3.1 Configuring OAuth2 in Access Manager for Use with Secure API Manager

You must enable OAuth2 and create an OAuth2 application in Access Manager that Secure API Manager uses to obtain the OAuth tokens for the API authorizations. If you have multiple Identity Server clusters that you want Secure API Manager to reference, you must perform the following steps for each Identity Server cluster in Access Manager.

The Key Manager in the API Gateway uses this OAuth2 application to create, update, and delete OAuth2 applications and to generate tokens. This OAuth2 application must have a scope that allows full access to OAuth2 management (urn:netiq.com:nam:scope:oauth:registration:full) and the user associated with the token must have the roles NAM_OAUTH2_DEVELOPER and NAM_OAUTH2_ADMIN assigned.

Use the following information to enable OAuth2, create an OAuth2 application, and assign the proper rights in Access Manager.

  1. Enable OAuth2 in Access Manager as follows:

    1. Log in to the Access Manager Administration Console.

    2. Click Devices > Identity Servers > IDP Cluster.

    3. In the Enabled Protocols section, select OAuth & OpenID Connect.

    4. Click OK.

    5. Click Update All to update all of the Identity Servers.

    6. Select All Configurations, then click OK to perform the update.

  2. Create a new scope for the OAuth application as follows:

    1. Click Devices > Identity Servers > IDP Cluster.

    2. Click the OAuth & OpenID Connect tab.

    3. Click New to create a custom resource server for Secure API Manager.

    4. Specify a unique name for the resource server.

    5. (Conditional) If you have more than one Identity Cluster, select the appropriate Identity Cluster.

    6. Click Finish.

    7. Click the resource server you just created.

    8. Click the Scope tab, then click New.

    9. Use the following information to create the scope:

      Name

      Specify the name of the scope. For example, am_application_scope.

      Description

      Specify a detailed description to explain what this scope does.

      Includes claims of type

      Select Custom Claims/Permissions to allow Access Manager to provide the authorization tokens for the APIs in Secure API Manager.

      Require user permission

      Deselect this option. By not using this option, the APIs can make the calls and receive the tokens without requiring user interaction.

      Allow modification in consent

      Ensure that this option is not selected. By not using this option, the APIs can make the calls and receive the tokens without requiring user interaction.

    10. Click Next.

  3. Add a new, randomly named claim as follows:

    1. On Step 2 of 2, click New to create a custom claim.

    2. Specify a name for the custom claim. For example, APIGatewayRandomPermission.

    3. Click OK.

    4. Select the new claim.

    5. Click Add > Add to Access Token.

    6. Click Finish, then click OK.

  4. Define the global settings as follows:

    NOTE: You might have already configured the global settings for other OAuth2 applications. The following settings are the minimum settings required for Secure API Manager to work with Access Manager. For more information, see Defining Global Settings in the NetIQ Access Manager 4.5 Administration Guide.

    1. On the OAuth & OpenID Connect tab, click the Global Settings tab.

    2. Use the following information to define the global settings:

      Authorization Grant LDAP Attribute

      Specify an LDAP attribute that stores the token refresh information. This can be any attribute in the LDAP directory that accepts a long text string, or a stream attribute. For example, personalTitle.

      Grant Types

      Select the following options:

      • Authorization Code

      • Implicit

      • Resource Owner Credentials

      • Client Credentials

      Token Types

      Select the following options:

      • Access Token

      • ID Token

      • Refresh Token

      Token Revocation

      Ensure that you deselect this option. It is enabled by default. If you revoke the Access Manager tokens, Secure API Manager cannot validate the API requests.

      Access Token and ID Token Timeouts

      Specify the duration in minutes for the length of time before the access token and ID token become invalid. Set this value to what is appropriate for your environment because this is a global setting.

      Refresh Token Timeout

      Specify the duration in minutes for the length of time before the refresh token becomes invalid. Set this value to what is appropriate for your environment because this is a global setting.

    3. Click Apply.

  5. Create an OAuth2 client application as follows:

    1. Click Devices > Identity Servers > Edit > OAuth & OpenID Connect > Client Applications > Register New Client.

    2. Use the following information to create the OAuth2 application:

      Client Name

      Specify a name for the application. For example, Secure API Manager Administration.

      Client Type

      Select Web Based as the client type.

      Redirect URI

      Specify the URI of the Access Manager Identity Server. For example:

      https://IDP-dns-name:port/nidp/oauth2

      Grants Required

      Select all of the options except SAML 2.0 Assertion.

      Token Types

      Select all of the token types listed.

    3. Click OpenID Connect Configuration and configure an algorithm for the OAuth token as follows:

      1. In the ID Token Signed Response Algorithm field, select RS256.

      2. Set the additional fields to what is appropriate for your environment. For more information, see Defining Global Settings in the NetIQ Access Manager 4.5 Administration Guide.

    4. Click Token Timeout Configuration, then set the value of Access Token and ID Token Timeout to be 525600 minutes, which is one year.

    5. Click Register Client.

    6. Record the Client ID and Secret of the newly created client application so you can use them later in the Identity Server configuration in Secure API Manager.

  6. Grant OAuth2 developer and administrative roles to an Access Manager administrator as follows:

    1. Determine which Access Manager user is the designated OAuth2 administrator.

    2. In the Access Manager Administration Console, click Policies > Policies.

    3. Click New to create a new role for the OAuth2 administrator.

      NOTE: You can use an existing role but you must add the following Actions to the role. For more information, see Creating Roles in the NetIQ Access Manager 4.5 Administration Guide.

    4. For the Type, select Identity Server: Roles.

    5. Specify a detailed description for the policy so it is easy to remember that it is the policy for Secure API Manager access.

    6. In the Condition Group, click the New drop-down menu, then select LDAP Attribute.

    7. In the LDAP Attribute field, click GUID, then find and select cn.

    8. In the Value field, click LDAP Attribute, then find and select Data Entry Field.

    9. Specify the name of the administrator user that is the administrator for OAuth in your Access Manager environment.

    10. In the Actions section, select Activate Role, then add the following two roles:

      • NAM_OAUTH2_DEVELOPER

      • NAM_OAUTH2_ADMIN

    11. Click OK twice.

    12. Click Apply Changes, then click Close.

    13. (Conditional) If you created a new policy, click Edit IDP > Roles > Select the new policy > Enable. If the policy does not appear in the list, click Manage Policies, then click the new policy to enable it.

    14. Click Save to create the new policy or enable an existing policy.

  7. Update all Identity Servers with the configuration changes as follows:

    1. In the Access Manager Administration Console, click Identity Servers.

    2. Click Update All to reconfigure all of the nodes in the cluster for the Identity Servers.
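After the update, a practitioner will want to confirm that tokens issued by the new client actually carry what the steps above configure: an RS256 header (step 5.3), the urn:netiq.com:nam:scope:oauth:registration:full scope, the custom claim added to the access token (step 3), and the one-year (525600 minute) access token lifetime (step 5.4). The checker below is an added example, not part of this guide or of the Access Manager product; it assumes the access token is a JWT whose scope is a space-separated `scope` claim, it uses the page's example claim name APIGatewayRandomPermission, and it inspects the header and payload only (it does not verify the signature, so a real check should follow signature validation against the Identity Server's published keys).

```python
import base64
import json

# Values this page tells you to configure in Access Manager.
REQUIRED_SCOPE = "urn:netiq.com:nam:scope:oauth:registration:full"
REQUIRED_ALG = "RS256"                 # step 5.3.1
ACCESS_TOKEN_LIFETIME_MIN = 525600     # one year, step 5.4
CUSTOM_CLAIM = "APIGatewayRandomPermission"  # page's example name (assumption)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_access_token(token: str) -> list:
    """Return a list of configuration problems visible in a token's header and
    payload. The signature is NOT verified; this only inspects issued contents."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWS"]
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    problems = []
    if header.get("alg") != REQUIRED_ALG:
        problems.append(f"alg is {header.get('alg')!r}, expected {REQUIRED_ALG}")
    if REQUIRED_SCOPE not in str(payload.get("scope", "")).split():
        problems.append("registration:full scope missing")
    if CUSTOM_CLAIM not in payload:
        problems.append(f"custom claim {CUSTOM_CLAIM} not added to the access token")
    lifetime_min = (payload.get("exp", 0) - payload.get("iat", 0)) // 60
    if lifetime_min != ACCESS_TOKEN_LIFETIME_MIN:
        problems.append(f"lifetime is {lifetime_min} min, expected {ACCESS_TOKEN_LIFETIME_MIN}")
    return problems


def make_sample_token(alg: str = REQUIRED_ALG, **overrides) -> str:
    """Constructed sample token for offline testing; the signature segment is a
    placeholder, not a real RS256 signature. Keyword overrides patch the payload."""
    header = {"alg": alg, "typ": "JWT"}
    payload = {"iat": 1700000000, "exp": 1700000000 + ACCESS_TOKEN_LIFETIME_MIN * 60,
               "scope": REQUIRED_SCOPE, CUSTOM_CLAIM: "granted"}
    payload.update(overrides)
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"placeholder-signature")])
```

Run `check_access_token()` on a token obtained from the newly registered client; an empty list means the scope, claim, algorithm and timeout match this procedure.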