b. Using Design Console with NGINX (SSL)

Configure an NGINX ingress (SSL) to allow Design Console to connect to your Kubernetes cluster.

  1. Prerequisites

  2. Setup routing rules for the Design Console ingress

  3. Create the ingress

  4. Update the T3 channel

  5. Restart the OIG Managed Server

  6. Design Console client

    a. Using an on-premises installed Design Console

    b. Using a container image for Design Console

  7. Login to the Design Console

Prerequisites

If you haven’t already configured an NGINX ingress controller (SSL) for OIG, follow Using an Ingress with NGINX (SSL).

Make sure you know the master hostname and ingress port for NGINX before proceeding, e.g. https://${MASTERNODE-HOSTNAME}:${MASTERNODE-PORT}. Also make sure you know the name of the Kubernetes SSL secret that was generated, e.g. governancedomain-tls-cert.

Setup routing rules for the Design Console ingress

  1. Setup routing rules by running the following commands:

    $ cd $WORKDIR/kubernetes/design-console-ingress
    

    Edit values.yaml and ensure that tls: SSL is set. Change domainUID: and secretName: to match the values for your <domain_uid> and your SSL Kubernetes secret, for example:

    # Load balancer type.  Supported values are: NGINX
    type: NGINX
    # Type of Configuration Supported Values are : NONSSL,SSL
    # tls: NONSSL
    tls: SSL
    # TLS secret name if the mode is SSL
    secretName: governancedomain-tls-cert
    
    
    # WLS domain as backend to the load balancer
    wlsDomain:
      domainUID: governancedomain
      oimClusterName: oim_cluster
      oimServerT3Port: 14002
    

Create the ingress

  1. Run the following command to create the ingress:

    $ cd $WORKDIR
    $ helm install governancedomain-nginx-designconsole kubernetes/design-console-ingress  --namespace oigns  --values kubernetes/design-console-ingress/values.yaml
    

    The output will look similar to the following:

    NAME: governancedomain-nginx-designconsole
    <DATE>
    NAMESPACE: oigns
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    
  2. Run the following command to show the ingress is created successfully:

    $ kubectl describe ing governancedomain-nginx-designconsole -n <domain_namespace>
    

    For example:

    $ kubectl describe ing governancedomain-nginx-designconsole -n oigns
    

    The output will look similar to the following:

    Name:             governancedomain-nginx-designconsole
    Namespace:        oigns
    Address:
    Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
    Rules:
      Host        Path  Backends
      ----        ----  --------
      *
                     governancedomain-cluster-oim-cluster:14002 (10.244.2.103:14002)
    Annotations:  kubernetes.io/ingress.class: nginx
                  meta.helm.sh/release-name: governancedomain-nginx-designconsole
                  meta.helm.sh/release-namespace: oigns
                  nginx.ingress.kubernetes.io/affinity: cookie
                  nginx.ingress.kubernetes.io/configuration-snippet:
                    more_set_input_headers "X-Forwarded-Proto: https";
                    more_set_input_headers "WL-Proxy-SSL: true";
                  nginx.ingress.kubernetes.io/enable-access-log: false
                  nginx.ingress.kubernetes.io/ingress.allow-http: false
                  nginx.ingress.kubernetes.io/proxy-buffer-size: 2000k
    Events:
      Type    Reason  Age   From                      Message
      ----    ------  ----  ----                      -------
      Normal  Sync    6s    nginx-ingress-controller  Scheduled for sync
    
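The following script is an added example and is not part of the Oracle documentation or of the Helm chart: it checks the values.yaml edited in "Setup routing rules for the Design Console ingress" before running helm install, and checks saved output of kubectl describe ing afterwards. The checks cover the settings this section asks for (tls: SSL, a secretName, the T3 port 14002, plain HTTP disabled and the WL-Proxy-SSL header injected) and additionally verify that the T3 backend already resolves to a pod endpoint. The function names and the sample inputs written by write_dc_samples are constructed for this example from the fragments shown above.

```sh
#!/bin/sh
# Added example, not part of the Oracle documentation: offline sanity checks for
# the Design Console ingress. check_dc_values inspects values.yaml before
# "helm install"; check_dc_ingress inspects saved "kubectl describe ing" output
# afterwards. The sample inputs written by write_dc_samples are constructed.

# check_dc_values FILE : tls must be SSL (a commented "# tls: SSL" does not
# count), a secretName must be set and the backend port must be the OIM T3
# port. Returns 0 only if all three hold.
check_dc_values() {
    rc=0
    grep -Eq '^[[:space:]]*tls:[[:space:]]*SSL[[:space:]]*$' "$1" \
        || { echo "values: 'tls: SSL' is not set"; rc=1; }
    grep -Eq '^[[:space:]]*secretName:[[:space:]]*[^[:space:]#]+' "$1" \
        || { echo "values: secretName is empty"; rc=1; }
    grep -Eq '^[[:space:]]*oimServerT3Port:[[:space:]]*14002[[:space:]]*$' "$1" \
        || { echo "values: oimServerT3Port is not 14002"; rc=1; }
    return $rc
}

# check_dc_ingress FILE : plain HTTP must be disabled, WebLogic must be told the
# front end is SSL (WL-Proxy-SSL), and the T3 backend must resolve to at least
# one pod endpoint (no address in parentheses means oim_server1 is not READY).
check_dc_ingress() {
    rc=0
    grep -q 'ingress.allow-http: false' "$1" \
        || { echo "ingress: allow-http is not false"; rc=1; }
    grep -q 'more_set_input_headers "WL-Proxy-SSL: true"' "$1" \
        || { echo "ingress: WL-Proxy-SSL header is not injected"; rc=1; }
    grep -Eq 'oim-cluster:14002 \([0-9.]+:14002' "$1" \
        || { echo "ingress: no pod endpoint behind the T3 backend"; rc=1; }
    return $rc
}

# write_dc_samples : constructed good and bad inputs, derived from the
# values.yaml and "kubectl describe ing" fragments shown in this section.
DC_TMP="${TMPDIR:-/tmp}/dc-check.$$"
write_dc_samples() {
    mkdir -p "$DC_TMP"
    cat > "$DC_TMP/values-good.yaml" <<'EOF'
type: NGINX
# tls: NONSSL
tls: SSL
secretName: governancedomain-tls-cert
wlsDomain:
  domainUID: governancedomain
  oimClusterName: oim_cluster
  oimServerT3Port: 14002
EOF
    # Same file with SSL left commented out and no secret: must be rejected.
    sed -e 's/^tls: SSL/# tls: SSL/' -e 's/^secretName: .*/secretName:/' \
        "$DC_TMP/values-good.yaml" > "$DC_TMP/values-bad.yaml"
    cat > "$DC_TMP/ingress-good.txt" <<'EOF'
Name:             governancedomain-nginx-designconsole
Rules:
  Host        Path  Backends
  *
                 governancedomain-cluster-oim-cluster:14002 (10.244.2.103:14002)
Annotations:  nginx.ingress.kubernetes.io/configuration-snippet:
                more_set_input_headers "X-Forwarded-Proto: https";
                more_set_input_headers "WL-Proxy-SSL: true";
              nginx.ingress.kubernetes.io/ingress.allow-http: false
EOF
    # Backend without an endpoint and HTTP still allowed: must be rejected.
    sed -e 's/(10\.244\.2\.103:14002)/(<none>)/' \
        -e 's/allow-http: false/allow-http: true/' \
        "$DC_TMP/ingress-good.txt" > "$DC_TMP/ingress-bad.txt"
}

write_dc_samples
check_dc_values "$DC_TMP/values-good.yaml" && echo "values.yaml OK"
check_dc_ingress "$DC_TMP/ingress-good.txt" && echo "ingress OK"
```

Against a live cluster, save the output with kubectl describe ing governancedomain-nginx-designconsole -n oigns > ingress.txt and run check_dc_ingress ingress.txt. A backend line with no pod address in parentheses means oim_server1 is not READY yet, so the T3 channel change in the next section cannot be exercised until it is.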

Update the T3 channel

  1. Log in to the WebLogic Console using https://${MASTERNODE-HOSTNAME}:${MASTERNODE-PORT}/console.

  2. Navigate to Environment, click Servers, and then select oim_server1.

  3. Click Protocols, and then Channels.

  4. Click the default T3 channel called T3Channel.

  5. Click Lock and Edit.

  6. Set the External Listen Address to the ingress controller hostname ${MASTERNODE-HOSTNAME}.

  7. Set the External Listen Port to the ingress controller port ${MASTERNODE-PORT}.

  8. Click Save.

  9. Click Activate Changes.

Restart the OIG Managed Server

Restart the OIG Managed Server for the above changes to take effect:

$ cd $WORKDIR/kubernetes/domain-lifecycle
$ ./restartServer.sh -s oim_server1 -d <domain_uid> -n <domain_namespace>

For example:

$ cd $WORKDIR/kubernetes/domain-lifecycle
$ ./restartServer.sh -s oim_server1 -d governancedomain -n oigns

Make sure the <domain_uid>-oim-server1 pod has a READY status of 1/1 before continuing:

$ kubectl get pods -n oigns | grep oim-server1   

The output will look similar to the following:

governancedomain-oim-server1                                1/1     Running     0          8m

Design Console Client

It is possible to use Design Console from an on-premises install, or from a container image.

Using an on-premises installed Design Console

The instructions below should be performed on the client where Design Console is installed.

  1. Import the CA certificate into the java keystore

    If in Generate SSL Certificate you requested a certificate from a Certificate Authority (CA), then you must import the CA certificate (e.g. cacert.crt) that signed your certificate into the Java truststore used by Design Console.

    If in Generate SSL Certificate you generated a self-signed certificate (e.g. tls.crt), you must import the self-signed certificate into the Java truststore used by Design Console.

    Import the certificate using the following command:

    $ keytool -import -trustcacerts -alias dc -file <certificate> -keystore $JAVA_HOME/jre/lib/security/cacerts
    

    where <certificate> is the CA certificate or the self-signed certificate.

  2. Once complete, follow Login to the Design Console.

Using a container image for Design Console

Using Docker

The Design Console can be run from a container using X windows emulation.

  1. On the parent machine where the Design Console is to be displayed, run xhost +.

  2. Find which worker node the <domain>-oim-server1 pod is running on. For example:

    $ kubectl get pods -n oigns -o wide | grep governancedomain-oim-server1 
    

    The output will look similar to the following:

    governancedomain-oim-server1                                1/1     Running     0          31m     10.244.2.98   worker-node2   
    
  3. On the worker node returned above (e.g. worker-node2), execute the following command to find the OIG container image name:

    $ docker images
    

    Then execute the following command to start a container to run Design Console:

    $ docker run -u root --name oigdcbase -it <image> bash
    

    For example:

    $ docker run -u root -it --name oigdcbase container-registry.oracle.com/middleware/oig_cpu:12.2.1.4-jdk8-ol8-<January'24> bash
    

    This will take you into a bash shell inside the container:

    bash-4.2#
    
  4. Inside the container set the proxy, for example:

    bash-4.2# export https_proxy=http://proxy.example.com:80
    
  5. Install the relevant X windows packages in the container:

    bash-4.2# yum install libXext libXrender libXtst
    
  6. Execute the following outside the container to create a new Design Console image from the container:

    $ docker commit <container_name> <design_console_image_name>
    

    For example:

    $ docker commit oigdcbase oigdc
    
  7. Exit the container bash session:

    bash-4.2# exit
    
  8. Start a new container using the Design Console image:

    $ docker run --name oigdc -it oigdc /bin/bash
    

    This will take you into a bash shell for the container:

    bash-4.2#
    
  9. Copy the Ingress CA certificate into the container

    If in Generate SSL Certificate you requested a certificate from a Certificate Authority (CA), then you must copy the CA certificate (e.g. cacert.crt) that signed your certificate into the container.

    If in Generate SSL Certificate you generated a self-signed certificate (e.g. tls.crt), you must copy the self-signed certificate into the container.

    Note: You will have to copy the certificate over to the worker node where the oigdc image is created before running the following.

    Run the following command outside the container:

    $ cd <workdir>/ssl
    $ docker cp <certificate> <container_name>:/u01/jdk/jre/lib/security/<certificate>
    

    For example:

    $ cd /scratch/OIGK8S/ssl
    $ docker cp tls.crt oigdc:/u01/jdk/jre/lib/security/tls.crt
    
  10. Import the certificate using the following command:

    bash-4.2# /u01/jdk/bin/keytool -import -trustcacerts -alias dc -file /u01/jdk/jre/lib/security/<certificate> -keystore /u01/jdk/jre/lib/security/cacerts
    

    For example:

    bash-4.2# /u01/jdk/bin/keytool -import -trustcacerts -alias dc -file /u01/jdk/jre/lib/security/tls.crt -keystore /u01/jdk/jre/lib/security/cacerts
    
  11. In the container run the following to export the DISPLAY:

    bash-4.2# export DISPLAY=<parent_machine_hostname:1>
    
  12. Start the Design Console from the container:

    bash-4.2# cd idm/designconsole
    bash-4.2# sh xlclient.sh
    

    The Design Console login should be displayed. Now follow Login to the Design Console.

Using podman

  1. On the parent machine where the Design Console is to be displayed, run xhost +.

  2. Find which worker node the <domain>-oim-server1 pod is running on. For example:

    $ kubectl get pods -n oigns -o wide | grep governancedomain-oim-server1 
    

    The output will look similar to the following:

    governancedomain-oim-server1                                1/1     Running     0          19h   10.244.2.55   worker-node2   <none> 
    
  3. On the worker node returned above (e.g. worker-node2), execute the following command to find the OIG container image name:

    $ podman images
    

    Then execute the following command to start a container to run Design Console:

    $ podman run -u root --name oigdcbase -it <image> bash
    

    For example:

    $ podman run -u root -it --name oigdcbase container-registry.oracle.com/middleware/oig_cpu:12.2.1.4-jdk8-ol8-<January'24> bash
    

    This will take you into a bash shell inside the container:

    bash-4.2#
    
  4. Inside the container set the proxy, for example:

    bash-4.2# export https_proxy=http://proxy.example.com:80
    
  5. Install the relevant X windows packages in the container:

    bash-4.2# yum install libXext libXrender libXtst
    
  6. Execute the following outside the container to create a new Design Console image from the container:

    $ podman commit <container_name> <design_console_image_name>
    

    For example:

    $ podman commit oigdcbase oigdc
    
  7. Exit the container bash session:

    bash-4.2# exit
    
  8. Start a new container using the Design Console image:

    $ podman run --name oigdc -it oigdc /bin/bash
    

    This will take you into a bash shell for the container:

    bash-4.2#
    
  9. Copy the Ingress CA certificate into the container

    If in Generate SSL Certificate you requested a certificate from a Certificate Authority (CA), then you must copy the CA certificate (e.g. cacert.crt) that signed your certificate into the container.

    If in Generate SSL Certificate you generated a self-signed certificate (e.g. tls.crt), you must copy the self-signed certificate into the container.

    Note: You will have to copy the certificate over to the worker node where the oigdc image is created before running the following.

    Run the following command outside the container:

    $ cd <workdir>/ssl
    $ podman cp <certificate> <container_name>:/u01/jdk/jre/lib/security/<certificate>
    

    For example:

    $ cd /scratch/OIGK8S/ssl
    $ podman cp tls.crt oigdc:/u01/jdk/jre/lib/security/tls.crt
    
  10. Inside the container, import the certificate using the following command:

    bash-4.2# /u01/jdk/bin/keytool -import -trustcacerts -alias dc -file /u01/jdk/jre/lib/security/<certificate> -keystore /u01/jdk/jre/lib/security/cacerts
    

    For example:

    bash-4.2# /u01/jdk/bin/keytool -import -trustcacerts -alias dc -file /u01/jdk/jre/lib/security/tls.crt -keystore /u01/jdk/jre/lib/security/cacerts
    
  11. In the container run the following to export the DISPLAY:

    bash-4.2# export DISPLAY=<parent_machine_hostname:1>
    
  12. Start the Design Console from the container:

    bash-4.2# cd idm/designconsole
    bash-4.2# sh xlclient.sh
    

    The Design Console login should be displayed. Now follow Login to the Design Console.
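The script below is a guarded form of the keytool import used in step 1 of the on-premises instructions and in step 10 of both the Docker and the podman instructions above. It is added here as an example and is not part of the Oracle documentation. It derives the truststore location from JAVA_HOME (the jre/lib/security layout shown on this page is the JDK 8 layout; JDK 9 and later place cacerts under lib/security), refuses to import a certificate whose SHA-256 fingerprint does not match the value you expect from your CA or from the tls.crt you generated, and leaves an existing dc alias untouched so the step can be re-run. The function names, the DC_STOREPASS variable and the fingerprint placeholder in the usage comment are assumptions of this example; changeit is the JDK default truststore password.

```sh
#!/bin/sh
# Added example, not part of the Oracle documentation: a guarded version of the
# "keytool -import" step for the Design Console truststore. It works on an
# on-premises Design Console host and inside the oigdc container alike.
# Assumptions: keytool is on PATH (or run with PATH=$JAVA_HOME/bin:$PATH) and
# the truststore password is the JDK default "changeit" unless DC_STOREPASS is set.

# dc_truststore_path JAVA_HOME
# Prints the cacerts path for a JDK 8 layout (jre/lib/security, the layout
# shown on this page) or a JDK 9+ layout (lib/security); fails if neither exists.
dc_truststore_path() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    echo "no cacerts found under $1" >&2
    return 1
}

# dc_fp_normalize FINGERPRINT
# Strips colons and spaces and upper-cases hex digits so "ab:cd" equals "ABCD".
dc_fp_normalize() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# dc_cert_sha256 CERTFILE
# SHA-256 fingerprint of the certificate as reported by keytool -printcert.
dc_cert_sha256() {
    keytool -printcert -file "$1" \
        | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# import_dc_ca CERTFILE EXPECTED_SHA256 [ALIAS]
# Imports CERTFILE into the JDK truststore under ALIAS (default dc) only if its
# fingerprint matches EXPECTED_SHA256. Re-running with the alias already present
# is a no-op rather than an error.
import_dc_ca() {
    cert="$1"; expected="$2"; dc_alias="${3:-dc}"
    [ -n "$JAVA_HOME" ] || { echo "JAVA_HOME is not set" >&2; return 1; }
    store="$(dc_truststore_path "$JAVA_HOME")" || return 1
    [ -f "$cert" ] || { echo "certificate file $cert not found" >&2; return 1; }
    actual="$(dc_cert_sha256 "$cert")"
    if [ -z "$actual" ] || \
       [ "$(dc_fp_normalize "$actual")" != "$(dc_fp_normalize "$expected")" ]; then
        echo "fingerprint mismatch for $cert: keytool reports '$actual'" >&2
        return 1
    fi
    if keytool -list -keystore "$store" -storepass "${DC_STOREPASS:-changeit}" \
               -alias "$dc_alias" >/dev/null 2>&1; then
        echo "alias $dc_alias already present in $store; nothing to do"
        return 0
    fi
    # The fingerprint was verified above, so the interactive
    # "Trust this certificate?" prompt can be answered non-interactively.
    keytool -importcert -trustcacerts -noprompt -alias "$dc_alias" -file "$cert" \
            -keystore "$store" -storepass "${DC_STOREPASS:-changeit}"
}

# Usage inside the oigdc container (the fingerprint is a placeholder):
#   JAVA_HOME=/u01/jdk import_dc_ca /u01/jdk/jre/lib/security/tls.crt \
#       "AA:BB:CC:...:FF"   # expected SHA-256 from keytool -printcert -file tls.crt
```

Obtain the expected fingerprint on the machine where the certificate was generated (keytool -printcert -file tls.crt, or openssl x509 -noout -fingerprint -sha256 -in tls.crt) rather than from the copy inside the container, so that the copy is checked against the original. On the page's container image the JDK is under /u01/jdk, as the keytool path in step 10 shows; on an on-premises host use that host's JAVA_HOME.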

Login to the Design Console

  1. Launch the Design Console. In the Oracle Identity Manager Design Console login page, enter the following details and click Login:

    • Server URL: <url>
    • User ID: xelsysadm
    • Password: <password>

    where <url> is https://${MASTERNODE-HOSTNAME}:${MASTERNODE-PORT}.

  2. If successful the Design Console will be displayed.