Thursday, October 29, 2015
Learning WSO2 API Manager - MIND MAP
Labels: API Manager, API-M, mindmap, Tech Thoughts
Wednesday, September 23, 2015
Bird & the feather
Labels: Bird & the feather, Creative Thoughts
Sunday, July 26, 2015
Untitled
Tuesday, March 31, 2015
OAuth2 Playground app with WSO2 Identity Server 5.0.0
This is basically a how-to reference post :)
1) Download the playground app from here and build it using Maven
2) Take the .war file and deploy it on a Tomcat server
3) Download the WSO2 Identity Server.
Now we need to configure the Playground app in the IS.
4) Go to Add new service provider
5) Give it a name, e.g. playground
6) Register the application
7) Now you will see a long list of options for the service provider; expand the Inbound Authentication tab to find the OAuth configuration
8) Click on Configure, add the relevant configuration and save:
callback url :- http://localhost:8080/playground2/oauth2client
select the needed OAuth grant types, OAuth version 2.0
9) This generates a key and a secret for the application (displayed after generation); these are used to invoke the authorization / token endpoints on the server
10) Once done, save the application configs
11) Start the Tomcat server and go to http://localhost:8080/playground2
12) Click on Import Photos, then select the relevant grant type and fill in the details as you go through the steps; basically the information needed is on the IS service provider side (key, secret, URLs etc.)
13) Depending on the grant type, you go through the corresponding OAuth handshake; after getting the access token you can import the photos :)
References :-
[1] https://docs.wso2.com/display/IS450/OAuth+2.0+Playground+with+WSO2+Identity+Server
Listen to this awesome webinar on OAuth :-
[2] http://wso2.com/library/webinars/2012/08/oauth-2-the-path-to-heaven-from-hell/
The following is a very useful resource link :-
[3] https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
Labels: Identity Server, IS, OAuth, SP, Tech Thoughts
Wednesday, December 31, 2014
Use Case scenarios with WSO2 Identity Server 5.0.0 - Part 2
Hi All,
Today let's talk about database connectivity with WSO2 Identity Server. As you know, WSO2 Identity Server can be deployed over any LDAP, AD or JDBC user store. In fact, you can write a custom user store manager and connect to any legacy database.
The WSO2 IS has the concept of a primary database and secondary databases. If you want to change the primary database, you have to change the configuration files and restart the server. But if you are adding secondary databases, you can do this through the IS management console. This is some background information on the product.
Now, let's talk about a common use case scenario.
Say you need to connect the IS server to many databases. Clearly you can do this by connecting all the databases as secondary databases. Then, when a user tries to authenticate, the user is authenticated by checking all the connected databases.
Solution 1
-------------
If your user bases are located in different geographical locations, say for example you have three offices in three countries and you need to connect the Identity Server to the three user databases located in those countries, what you can do is connect these databases as secondary databases via VPN connections.
Solution 2
----------------
Another solution would be to have an Identity Server in each of these countries, and one central Identity Server to which the users from the other three servers are provisioned, and against which the users are then authenticated.
Please check the following resource links for the implementation of these scenarios :-
[1] https://docs.wso2.com/display/IS500/Working+with+User+Stores
[2] https://docs.wso2.com/display/IS500/Configuring+Primary+User+Stores
[3] https://docs.wso2.com/display/IS500/Configuring+Secondary+User+Stores
[4] https://docs.wso2.com/display/IS500/Identity+Provisioning+Concepts
[5] https://docs.wso2.com/display/IS500/Identity+Provisioning
Cheers! Last post for year 2014... have a wonderful 2015 ahead... see you next year ;)
Labels: authentication, database, Identity Server, Primary, provisioning, SCIM, SPML, Secondary, Tech Thoughts, user, WSO2
Tuesday, December 23, 2014
Product releases, and relevant information - WSO2
This is just a note for anyone who is looking for this information - not a fancy blog post :)
---------------------------------------------------------------------------------
Once a WSO2 product is released, the release related information is recorded in the release matrix [1] :-
[1] http://wso2.com/products/carbon/release-matrix/
There you can refer to the relevant release dates, the released chunk, the relevant P2 repo link (for feature installations), the compatible Carbon version, and the platform.
If you click on the P2 repo link, it redirects you to the relevant P2 repo information and link. We use this for feature installations on WSO2 products. For example, when you need to install the WSO2 Identity Server Key Manager feature into WSO2 API-M, you can install it into API-M using the relevant P2 repo link.
If you want to refer to the source code for a particular release, check the chunk in which the product was released.
Normally, in the WSO2 svn, there are the following categories.
1) trunk - normal development
2) branch - development getting ready for a release
3) tag - once released, the product is available under the tag
If you want to look for the source code of a particular release, check under the relevant tag for the chunk the product was released in, then check for the relevant feature source code under components...
For example :-
API-M 1.8.0 can be found under [1], and you can check the relevant source code for the API-M Store at [2].
[1] https://svn.wso2.org/repos/wso2/carbon/platform/tags/turing-chunk14/products/apimgt/1.8.0/
[2] https://svn.wso2.org/repos/wso2/carbon/platform/tags/turing-chunk14/components/apimgt/api-store-web/
Cheers..!!!
Labels: branch, chunk, components, p2 repo, tag, Tech Thoughts, trunk, WSO2
Friday, December 19, 2014
How to enable audit logs for WSO2 API-M
In API-M there are no audit logs enabled by default. If you consider IS, start up the server and log in as admin; you can see under the [IS-HOME]/repository/logs folder a file called audit.log.
But this is not the case with WSO2 API-M. The audit logs are not enabled by default with API-M; you have to enable them manually in the configuration files. This can be done in a few easy steps.
1) Download WSO2 API Manager
2) Extract it to a folder
3) Open the [API-M HOME]/repository/conf/log4j.properties file and add the following logger configuration for the audit log file
log4j.logger.AUDIT_LOG=INFO, AUDIT_LOGFILE
then add the following set of appender configurations (the additivity=false line keeps the audit entries out of the root logger's appenders, so they land only in audit.log)...
# Appender config to AUDIT_LOGFILE
log4j.appender.AUDIT_LOGFILE=org.apache.log4j.DailyRollingFileAppender
log4j.appender.AUDIT_LOGFILE.File=${carbon.home}/repository/logs/audit.log
log4j.appender.AUDIT_LOGFILE.Append=true
log4j.appender.AUDIT_LOGFILE.layout=org.wso2.carbon.utils.logging.TenantAwarePatternLayout
log4j.appender.AUDIT_LOGFILE.layout.ConversionPattern=[%d] %P%5p - %x %m %n
log4j.appender.AUDIT_LOGFILE.layout.TenantPattern=%U%@%D [%T] [%S]
log4j.appender.AUDIT_LOGFILE.threshold=INFO
log4j.additivity.AUDIT_LOG=false
4) Save the configuration and start the server
5) TA-DA, now you have audit logs in API-M :)
Labels: API Manager, API-M, audit, How to, logs, Tech Thoughts
Thursday, December 18, 2014
Use cases with WSO2 IS 5.0.0 - Part 2 - User Provisioning - Part 1
Let's discuss a user provisioning use case with regards to the provisioning framework of WSO2 Identity Server 5.0.0.
With the introduction of the new Identity Server, there are a lot of provisioning capabilities available. There are 3 major concepts: inbound provisioning, outbound provisioning and Just-In-Time (JIT) provisioning. Inbound provisioning means provisioning users and groups from an external system into IS. Outbound provisioning means provisioning users from IS to other external systems. JIT provisioning means that once a user logs in from an external IdP, a user can be created on the fly in IS. Please read this awesome blog post about the provisioning framework of WSO2 Identity Server.
Now, let's take a sample scenario and talk about how provisioning would work using the provisioning capabilities of WSO2 IS.
The above diagram depicts a scenario where a user is provisioned from an external system (inbound provisioning), and in the same flow, once the user is provisioned to IS-A, this user is provisioned to other external systems like Google Apps or another IS (outbound provisioning).
From an external system you can provision users with the SCIM or SPML connector, or you can use the SOAP admin services to add a user. If none of the above can be used, you can always write a custom provisioning connector and plug it into WSO2 Identity Server.
For provisioning users to external systems, there are OOTB connectors shipped with WSO2 IS, or you can write a custom connector according to your requirement.
Let's talk about how to configure such a provisioning scenario in the next related post .....
Labels: connector, Identity Server, IS, provisioning, SCIM, SPML, Tech Thoughts, WSO2
Tuesday, December 16, 2014
Run Time Governance Use Case with WSO2 GREG and ESB - 1
Hi y'all,
Long time... How are you all doing? It is Christmas time again.... Let's try to learn a run-time governance scenario with WSO2 Governance Registry today.....:)
Let's start understanding the scenario with a diagram....
We can describe the above diagram as follows :-
1. A custom security policy is uploaded to GREG.
2. GREG is mounted to the ESB.
3. A secured proxy is created in the ESB applying the custom policy from the registry (referring to the policy in GREG).
4. The proxy is created for the service hosted in the Application Server.
Once the service is invoked via SoapUI, since the security policy is applied at the ESB, the ESB refers to the policy in the Governance Registry at run-time. Once the security policy is properly validated, the response is passed back to the invoking party.
In the next post let's talk about how to simply build up the above scenario......
Bye bye for now...:)
Labels: Application Server, ESB, governance, GREG, policy, runtime, service, SoapUI, Tech Thoughts, WSO2
Tuesday, September 30, 2014
Creating a metadata file for WSO2 IS as SP in a federation scenario
In today's post I would like to share some tips that you will need while creating a metadata file to be used with WSO2 IS.
Use Case :-
With WSO2 IS you have the capability of multiple federation. Some IdPs request a metadata file in order to register IS as a trusted SP. For this we need to generate a metadata file for IS, but auto-generation of the metadata file is not available as yet with IS 5.0.0, hence we have to create it manually.
The following is a general metadata file for IS as SP.
<EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://localhost:9443/commonauth"/>
    <KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
However, certain IdPs might request more details to be included in the metadata file. You can refer to the metadata standard specification at http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf . The X509 data in the above example metadata is that of the self-signed certificate of WSO2 Identity Server. In a production deployment you might want to use your own certificate signed by a CA.
Therefore, if you want to extract the X509 information of your certificate, you can use the following command with the Java keytool :-
keytool -export -keystore pathToKeystore -rfc -alias aliasNameForCertificate
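Since IS 5.0.0 does not generate the metadata for you, it helps to script the manual step. The following Go program is an added example, not code from the post or from WSO2: it takes the PEM block that keytool -rfc prints, strips the armor, renders the same minimal SP descriptor shown above, and parses the result back so a stray quote or ampersand in the entityID or ACS URL can never produce a malformed file. SampleKeytoolOutput is a constructed placeholder, not a real certificate, and the function names are my own.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/pem"
	"encoding/xml"
	"errors"
	"fmt"
	"text/template"
)

// SPMetadata holds the three values that differ between deployments.
type SPMetadata struct {
	EntityID   string // the entityID the IdP will register IS under
	ACSURL     string // AssertionConsumerService location, e.g. https://localhost:9443/commonauth
	CertBase64 string // base64 DER of the IS signing certificate, without PEM armor
}

// descriptor mirrors the minimal SP descriptor shown in the post.
var descriptor = template.Must(template.New("md").Parse(`<EntityDescriptor entityID="{{.EntityID}}" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{.ACSURL}}"/>
    <KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{{.CertBase64}}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
`))

// CertFromKeytoolPEM takes the output of `keytool -export -rfc ...` and returns the
// base64 body that belongs inside <ds:X509Certificate>. Anything that is not a
// CERTIFICATE block is rejected instead of being pasted into the metadata.
func CertFromKeytoolPEM(pemText []byte) (string, error) {
	block, _ := pem.Decode(pemText)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("input is not a PEM CERTIFICATE block")
	}
	return base64.StdEncoding.EncodeToString(block.Bytes), nil
}

// xmlEscape escapes & < > " ' so a value cannot break out of an attribute or element.
func xmlEscape(s string) string {
	var b bytes.Buffer
	xml.EscapeText(&b, []byte(s))
	return b.String()
}

// BuildSPMetadata renders the descriptor, then parses it back and compares the
// recovered values with the inputs, so malformed output never reaches the IdP.
func BuildSPMetadata(md SPMetadata) ([]byte, error) {
	var out bytes.Buffer
	err := descriptor.Execute(&out, SPMetadata{xmlEscape(md.EntityID), xmlEscape(md.ACSURL), md.CertBase64})
	if err != nil {
		return nil, err
	}
	var probe struct {
		XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
		EntityID string   `xml:"entityID,attr"`
		ACS      struct {
			Location string `xml:"Location,attr"`
		} `xml:"SPSSODescriptor>AssertionConsumerService"`
		Cert string `xml:"SPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
	}
	if err := xml.Unmarshal(out.Bytes(), &probe); err != nil {
		return nil, err
	}
	if probe.EntityID != md.EntityID || probe.ACS.Location != md.ACSURL || probe.Cert != md.CertBase64 {
		return nil, errors.New("rendered metadata does not round-trip")
	}
	return out.Bytes(), nil
}

// SampleKeytoolOutput stands in for what keytool -rfc prints. The body is a
// constructed placeholder, not a real DER certificate.
var SampleKeytoolOutput = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("constructed placeholder, not a real DER certificate")})

func main() {
	b64, err := CertFromKeytoolPEM(SampleKeytoolOutput)
	if err != nil {
		panic(err)
	}
	md, err := BuildSPMetadata(SPMetadata{EntityID: "carbonServer", ACSURL: "https://localhost:9443/commonauth", CertBase64: b64})
	if err != nil {
		panic(err)
	}
	fmt.Print(string(md))
}
```

Feed it the real keytool output instead of the placeholder and check that the IdP-side registration uses the same entityID you passed in; the round-trip check only guarantees the file is well formed, it does not validate the certificate itself.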
And you might also want to sign the metadata file using different algorithms. A very cool tool that you can use for this is the XmlSecTool, which has lots of options.
You can check for the tool at https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool#XmlSecToolSigningSAMLMetadata
Use the following options to sign the metadata file using the SHA256 digest (or another algorithm according to the requirement) after running the tool :-
--sign --digest SHA256 --inFile metadata.xml --outFile signedmetadata.xml --referenceIdAttributeName ID --keystore keystore.jks --keystorePassword password --key keyname --keyPassword password
Labels: IS, metadata, SP, Tech Thoughts
Thursday, June 26, 2014
Use Case scenarios with WSO2 Identity Server 5.0.0 - Part 1
Hi All,
Let's talk about a few use case scenarios with the new features of WSO2 IS 5.0.0
1. Use Case 1 - SAML2 Web browser based SSO
The above use case is explained in detail in the blog post SAML2 SSO with IS, with a sample demo.
2. Use Case 2 – SAML2 Web browser based SSO + Google authenticator + JIT Provisioning
Let's try to understand the above scenario.
Think of this as an extended version of use case 1, which is an easy way to understand it.
As I explained in the post referred to in use case 1, the web app acts as the SP and IS acts as the IdP. Now suppose we want to give access to the web app to users who are not in the IS user store; these can be a separate set of users, say. How do we tackle this with WSO2 IS?
WSO2 IS can be set up with the OOTB Google Authenticator feature so that any user who has a Google email account can log into the web app. So how does that work?
1. The user tries to log into the web app and is redirected to the IS login page.
2. Now there is an additional link visible, so that, as explained in use case 1, users who are in the IS user store can log in, and users who are not in the IS user store are also given the option to log in using their Gmail account credentials.
3. When the user selects the link to be authenticated with the Google authenticator, he is redirected to the Gmail login page. (Here the Google authenticator is registered as a trusted IdP for the web application and multiple login options are given for the web app - please refer to the blog post at GoogleOpenId for an example setup)
4. The request that goes from IS to Gmail is an OpenID Connect request, and once the user is properly authenticated, an OpenID Connect response comes back to IS.
5. Now, in order to be able to access the web app, this user must exist in the IS user store, and this is done using Just-In-Time provisioning, which is enabled for the Google authenticator. So, according to the response that comes from Gmail, a user is created in the user store (one-time user creation) with a default password.
6. And the user is given access to the web application.
Use Case 3 – Multiple IdP federation
Now let's extend use case 2 further to discuss the multiple IdP federation features of IS 5.0.0.
Think of a scenario where no users exist in the IS1 user store for a particular web app, but the users of this web app can be authenticated using Gmail or the IS2 IdP.
In IS1, the Google authenticator and IS2 can be registered as trusted IdPs for IS1, and the web app can be configured to trust these 2 IdPs.
Therefore some users can use Gmail for authentication, some can use IS2, and some can use both.
There can be scenarios where Gmail-authenticated users can access only some of the resources of the web app and IS2 users some other resources, depending on the authorization logic implemented in the web app.
See y'all!
Labels: Identity Server, IS, SAML2 SSO, SSO, Tech Thoughts
SAML2 SSO with IS 5.0.0
Let's talk about the simple SAML2 SSO scenario with WSO2 IS 5.0.0 today.
A simple understanding of the concept can be grabbed from the following diagram.
WSO2 IS provides SAML2 Web browser based SSO acting as IdP or SP. In the above scenario the web app is the service provider and IS is the identity provider. There is a pre-defined trust relationship built between the SP and the IdP when enabling SAML2 SSO.
How the above scenario works :-
1. The web app is registered as a trusted SP in IS
2. The web app implements SAML2 SSO and talks to IS using the assertion consumer URL defined
NOTE :- If authentication request / response signature validation is needed, the certificates must be properly exported and imported into the respective trust stores.
USE CASE SCENARIO
----------------------------------
1. The user comes and tries to log into the web app
2. SAML2 Web browser based SSO is configured for the web app with WSO2 IS
3. The user is redirected to the IS login page
4. The user enters the login credentials
5. If the user exists in the user store of the trusted IdP (IS), the user is allowed to log into the web app
DEMO
---------
Let's check how to quickly demo this using an example app and WSO2 IS.
Required :-
1. Please download IS 5.0.0 from the product page.
2. Check out the following sample travelocity app and build it using Maven
Configurations
--------------------
1. Take the .war file of the web app and deploy it on the Tomcat server (version 7)
2. Start up WSO2 IS
3. Now let's register the SP in IS
A. Go to management console Main -> Service Providers -> Add
B. Give a unique name for the SP and click on Register
C. Then click on Inbound Authentication Configuration -> Configure
D. Fill in the details as follows :-
NOTE:- you can change these properties according to what the SP expects. The properties for the web app can be found in the apache-tomcat-7.0.42\webapps\travelocity.com\WEB-INF\classes\travelocity.properties file
The information filled in for the above example is as follows :-
Issuer :- travelocity.com
Assertion Consumer URL :- http://localhost:8080/travelocity.com/home.jsp
Use fully qualified username in the NameID :- TRUE
Enable SLO :- TRUE
Once configured, click on Update on the SAML2 config page as well as on the SP information page that comes next. And you are good to go.
Now paste the following URL into the browser: http://localhost:8080/travelocity.com/index.jsp
and click on SAML login, where you will be redirected to the IS login page. When you enter admin, admin (the default super user of IS), TADA, you are in :)
BYE BYE for now ;)
Labels:
Identity Server,
IS,
SAML2 SSO,
SSO,
Tech Thoughts
Sunday, February 9, 2014
Mutual SSL with WSO2 Enterprise Service Bus
Let's try to understand simply what Mutual SSL is.
I hope the following diagram will draw a good image in your brain to understand this
-------------------------------------------------------------------------------------------------------
Okay, let's see what happens in each step of the SSL handshake :-
(1) Client says hello and requests the server certificate
(2) Server says hello with the certificate
That is the first handshake that happens, but when you enable mutual SSL another handshake happens as well.
(3) Server says hello, requesting the client certificate
(4) Client says hello back with the certificate
ONCE BOTH PARTIES TRUST EACH OTHER THEY ESTABLISH THE CONNECTION FOR FURTHER ACTIONS BETWEEN CLIENT AND SERVER.
Now let's look at what requirements should be met in order for this to happen :)
(1) The client trust store should have the CA certificate / server certificate - signed by the server's CA -
FOR THE CLIENT TO TRUST THE SERVER
(2) The server trust store should contain the CA certificate / client certificate - signed by the client's CA -
FOR THE SERVER TO TRUST THE CLIENT
(3) The Certificate Authority that signed the certificates should be trusted by both parties
Now that you have an understanding of what mutual SSL is and what requirements are needed, please have a look at the following important blog post by Asela on how to check the mutual SSL capability of the WSO2 ESB with an example Java client :-
Enable Mutual SSL for Proxy services in WSO2ESB - I
Mutual SSL is also called two way SSL :)
THANKS !
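As an added example (not code from this post, from Asela's post or from WSO2), the following Go program builds a throw-away CA, a server certificate and a client certificate in memory, switches on client-certificate verification on the server, and runs the handshake over a loopback TCP socket under the trust-store arrangements listed above. The names demo-ca, localhost and client and the scenario labels are constructed for the demo; the server's ClientCAs and the client's RootCAs stand in for the server and client trust stores of requirements (2) and (1).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must unwraps a (value, error) pair; for demo material panicking beats threading errors through.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for name: self-signed when parent is nil (a CA), otherwise
// signed by parent, which is the "signed by the CA" relationship the post describes.
func issue(name string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one TLS handshake over loopback TCP; nil means both sides accepted each other.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	serverDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, serverCfg).Handshake()
		}
		serverDone <- err
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	defer conn.Close()
	clientErr := tls.Client(conn, clientCfg).Handshake()
	serverErr := <-serverDone // under TLS 1.3 the client can finish before the server has rejected its certificate
	if clientErr != nil {
		return clientErr
	}
	return serverErr
}

// RunScenarios builds a CA plus server and client certificates, then runs the handshake under
// each trust-store arrangement from the post and reports which ones connect.
func RunScenarios() map[string]bool {
	ca := issue("demo-ca", true, nil)
	server := issue("localhost", false, &ca)
	client := issue("client", false, &ca)
	trusted := x509.NewCertPool() // a trust store holding the CA certificate, requirement (3)
	trusted.AddCert(ca.Leaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes the SSL "mutual"
		ClientCAs:    trusted,                        // server trust store, requirement (2)
	}
	clientCfg := func(trust *x509.CertPool, certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: trust, ServerName: "localhost", Certificates: certs} // RootCAs is requirement (1)
	}
	cases := map[string]*tls.Config{
		"both trust stores correct":                clientCfg(trusted, client),
		"client trust store lacks the server's CA": clientCfg(x509.NewCertPool(), client),
		"client presents no certificate":           clientCfg(trusted),
	}
	results := make(map[string]bool, len(cases))
	for name, cfg := range cases {
		results[name] = handshake(serverCfg, cfg) == nil
	}
	return results
}

func main() { fmt.Println(RunScenarios()) }
```

Only the first scenario connects. Under TLS 1.3 the client's half of the handshake can complete before the server has evaluated the client certificate, which is why the function reports the server's verdict whenever the client saw no error; a real client only learns of the rejection on its first read. Also keep in mind that putting a CA certificate in a trust store trusts every certificate that CA issues, not just the one peer you had in mind, so the choice between "CA certificate" and "the peer's own certificate" in requirements (1) and (2) decides how wide the trust is.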
Connecting an external LDAP as the primary LDAP for WSO2 Identity Server
Hi All,
Today I am writing this blog to clear up some doubtful areas on the mentioned topic.
Let's see how to connect OpenLDAP as the primary LDAP for IS.
1) Download OpenLDAP for your O/S and install it according to the steps mentioned here. [INSTALLATION STEPS HERE FOR LINUX BASED SYSTEMS]
Special Note :- Please save the configuration details somewhere you can access and remember :)
2) Then connect to the OpenLDAP via Apache Directory Studio.
3) Download WSO2 Identity Server.
Please note that you only have to change the configurations of two files in order to connect this LDAP as the primary one.
4) Now let's go and disable the embedded LDAP that comes OOTB with IS.
Go to [IS_HOME]/repository/conf/embedded-ldap.xml and set the following configuration.
<EmbeddedLDAP>
<Property name="enable">false</Property>
...
</EmbeddedLDAP>
5) Then go to IS_HOME/repository/conf/user-mgt.xml and disable the embedded LDAP by commenting out the block with class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager".
6) Select whether to connect to the external LDAP as Read / Write or Read only, and select the proper class setting.
Read / Write - class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"
Read - class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"
7) Follow the following detailed blog for the configuration settings of each of the classes according to your need; it describes the properties in detail.
8) Pay special attention to the following settings, because you need to match them to your newly created OpenLDAP in order to integrate properly.
<Property name="ConnectionURL">ldap://localhost:389</Property>
<Property name="ConnectionName">cn=admin,dc=wso2,dc=com</Property>
<Property name="ConnectionPassword">password</Property>
<Property name="UserSearchBase">ou=Users,dc=wso2qa,dc=com</Property>
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=com</Property>
<Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=com</Property>
9) Follow the following blog for proper creation of users and groups in your LDAP.
LDAP - Apache Directory Studio: A Basic Tutorial
Hope the above helps anyone who is confused in this area.
Bye bye for now from Sri Lanka :)
Labels:
How to,
Identity Server,
IS,
LDAP,
Tech Thoughts
Thursday, February 6, 2014
How to simply setup centralized logging with WSO2 Business Activity Monitor
Hi All,
Today let's look at the following simple problem:-
We have two WSO2 products running in an environment. When we have to check event logs we have to log into those two products separately to check the relevant events. Say we have more products running; then we will have to log in to all the product management consoles to achieve the same.
Simple Solution:-
We can set up WSO2 BAM for centralized logging, so that when you log into the management console of WSO2 BAM, you can check the event logs of both / several WSO2 servers in your environment.
The following diagram will draw a clear picture of the solution
-------------------------------------------------------------------------------
Say in our sample scenario we have WSO2 IS and WSO2 ESB; we can save the event logs to the BAM Cassandra database, so that the logs are accessible from a central location.
Simple Steps to achieve the above:-
-------------------------------------------
1. Go to the [IS HOME]/repository/conf/log4j.properties file and add LOGEVENT to the log4j.rootLogger as follows
log4j.rootLogger=INFO, CARBON_CONSOLE, CARBON_LOGFILE, CARBON_MEMORY, LOGEVENT
2. Then go to [IS HOME]/repository/conf/etc/logging-config.xml and set <archivedHost>hdfs://localhost:9000/</archivedHost>
3. Start the BAM server and then start the IS server. You can see the event logs for IS in BAM when you go to Home > Tools > Cassandra Explorer > Connect to Cluster > Explore Cluster
4. You can follow the same steps for ESB as well to set up the above scenario
Note :-
Connect to Cassandra with the following details
Connection Url* localhost:9160
User Name admin
Password admin
Please refer to the following detailed blog for in-depth details of centralized logging with BAM
How Distributed Logging Works in WSO2 Stratos.
Labels:
BAM,
centralized,
Identity Server,
IS,
logging,
Tech Thoughts,
WSO2
Saturday, January 18, 2014
How to write a multiple Permit rule policy using WSO2 IS PAP simple policy editor - WSO2 IS 4.6.0
Hi All,
Today let's look at how to resolve the following simple problem scenario :-
Problem :-
Using WSO2 IS I want to give certain users access to a web service that I have exposed.
But the rule must be such that one particular user "umesha" will only have READ rights, while all the other users will have READ, WRITE and DELETE rights.
How can I do this? Of course you might know that you can achieve this with a XACML policy to enable fine-grained authorization.
Another problem - I do not know how to write XACML policies :O
Solution :-
Using the WSO2 IS Simple Policy Editor you can write a multiple rule XACML policy, and you do not need to know XACML for this.
Any novice user can create their own policies with this feature of the WSO2 XACML engine :)
Now let's look at how to write this simple policy :-
[You need to have WSO2 IS 4.6.0 downloaded and running]
1. Login to the Identity Server Management Console
2. Go to Home > Entitlement > PAP > Policy Administration
3. And select Simple Policy Editor
4. Give the policy a name
5. Select what the policy is based on - Resource
6. The name of the resource
7. And then we will focus on the first rule
We need to give "umesha" READ rights and READ rights only.
Select Child Resource / UserName under User
Give the user name as "umesha"
Give the Action as "READ"
8. Now click on that little plus sign to add the other rule
To give all the other users READ, WRITE and DELETE actions
fill in the selected UserName as "{^(?!umesha$).*}" - you should give this as a string regex
then give the actions as "READ | WRITE | DELETE"
9. Save the policy
The created policy will look as follows:-
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="SimplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">umesha</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Condition>
</Rule>
<Rule Effect="Permit" RuleId="Rule-2">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">WRITE</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">READ</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DELETE</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(?!umesha$).*</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>
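To see how the three rules of the generated policy combine, here is an added Go program (not part of this post and not WSO2's XACML engine) that re-implements the policy's logic: the policy target on resource-id, Rule-1 with its action target and subject condition, Rule-2 with its action bag and subject regex, the catch-all Deny rule, and the first-applicable rule-combining algorithm. The Request type, the Decide function and the sample subjects alice and umesha2 are constructed for the demo. Go's RE2 engine does not support the negative lookahead in ^(?!umesha$).*, so the same set (every string except exactly umesha) is written as a negated match on ^umesha$.

```go
package main

import (
	"fmt"
	"regexp"
)

// Decision is the subset of XACML outcomes this policy can produce.
type Decision string

const (
	Permit        Decision = "Permit"
	Deny          Decision = "Deny"
	NotApplicable Decision = "NotApplicable"
)

// Request holds the three attributes the policy reads from the request context.
type Request struct {
	Subject  string // urn:oasis:names:tc:xacml:1.0:subject:subject-id
	Resource string // urn:oasis:names:tc:xacml:1.0:resource:resource-id
	Action   string // urn:oasis:names:tc:xacml:1.0:action:action-id
}

// Rule mirrors one <Rule>: a Target, an optional Condition and an Effect.
// A nil Target or Condition is treated as always true, as XACML does.
type Rule struct {
	ID        string
	Effect    Decision
	Target    func(Request) bool
	Condition func(Request) bool
}

// Evaluate applies one rule. A rule whose target does not match, or whose
// condition is false, evaluates to NotApplicable rather than to its effect.
func (r Rule) Evaluate(req Request) Decision {
	if r.Target != nil && !r.Target(req) {
		return NotApplicable
	}
	if r.Condition != nil && !r.Condition(req) {
		return NotApplicable
	}
	return r.Effect
}

// Rule-2 in the post uses the regex ^(?!umesha$).* ("anything except exactly umesha").
// Go's RE2 engine has no negative lookahead, so the same set is expressed here as the
// negation of a positive match; the result is identical for every input string.
var exactlyUmesha = regexp.MustCompile(`^umesha$`)

// rule2Actions mirrors the string-bag of actions tested with string-at-least-one-member-of.
var rule2Actions = map[string]bool{"WRITE": true, "READ": true, "DELETE": true}

// SimplePolicy lists the three rules of the generated policy in document order.
var SimplePolicy = []Rule{
	{
		ID: "Rule-1", Effect: Permit,
		Target:    func(r Request) bool { return r.Action == "READ" },
		Condition: func(r Request) bool { return r.Subject == "umesha" },
	},
	{
		ID: "Rule-2", Effect: Permit,
		Condition: func(r Request) bool {
			return rule2Actions[r.Action] && !exactlyUmesha.MatchString(r.Subject)
		},
	},
	{ID: "Deny-Rule", Effect: Deny}, // no target, no condition: always applicable
}

// Decide checks the policy target (resource-id == "service") and then applies the
// first-applicable combining algorithm: the first rule that is not NotApplicable wins.
func Decide(req Request) Decision {
	if req.Resource != "service" {
		return NotApplicable
	}
	for _, rule := range SimplePolicy {
		if d := rule.Evaluate(req); d != NotApplicable {
			return d
		}
	}
	return NotApplicable
}

func main() {
	for _, req := range []Request{
		{"umesha", "service", "READ"},
		{"umesha", "service", "WRITE"},
		{"alice", "service", "DELETE"},
		{"alice", "service", "EXECUTE"},
		{"umesha2", "service", "WRITE"}, // the regex only excludes the exact string "umesha"
	} {
		fmt.Printf("%-8s %-7s on %s -> %s\n", req.Subject, req.Action, req.Resource, Decide(req))
	}
}
```

Two things worth checking before relying on such a policy: the regex excludes only the exact, case-sensitive string umesha, so a subject-id such as umesha2 or Umesha is granted READ, WRITE and DELETE by Rule-2; and an action outside the bag (EXECUTE here) falls through to the Deny rule for everyone, as does umesha asking for WRITE, because Rule-1's target only matches READ.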
Labels:
fine-grained authorization,
Identity Server,
IS,
PAP,
policy,
Tech Thoughts,
WSO2,
XACML
Saturday, November 30, 2013
Song Unsung
Wednesday, November 27, 2013
How to access the H2 database of the WSO2 API Manager
1. Go to <APIM HOME>\repository\conf and open carbon.xml
2. Enable the following configurations as shown below:-
<H2DatabaseConfiguration>
<property name="web" />
<property name="webPort">8082</property>
<property name="webAllowOthers" />
<!--property name="webSSL" />
<property name="tcp" />
<property name="tcpPort">9092</property>
<property name="tcpAllowOthers" />
<property name="tcpSSL" />
<property name="pg" />
<property name="pgPort">5435</property>
<property name="pgAllowOthers" />
<property name="trace" />
<property name="baseDir">${carbon.home}</property-->
</H2DatabaseConfiguration>
3. Then start the server
4. Go to http://localhost:8082 where you can see the login page for the H2 database
5. Type jdbc:h2:repository/database/WSO2AM_DB as the JDBC URL and wso2carbon as username and password.
Labels:
API Manager,
APIM,
How to,
Tech Thoughts,
WSO2
Monday, November 25, 2013
How to configure WSO2 API Manager to use WSO2 BAM for statistics
1. Download WSO2 API Manager from here and WSO2 BAM from here.
First let's configure the BAM. I am using BAM 2.3.0 and APIM 1.5.0
BAM configuration
----------------------------
1. Change the <offset> tag in carbon.xml, which is in <BAM HOME>\repository\conf, to 1 (We are going to run APIM on port 9443 and BAM on 9444)
You can refer to this for introductory information on WSO2 product start up.
2. Then you have to copy the API_Manager_Analytics.tbox, which is in <APIM HOME>\wso2am-1.5.0\statistics, to <BAM HOME>/repository/deployment/server/bam-toolbox
3. Add the following to the <BAM_HOME>/conf/datasources/master-datasources.xml file.
<datasource>
<name>WSO2AM_STATS_DB</name>
<description>The datasource used for getting statistics to API Manager</description>
<jndiConfig>
<name>jdbc/WSO2AM_STATS_DB</name>
</jndiConfig>
<definition type="RDBMS">
<configuration>
<!-- JDBC URL to query the database -->
<url>jdbc:h2:<BAM_HOME>/repository/database/APIMGTSTATS_DB;AUTO_SERVER=TRUE</url>
<username>wso2carbon</username>
<password>wso2carbon</password>
<driverClassName>org.h2.Driver</driverClassName>
<maxActive>50</maxActive>
<maxWait>60000</maxWait>
<testOnBorrow>true</testOnBorrow>
<validationQuery>SELECT 1</validationQuery>
<validationInterval>30000</validationInterval>
</configuration>
</definition>
</datasource>
<datasource>
<name>WSO2BAM_CASSANDRA_DATASOURCE</name>
<description>The datasource used for Cassandra data</description>
<definition type="RDBMS">
<configuration>
<url>jdbc:cassandra://localhost:9161/EVENT_KS</url>
<username>admin</username>
<password>admin</password>
</configuration>
</definition>
</datasource>
Note:- When adding the above configurations, please check whether some of them are already there; no need to duplicate. Also check whether the Cassandra port is set to 9161, since we are running BAM on port 9444 (we changed the offset of BAM).
For <BAM HOME> you need to give the path where you have extracted the BAM product.
Now let's go and configure APIM.
APIM configurations
--------------------------------------
1. Enable the following configurations in repository/conf/api-manager.xml.
<!--
Enable/Disable the API usage tracker.
-->
<Enabled>true</Enabled>
<!--
JNDI name of the data source to be used for getting BAM statistics.This data source should
be defined in the master-datasources.xml file in conf/datasources directory.
-->
<DataSourceName>jdbc/WSO2AM_STATS_DB</DataSourceName>
2. Configure the following in the <APIM HOME>/conf/datasources/master-datasources.xml file.
<datasource>
<name>WSO2AM_STATS_DB</name>
<description>The datasource used for getting statistics to API Manager</description>
<jndiConfig>
<!-- This jndi name should be same as the DataSourceName defined in api-manager.xml -->
<name>jdbc/WSO2AM_STATS_DB</name>
</jndiConfig>
<definition type="RDBMS">
<configuration>
<!-- JDBC URL to query the database -->
<url>jdbc:h2:<BAM_HOME>/repository/database/APIMGTSTATS_DB;AUTO_SERVER=TRUE</url>
<username>wso2carbon</username>
<password>wso2carbon</password>
<driverClassName>org.h2.Driver</driverClassName>
<maxActive>50</maxActive>
<maxWait>60000</maxWait>
<testOnBorrow>true</testOnBorrow>
<validationQuery>SELECT 1</validationQuery>
<validationInterval>30000</validationInterval>
</configuration>
</definition>
</datasource>
Note:- For <BAM HOME> you need to give the path where you have extracted the BAM product.
Now start the BAM server and then start APIM.
Using WSO2 APIM you can create APIs and publish them to be used by external users who subscribe to them.
Let's learn about the WSO2 API Manager in the coming posts.
NOTE:-
In a clustered deployment, change the APIM settings on the Gateway and Publisher nodes.
See ya'll for now :)
Labels:
API,
API Manager,
APIM,
BAM,
How to,
service,
statistics,
Tech Thoughts,
WSO2