How to use the # character as a password in WSO2 API Manager 4.0.0? - wso2-api-manager

I am currently using the latest version of WSO2 APIM (4.0.0).
I tried connecting to LDAP as a read-only user store as per the documentation, but once I start up the server a JMS error occurs, possibly due to the # character used in the password.
Is it possible to use the # character without breaking WSO2 APIM functionality?
Thanks in advance.

It is not possible to use # in a JMS connection string. Please check - https://apim.docs.wso2.com/en/latest/install-and-setup/setup/security/logins-and-passwords/maintaining-logins-and-passwords/#change-the-super-admin-credentials

The following worked for me.
In the deployment.conf file, configure the password with the special character as below.
[super_admin]
username = "your-name"
password = "<![CDATA[your-password]]>"
[apim.throttling.jms]
username = "your-name"
password = "<![CDATA[your-password]]>"
Thanks #Pubci for referring to the relevant documentation link.
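Added example, not from this thread or WSO2: a pre-flight check that shows why a # in the password breaks a URL-style JMS connection string (everything after # is parsed as a fragment) and flags other reserved characters. The AMQP URL form below is an assumption; the exact string WSO2 assembles is not shown here.

```python
"""Constructed example: what a URL parser makes of a password containing '#'."""
from urllib.parse import urlsplit

# Characters with a reserved meaning in a URL-style connection string:
# '#' starts the fragment, '?' the query, '@' ends userinfo, '/' ends the
# host part, ':' separates user from password, '%' begins an escape.
RESERVED = set("#?@/:%")


def build_jms_url(user: str, password: str, client_id: str = "clientID",
                  vhost: str = "carbon",
                  brokerlist: str = "tcp://localhost:5672") -> str:
    """Assumed AMQP-style URL, assembled naively (no escaping), the way a
    configuration template substitutes a raw password."""
    return f"amqp://{user}:{password}@{client_id}/{vhost}?brokerlist='{brokerlist}'"


def unsafe_chars(password: str) -> list:
    """Reserved characters present in `password`, in order of appearance."""
    return [c for c in password if c in RESERVED]


def check_password(password: str, user: str = "admin") -> dict:
    """Report whether `password` survives URL parsing unchanged."""
    parts = urlsplit(build_jms_url(user, password))
    seen = parts.password or ""          # None when userinfo was cut off
    return {
        "intact": seen == password,
        "parsed_password": seen,
        "netloc": parts.netloc,          # where the parser thinks userinfo/host end
        "fragment": parts.fragment,      # the rest of the URL swallowed after '#'
        "reserved_chars": unsafe_chars(password),
    }


if __name__ == "__main__":
    for pw in ("admin", "s3cret#1", "pa?ss"):
        print(pw, check_password(pw))
```

For "s3cret#1" the parser stops the authority at "admin:s3cret" and treats "1@clientID/carbon?..." as a fragment, so the broker never sees the host, vhost or brokerlist.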

Related

Encrypting the Web Console password in ActiveMQ

I have to get rid of the clear text password in the ActiveMQ server's jetty-realm.properties file as part of the security requirements of our project.
I followed the procedure for encrypting passwords found here: https://activemq.apache.org/encrypted-passwords.html.
In jetty-realm.properties I replaced the plain password with ${activemq.password}
But I could not log in to the web console (http://localhost:8161/admin)
Are there additional config parameters I need to change? Any help would be greatly appreciated.
To encrypt the password we can use the Jetty utility. This can be downloaded from http://download.eclipse.org/jetty/.
Use:
java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password admin admin
admin
OBF:1u2a1toa1w8v1tok1u30
MD5:21232f297a57a5a743894a0e4a801fc3
CRYPT:adpexzg3FUZAk
Add in bus\conf\jetty.xml\jetty-realm.properties
admin: MD5:21232f297a57a5a743894a0e4a801fc3, admin
A very important note: the order of the arguments you specify should be as follows:
org.eclipse.jetty.util.security.Password [username] password
Also note that in some shells (like default on Ubuntu 20.04) the dollar sign inside the password will effectively truncate your password to the part preceding the dollar sign.
(I meant to put a comment to the answer by #dorin.canepa, but clicked on a wrong button and now it's an answer, oh well)
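Added example, not part of the answers above: a small parser and verifier for the jetty-realm.properties line format shown in the answer, plus a helper that quotes a password so the shell does not expand a $ inside it. It assumes the "user: credential, role" layout from the answer; OBF: entries (reversible obfuscation, not a hash) and CRYPT: entries are reported as unsupported rather than verified.

```python
"""Constructed example: verify credentials against a jetty-realm.properties file."""
import hashlib
import hmac
import shlex

# Constructed sample realm file; the 'admin' line is the one from the answer.
SAMPLE_REALM = """\
# jetty-realm.properties (constructed sample)
admin: MD5:21232f297a57a5a743894a0e4a801fc3, admin
user: OBF:1u2a1toa1w8v1tok1u30, user
legacy: plaintext-secret, user
"""


def parse_realm(text: str) -> dict:
    """Map username -> (credential, [roles]) for every non-comment line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")       # first ':' ends the username
        fields = [f.strip() for f in rest.split(",")]
        entries[user.strip()] = (fields[0], fields[1:])
    return entries


def verify(entries: dict, user: str, password: str) -> str:
    """Return 'ok', 'bad', 'unknown-user' or 'unsupported'."""
    if user not in entries:
        return "unknown-user"
    cred = entries[user][0]
    if cred.startswith("MD5:"):
        # Unsalted, fast MD5: identical passwords give identical entries, and
        # md5("admin") is exactly the value the answer's tool printed.
        digest = hashlib.md5(password.encode()).hexdigest()
        return "ok" if hmac.compare_digest(digest, cred[4:].lower()) else "bad"
    if cred.startswith(("OBF:", "CRYPT:")):
        return "unsupported"
    return "ok" if hmac.compare_digest(cred, password) else "bad"


def quote_for_shell(password: str) -> str:
    """Single-quote a password so '$...' is not expanded (the truncation noted
    above) when it is passed to the Password tool on the command line."""
    return shlex.quote(password)


if __name__ == "__main__":
    realm = parse_realm(SAMPLE_REALM)
    print(verify(realm, "admin", "admin"), quote_for_shell("pa$sword"))
```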

How to get an Azure MSI access token for a specific user assigned identity on a VM/VMSS?

I'd like to assign multiple user assigned managed service identities to a VM Scale Set in Azure. I can do so by following the docs.
What I have not figured out yet is how I can request a token for a specific identity. The docs for requesting a token via the IMDS endpoint do not mention any request parameters for specifying e.g. a clientId.
Any clues?
Christian,
You can request tokens for a particular managed identity, by passing in the client_id or object_id in the request. For example: curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/&object_id=<USERASSIGNED_OBJECT_ID>' -H Metadata:true -s
Our docs are being updated right now to properly include this info. Thanks for the note! :)
-Arturo
Previous answers provide the right pointer.
If you are using Azure SDKs to write your code, then you can use Azure.Identity library and the DefaultAzureCredential object as described here - https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme#specifying-a-user-assigned-managed-identity-with-the-defaultazurecredential
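Added example, not from the answers above: building the IMDS token request for one specific user-assigned identity (by client_id or object_id, as in Arturo's curl command) and parsing the response. The endpoint, api-version and Metadata header come from that command; the sample response body is constructed and its token is a placeholder.

```python
"""Constructed example: IMDS token request for a chosen user-assigned identity."""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def build_token_request(resource: str, client_id: str = None,
                        object_id: str = None) -> urllib.request.Request:
    """Exactly one of client_id / object_id selects the identity; with neither,
    IMDS does not know which of several user-assigned identities you mean."""
    if client_id and object_id:
        raise ValueError("pass either client_id or object_id, not both")
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    elif object_id:
        params["object_id"] = object_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # Metadata: true is mandatory; IMDS rejects requests without it.
    return urllib.request.Request(url, headers={"Metadata": "true"})


def parse_token_response(body: str, now: float = None) -> dict:
    """Return the token plus remaining lifetime from an IMDS JSON body."""
    data = json.loads(body)
    now = time.time() if now is None else now
    expires_on = int(data["expires_on"])      # epoch seconds, sent as a string
    return {
        "access_token": data["access_token"],
        "client_id": data.get("client_id"),   # which identity actually answered
        "seconds_left": int(expires_on - now),
        "expired": expires_on <= now,
    }


def fetch_token(resource: str, **identity) -> dict:
    """Live call; only reachable from inside an Azure VM / VMSS instance."""
    req = build_token_request(resource, **identity)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode())


# Constructed sample response (placeholder token, not a real credential).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "<PLACEHOLDER_JWT>", "client_id": "<USERASSIGNED_CLIENT_ID>",
    "expires_in": "3599", "expires_on": "1700003599", "not_before": "1700000000",
    "resource": "https://management.azure.com/", "token_type": "Bearer",
})
```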

Password Encryption change for windows ASP configuration

My application uses Windows Server (ASP) and connects to another app "B" database by OLEDB (connection string). App "B" enabled password encryption on their DB and now no app is able to connect to their database.
So I need help to add "CS_SEC_ENCRYPTION = CS_TRUE". Please let me know where and how to add this?
If I need to add this in web.config, then how can I add that?
If there is any other option, please suggest.
Based on the link below, add ;EncryptPassword=1; to your connectionString, which is in your web.config file.
http://sybperl-l.peppler.narkive.com/cd3C6AAS/does-dbd-sybase-support-cs-sec-encryption
Give it a try and leave a comment, so that I can delete this if it is not working.

The provider for keystore type 'IBMCMSKS' is not available

I am using IBM HTTP Server 9.0. When I try to create a .kdb file, it throws the error "The provider for keystore type 'IBMCMSKS' is not available."
Note: the 'CMS' key store is not present in the ikeyman.bat file.
Please help me add this key store to ikeyman.
Thanks in advance
In IHS 8.5.5 this option has helped me: -DADD_CMS_SERVICE_PROVIDER_ENABLED=true
E.g.
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -DADD_CMS_SERVICE_PROVIDER_ENABLED=true -cert -getdefault -db XXX.kdb -stashed
I faced the same issue while using IHS 8.5.5.15, and resolved it by adding providers in java.security:
security.provider.1=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
security.provider.2=com.ibm.security.cmskeystore.CMSProvider
Ensure you have correct numbering of the rest of the providers.
Use gskcapicmd if it is available. This won't work with JKS files though. Or upgrade to 9.0.0.3 which fixes the issue.

Error "WIF10201: No valid key mapping found" when trying to create claims from SAML

I am trying to validate a SAML response which is coming from a Siteminder IDP from a third party. I have installed the certificate provided by them. When I call the ValidateToken method (System.IdentityModel.Tokens) to create claims, I get the following error:
WIF10201: No valid key mapping found for
securityToken:'System.IdentityModel.Tokens.X509SecurityToken' and
issuer: 'issuer uri'
I dug in deep to find the error and it's being thrown by the method GetIssuerName (System.IdentityModel.Tokens).
Where is the problem? I googled for this issue but didn't find anything specific to my case. Does the SAML token from my client have a problem, or is there something I am missing in the implementation? I am fairly new to federated auth so please excuse any inaccuracy with the terminology used.
Gaurav
OK, found the solution but couldn't quite understand the reason behind it (complete noob, will update the answer when I know more).
I followed this approach of converting the SAML2 response to a WSFed response, then I ran my code on that new token, and now the error is gone.
http://blogs.msdn.com/b/bradleycotier/archive/2012/10/28/saml-2-0-tokens-and-wif-bridging-the-divide.aspx
Note: you still have to override the validate token method (which I had originally done) to avoid the following error:
“ID4154: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies an InResponseTo value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.”
Thanks.
You are probably missing a configuration that maps the issuer name (as specified inside the token) to the certificate (probably specified with a thumbprint). I guess you solve this with some configuration in your web.config. Have a look at e.g. Microsoft validating issuer name registry. The page contains some sample configuration. Setting this up correctly depends entirely on your situation.
I wanted to make a note for future reference, since I also ran into this error but my resolution was different. I got the WIF10201 error in a custom MVC application that is using ADFS (3.0) claims-based authentication under Windows Server 2012. In the web.config of the MVC application, the thumbprint of the ADFS token signing key is recorded. It turns out, when the signing certificate is about to expire, ADFS creates a new key. The new key is marked "primary" and the old key is marked as "secondary" in the ADFS console (under AD FS/Service/Certificates). So in my web.config there was, of course, still the thumbprint of the old (secondary) key. As soon as I replaced it with the thumbprint of the new (primary) key, the error disappeared.