Copyright © Cloud Software Group, Inc. All Rights Reserved

Configuration Setup of OAuth Server Authorization

This section explains the configuration setup required to use the OAuth server.

Set OAuth Server Properties

To enable the OAuth server, set the OAuth server properties using the Config UI as follows:

1.	Navigate to ASG_HOME/bin directory.

2.	Type asg-configui command to start the Config UI.

3.	Open a browser window and enter the following URL:

   http://localhost:9200/ConfigUI

4.	Log in to the Config UI using your credentials.

5.	On the Home page on the Config UI, select the Gateway Engine Properties from the drop-down list.

6.	Expand the Gateway Engine Properties node.

7.	Click the SECURITY > Security tab.

8.	Expand the OAuth node to see the OAuth server properties.

9.	Set the OAuth server properties, as required. Refer to the OAuth server properties defined in the OAuth section of the Security Properties table..

• The OAuth server properties described in the Security Properties can be set in the ASG_CONFIG_HOME/asg.properties file. See Runtime Properties of Core Engine for OAuth server properties names and description. • The recommended way is to use the Config UI to set the properties. • Refer to the ASG_CONFIG_HOME/asg.properties file for the example values of OAuth server related properties.

Enable OAuth Authorization For Gateway (Set Adapter Properties)

The OAuth server uses the following adapters for authenticating owner, client, and to retrieve the scopes for authorizing the client to access resources.

•	Owner Adapter - To authenticate the owner. See Owner Adapter for details.

•	Client Adapter - To authenticate the client. See Client Adapter for details.

•	Scope Adapter- To retrieve the scopes to authorize the client. See Scope Adapter for details.

Owner Adapter

The OAuth server provides the following options to authenticate the user credentials:

File

By default, the OAuth server provides the file- based owner adapter. To use the file-based owner adapter, follow these steps:

1.	Log in to the Config UI using your credentials.

2.	On the home page on the Config UI, select the Gateway Engine Properties from the drop-down list.

3.	Expand the Gateway Engine Properties node.

4.	Click the SECURITY > Security tab.

5.	Expand the OAuth node.

6.	Set the properties, as follows:

Table 114 Owner Adapter Properties for File

Property	Value
Owner Adapter	com.tibco.asg.oauth.identity.provider.file.OwnerAdapterService
Resource Path Name	/examples/OAuth/resources

7.	Click the Save button to save changes.

8.	Set the owner credentials in the ASG_HOME\examples\OAuth\resources\owner.properties file.

The owner adapter properties can be set in ASG_CONFIG_HOME\asg.properties file, as follows: 1. Navigate to the ASG_CONFIG_HOME directory. 2. Edit the asg.properties file in a text editor. 3. Set the following property:    tibco.clientVar.oauth.owner.adapter.class=com.tibco.asg.oauth.ident   ity.provider.file.OwnerAdapterService 4. Save changes to the asg.properties file.

LDAP

To use the LDAP-based owner adapter, follow these steps:

1.	Navigate to the ASG_CONFIG_HOME directory.

2.	Edit the asg.properties file in a text editor.

3.	Set the following property:

   tibco.clientVar.oauth.owner.adapter.class=com.tibco.asg.oauth.identity.provider.jndildap.OwnerAdapterService

4.	Set the LDAP connection properties, as defined in the following table:

Table 115 LDAP Server Connection Parameters

Property	Description
tibco.clientVar.oauth.identity.provider.ldap.host
	Specifies the hostname or IP address where LDAP directory server runs. This is required. For example, ldapserver.api.tibco.com
tibco.clientVar.oauth.identity.provider.ldap.port
	Specifies the port where LDAP directory server runs. This is required. For example, 10389
tibco.clientVar.oauth.identity.provider.ldap.loginDN
	Specifies the base distinguished name (DN) for the login user. For example, uid=admin,ou=system
tibco.clientVar.oauth.identity.provider.ldap.loginPassword
	Specifies the password for the login user. For example, root@123
tibco.clientVar.oauth.identity.provider.ldap.searchFilter
	Specifies the filter to be used for searching in admin mode against potential user objects. For example, search filter is specified as: Objectclass=*
tibco.clientVar.oauth.identity.provider.ldap.ownerSearchTreeDn
	Specifies the base distinguished name (DN) where the searches for the users begin. You must supply the base DN that narrows the search to the smallest set of objects that includes all valid users. For example, ou=people,ou=na,dc=example,dc=org
tibco.clientVar.oauth.identity.provider.ldap.ownerDnTemplate
	Specifies a template to be used when formatting user's DN before binding. For example, uid={0},ou=employee,ou=tsi,o=tibco In this string, the variable {0} represents the name of the user. The code substitutes the user name for this variable, and passes the resulting boolean expression to the LDAP server. The LDAP server matches that search expression against user objects to find a match. The search result must contain exactly one match. This is required for bind mode (not in admin (search) mode).

5.	Save changes to the asg.properties file.

Client Adapter

The OAuth server provides the following options to validate the client ID and client secret of an application:

File

By default, the OAuth server provides the file- based owner adapter. To use the file-based owner adapter, follow these steps:

1.	Log in to the Config UI using your credentials.

2.	On the home page on the Config UI, select the Gateway Engine Properties from the drop-down list.

3.	Expand the Gateway Engine Properties node.

4.	Click the SECURITY > Security tab.

5.	Expand the OAuth node.

6.	Set the properties as follows:

Table 116 Client Adapter Properties for File

Property	Value
Client Adapter	com.tibco.asg.oauth.identity.provider.file.ClientAdapterService
Resource Path Name	/examples/OAuth/resources

7.	Click the Save button to save changes.

8.	Set the properties for the client adapter in the ASG_HOME\examples\OAuth\resources\client.properties file.

The client adapter properties can also be set in the ASG_CONFIG_HOME/asg.properties file, as follows: 1. Navigate to the ASG_CONFIG_HOME directory. 2. Edit the asg.properties file in a text editor. 3. Set the following property:    tibco.clientVar.oauth.client.adapter.class=com.tibco.asg.oauth.identity.provider.file.ClientAdapterService 4. Save changes to the asg.properties file.

TIBCO API Exchange Manager

To use the portal engine of TIBCO API Exchange Manager as the client adapter for the OAuth server, follow these steps:

1.	Log in to the Config UI using your credentials.

2.	On the home page on the Config UI, select the Gateway Engine Properties from the drop-down list.

3.	Expand the Gateway Engine Properties node.

4.	Click the SECURITY > Security tab.

5.	Expand the OAuth node.

6.	Set the properties as follows:

Table 117 Client Adapter Properties for TIBCO API Exchange Manager

Property	Value
Client Adapter	com.tibco.asg.portal.engine.oauth.identity.provider.ClientAdapterImpl
Engine URL	http://portal_host_name:9122 where, portal_host_name is the name of machine running the portal engine of TIBCO API Exchange Manager

.

The client adapter properties are defined in the ASG_CONFIG_HOME/asg.properties file, as follows: − oauth.client.adapter.class=com.tibco.asg.portal.engine.oauth.identity.provider.ClientAdapterImpl − tibco.clientVar.portal.engine.urlhttp://portal_host_name:9122

Scope Adapter

TIBCO API Exchange Gateway uses the scope adapter to manage the scope for a specific owner. By default, the OAuth server provides the following options for scope adapter:

File

To use the file-based scope adapter, follow these steps:

1.	Log in to the Config UI using your credentials.

2.	On the home page on the Config UI, select the Gateway Engine Properties from the drop-down list.

3.	Expand the Gateway Engine Properties node.

4.	Click the SECURITY > Security tab.

5.	Expand the OAuth node.

6.	Set the properties, as follows:

Table 118 Scope Adapter Properties for File

Property	Value
Scope Adapter	com.tibco.asg.oauth.identity.provider.file.ScopeAdapterService
Resource Path Name	/examples/OAuth/resources

7.	Click the Save button to save changes.

8.	Set the properties for the scope adapter in the ASG_HOME\examples\OAuth\resources\scope.properties file.

The scope adapter properties can also be set in the ASG_CONFIG_HOME/asg.properties file, as follows: 1. Navigate to the ASG_CONFIG_HOME directory. 2. Edit the asg.properties file in a text editor. 3. Set the following property:    tibco.clientVar.oauth.scope.adapter.class=com.tibco.asg.oauth.identity.provider.file.ScopeAdapterService 4. Save changes to the asg.properties file.

LDAP

To use the LDAP-based scope adapter, follow these steps:

1.	Navigate to the ASG_CONFIG_HOME directory.

2.	Edit the asg.properties file in a text editor.

3.	Set the following property:

   tibco.clientVar.oauth.scope.adapter.class=com.tibco.asg.oauth.identity.provider.jndildap.ScopeAdapterService

4.	Set the LDAP connection properties, as defined in LDAP Server Connection Parameters table.

Non-Default (Custom) Adapter For Owner, Client and Scopes

To use the other resources such as database to authenticate the client, owner and manage the scopes, implement the custom adapters, which can be integrated to the interface provided by TIBCO API Exchange Gateway.

See OAuth Service Provider Interface chapter for details.

Start OAuth Server

The OAuth server is integrated within TIBCO API Exchange Gateway. The OAuth server is run as a Core Engine instance.

To start an instance of OAuth server, follow these steps:

1.	Set the OAuth server properties. See Set OAuth Server Properties.

2.	To authenticate owner, client and manage the scopes, configure an adapter and set the properties. See Enable OAuth Authorization For Gateway (Set Adapter Properties) section.

3.	Start a Core Engine instance using the following command:

On the Windows platform, type the following command:

   asg-engine -u asg-caching-core -a ASG_Configuration

On the UNIX platform, type the following command:

   ./asg-engine -u asg-caching-core -a ASG_Configuration

Copyright © Cloud Software Group, Inc. All Rights Reserved