs_acl.ptype_db));

END;

/

BEGIN

DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(host => '*', ace => xs$ace_type(privilege_list => xs$name_list('connect','resolve'), principal_name => 'APEX_190100', principal_type => xs_acl.ptype_db));

END;

/

BEGIN

DBMS_NETWORK_ACL_ADMIN.APPEND_WALLET_ACE (

  wallet_path => 'file:/u01/app/oracle/tools/apex_ords/wallets',

  ace         => xs$ace_type(privilege_list => xs$name_list('use_client_certificates'),

                             principal_name => 'APEX_190100',

                             principal_type => xs_acl.ptype_db));

END;

/

You can check the contents before and after as:

SELECT acl, principal, privilege, is_grant,TO_CHAR(start_date, 'DD-MON-YYYY') AS start_date, TO_CHAR(end_date, 'DD-MON-YYYY') AS end_date FROM   dba_network_acl_privileges ORDER BY acl, principal, privilege;

Select * from dba_wallet_acls;

Step5: Now login to your  WLS server where ORDS is deployed and copy wallets from DBaaS server that was created above in Step 2 to the same path in WLS server.

• mkdir -p /u01/app/oracle/tools/apex_ords/wallet


• Using WINSCP with PUTTY(Bastion Server with Tunnels) to download the wallet contents from DBaaS server to your laptop and then upload to WLS server. You can do this directly from DBaaS server to WLS if you have set up the equivalency between some user.

Step6: Login to your ORDS installation with apex_admin and fill in the wallet location in instance setting as:

https://xxx.yourcompany.com/ords/apex_admin

Note: Please make sure that the path entry  should be "file:/u01/app/oracle/tools/apex_ords/wallets"

Step7: Test that your APEX and Wallet works using following commands after connection to PDB in DBaaS

select apex_web_service.make_rest_request('https://idcs-xxxxx.identity.oraclecloud.com/.well-known/openid-configuration/', 'GET') from dual;

This should return something like:

Also you can test UTL_HTTP as:

select utl_http.request(url => 'https://idcs-xxxx.identity.oraclecloud.com/ui/v1/adminconsole/', wallet_path => 'file:/u01/app/oracle/tools/apex_ords/wallets')  from dual;

Step8: Login to ORDS and select the application that your development team deploy and you are planning to connect to SSO with IDCS. You will note the application ID and the URL – such as  https://yourcompanyLBaas.yourdomain.com/ords/f?p=206

Step9: Login to IDCS and navigate to Application tab and then create application. Details below.

Here The example should be for above screen:

Redirect URL: https://LBaaS.yourdomain.com/ords/apex_authentication.callback 

Logout URL: https://idcs-xxx.identity.oraclecloud.com/oauth2/v1/userlogout  

Post Logout URl: https://LBaaS.yourdomain.com/ords/f?p=206

Please note that, I have selected the Trusted application and added the Trust Certificate for our WLS and LBaaS. We are now good to create application. Once done, please add users here from your IDCS to match the user those are authorized in APEX application. You can go group route as well. You will navigate to application then the user or group tab and add the user.

Step10: Please note down your Client ID and Client Secret from the application that you have created in IDCS – weather at the time of creation or later by browsing the IDCS application that was created in step 9. Something like:

Client ID

3c415501ce9c094a8cb0009ebe4f5c894fabc

Client Secret

88994ec41a-4d2e-4708-9416-5a94927c42eezxx

Step11: Login back to your ORDS using workspace administrator user. Here we will create the Web Credentials and an authentication scheme and tie them together.

Create Web Credentials:

https://LBaaS.yourdomain.com/ords/

Here you will provide a name for the Web Credential and copy and paste the Client ID and Client Secret in Red Square below. Once all required information is typed in click create.

Authentication Scheme:

Here I will create authentication scheme for the application ID  - such as 206 and tie it together with Web Credentials created above.

Navigate to App Builder à Application à Shared Components à Authentication Scheme

Details about above Screen(Masked contents are client specific):

Name: Any Name that you will then set as the Authentication Scheme for the Applicatiom – Such as APEXAuthenticationSchemForApp
Scheme Type: Select  “Social Sign In”
Credential Store: Select the one I created before - APEXSSOStore
Authentication Provider: Select  “OpenID Connect Provider”
Discovery URL: https://idcs-xxx.identity.oraclecloud.com/.well-known/openid-configuration/   
Scope: profile
Username Attribute: sub  -- Because we can use the emails and regular username

Once all the information is entered, click create Authentication Scheme at top right.

Step12: Navigate to:  Application Builder à Shared Components àAuthentication Scheme à Select the one was created earlier and make it Current Authentication Scheme

Make sure that you have the users in application at Application Access Control and IDCS application user tab matching.

Navigate to App Builder à Shared Components àApplication Access Control

Check users here:

Step 13: Now you are ready to test the SSO in APEX with the Application that was registered with IDCS.

Login to application directly as:

https://LBaaS.yourdomain.com/ords/f?p=206

and you should see: [The Black out area will be the name of your application that you added in IDCS]

Click allow (Only asks on first attempt) and now you will be directed to IDCS login page as:

Enjoy !!