Good morning, I have a large maintain application in 7.7.03....

[Manoj Chaurasia]

Deana

I dont think this is possible with 7.7.03 at some point you are going to have to bite the bullet and upgrade. Double check with techsupport if it is possible or not.

[Deana Goeken]

Chuck, I was afraid you would say that (not possible and bite the bullet ) I will check with tech support. Thank you

[Deana Goeken]

Good morning,

I have a large maintain application in 7.7.03. At this time, we are currently windows user accounts which is a tedious task. In an effort to standardize the login process with other applications, I am trying to figure out how to use OAuth to authenticate the WebFOCUS users. I have read that starting with 7.7.06, the server can be configured to use Cross-Site Request Forgery (CSRF). Is there a way to securely accomplish this functionality in 7.7.03

Thank you,

Deana

[Toby Mills]

Hi Deana

Im not sure what branch youre using in Wyoming - probably San Jose

This is likely a job for Professional Service from IBI (now Tibco). They can write up a Custom Servlet Filter for you to let you use Open ID work with WebFOCUS for authentication.

Youll probably get the same answer from techsupport, but you might go ahead and reach out to your branch to ask if they have any ideas.

Toby

[Toby Mills]

I just had a random thought too Deana - What about setting up Active Directory to use oauth

OpenID Connect authentication with Azure Active Directory | Microsoft Docs

Maybe this would be simpler since it sounds like youre already using AD to authenticate people.

If you can get hold of IBI consultants, they could help you navigate the problem.

[Deana Goeken]

Toby,

I will check into a Custom Servlet Filter. We are actually using windows user accounts and not active directory for authentication. Which is a major reason we want to switch to OAuth . Years ago, Chuck tried to help me configure the WebFOCUS server to use active directory, but we could not get it to work correctly. (I suspect it was due to some firewall rule, but am only guessing.) Most of the users are internal, so ad should work for them.

Thank you for your suggestions.

[Manoj Chaurasia]

Deana

For what it is worth I think Toby has a great suggestion that will not force you to upgrade and should not be expensive to implement.

[Toby Mills]

Hey Deana

Just another idea - I dont know what you use for your Web Server If you secure your Web Server via HTTPS that uses OAuth to Authenticate, you may not really have to have an HTTPS connection between your Web Server and your Application Server. I know several of our customers do it this way.

The feeling is that once you get past the Web Server, youre on an internal network and the communication there does not have to be encrypted.

The advantage of this is that you get to put the work on the people who set up Web Servers for you. Ask them to enable HTTPS on your webserver. Then when the web server redirects to Tomcat (or websphere or whatever), then you dont have to do anything as the WF admin since the call to Tomcat will be using HTTP just like before.

I think Id start that way - first, put the work on your web server people to install a certificate and enable HTTPs. Even if you want to go on and get tomcat to use HTTPS, youll need that certificate anyway.

What OS, Web Server and App Server do you use

[Deana Goeken]

Toby,

This sounds like it would work well. Our WebFOCUS app already uses HTTPs. I am fairly confident the OAuth server is also using HTTPs.

For the WebFOCUS app the OS is Server 2008 R2. WebFOCUS is 7.7.03. As I have been working solely with this 1 WebFOCUS app for the past 10 or 11 years, I dont know any information about the other app server at this time. I am going to reach out to my server staff.

Thank you for the suggestion.

[Toby Mills]

Youre welcome Deana - I think I got my wires crossed on this thread. I started answering an SSL related thread that maybe I invented in my head!

Sorry about that. 2008 R2 is getting long in the tooth. Ive got a couple of those boxes running 8105m here that we are upgrading to windows 2019 servers running 8207. If you decide to go down that road, there are several of us generally doing the same thing.

If its Windows and its old, Ill bet youre using Tomcat as your Web Application Server (not to be confused with a Web Server) and IIS as your Web Server. So WebFOCUS runs on Tomcat, and people reach it by going through IIS (which then points them off to Tomcat, which points them to run WebFOCUS).

Good luck with the OAuth authentication!