Thursday, March 6, 2025

Integrate Oracle APEX with OCI Identity and Access Management


This post shows how to configure APEX authentication against OCI Identity and Access Management (IAM) in a few simple steps.
First I will create a demo application, the "Sales" sample app, in APEX, and then configure an IAM confidential application and point the APEX authentication scheme at it.

I am dividing this in two parts.
Part 1: Create application in APEX
Part 2: Integrate Oracle APEX with OCI IAM.

Part 1: Create application in APEX

1) Log in to your APEX workspace.
2) Click App Builder, then click the Create button.


3) Select the option "Create App From a File".

4) Click the "Copy and Paste" tab, then open the drop-down and select the "Sales" sample application.

5) Provide an appropriate table name; I have used "SALESTB" in my example. Click the "Load Data" button at the bottom of the screen.

6) The data is loaded. Once loading is complete, click the "Create Application" button at the bottom of the screen.

7) Provide the name of your application, e.g. "SalesApp", and select an appearance style.

8) Select all the features of the application and click the "Create Application" button.


Application creation takes 1-2 minutes.

Once it is complete, you will see the screen below.


Part 2: Integrate Oracle APEX with OCI IAM.

Once the application exists in APEX, it is time to configure OCI IAM.

1) Navigate to "Identity & Security" -> Under Identity click on "Domains"




2) Here you will see the default domain that was created when the OCI tenancy was provisioned.
Click the "Default" domain.


3) Click "Integrated Applications" and then the "Add Application" button.


4) Select "Confidential Application" and click the "Launch workflow" button.

5) Provide an appropriate application name; in my example it is "ApexSalesApp".
Do not modify any other values and click "Next".


6) Skip the resource server configuration. Under Client configuration, select the "Configure this application as a client now" radio button.
Tick only the "Authorization code" grant (it is the grant APEX uses for the browser redirect flow; no other grant type is needed) and click "Next".


7) Provide the Redirect URL and the Post-logout redirect URL. The Redirect URL is the APEX authentication callback on your ORDS instance; IAM only redirects to a URL that matches a registered value, so copy the host exactly.

    The URLs have this form (replace <myadb> and the region with your own database host):
    Redirect URL: https://<myadb>.adb.eu-frankfurt-1.oraclecloudapps.com/ords/apex_authentication.callback
    Post-logout redirect URL (optional): https://<myadb>.adb.eu-frankfurt-1.oraclecloudapps.com/ords/r/<alias_schema_name>/<app_name>/home

    In my case the Redirect URL is
    https://geb397a43cf343c-cbtapexprod.adb.ap-mumbai-1.oraclecloudapps.com/ords/apex_authentication.callback

    and the Post-logout redirect URL is
    https://geb397a43cf343c-cbtapexprod.adb.ap-mumbai-1.oraclecloudapps.com/ords/r/cbtapex/salesapp/home



8) We will not configure a web tier policy, so select "Skip and do later".
    Click the "Finish" button at the bottom of the screen.


9) After finishing, you will see the "ApexSalesApp" details page as below. The application is in the INACTIVE state.



10) Click the "Edit application" button.

    Near the bottom of the edit page, under "Authentication and authorization", tick "Enforce Grants as Authorization" and click Save Changes. With this enabled, only the users (or groups) you assign to the application in step 17 can sign in through it; without it, any user in the identity domain could authenticate to the APEX app.


11) Now click the "Activate" button.

    Click "Activate application" on the confirmation screen.

    The application is activated almost immediately.

12) Note down the Client ID and Client Secret, or copy them directly from this screen. They are used to configure the credentials in APEX. Treat the secret like a password: it is what allows a client to exchange authorization codes for tokens, so keep it in the APEX credential store and out of shared notes and scripts.


13) Now come back to the APEX application "SalesApp" and navigate to Shared Components.

14) At the bottom right you will see the "Credentials" link; click it.


15) Click on "Create" button


16) Provide the following information:
    Name - OCI IAM Sales App Credentials
    Static ID - OCI_IAM_Sales_App_Credentials
    Authentication Type - Basic Authentication
    Client ID or Username - the Client ID collected from OCI IAM in the previous step.
    Client Secret or Password - the Client Secret collected from OCI IAM in the previous step.
    Verify Client Secret or Password - the same Client Secret again.

    Click the Create button to create the credentials.

    You can see that the credentials have been created.

17) Now go back to the OCI IAM "ApexSalesApp" details page.
    Click Users -> Add Users, select the users from the list to whom you want to grant access to the APEX application, and click Assign. Because "Enforce Grants as Authorization" is enabled, this assignment is what decides who can log in.


    In my example I have given access to one user only.


18) Now, Go back to your APEX application -> Shared Components -> Under Security click on "Authentication Schemes"


19) Click the "Create" button to create a new scheme.

20) Keep the default option (Based on a pre-configured scheme from the gallery) and click Next.

21) Provide the parameters below, as shown in the screenshot.

    Name - OCI IAM SalesApp Auth Scheme
    Scheme Type - Social Sign-In
    Credential Store - OCI IAM Sales App Credentials -> the credential created in the previous steps; choose it from the drop-down menu.
    Authentication Provider - OpenID Connect Provider
    Discovery URL - https://idcs-a947aa0b126a47fd84b34cc647be6e03.identity.oraclecloud.com:443/.well-known/openid-configuration/
    Scope - profile,email,groups
    Username - #sub#
    Additional User Attributes - groups

    Click the "Create Authentication Scheme" button.


    The Discovery URL is simply your identity domain URL with /.well-known/openid-configuration/ appended. APEX reads the authorization, token and userinfo endpoints from that document, so the domain URL must be that of the domain in which "ApexSalesApp" was created. #sub# maps the IAM subject claim, a stable opaque identifier for the user, to the APEX username.

    Where do you find the domain URL?
    Go to the Domain -> Overview section; the domain URL is shown there, as in the screenshot below.
 


22) "OCI IAM SalesApp Auth Scheme" is now created. Click the "OCI IAM SalesApp Auth Scheme" link to edit it.

    Click "Post-Logout URL" and provide the logout URL.
    The Post-Logout URL has the form https://<host_name>/ords/r/<alias_schema_name>/<app_name>/home and is the URL that IDCS (now IAM) redirects to after logging out. It is optional but recommended, and it should match the Post-logout redirect URL registered in IAM in step 7.

    In my case https://geb397a43cf343c-cbtapexprod.adb.ap-mumbai-1.oraclecloudapps.com/ords/r/cbtapex/salesapp/home is my logout URL, which redirects to the home page of my application.

    Click the "Apply Changes" button.


23) Click the "OCI IAM SalesApp Auth Scheme" link again to edit it.
    Make this scheme the current scheme by clicking the "Make Current Scheme" button.

    Click OK.

    Now you can see that "OCI IAM SalesApp Auth Scheme" is the current scheme for this application.

24) Now, go back to the Shared Component -> Under Security -> Click on "Security Attributes"


25) Provide the following input.
    Under Authentication:
        Authentication Scheme - OCI IAM SalesApp Auth Scheme

    Under Authorization:
        Authorization Scheme - No application authorization required
        Source for Role or Group Schemes - Custom Code

    Click the "Apply Changes" button.

    With no application-level authorization scheme, the only thing keeping unassigned users out is the "Enforce Grants as Authorization" setting together with the user assignment in IAM. The groups claim requested in the scheme is available if you later want to build an APEX authorization scheme for finer-grained control.

    Now the final step: run the application and test whether it works.
    Click the Run Application button.

You are redirected to the OCI Cloud Account sign-in form: enter your username and password (in my case Oracle SSO):


    The Integrated Application access page shows up: on this page click Allow.


    And you are logged in...
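As an added check that is not part of the original post: a small POSIX shell script that derives the Discovery URL and the Redirect URL used in steps 7 and 21 from the identity domain URL and the ORDS base URL, and sanity-checks a discovery document before APEX is pointed at it (the issuer and endpoints must be https on the domain's own host, and the "groups" scope the scheme requests must be advertised). The domain URL, ORDS host and the discovery document in the script are constructed placeholders, not values from the author's tenancy.

```shell
#!/bin/sh
# Added example, not from the original post: derive the URLs used in steps 7
# and 21 from the IAM domain URL and the ORDS base, and check a discovery
# document before configuring the APEX authentication scheme.
# DOMAIN_URL, ORDS_BASE and SAMPLE_DISCOVERY are constructed placeholders.

DOMAIN_URL='https://idcs-example.identity.oraclecloud.com:443'
ORDS_BASE='https://myadb.adb.eu-frankfurt-1.oraclecloudapps.com/ords'

# Constructed discovery document in the shape IAM serves (values are placeholders).
SAMPLE_DISCOVERY='{
  "issuer": "https://idcs-example.identity.oraclecloud.com:443",
  "authorization_endpoint": "https://idcs-example.identity.oraclecloud.com:443/oauth2/v1/authorize",
  "token_endpoint": "https://idcs-example.identity.oraclecloud.com:443/oauth2/v1/token",
  "userinfo_endpoint": "https://idcs-example.identity.oraclecloud.com:443/oauth2/v1/userinfo",
  "scopes_supported": ["openid", "profile", "email", "groups"]
}'

# Discovery URL = domain URL + /.well-known/openid-configuration (trailing slash on input tolerated).
discovery_url() {
  printf '%s/.well-known/openid-configuration\n' "${1%/}"
}

# Redirect URL to register in IAM = ORDS base + /apex_authentication.callback.
apex_callback_url() {
  printf '%s/apex_authentication.callback\n' "${1%/}"
}

# Extract a top-level string claim from the discovery JSON with sed.
# Enough for the one-claim-per-line layout used here; $1 = JSON text, $2 = claim name.
json_string() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Sanity-check the document: issuer and endpoints must be https on the domain's own host
# (a mismatch means the wrong domain URL, or a tampered document), and the "groups" scope
# the APEX scheme requests must be advertised. $1 = domain URL, $2 = JSON text.
check_discovery() {
  host=$(printf '%s' "$1" | sed 's#^https://##; s#/.*##')
  for claim in issuer authorization_endpoint token_endpoint userinfo_endpoint; do
    value=$(json_string "$2" "$claim")
    case "$value" in
      "https://$host"*) ;;
      *) echo "check failed: $claim is '$value', expected https://$host..." >&2; return 1 ;;
    esac
  done
  printf '%s' "$2" | grep -q '"scopes_supported"[^]]*"groups"' || {
    echo "check failed: groups scope not advertised" >&2; return 1; }
}

# Worked run on the constructed inputs.
echo "Discovery URL: $(discovery_url "$DOMAIN_URL")"
echo "Redirect URL : $(apex_callback_url "$ORDS_BASE")"
check_discovery "$DOMAIN_URL" "$SAMPLE_DISCOVERY" && echo "discovery document is consistent with $DOMAIN_URL"
```

In practice you would fetch the real document with curl from the Discovery URL and feed it to check_discovery; the script keeps a constructed copy inline so it runs offline.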


Thanks & Regards,
Chandan Tanwani






Thursday, February 13, 2025

Creating a sftp server on Oracle Linux compute instance on OCI


Installing the vsftpd service on Oracle Linux

Note that vsftpd is an FTP daemon: it serves plain FTP on port 21. SFTP is a different protocol that runs over SSH and is provided by the OpenSSH server already present on every OCI Oracle Linux instance, which is what the FileZilla SFTP test at the end of this post actually exercises. If you only need SFTP, the vsftpd steps are not required; the sshd changes below are.

Use this command to install the vsftpd service on Oracle Linux:
dnf install vsftpd -y
Please refer to the screenshot below.



Configuring vsftpd.
Go to /etc/vsftpd and take a backup of the vsftpd.conf file. Open vsftpd.conf with vi and add the following line at the end of the file. Together with the default userlist_enable=YES, this turns /etc/vsftpd/user_list from a deny-list into an allow-list, so only the users named in it can log in over FTP.

userlist_deny=NO


Create the blftpusr user that will be used for file-transfer access.


Add the user blftpusr to the user_list file so it is allowed to log in over FTP.

Use the command below to add the user to the user_list file:
echo "blftpusr" | sudo tee -a /etc/vsftpd/user_list



Enabling Password Authentication.

On OCI, Linux instances are accessed with an SSH private key, so sshd has to be adjusted before the user can log in with a password instead of a key.

Edit the sshd_config file and set the parameter "PasswordAuthentication yes" as shown in the screenshot below. Be aware that setting it at the top level enables password login for every account on the instance, including opc, and exposes the public IP to password guessing; if you can, restrict it to the transfer user with a Match block, and keep the subnet's security list limited to the source addresses that need access.



Add an AllowUsers line to sshd_config as shown in the screenshot below. AllowUsers is an allow-list: once it is present, any account not named on it, including opc, can no longer log in over SSH, so list your administrative user as well as blftpusr.



Run sshd -t to validate the file first; a typo in sshd_config would otherwise leave you without SSH access after the restart. Then restart the sshd service with the following command.

systemctl restart sshd.service


Enabling and starting the vsftpd service.

Use the systemctl enable vsftpd command to enable the vsftpd service.

Then run the systemctl start vsftpd command to start the vsftpd service.

Next, check the status of the vsftpd service with systemctl status vsftpd. Make sure it is active and running, as shown in the screenshot below.
       

Now test the SFTP access.

In my environment I am testing access using FileZilla with SFTP on the public IP of the instance.

This connects to sshd on port 22 with the password login enabled above; it does not go through vsftpd. To test vsftpd itself, connect with plain FTP on port 21 instead, which also requires that port to be open in the subnet's security list.
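As an added example, not part of the original post: a POSIX shell script that renders the sshd configuration a practitioner would use instead of turning on PasswordAuthentication for the whole instance (password login only for the transfer user, locked to a chrooted SFTP session, with every other account still key-only), and audits a configuration for the global setting the post's screenshot enables. The user name blftpusr is the post's; the chroot directory and the account-creation commands in the comments are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The post's FileZilla test runs
# over SFTP, which is served by OpenSSH's sftp subsystem on port 22, not by
# vsftpd. This script renders an sshd fragment that allows password login for
# the transfer user only, inside a chrooted SFTP-only session, while every
# other account keeps key-only login, and audits a config for the global
# "PasswordAuthentication yes" that the post sets.
# SFTP_ROOT and the commented account commands are assumptions.

SFTP_USER=blftpusr
SFTP_ROOT=/srv/sftp/blftpusr   # assumed; ChrootDirectory must be root-owned and not user-writable

# Account setup as root (kept as comments so the script runs unprivileged):
#   sudo useradd -m -s /sbin/nologin "$SFTP_USER" && sudo passwd "$SFTP_USER"
#   sudo mkdir -p "$SFTP_ROOT/upload" && sudo chown root:root "$SFTP_ROOT" && sudo chmod 755 "$SFTP_ROOT"
#   sudo chown "$SFTP_USER": "$SFTP_ROOT/upload"

# Render the sshd fragment. The global directive keeps password login off;
# only the Match block relaxes it. Match blocks must follow all global
# directives, so append this at the end of sshd_config (or drop it into
# /etc/ssh/sshd_config.d/ on releases whose sshd_config includes that directory).
render_sftp_fragment() {
  # $1 = user, $2 = chroot directory
  cat <<EOF
# sftp-only, password-authenticated access for $1
PasswordAuthentication no
Match User $1
    PasswordAuthentication yes
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Audit: flag "PasswordAuthentication yes" at global scope, i.e. outside any
# Match block ("Match all" returns to global scope). Reads sshd_config text on
# stdin, prints each offending line, and returns 1 if one was found.
audit_global_password_auth() {
  awk '
    tolower($1) == "match" { in_match = (tolower($2) != "all"); next }
    tolower($1) == "passwordauthentication" && tolower($2) == "yes" && !in_match {
      print "line " NR ": PasswordAuthentication yes applies to every account"; bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

# Worked run: the post's global change fails the audit, the Match version passes.
printf 'PasswordAuthentication yes\nAllowUsers opc blftpusr\n' | audit_global_password_auth \
  || echo "global password login detected; prefer the Match block fragment"
render_sftp_fragment "$SFTP_USER" "$SFTP_ROOT" | audit_global_password_auth \
  && echo "fragment keeps password login scoped to $SFTP_USER"
```

After adding the fragment, validate with sshd -t, restart sshd, and test with sftp blftpusr@<public-ip>; the same user is denied an interactive shell because of ForceCommand internal-sftp.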

I hope this article helps you build an SFTP server on a compute instance on OCI.

Thanks & Regards,
Chandan Tanwani