
Wednesday, September 15, 2021

How to pass the ITIL4 easily?

Hello all, how are you all doing? I am coming back here after a long hiatus!!

I promise to be consistent this time onwards :D

I am sure most of you in technical operations are quite familiar with ITIL. Is that even a question? Right? ;)

At the start of this year I became a technical writer for technical operations at a software company, and it was quite important for me to learn the domain and become familiar with the tech ops vernacular. Hence, I started looking at the ITIL path and decided to do the ITIL4 exam.

So as a start I wanted to go through proper training conducted by a certified trainer. Did that work for me? Yes, but let me tell you how to pass the exam easily without much hassle; this is from personal experience.



Please follow the steps below:

1) Go to Coursera and register for the course https://www.coursera.org/learn/itil-4-exam-preparation/home/welcome. Now you might be thinking you will have to spend a lot on this course; actually, not at all. You can audit this course to get the knowledge. (Of course, it is much better if you can register for a subscription and do all the activities and exams. However, auditing the course will give you enough knowledge and experience for the exam; in fact, I also only audited the course.)

2) Please remember to do the two practice exams provided by the above course to test your knowledge and evaluate your as-is status.

3) Then go here and download this cram card: https://pdfcoffee.com/itil-4-foundation-cram-card-pdf-free.html (This is super useful whenever you want to recall a definition, because these definitions are very important for the exam questions.)

4) Keep referring to the cram card every three days (yes, it is very important to refresh your memory every three days so that things stay in memory more permanently).

5) The most important step is to do as many exam preparation questions as you can; you can find loads of these on the internet. (Try to get to a pass score of 90 and you will be safe in the exam.)

Voila! You are ready for the exam. (Give yourself at least two good weeks of prep work according to the above steps.)

Well, of course it would be really nice if you have a lot of practical experience in technical operations, but hey, who has all that luck and luxury ;)

With a couple of weeks of preparation and a bit of common sense you can easily pass the exam :) But do not forget that your knowledge and the application of it is the most important thing of all, not just the certification; of course, the certification will be the icing on the cake :D

Good luck y'all!!


Friday, March 25, 2016

Replace your chat buddy with an AI bot ?

Hey Guys,

It has been quite some time since I last blogged. Today I bumped into this tweet by Dr Richard Wallace and it got me looking back at the year 2010.



The year 2010 was the time of my final year thesis, and I remember taking on the challenge of developing an AI bot to answer prospective students' queries about APIIT (my undergraduate institute) courses. I named my AI bot Virtual Intelligent Student Counselor for APIIT: http://umeshagunasinghe.blogspot.com/2013/09/virtual-inteligent-student-counselor.html. I was quite passionate about the whole AI world, and the research took me into another dimension.

It is simply amazing how Alan Turing's inception of the idea of a chatterbot, with the question of whether computers have the ability to think, revolutionized the world of chatterbots: the first-generation bots (ELIZA, which used simple pattern matching techniques), then the second generation (learning from conversations using AI techniques), and the third generation using AIML, with more complex pattern matching techniques.

A chatterbot has its own brain, and using different techniques its knowledge can be expanded. What I felt and learnt through my research and implementation is that it is like a human brain: from a young age we learn word by word, and the more conversations you have with the bot, the more decent the conversation with the chatterbot becomes, through the techniques that expand its knowledge base.

If you have a conversation with ALICE, http://alice.pandorabots.com/, you can experience the level of maturity it has gained over the years; it can now keep a good, smooth conversation going with a human being without going off topic.

With the growth of technology, and with people glued to computers and hand-phones, chatting has become an important part of daily life. Different kinds of people chat for different purposes, and there are people who need a companion to chat with. With the growth of the technology, and looking at the evolution of AI bots, it is highly likely that an AI web bot might become your chatting pal sooner rather than later.

Is this a good change or a bad change? That is a topic to argue about, but honestly the technology should receive a standing ovation.

#randomThoughts

Friday, November 20, 2015

WSO2 Identity Server - How to add new attributes to the XACML Policy Editor

Hi All,

This is a very quick tutorial on how to add a new attribute to the XACML policy editor.

1) I have a newly introduced claim called SpecialName and I need to add it to the XACML policy editor

2) Go to Policy Administration -> Add New Entitlement Policy, where you can see all the policy editors

3) Click the 'here' link in the Standard Policy Editor description



4) First you need to add SpecialName as an <attributeId> as follows :-


5) Then add the attribute description under <attributeIds>


6) Once you update, you can see this new attribute in the relevant areas of the policy editor as follows :-


Cheers..!!

Tuesday, November 17, 2015

How to apply security policies with WSO2 ESB 4.9.0

Hi All,

Here is a quick tutorial on how to create a secured service in WSO2 ESB 4.9.0. As QoS has been removed from the admin console, you now have to use WSO2 Developer Studio to apply the relevant security policies to proxy services.

1) Download WSO2 ESB 4.9.0 and WSO2 Developer Studio 3.8.0
2) Extract these into folders
3) First we need to create a policy using Developer Studio
Please refer to the following URL on creating a new policy; here we can use the UsernameToken policy:
https://docs.wso2.com/display/DVS380/Applying+Security+for+a+Service#ApplyingSecurityforaService-Creatingthesecuritypolicy

4) Then you need to create the proxy service. For this, first create an ESB Config Project from the Developer Studio dashboard, then right-click on the project name and add a proxy service

5) For this scenario let's create a simple pass-through proxy, using the StockQuote sample as the endpoint

Please follow this link on how to start up the sample services: https://docs.wso2.com/display/ESB490/Setting+Up+the+ESB+Samples#SettingUptheESBSamples-StartingtheAxis2server

6) After creating the proxy, you need to add the previously created security policy to the proxy service

Please refer to the following guide on how to do that: https://docs.wso2.com/display/DVS380/Applying+Security+for+a+Service#ApplyingSecurityforaService-Applyingsecurityforaproxyservice

7) After creating both the proxy service and the policy, you need to deploy them into the ESB. For this purpose let's first create a composite application

8) Go to the Developer Studio dashboard and click on Composite Application Project. Give the project a name, select both the proxy service project and the policy project you created, and click Finish

9) Now right-click on the created composite application project and click on Export Composite Application Project

10) Now start up the ESB server and log in, then go to Carbon Applications in the right-side menu and upload the .car file by clicking Add

11) After successful deployment of the .car file, when you list the proxy services you can see the created proxy service with security applied


12) Click on Try this Service and the following window will open


Note :- enter the username and password, select the https endpoint as shown above, and invoke the service with a parameter, e.g. IBM

You will get the relevant response :)

Cheers...!!

Friday, November 13, 2015

WSO2 Identity Server - Quick tutorial on how to invoke Authentication admin Login via SOAPUI

1. Download the latest WSO2 Identity Server version (in this blog I have used 5.0.0)
2. Extract the .zip file and go to the <PRODUCT_HOME>/repository/conf/carbon.xml file.
3. Change the <HideAdminServiceWSDLs> element to false (set it back to true once you are done, so the admin service WSDLs are not exposed on a production server)
4. Start the Identity Server by running wso2server.bat (Windows) or wso2server.sh (Linux) in the bin folder
5. You can access the AuthenticationAdmin WSDL by typing the following URL into the browser: https://localhost:9443/services/AuthenticationAdmin?wsdl
6. Please refer to this URL for how to list all the admin services offered by WSO2 IS: https://docs.wso2.com/display/IS500/Calling+Admin+Services
7. Now copy the WSDL URL and create a new project in SOAPUI

8. Then double-click on the login request and fill in the parameters for the login request as below

9. Once you invoke it you can see the response as true or false in SOAPUI, and also on the console of the Identity Server as

[2015-11-13 16:53:21,451]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'hasini@carbon.super [-1234]' logged in at [2015-11-13 16:53:21,451+



cheers...!!!

Tuesday, March 31, 2015

OAuth2 Playground app with WSO2 Identity Server 5.0.0

This is basically a how-to reference post ...:)

1) Download the playground app from here and build it using maven

2) Get the .war app and deploy it on a Tomcat server
3) Download WSO2 Identity Server.

Now we need to configure the Playground app in the IS.


4) Go to add a new service provider

5) Give it a name, e.g. playground
6) Register the application
7) Now you will see a long list of options for the service provider; if you expand the Inbound Authentication tab, you can see the OAuth configuration



8) Click on Configure, add the relevant configuration and save


callback url :- http://localhost:8080/playground2/oauth2client

select the needed OAuth grant types, OAuth version 2.0




9) This will generate a key and a secret for the application; these can be used to invoke the authorization / token endpoints on the server (displayed after generation)


10) Once done, save the application configs


11) Start the Tomcat server and go to http://localhost:8080/playground2


12) Click on Import Photos, then select the relevant grant type and fill in the details as you go through the steps; basically the information needed is on the IS service provider application side (secret, key, URLs etc.)

13) According to the grant type you selected, you go through the OAuth handshake for that grant type; after getting the access token, you can import the photos :)

References :-

[1] https://docs.wso2.com/display/IS450/OAuth+2.0+Playground+with+WSO2+Identity+Server

Listen to this awesome webinar on OAuth :-

[2] http://wso2.com/library/webinars/2012/08/oauth-2-the-path-to-heaven-from-hell/

The following is a very useful resource link :-

[3] https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified

Wednesday, December 31, 2014

Use Case scenarios with WSO2 Identity Server 5.0.0 - Part 2

Hi All,

Today let's talk about database connectivity with WSO2 Identity Server. As you know, WSO2 Identity Server can be deployed over any LDAP, AD or JDBC user store. In fact, you can write a custom user store manager and connect to any legacy database.

WSO2 IS has the concept of a primary database and secondary databases. If you want to change the primary database, you have to change the configuration files and restart the server. But if you want to add secondary databases, you can do this through the IS management console. This is some background information on the product.

Now let's talk about a common use case scenario.

Say you need to connect the IS server to many databases. Clearly you can do this by connecting all of them as secondary databases. Therefore, if a user is trying to get authenticated, the user will be authenticated by checking all the connected databases.

Solution 1
-------------
If your user bases are located in different geographical locations, say for example you have three offices in three countries, and you need to connect Identity Server to the three user databases located in these countries, what you can do is connect these databases as secondary databases via VPN connections.

Solution 2
----------------
Another solution would be to have an Identity Server in each of these three countries, and one central Identity Server to which users from the other three servers are provisioned and against which users are authenticated.

Please check the following resource links for implementation of these scenarios :-

[1] https://docs.wso2.com/display/IS500/Working+with+User+Stores
[2] https://docs.wso2.com/display/IS500/Configuring+Primary+User+Stores
[3] https://docs.wso2.com/display/IS500/Configuring+Secondary+User+Stores
[4] https://docs.wso2.com/display/IS500/Identity+Provisioning+Concepts
[5] https://docs.wso2.com/display/IS500/Identity+Provisioning

Cheers ! Last post for year 2014...have a wonderful 2015 ahead...see you in the next year ;)

Tuesday, December 23, 2014

Product releases, and relevant information - WSO2

This is just a note for anyone who is looking for this information, not a fancy blog post :)
---------------------------------------------------------------------------------


Once a WSO2 product is released, the release-related information is recorded in the release matrix [1] :-

[1] http://wso2.com/products/carbon/release-matrix/

You can refer to the relevant release dates, the released chunk, the relevant P2 repo link (for feature installations), the compatible Carbon version, and the platform.

If you click on the P2 repo link, it redirects you to the relevant P2 repo information and link. We use this for feature installations for WSO2 products. For example, when you need to install the WSO2 Identity Server Key Manager features into WSO2 API-M, you can install those features into API-M using the relevant P2 repo link.

If you want to refer to the relevant source code for a particular release, you can check the chunk in which the product was released.

Normally, in the WSO2 svn, there are the following categories.

1) trunk - normal development
2) branch - development getting ready for a release
3) tag - once released, the product is available under the tag


If you want to look for the source code of a particular release, check the chunk in which the product was released under the relevant tag, then check for the relevant feature source code under components...

For example :-

API-M 1.8.0 can be found under [1], and you can check the relevant source code for the API-M Store at [2].

[1] https://svn.wso2.org/repos/wso2/carbon/platform/tags/turing-chunk14/products/apimgt/1.8.0/
[2] https://svn.wso2.org/repos/wso2/carbon/platform/tags/turing-chunk14/components/apimgt/api-store-web/

Cheers..!!!

Friday, December 19, 2014

How to enable audit logs for WSO2 API-M

In API-M, audit logs are not enabled by default. If you consider IS: start up the server, log in as admin, and under the [IS-HOME]/repository/logs folder you can see a file called audit.log.

But this is not the case with WSO2 API-M; the audit logs are not enabled by default. You have to enable them manually in the configuration files, but this can be done in a few easy steps.

1) Download WSO2 API Manager
2) Then extract it to a folder
3) Go to the [API-M HOME]/repository/conf/log4j.properties file and add the following configuration for the log file

log4j.logger.AUDIT_LOG=INFO, AUDIT_LOGFILE


then add the following set of configurations...

# Appender config to AUDIT_LOGFILE
log4j.appender.AUDIT_LOGFILE=org.apache.log4j.DailyRollingFileAppender
log4j.appender.AUDIT_LOGFILE.File=${carbon.home}/repository/logs/audit.log
log4j.appender.AUDIT_LOGFILE.Append=true
log4j.appender.AUDIT_LOGFILE.layout=org.wso2.carbon.utils.logging.TenantAwarePatternLayout
log4j.appender.AUDIT_LOGFILE.layout.ConversionPattern=[%d] %P%5p - %x %m %n
log4j.appender.AUDIT_LOGFILE.layout.TenantPattern=%U%@%D [%T] [%S]
log4j.appender.AUDIT_LOGFILE.threshold=INFO
log4j.additivity.AUDIT_LOG=false

4) Save the configuration and start the server

5) TA-DA, now you have the audit logs in API-M :)
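As an added example (not WSO2 code), here is a small Python reader for lines in the shape of the Carbon console line quoted in the SOAPUI post above and of the audit.log that the appender above writes; it picks out successful, failed and logout authentication events and flags users with repeated failures. The sample lines are constructed; the failed-login and logout wording is assumed, not copied from a real server.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the shape of the Carbon console/audit output quoted above.
# Timestamps, users and counts are made up; the failed-login and logout wording is an
# approximation of what CarbonAuthenticationUtil writes, not copied from a real server.
SAMPLE_LOG = """\
[2015-11-13 16:53:21,451]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'hasini@carbon.super [-1234]' logged in at [2015-11-13 16:53:21,451+0530]
[2015-11-13 16:55:02,100]  WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  Failed Administrator login attempt 'admin[-1234]' at [2015-11-13 16:55:02,100+0530]
[2015-11-13 16:55:05,200]  WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  Failed Administrator login attempt 'admin[-1234]' at [2015-11-13 16:55:05,200+0530]
[2015-11-13 16:55:09,300]  WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  Failed Administrator login attempt 'admin[-1234]' at [2015-11-13 16:55:09,300+0530]
[2015-11-13 16:56:00,000]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'hasini@carbon.super [-1234]' logged out at [2015-11-13 16:56:00,000+0530]
[2015-11-13 16:57:00,000]  INFO {org.wso2.carbon.core.init.CarbonServerManager} -  Server           :  WSO2 Identity Server-5.0.0
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Line shape produced by the ConversionPattern "[%d] %P%5p - %x %m %n":
# [timestamp]  LEVEL {logger} -  message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+\{(?P<logger>[^}]+)\}\s+-\s+(?P<msg>.*)$"
)
# Message shapes for the three authentication events (user name, then tenant id in brackets).
LOGIN_OK_RE = re.compile(r"^'(?P<user>[^'\[]+?)\s*\[(?P<tenant>-?\d+)\]' logged in at")
LOGOUT_RE = re.compile(r"^'(?P<user>[^'\[]+?)\s*\[(?P<tenant>-?\d+)\]' logged out at")
LOGIN_FAIL_RE = re.compile(
    r"Failed Administrator login attempt '(?P<user>[^'\[]+?)\s*\[(?P<tenant>-?\d+)\]'"
)
EVENT_PATTERNS = (("login_ok", LOGIN_OK_RE), ("login_failed", LOGIN_FAIL_RE), ("logout", LOGOUT_RE))


def parse_line(line):
    """Parse one log line into a record; return None for lines not in Carbon's line format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
        "level": m["level"],
        "logger": m["logger"],
        "event": "other",
        "user": None,
        "tenant": None,
    }
    # Only the authentication utility logger carries login/logout events.
    if m["logger"].endswith("CarbonAuthenticationUtil"):
        for event, pattern in EVENT_PATTERNS:
            hit = pattern.search(m["msg"])
            if hit:
                rec["event"] = event
                rec["user"] = hit["user"].strip()
                rec["tenant"] = int(hit["tenant"])
                break
    return rec


def summarize(lines, fail_threshold=3):
    """Count events per kind and flag users with at least fail_threshold failed logins."""
    records = [r for r in map(parse_line, lines) if r is not None]
    counts = Counter(r["event"] for r in records)
    failed_by_user = Counter(r["user"] for r in records if r["event"] == "login_failed")
    suspicious = sorted(u for u, n in failed_by_user.items() if n >= fail_threshold)
    return {
        "counts": dict(counts),
        "failed_by_user": dict(failed_by_user),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec["ts"], rec["event"], rec["user"])
    print(summarize(SAMPLE_LINES))
```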

Thursday, December 18, 2014

Use cases with WSO2 IS 5.0.0 - Part 2 - User Provisioning - Part 1

Let's discuss a user provisioning use case with regard to the provisioning framework of WSO2 Identity Server 5.0.0.

With the introduction of the new Identity Server, there are a lot of provisioning capabilities available. There are three major concepts: inbound provisioning, outbound provisioning and Just-In-Time (JIT) provisioning. Inbound provisioning means provisioning users and groups from an external system into IS. Outbound provisioning means provisioning users from IS to other external systems. JIT provisioning means that once a user logs in from an external IdP, a user can be created on the fly in IS. Please read this awesome blog post about the provisioning framework of WSO2 Identity Server.

Now let's take a sample scenario and talk about how provisioning would work using the provisioning capabilities of WSO2 IS.



The above diagram depicts a scenario where a user is provisioned from an external system (inbound provisioning), and in the same flow, once the user is provisioned to IS-A, this user is provisioned to other external systems such as Google Apps or another IS (outbound provisioning).

From an external system you can provision users with the SCIM or SPML connector, and you can also use the SOAP admin services to add a user. Otherwise, if none of the above can be used, you can always write a custom provisioning connector and plug it into WSO2 Identity Server.

For provisioning users to external systems, there are OOTB connectors shipped with WSO2 IS, or you can always write a custom connector according to your requirements.

Let's talk about how to configure such a provisioning scenario in the next related post .....

Tuesday, December 16, 2014

Run Time Governance Use Case with WSO2 GREG and ESB - 1

Hi Y'all,

Long time... How are you all doing? It is Christmas time again.... Let's try to learn a run-time governance scenario with WSO2 Governance Registry today.....:)

Let's start understanding the scenario with a diagram....





We can describe the above diagram as follows :-

1. A custom security policy is uploaded via GREG.
2. GREG is mounted to the ESB.
3. A secured proxy is created applying the custom policy in the registry (referring to the policy in GREG)
4. The proxy is created for the service hosted in the application server.

Once the service is invoked via SoapUI, since the security policy is applied at the ESB, it refers to the policy in the Governance Registry at run-time. Once the security policy is properly validated, the response is passed back to the invoking party.

In the next post let's talk about how to simply build up the above scenario......

Bye bye for now...:)

Tuesday, September 30, 2014

Creating a metadata file for WSO2 IS as SP in a federation scenario

In today's post I would like to share some tips that you will need while creating a metadata file to be used with WSO2 IS.

Use Case :-

With WSO2 IS you have the capability of multiple federation. Some IdPs request a metadata file in order to register IS as a trusted SP. For this we need to generate a metadata file for IS, but auto-generation of the metadata file is not yet available in IS 5.0.0, hence we have to create it manually.

Following are the general metadata details for IS as SP.




<EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://localhost:9443/commonauth"/>
        <KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoM
BFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAy
MTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzO
M4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe
0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXn
RS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcN
AQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTm
xbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogR
Kv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
    </SPSSODescriptor>
</EntityDescriptor>




However, certain IdPs might request more details to be included in the metadata file. You can refer to the metadata standard specification at http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf . The X509 data in the above example metadata is the self-signed certificate of WSO2 Identity Server. In a production deployment you may want to use your own certificate signed by a CA.

Therefore, if you want to extract the X509 information of your certificate, you can use the following java keytool command (the -rfc option prints the certificate in PEM form; the base64 body between the BEGIN and END lines is what goes inside <ds:X509Certificate>) :-

keytool -export -keystore pathToKeystore -rfc -alias aliasNameForCertificate

And you might also want to sign the metadata file, using different algorithms. A very cool tool that you can use for this is XmlSecTool, which has lots of options.

You can check out the tool at https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool#XmlSecToolSigningSAMLMetadata


Use the following command to sign the metadata file using the SHA256 digest algorithm (or another algorithm according to your requirement) after running the tool :-

--sign --digest SHA256 --inFile metadata.xml --outFile signedmetadata.xml --referenceIdAttributeName ID --keystore keystore.jks --keystorePassword password --key keyname --keyPassword password
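An added example in Python (not WSO2's code) that produces SP metadata equivalent to the hand-written file above from an entityID, an ACS URL and the base64 body of a `keytool -export -rfc` certificate, and that inspects a metadata file the way the receiving IdP's administrator would before trusting it. It emits KeyDescriptor before NameIDFormat and AssertionConsumerService, which is the element order the SAML metadata schema prescribes; the certificate body used in the block is a constructed placeholder, not a real certificate.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholder: an ASN.1 SEQUENCE header followed by filler. It is NOT a real
# certificate; in practice the body comes from pem_to_b64_body() applied to keytool output.
FAKE_CERT_B64 = base64.b64encode(
    b"\x30\x82\x01\x00" + b"CONSTRUCTED PLACEHOLDER, NOT A CERTIFICATE"
).decode()


def pem_to_b64_body(pem):
    """Strip the BEGIN/END armour and line breaks from 'keytool -export -rfc' output,
    leaving only the base64 DER body that goes inside <ds:X509Certificate>."""
    return "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )


def build_sp_metadata(entity_id, acs_url, cert_b64, index=1):
    """Return SP metadata XML with the same elements as the hand-written example above,
    in schema order: KeyDescriptor, NameIDFormat, AssertionConsumerService."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       {"protocolSupportEnumeration": SAML2_PROTOCOL})
    key_descriptor = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor")
    key_info = ET.SubElement(key_descriptor, f"{{{DS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS}}}X509Data")
    ET.SubElement(x509_data, f"{{{DS}}}X509Certificate").text = cert_b64
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  {"index": str(index), "Binding": HTTP_POST, "Location": acs_url})
    return ET.tostring(root, encoding="unicode")


def inspect_sp_metadata(xml_text):
    """Parse SP metadata and return the facts an IdP admin verifies before trusting it,
    plus a list of problem codes (empty when everything checks out)."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing-entityID")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in root.iter(f"{{{MD}}}AssertionConsumerService")]
    if not acs:
        problems.append("no-assertion-consumer-service")
    for binding, location in acs:
        # The IdP POSTs the assertion to this URL, so it must be TLS-protected.
        if not (location or "").startswith("https://"):
            problems.append("acs-not-https")
        if binding != HTTP_POST:
            problems.append("acs-binding-not-http-post")
    certs = [(e.text or "").strip() for e in root.iter(f"{{{DS}}}X509Certificate")]
    if not certs:
        problems.append("no-certificate")
    for cert in certs:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("cert-not-base64")
            continue
        # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
        if not der or der[0] != 0x30:
            problems.append("cert-not-der-sequence")
    return {"entity_id": entity_id, "acs": acs, "cert_count": len(certs), "problems": problems}


if __name__ == "__main__":
    xml_text = build_sp_metadata("carbonServer", "https://localhost:9443/commonauth", FAKE_CERT_B64)
    print(xml_text)
    print(inspect_sp_metadata(xml_text))
```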

Thursday, June 26, 2014

Use Case scenarios with WSO2 Identity Server 5.0.0 - Part 1

Hi All,

Let's talk about a few use case scenarios with the new features of WSO2 IS 5.0.0

1. Use Case 1 - SAML2 Web browser based SSO

The above use case is explained in detail in the blog post SAML2 SSO with IS, with a sample demo.

2. Use Case 2 – SAML2 Web browser based SSO + Google authenticator + JIT Provisioning

Let's try to understand the above scenario.

Think of this as an extended version of use case 1, which makes it easy to understand.

As I explained in the post referred to in use case 1, the web app acts as the SP and IS acts as the IdP. Now suppose we want to give access to the web app to users who are not in the IS user store, say a separate set of users. How do we tackle this with WSO2 IS?

WSO2 IS can be set up with the OOTB Google authenticator feature so that any user who has a Google email account can log into the web app. So how does that work?

1. The user tries to log into the web app and is redirected to the IS login page.

2. Now there is an additional link visible, so that, as explained in use case 1, the users who are in the IS user store can log in, and users who are not in the IS user store are also given the option to log in with their Gmail account credentials.

3. When the user selects the link to be authenticated with the Google authenticator, he is redirected to the Gmail login page. (Here, the Google authenticator is registered as a trusted IdP for the web application and multiple login options are given for the webapp; please refer to the blog post at GoogleOpenId for an example setup)

4. The request that goes from IS to Gmail is an OpenID Connect request, and once the user is properly authenticated, an OpenID Connect response comes back to IS.

5. Now, in order to be able to access the webapp, this user must be created in the IS user store, and this is done using Just-In-Time provisioning, which is enabled for the Google authenticator. Therefore, according to the response that comes from Gmail, a user is created in the user store (one-time user creation) with a default password.

6. And the user is given access to the web application.

Use Case 3 – Multiple IdP federation

Now let's extend use case 2 to discuss more of the multiple IdP federation features of IS 5.0.0.

Think about a scenario where no users exist in the IS1 user store for a particular web app, but the users of this web app can be authenticated using Gmail or the IS2 IdP.

In IS1, the Google authenticator and IS2 can be registered as trusted IdPs for IS1, and the webapp can be configured to trust the above two IdPs.

Therefore, some users can use Gmail for authentication, some can use IS2, and some can use both.

There can be scenarios where a Gmail-authenticated user can access only some of the resources of the webapp, and IS2 users some other resources, depending on the authorization logic implemented in the webapp.

See y'all!

SAML2 SSO with IS 5.0.0

Let's talk about the simple SAML2 SSO scenario with WSO2 IS 5.0.0 today.

A simple understanding of the concept can be grabbed from the following diagram.

WSO2 IS provides SAML2 Web browser based SSO, acting as IdP or SP. In the above scenario the web app is the service provider and IS is the identity provider. There is a predefined trust relationship built between the SP and the IdP when enabling SAML2 SSO.

How the above scenario works :-

1. The web app is registered as a trusted SP in IS
2. The web app implements SAML2 SSO and talks to IS using the assertion consumer URL defined

NOTE :- If authentication request / response signature validation is needed, the proper importing / exporting of certificates to the trust stores is needed.

USE CASE SCENARIO
----------------------------------

1. User comes and tries to log into the web app
2. SAML2 Web browser based SSO is configured for the web app with WSO2 IS
3. User is redirected to the IS login page
4. User enters the login credentials
5. If the user exists in the user store of the trusted IdP (IS), the user is allowed to log into the web app


DEMO
---------

Let's check how to quickly demo this using an example app and WSO2 IS.

Required :-

1. Please download IS 5.0.0 from the product page
2. Check out the following sample travelocity app and build it using maven

Configurations
--------------------

1. Take the .war file of the web app and deploy it on the Tomcat server (version 7)
2. Start up WSO2 IS
3. Now let's register the SP in IS
 A. Go to management console Main -> Service Providers -> Add
 B. Give a unique name for the SP and click on Register
 C. Then click on Inbound Authentication Configuration -> Configure
 D. Fill in the details as follows :-



NOTE:- you can change these properties according to what the SP expects. The properties for the webapp can be found in the apache-tomcat-7.0.42\webapps\travelocity.com\WEB-INF\classes\travelocity.properties file

The information filled in for the above example is as follows :-

Issuer :- travelocity.com
Assertion Consumer URL :- http://localhost:8080/travelocity.com/home.jsp
Use fully qualified username in the NameID :- TRUE
Enable SLO :- TRUE

Once configured, click Update on the SAML2 config page as well as on the SP information page that comes next. And you are good to go.

Now paste the following URL into the browser: http://localhost:8080/travelocity.com/index.jsp
and click on SAML login, where you will be redirected to the IS login page. When you enter admin, admin (the default super user of IS) TADA, you are in :)




BYE BYE for now ;)

Sunday, February 9, 2014

Mutual SSL with WSO2 Enterprise Service Bus

Let's try to understand simply what mutual SSL is.

I hope the following diagram will draw a good image in your brain to understand this

-------------------------------------------------------------------------------------------------------


Okay, let's see what happens in each step of the SSL handshake :-

(1) Client says hello and requests the server certificate
(2) Server says hello and sends its certificate

That is the first exchange that happens, but when you enable mutual SSL there is another exchange.

(3) Server says hello and requests the client certificate
(4) Client says hello back and sends its certificate

ONCE BOTH THE PARTIES TRUST EACH OTHER THEY ESTABLISH THE CONNECTION FOR FURTHER ACTIONS BETWEEN CLIENT AND THE SERVER.

Now let's look at what requirements should be completed in order for this to happen :)


(1) The client trust store should have the CA certificate / server certificate (signed by the server's CA) -

FOR THE CLIENT TO TRUST THE SERVER

(2) The server trust store should contain the CA certificate / client certificate (signed by the client's CA) -

FOR THE SERVER TO TRUST THE CLIENT

(3) The Certificate Authority that signed the certificates should be trusted by both parties


Now that you have an understanding of what mutual SSL is and what the requirements are, please have a look at the following important blog post by Asela on how to check the mutual SSL capability of WSO2 ESB with an example Java client :-

Enable Mutual SSL for Proxy services in WSO2ESB - I

Mutual SSL is also called two-way SSL :)

THANKS !

Connecting an external LDAP as the primary LDAP for WSO2 Identity Server

Hi All,

Today I am writing this blog to clear some doubting areas on the mentioned topic.

Lets see how to connect OpenLDAP as the primary LDAP for IS.

1) Download the OpenLDAP for your O/S and install according to the steps mentioned here. [INSTALLATION STEPS HERE FOR LINUX BASED SYSTEMS]

Special Note :- Please save the configuration details somewhere you can access and remember :)

2) And connect to the OpenLDAP via Apache Directory Studio.

3) Download WSO2 Identity Server.

Please not that you only have to change configurations of two files in order to connect this ldap as the primary one.

4) Now lets go and disable the embedded ldap that comes OOTB with IS.

Go to [IS_HOME]/repository/conf/embedded-ldap.xml and set the following configuration.


<EmbeddedLDAP>
<Property name="enable">false</Property>
.......................
</EmbeddedLDAP>
5) Then go to [IS_HOME]/repository/conf/user-mgt.xml and disable the embedded LDAP user store by commenting out the UserStoreManager element that has class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager".

6) Select whether to connect to the external LDAP as Read / Write or Read only, and select the proper class setting.

Read / Write - class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"
Read - class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"

7) Follow the following detailed blog, which describes the properties in detail, for the configuration settings of each of these classes according to your need.

8) Pay special attention to the following settings, because you need to match them to your newly created OpenLDAP for the integration to work properly.

<Property name="ConnectionURL">ldap://localhost:389</Property>
<Property name="ConnectionName">cn=admin,dc=wso2,dc=com</Property>
<Property name="ConnectionPassword">password</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2qa,dc=com</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=com</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=com</Property>

9) Follow the following blog for the proper creation of users and groups in your LDAP.

LDAP - Apache Directory Studio: A Basic Tutorial
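
Added example, not from this post and not WSO2's own code: a small Python check over the user-mgt.xml properties from step 8. It parses the file, lists only the UserStoreManager elements that are still active (the XML parser drops commented-out elements, which is exactly what step 5 relies on), and flags a search base that does not sit under the ConnectionName base DN, a plain ldap:// connection URL, and a plaintext bind password. SAMPLE_USER_MGT is a constructed excerpt built from the properties in the post, not a real user-mgt.xml.

```python
"""Sanity-check the active LDAP user store in a WSO2 user-mgt.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the properties shown in the post. The first
# manager is commented out, as step 5 does for the embedded LDAP.
SAMPLE_USER_MGT = """<UserManager>
  <Realm>
    <!-- embedded LDAP store, disabled by commenting it out (constructed)
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="ConnectionURL">ldap://localhost:10389</Property>
    </UserStoreManager>
    -->
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
      <Property name="ConnectionURL">ldap://localhost:389</Property>
      <Property name="ConnectionName">cn=admin,dc=wso2,dc=com</Property>
      <Property name="ConnectionPassword">password</Property>
      <Property name="UserSearchBase">ou=Users,dc=wso2qa,dc=com</Property>
      <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=com</Property>
      <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=com</Property>
    </UserStoreManager>
  </Realm>
</UserManager>
"""

LDAP_CLASSES = {
    "org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager": "read/write",
    "org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager": "read-only",
}


def base_dn(dn):
    """Lower-cased domain-component suffix of a DN, e.g. 'dc=wso2,dc=com'."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))


def active_user_stores(xml_text):
    """(class, properties) for every live UserStoreManager; comments are not parsed."""
    root = ET.fromstring(xml_text)
    stores = []
    for usm in root.iter("UserStoreManager"):
        props = {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}
        stores.append((usm.get("class", ""), props))
    return stores


def check_user_store(cls, props):
    """Return a list of findings for one user store (empty means nothing to flag)."""
    findings = []
    if cls not in LDAP_CLASSES:
        findings.append(f"class {cls} is not one of the two LDAP user store managers")
    url = props.get("ConnectionURL", "")
    if url.startswith("ldap://"):
        findings.append(f"ConnectionURL {url} is unencrypted; the bind password crosses "
                        "the network in clear unless the server is on loopback")
    admin_base = base_dn(props.get("ConnectionName", ""))
    for key in ("UserSearchBase", "GroupSearchBase", "SharedGroupSearchBase"):
        value = props.get(key)
        if value is not None and base_dn(value) != admin_base:
            findings.append(f"{key}={value} does not share the base DN of ConnectionName ({admin_base})")
    if props.get("ConnectionPassword"):
        findings.append("ConnectionPassword is a plaintext secret in user-mgt.xml; "
                        "restrict the file's permissions and do not keep a default value")
    return findings


def audit(xml_text):
    """[(class, findings)] for each active user store in the file."""
    return [(cls, check_user_store(cls, props)) for cls, props in active_user_stores(xml_text)]


if __name__ == "__main__":
    for cls, findings in audit(SAMPLE_USER_MGT):
        print(cls)
        for f in findings:
            print("  -", f)
```

On the sample from the post the check reports that UserSearchBase (dc=wso2qa) is not under the admin DN's base (dc=wso2); with that mismatch user lookups go to a subtree the bind user may not even see, which is the most common reason a freshly connected store shows no users.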

Hope the above helps anyone who is confused in this area.
Bye bye for now from Sri Lanka :)

Thursday, February 6, 2014

How to simply setup centralized logging with WSO2 Business Activity Monitor

Hi All,

Today let's look at the following simple problem:-

We have two WSO2 products running in an environment. When we have to check event logs we have to log in to each of those two products separately to check the relevant events. If we have more products running, we will have to log in to all the product management consoles to achieve the same.

Simple Solution:-

We can set up WSO2 BAM for centralized logging, so that when you log into the management console of WSO2 BAM you can check the event logs of both / several WSO2 servers in your environment.

The following diagram will draw a clear picture of the solution
-------------------------------------------------------------------------------



Say in our sample scenario we have WSO2 IS and WSO2 ESB; we can save the event logs to the BAM Cassandra database, so that the logs are accessible from a central location.

Simple steps to achieve the above:-
-------------------------------------------

1. Go to the [IS_HOME]/repository/conf/log4j.properties file and add LOGEVENT to the log4j.rootLogger, as follows

log4j.rootLogger=INFO, CARBON_CONSOLE, CARBON_LOGFILE, CARBON_MEMORY, LOGEVENT


2. Then go to [IS_HOME]/repository/conf/etc/logging-config.xml and set <archivedHost>hdfs://localhost:9000/</archivedHost>

3. Start the BAM server and then start the IS server. You can see the event logs for IS in BAM when you go to Home > Tools > Cassandra Explorer > Connect to Cluster > Explore Cluster

4. You can follow the same steps for ESB as well to set up the above scenario
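
Added example, not from this post and not WSO2's own code: a Python helper that makes step 1 repeatable across several products. It appends LOGEVENT to log4j.rootLogger only if it is not already there, and it reports any appender named in rootLogger that has no log4j.appender.<NAME> definition in the file (log4j reports an error at startup and carries on without such an appender, so the events would never reach BAM). SAMPLE_LOG4J is a constructed excerpt; the LogEventAppender class name is what I recall from the stock Carbon file, so verify it against your own copy.

```python
"""Idempotently wire the LOGEVENT appender into log4j.rootLogger (added example)."""

# Constructed excerpt; only the keys this script cares about are included.
SAMPLE_LOG4J = """\
# constructed sample, not a full Carbon log4j.properties
log4j.rootLogger=INFO, CARBON_CONSOLE, CARBON_LOGFILE
log4j.appender.CARBON_CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CARBON_LOGFILE=org.apache.log4j.DailyRollingFileAppender
log4j.appender.LOGEVENT=org.wso2.carbon.logging.appender.LogEventAppender
"""


def parse_properties(text):
    """Minimal key=value parser for log4j.properties (comments and blanks skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def root_appenders(root_value):
    """Split 'LEVEL, A, B' into ('LEVEL', ['A', 'B'])."""
    parts = [p.strip() for p in root_value.split(",")]
    return parts[0], [p for p in parts[1:] if p]


def add_root_appender(text, name="LOGEVENT"):
    """Return the file text with `name` added to log4j.rootLogger; no change if present."""
    out, found = [], False
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip() == "log4j.rootLogger":
            found = True
            level, appenders = root_appenders(value)
            if name not in appenders:
                appenders.append(name)
            raw = "log4j.rootLogger=" + ", ".join([level] + appenders)
        out.append(raw)
    if not found:
        raise ValueError("no log4j.rootLogger line found")
    return "\n".join(out) + "\n"


def undefined_root_appenders(text):
    """Appenders referenced by rootLogger that have no log4j.appender.<NAME> entry."""
    props = parse_properties(text)
    _, appenders = root_appenders(props.get("log4j.rootLogger", ""))
    return [a for a in appenders if f"log4j.appender.{a}" not in props]


if __name__ == "__main__":
    patched = add_root_appender(SAMPLE_LOG4J)
    print(patched)
    print("undefined appenders:", undefined_root_appenders(patched))
```

Running the same helper on ESB's log4j.properties covers step 4; the undefined-appender check is the thing to look at first if BAM stays empty after the restart.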

Note :-

Connect to Cassandra with the following details

Connection URL*   localhost:9160
User Name         admin
Password          admin


Please refer to the following detailed blog for in-depth details on centralized logging with BAM

How Distributed Logging Works in WSO2 Stratos.

Saturday, January 18, 2014

How to write a multiple Permit rule policy using WSO2 IS PAP simple policy editor - WSO2 IS 4.6.0

Hi All,

Today let's look at how to resolve the following simple problem scenario :-

Problem :-

Using WSO2 IS I want to give certain users the access to a web service that I have exposed.

But the rule must be such that one particular user "umesha" will only have READ rights, while all the other users will have READ, WRITE and DELETE rights.

How can I do this? Of course you might know that you can achieve this with a XACML policy to enable fine-grained authorization.

Another problem - I do not know how to write XACML policies :O

Solution :-

Using the WSO2 IS Simple Policy Editor you can write a multiple-rule XACML policy, and you do not need to know XACML for this.
Any novice user can create their own policies with this feature of the WSO2 XACML engine :)

Now let's look at how to write this simple policy :-

[You need to have WSO2 IS 4.6.0 downloaded and running]

1. Log in to the Identity Server Management Console

2. Go to Home > Entitlement > PAP > Policy Administration

3. Select Simple Policy Editor

4. Give the policy a name

5. Select what the policy is based on - Resource

6. Give the name of the resource

7. Then we will focus on the first rule

We need to give "umesha" READ rights and READ rights only.

Select Child Resource / UserName under User

Give the user name as "umesha"

Give the Action as "READ"

8. Now click on the little plus sign to add the other rule

To give all the other users the READ, WRITE and DELETE actions

fill in the selected UserName as "{^(?!umesha$).*}" - you should give this as a string regex

then give the actions as "READ | WRITE | DELETE"

9. Save the policy


The created policy will look as follows:-


<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="SimplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule Effect="Permit" RuleId="Rule-1">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">umesha</AttributeValue>
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="Rule-2">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WRITE</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DELETE</AttributeValue>
          </Apply>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
          <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"/>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?!umesha$).*</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>
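
Added example, not from this post and not the WSO2 XACML engine's code: a small Python model of the generated policy so you can see what each request decides before deploying it. It mirrors the three rules and the first-applicable combining algorithm literally: Rule-1 only applies when the action is READ and the subject is umesha, Rule-2 applies when the action is in the WRITE/READ/DELETE bag and the subject matches ^(?!umesha$).*, and Deny-Rule has no target or condition so it always applies as the fallback. Python's re module stands in for the engine's regex implementation (assumed to behave the same for this pattern), and the model assumes all attributes are present in the request.

```python
"""Model of the two-rule policy above under first-applicable (added example)."""
import re

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Python's re stands in for the engine's regex; assumed equivalent for this pattern.
OTHER_USERS = re.compile(r"^(?!umesha$).*")
RULE2_ACTIONS = {"WRITE", "READ", "DELETE"}   # the string-bag in Rule-2


def rule_1(subject, action):
    """Rule-1: Target action-id == READ; Condition subject-id == umesha."""
    if action != "READ":                      # Target does not match: rule not applicable
        return NOT_APPLICABLE
    return PERMIT if subject == "umesha" else NOT_APPLICABLE


def rule_2(subject, action):
    """Rule-2: and(action in {WRITE,READ,DELETE}, subject matches ^(?!umesha$).*)."""
    if action in RULE2_ACTIONS and OTHER_USERS.match(subject):
        return PERMIT
    return NOT_APPLICABLE


def deny_rule(subject, action):
    """Deny-Rule has no Target and no Condition, so it always applies."""
    return DENY


RULES = (rule_1, rule_2, deny_rule)           # order matters under first-applicable


def evaluate(resource, subject, action):
    """Decision for one request: the first rule that is not NotApplicable wins."""
    if resource != "service":                 # policy Target: resource-id == service
        return NOT_APPLICABLE
    for rule in RULES:
        decision = rule(subject, action)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE


def decision_table(subjects, actions):
    """Decisions for every subject/action pair on the resource 'service'."""
    return {(s, a): evaluate("service", s, a) for s in subjects for a in actions}


if __name__ == "__main__":
    table = decision_table(["umesha", "bob", "Umesha"], ["READ", "WRITE", "DELETE", "EXECUTE"])
    for (s, a), d in sorted(table.items()):
        print(f"{s:8} {a:8} -> {d}")
```

Two things the table makes visible that the editor does not: an action outside the bag (EXECUTE) falls through to Deny-Rule for everyone, which is the safe default; and the regex is case-sensitive, so a subject-id of "Umesha" gets the full READ/WRITE/DELETE set unless the user store or PEP normalises user names before the request reaches the PDP. In the real engine a request with no subject-id at all would yield Indeterminate because of MustBePresent="true", which this model does not represent.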