Sunday, February 9, 2014

Mutual SSL with WSO2 Enterprise Service Bus

Let's try to understand, simply, what mutual SSL is.

I hope the following diagram will give you a clear picture of it.

-------------------------------------------------------------------------------------------------------


Okay, let's see what happens in each step of the SSL handshake:

(1) The client says hello and requests the server certificate
(2) The server says hello and presents its certificate

That is the first part of the handshake; when you enable mutual SSL, an additional exchange takes place.

(3) The server requests the client certificate
(4) The client responds with its certificate

ONCE BOTH PARTIES TRUST EACH OTHER, THEY ESTABLISH THE CONNECTION FOR FURTHER ACTIONS BETWEEN THE CLIENT AND THE SERVER.

Now let's look at what requirements must be met in order for this to happen :)


(1) The client trust store should hold the CA certificate (or the server certificate itself, signed by the server's CA)

FOR THE CLIENT TO TRUST THE SERVER

(2) The server trust store should hold the CA certificate (or the client certificate itself, signed by the client's CA)

FOR THE SERVER TO TRUST THE CLIENT

(3) The Certificate Authority that signed the certificates should be trusted by both parties
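
The three requirements above, modelled with the openssl CLI as an added example (not code from the original post): one CA signs both certificates, each side's trust store is just the CA certificate it holds, and a second unrelated CA shows what happens when requirement (3) is not met. It assumes openssl is on PATH; all names and subjects are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): model the three trust-store
# requirements with the openssl CLI. One CA signs both the server and the client
# certificate; each side's "trust store" is simply the CA certificate it holds.
# A second, unrelated CA ("other-ca") shows what happens when requirement (3)
# is not met. Assumes openssl is on PATH; all names and subjects are constructed.
set -e
command -v openssl >/dev/null || { echo "openssl CLI is required" >&2; exit 1; }
WORK=$(mktemp -d)

# Self-signed CA certificate and key for $1
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# End-entity certificate for $1, signed by CA $2
gen_signed() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# Does a trust store holding CA $1 accept certificate $2? (answer = exit status)
trusts() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

gen_ca ca                  # the CA both parties agree to trust
gen_ca other-ca            # a CA nobody in this setup trusts
gen_signed server ca
gen_signed client ca
gen_signed rogue other-ca  # a "client" certificate from the untrusted CA

# Requirement (1): the client trust store (ca.crt) accepts the server certificate
trusts ca server && echo "client trusts server: yes"
# Requirement (2): the server trust store (ca.crt) accepts the client certificate
trusts ca client && echo "server trusts client: yes"
# Requirement (3) broken: a certificate from an untrusted CA is rejected, so the
# second half of the handshake (steps 3 and 4) would fail for this client
trusts ca rogue || echo "server trusts rogue client: no"
```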


Now that you have an understanding of what mutual SSL is and what the requirements are, please have a look at the following important blog post by Asela to see how to check the mutual SSL capability of the WSO2 ESB with an example Java client:

Enable Mutual SSL for Proxy services in WSO2ESB - I

Mutual SSL is also called two-way SSL :)

THANKS !

Connecting an external LDAP as the primary LDAP for WSO2 Identity Server

Hi All,

Today I am writing this blog to clear up some areas of doubt on the topic above.

Let's see how to connect OpenLDAP as the primary LDAP for IS.

1) Download OpenLDAP for your OS and install it according to the steps mentioned here. [INSTALLATION STEPS HERE FOR LINUX BASED SYSTEMS]

Special Note :- Please save the configuration details somewhere you can access them later and remember :)

2) Connect to OpenLDAP via Apache Directory Studio.

3) Download WSO2 Identity Server.

Please note that you only have to change the configuration of two files in order to connect this LDAP as the primary one.

4) Now let's disable the embedded LDAP that comes out of the box with IS.

Go to [IS_HOME]/repository/conf/embedded-ldap.xml and set the following configuration.


<EmbeddedLDAP>
<Property name="enable">false</Property>
.......................
</EmbeddedLDAP>
5) Then go to [IS_HOME]/repository/conf/user-mgt.xml and disable the embedded LDAP by commenting out the existing user store manager configuration with class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager".
6) Select whether to connect to the external LDAP as Read/Write or Read only, and use the matching class:
Read / Write - class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"
Read only - class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"
7) Follow the following detailed blog for the configuration settings of each of these classes according to your need; it describes the properties in detail.
8) Pay special attention to the following settings, because they must match your newly created OpenLDAP (the bind DN, its password, and the base DNs under your directory suffix) in order to integrate properly.
<Property name="ConnectionURL">ldap://localhost:389</Property>
<Property name="ConnectionName">cn=admin,dc=wso2,dc=com</Property>
<Property name="ConnectionPassword">password</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2qa,dc=com</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=com</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=com</Property>
9) Follow the following blog for the proper creation of users and groups in your LDAP.

LDAP - Apache Directory Studio: A Basic Tutorial
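
Before restarting IS with the settings from step 8, it is worth checking that they are consistent with each other. The following is an added example (not code from the original post): a small POSIX sh check that the search bases share the directory suffix of the bind DN and that the ConnectionURL is well formed. The sample user-mgt.xml fragment it reads is constructed and reproduces the dc=wso2qa / dc=wso2 mismatch in the listing above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the LDAP connection
# properties of a user-mgt.xml before restarting IS. The search bases must live
# under the same directory suffix (the dc=... part) as the bind DN, and the
# ConnectionURL must look like ldap://host:port or ldaps://host:port; otherwise
# IS only reports an obscure bind or search failure at startup.
set -e
WORK=$(mktemp -d)

# Print the value of <Property name="$1"> from file $2 (first match only)
prop() {
  sed -n "s|.*<Property name=\"$1\">\([^<]*\)</Property>.*|\1|p" "$2" | head -n 1
}

# Reduce a DN to its dc=... suffix: ou=Users,dc=wso2,dc=com -> dc=wso2,dc=com
dn_suffix() {
  case "$1" in
    dc=*)   printf '%s\n' "$1" ;;
    *,dc=*) printf 'dc=%s\n' "${1#*,dc=}" ;;
    *)      printf '%s\n' "$1" ;;
  esac
}

# Return 0 when the URL is well formed and every search base shares the suffix
# of ConnectionName; print one line per finding otherwise
check_user_mgt() {
  file=$1; rc=0
  url=$(prop ConnectionURL "$file")
  case "$url" in
    ldap://*:[0-9]*|ldaps://*:[0-9]*) ;;
    *) echo "bad ConnectionURL: '$url'"; rc=1 ;;
  esac
  base=$(dn_suffix "$(prop ConnectionName "$file")")
  for name in UserSearchBase GroupSearchBase SharedGroupSearchBase; do
    dn=$(prop "$name" "$file")
    if [ "$(dn_suffix "$dn")" != "$base" ]; then
      echo "$name '$dn' is not under '$base'"; rc=1
    fi
  done
  return $rc
}

# Constructed sample: the properties from the post, mismatch included
cat > "$WORK/user-mgt.xml" <<'EOF'
<Property name="ConnectionURL">ldap://localhost:389</Property>
<Property name="ConnectionName">cn=admin,dc=wso2,dc=com</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2qa,dc=com</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=com</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=com</Property>
EOF
check_user_mgt "$WORK/user-mgt.xml" || echo "fix the properties above before starting IS"
```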

Hope the above helps anyone who is confused in this area.
Bye bye for now from Sri Lanka :)

Thursday, February 6, 2014

How to simply setup centralized logging with WSO2 Business Activity Monitor

Hi All,

Today let's look at the following simple problem:

We have two WSO2 products running in an environment. When we have to check event logs, we have to log into each of the two products separately to check the relevant events. If we have more products running, we would have to log in to every product's management console to achieve the same.

Simple Solution:-

We can set up WSO2 BAM for centralized logging, so that when you log into the management console of WSO2 BAM you can check the event logs of both (or several) WSO2 servers in your environment.

The following diagram will draw a clear picture of the solution
-------------------------------------------------------------------------------



Say in our sample scenario we have WSO2 IS and WSO2 ESB; we can save their event logs to the BAM Cassandra database, so that the logs are accessible from a central location.

Simple steps to achieve the above:
-------------------------------------------

1. Go to the [IS_HOME]/repository/conf/log4j.properties file and add LOGEVENT to the log4j.rootLogger line, as follows:

log4j.rootLogger=INFO, CARBON_CONSOLE, CARBON_LOGFILE, CARBON_MEMORY, LOGEVENT


2. Then go to [IS_HOME]/repository/conf/etc/logging-config.xml and set <archivedHost>hdfs://localhost:9000/</archivedHost>

3. Start the BAM server and then start the IS server. You can see the event logs of IS in BAM when you go to Home > Tools > Cassandra Explorer > Connect to Cluster > Explore Cluster

4. You can follow the same steps for the ESB as well to set up the above scenario.

Note :-

Connect to Cassandra with the following details:

Connection URL: localhost:9160
User Name:      admin
Password:       admin
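
Steps 1 and 2 above, applied idempotently to a server's conf files, as an added example (not code from the original post). Only the appender name LOGEVENT, the <archivedHost> element and the hdfs URL from the post are used; the two sample files it edits are constructed stand-ins for the real log4j.properties and logging-config.xml, so their other contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): apply steps 1 and 2 to the conf
# files idempotently (safe to run twice) and verify the result. The two sample
# files are constructed stand-ins for the product's real ones.
set -e
WORK=$(mktemp -d)

# True when LOGEVENT is listed on the log4j.rootLogger line of file $1
logevent_enabled() {
  grep -Eq '^log4j\.rootLogger=.*[ ,]LOGEVENT([ ,]|$)' "$1"
}

# Step 1: add LOGEVENT to the log4j.rootLogger line of file $1 unless present
add_logevent() {
  f=$1
  logevent_enabled "$f" && return 0
  sed 's/^\(log4j\.rootLogger=.*\)$/\1, LOGEVENT/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  # rootLogger only references the appender; log4j also needs its definition
  grep -q '^log4j\.appender\.LOGEVENT=' "$f" || echo "warning: no log4j.appender.LOGEVENT in $f" >&2
}

# Step 2: point <archivedHost> in file $1 at the endpoint $2
set_archived_host() {
  sed "s|<archivedHost>[^<]*</archivedHost>|<archivedHost>$2</archivedHost>|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Current <archivedHost> value of file $1
archived_host() {
  sed -n 's|.*<archivedHost>\([^<]*\)</archivedHost>.*|\1|p' "$1" | head -n 1
}

# Constructed stand-ins for [IS_HOME]/repository/conf/log4j.properties and
# [IS_HOME]/repository/conf/etc/logging-config.xml (element wrapper assumed)
cat > "$WORK/log4j.properties" <<'EOF'
log4j.rootLogger=INFO, CARBON_CONSOLE, CARBON_LOGFILE, CARBON_MEMORY
log4j.appender.CARBON_CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.LOGEVENT=org.apache.log4j.ConsoleAppender
EOF
cat > "$WORK/logging-config.xml" <<'EOF'
<loggingConfig>
  <archivedHost>hdfs://CHANGE_ME:9000/</archivedHost>
</loggingConfig>
EOF

add_logevent "$WORK/log4j.properties"
add_logevent "$WORK/log4j.properties"   # second run must not add LOGEVENT twice
set_archived_host "$WORK/logging-config.xml" hdfs://localhost:9000/
grep '^log4j\.rootLogger=' "$WORK/log4j.properties"
echo "archivedHost = $(archived_host "$WORK/logging-config.xml")"
```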


Please refer to the following detailed blog for in-depth details of centralized logging with BAM:

How Distributed Logging Works in WSO2 Stratos.