Forum Discussion

Olivier_Beytrison
May 02, 2023

Allowing JNLP access to an application protected by APM/Oauth2

In order to protect a critical application (Oracle EBS), we went the AzureAD/OAuth2 pre-authentication way.

This means that the users need to have a valid M365 session in their browser to reach the application. They can then log in (again) and use the application.

The issue I'm facing is that Oracle EBS makes heavy use of Java applications through JNLP. Once you download and launch the JNLP, the application doesn't start, because it cannot reach the application endpoint. This is caused by Java not having the "oauth session" needed to access the application. The Java application is actually redirected to the Microsoft login page. (The web-based application uses the same URL as the Java applications. Both use, for example, https://my-ebs-app.organization.com/)

So I need a form of "App Tunnel" or ACL to allow those JNLP to actually reach the application server for the users who have a valid oauth2 session.

Any idea on a solution to this issue?

 

  • Hi Olivier_Beytrison,

    Could you please have a look at this F5 KB article, which matches your situation, and check if it helps:

    K01781182: Not able to access Oracle ERP applications via BIG-IP APM.

    https://my.f5.com/manage/s/article/K01781182

    • Olivier_Beytrison (Cirrus)

      Hello,

      Thanks for the link and the hint. I've tried setting up the App Tunnel feature but it seems I'm missing something in the process.

      I've asked our integrator to help me with this point, so hopefully it will be sorted shortly.

      Regards,

      Olivier B.

  • Hi Olivier_Beytrison - hopefully someone from the community will answer first, but just in case nobody has helped by Monday, I'll feature your question in the weekly Highlights article in order to boost visibility to increase the chances someone will reply. 

  • 423685 (Nimbostratus)

    One possible solution to the issue you're facing is to use a reverse proxy or application gateway that can handle the authentication and forwarding of requests to the Oracle EBS application server. This allows you to establish a secure connection between the client and the reverse proxy, while the proxy handles the authentication and forwards the requests to the application server.

    Here's a high-level overview of how this solution could work:

    1. Set up a reverse proxy or application gateway (e.g., Nginx, Apache HTTP Server, Azure Application Gateway) in front of the Oracle EBS application server.

    2. Configure the reverse proxy to handle the authentication part using Azure AD and OAuth2. This typically involves configuring the proxy to validate the OAuth2 access tokens or session cookies from the M365 session.

    3. When a client tries to access the Oracle EBS application through the JNLP, they will be redirected to the reverse proxy for authentication.

    4. Once the client's M365 session is validated and authenticated, the reverse proxy can create a separate session or token specific to the Oracle EBS application.

    5. The reverse proxy then forwards the requests from the client to the Oracle EBS application server, including the necessary authentication information (e.g., session token) required by the Java applications in the JNLP.

      (Edited by Leslie Hubertus to remove spam link)

    • Olivier_Beytrison (Cirrus)

      Hello,

      Well, I have only a single VIP. For now I've set up the APM Policy on the VS that hosts the Oracle EBS service. Maybe that's not the right way to do it. But as stated above, I've asked our integrator to send me someone knowledgeable about APM to help me sort this out.

      Regards,
      Olivier B.