Why does the WSO2 API Manager store have 2 URLs displayed on the UI - wso2-api-manager

We have deployed an all-in-one instance of WSO2 API Manager. We have got SSL working and you can log in and see published APIs.
We have set up carbon.xml to have the external-facing address (apidev.example.com), and both /store/ and /publisher/ can be accessed from that address.
However, the problem is that the APIs published in the store are using the local hostname dev.company.interal.
This means that a user will sign in to
https://apidev.example.com/store
click on an API and get redirected to
https://dev.company.interal:9443/store/apis/...
which is no good, as that address isn't accessible to people outside our network. So I want the store to use the external-facing address.
I've included the config files, shortened to the edits which have been made.
carbon.xml
<HostName>apidev.example.com</HostName>
<!-- Host name to be used for the Carbon management console-->
<MgtHostName>apidev.example.com</MgtHostName>
api-manager.xml
<APIManager>
    <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>
    <GatewayType>Synapse</GatewayType>
    <EnableSecureVault>false</EnableSecureVault>
    <AuthManager>
        <!-- Server URL of the Authentication service -->
        <ServerURL>https://dev.company.interal:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
        <!-- Admin username for the Authentication manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for the Authentication manager. -->
        <Password>${admin.password}</Password>
        <!-- Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
             via a remote service. The check will be done on the local server when false. -->
        <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
    </AuthManager>
    ...
    <APIGateway>
        <!-- The environments to which an API will be published -->
        <Environments>
            <Environment type="hybrid" api-console="true">
                <Name>Production and Sandbox</Name>
                <Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
                <!-- Server URL of the API gateway -->
                <ServerURL>https://apidev.example.com${carbon.context}services/</ServerURL>
                <!-- Admin username for the API gateway. -->
                <Username>${admin.username}</Username>
                <!-- Admin password for the API gateway.-->
                <Password>${admin.password}</Password>
                <!-- Endpoint URLs for the APIs hosted in this API gateway.-->
                <!--GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://apidev.linkedsystems.uk:${https.nio.port}</GatewayEndpoint-->
                <GatewayEndpoint>http://apidev.example.com,https://apidev.example.com</GatewayEndpoint>
            </Environment>
        </Environments>
    </APIGateway>
    ...
    <APIKeyValidator>
        <!-- Server URL of the API key manager -->
        <ServerURL>https://dev.company.interal:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
        <!-- Admin username for API key manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for API key manager. -->
        <Password>${admin.password}</Password>
        <KeyValidatorClientType>ThriftClient</KeyValidatorClientType>
        <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
        <!--ThriftClientPort>10397</ThriftClientPort-->
        <EnableThriftServer>true</EnableThriftServer>
        <ThriftServerHost>localhost</ThriftServerHost>
        <!--ThriftServerPort>10397</ThriftServerPort-->
        <!--ConnectionPool>
            <MaxIdle>100</MaxIdle>
            <InitIdleCapacity>50</InitIdleCapacity>
        </ConnectionPool-->
        <!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by plugging in a
             custom KeyValidation Handler -->
        <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
    </APIKeyValidator>
    ...
    <!-- API Store Related Configurations -->
    <APIStore>
        <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
        <!--This property is used to indicate how we do user name comparison for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
        <CompareCaseInsensitively>true</CompareCaseInsensitively>
        <DisplayURL>true</DisplayURL>
        <!--URL>https://localhost:${mgt.transport.https.port}/store</URL-->
        <URL>https://apidev.example.com/store</URL>
        <!-- Server URL of the API Store. -->
        <ServerURL>https://apidev.example.com:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
        <!-- Admin username for API Store. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for API Store. -->
        <Password>${admin.password}</Password>
        <!-- This parameter specifies whether to display multiple versions of the same
             API or only the latest version of an API. -->
        <DisplayMultipleVersions>false</DisplayMultipleVersions>
        <!-- This parameter specifies whether to display all the APIs
             [which have DEPRECATED/PUBLISHED status] or only the APIs
             whose status is 'PUBLISHED' -->
        <DisplayAllAPIs>false</DisplayAllAPIs>
        <!-- Uncomment this to limit the number of APIs per page in the API Store -->
        <!--APIsPerPage>5</APIsPerPage-->
        <!-- This parameter specifies whether to display the comment editing facility or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayComments>true</DisplayComments>
        <!-- This parameter specifies whether to display the ratings or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayRatings>true</DisplayRatings>
        <!--set isStoreForumEnabled to false to disable the forum in the store-->
        <!--isStoreForumEnabled>false</isStoreForumEnabled-->
    </APIStore>
    ...
    <ThrottlingConfigurations>
        <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
        <DataPublisher>
            <Enabled>false</Enabled>
            <Type>Binary</Type>
            <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
            <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <DataPublisherPool>
                <MaxIdle>1000</MaxIdle>
                <InitIdleCapacity>200</InitIdleCapacity>
            </DataPublisherPool>
            <DataPublisherThreadPool>
                <CorePoolSize>200</CorePoolSize>
                <MaxmimumPoolSize>1000</MaxmimumPoolSize>
                <KeepAliveTime>200</KeepAliveTime>
            </DataPublisherThreadPool>
        </DataPublisher>
        <PolicyDeployer>
            <ServiceURL>https://dev.company.interal:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
        </PolicyDeployer>
        <BlockCondition>
            <Enabled>true</Enabled>
            <!--InitDelay>300000</InitDelay>
            <Period>3600000</Period-->
        </BlockCondition>
        <JMSConnectionDetails>
            <Enabled>true</Enabled>
            <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <Destination>throttleData</Destination>
            <!--InitDelay>300000</InitDelay-->
            <JMSConnectionParameters>
    ...
</APIManager>
Any help/pointers would be appreciated.

So the answer is:
the file at {AM_HOME}/repository/deployment/server/jaggeryapps/store/site/conf/site.json
needs changing to reflect the reverse proxy settings. Following the example laid out in the question, the new setting would be:
"reverseProxy" : {
    "enabled" : true, // values true , false , "auto" - will look for X-Forwarded-* headers
    "host" : "apidev.example.com", // If the reverse proxy does not have a domain name, use its IP
    "context":"/store",
    //"regContext":"" // Use only if a different path is used for the registry
},
That's all folks
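As an added check (not part of the original answer or of WSO2's own code), the following Python validates the reverseProxy block described above and audits a fetched Store page for links that still point at a host other than the external one; the hostnames and the sample page are constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit

# Hostnames the Store may legitimately link to (constructed for this example).
EXTERNAL_HOSTS = {"apidev.example.com"}

# Absolute http(s) URLs inside HTML, JSON or JavaScript text.
_URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# WSO2's site.json carries "//" line comments that strict JSON rejects;
# strip them (but not the "//" of a URL) before parsing.
_COMMENT_RE = re.compile(r"(?<!:)//[^\n]*")


def foreign_hosts(body: str, allowed: set) -> set:
    """Hostnames linked from a fetched Store page that are not in `allowed`.
    Any hit after the site.json change is an internal name leaking outside."""
    found = set()
    for match in _URL_RE.finditer(body):
        host = urlsplit(match.group(0)).hostname
        if host and host.lower() not in allowed:
            found.add(host.lower())
    return found


def check_reverse_proxy(site_json_text: str) -> list:
    """Validate the reverseProxy block of site.json; returns a list of problems."""
    rp = json.loads(_COMMENT_RE.sub("", site_json_text)).get("reverseProxy", {})
    problems = []
    enabled = rp.get("enabled")
    if enabled not in (True, False, "auto"):
        problems.append('enabled must be true, false or "auto"')
    if enabled is True and not rp.get("host"):
        problems.append("host must be set when enabled is true")
    if enabled == "auto":
        # "auto" derives the host from X-Forwarded-* headers, which are only
        # trustworthy when the reverse proxy overwrites client-supplied ones.
        problems.append('enabled "auto" trusts X-Forwarded-* headers; '
                        "ensure the proxy overwrites them")
    if not str(rp.get("context", "")).startswith("/"):
        problems.append('context must start with "/"')
    return problems


# Constructed samples: the answer's site.json block and a Store page fragment
# that still links one API through the internal hostname.
SAMPLE_SITE_JSON = """{
  "reverseProxy" : {
    "enabled" : true, // values true , false , "auto"
    "host" : "apidev.example.com",
    "context":"/store"
  }
}"""
SAMPLE_STORE_PAGE = (
    '<a href="https://apidev.example.com/store/apis/list">APIs</a>'
    '<a href="https://dev.company.interal:9443/store/apis/info?name=Demo">Demo</a>'
)
```

Run `foreign_hosts` over the real Store HTML (or its JSON responses) fetched through the external address; an empty set confirms no internal hostname is still being emitted.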

Related

Not getting values from previous steps

I have the below policy flow in an Apigee proxy:
verify-api-key --> fault-handle --> verify-access-token --> fault-handle --> JavaScript policy --> fault-handle ---> remove access_token
Now I get all details like access-token and custom-attributes up to the JavaScript policy.
But in the remove access_token policy I am not getting any values.
In this policy I want to remove access_token and pass all other values as they are. But this step is not receiving any values.

WSO2 API Manager 3.2.0 analytics redirects automatically to https://localhost:9443/authenticationendpoint/oauth2_error

Why does WSO2 API Manager 3.2.0 analytics redirect automatically from
https://172.24.64.115:9643/analytics-dashboard/
to
https://localhost:9443/authenticationendpoint/oauth2_error.do?oauthErrorCode=invalid_callback&oauthErrorMsg=Registered+callback+does+not+match+with+the+provided+url.
Also the following exception:
Registered callback does not match with the provided url Error
dashboard config:
## Authentication configuration
auth.configs:
  type: apim
  ssoEnabled: true
  properties:
    adminScope: apim_analytics:admin_carbon.super
    allScopes: apim_analytics:admin openid apim:api_view apim:subscribe apim_analytics:monitoring_dashboard:own apim_analytics:monitoring_dashboard:edit apim_analytics:monitoring_dashboard:view apim_analytics:business_analytics:own apim_analytics:business_analytics:edit apim_analytics:business_analytics:view apim_analytics:api_analytics:own apim_analytics:api_analytics:edit apim_analytics:api_analytics:view apim_analytics:application_analytics:own apim_analytics:application_analytics:edit apim_analytics:application_analytics:view
    adminUsername: admin
    adminPassword: admin
    kmDcrUrl: https://172.24.64.114:9443/client-registration/v0.17/register
    kmTokenUrlForRedirection: https://172.24.64.114:9443/oauth2
    kmTokenUrl: https://172.24.64.114:9443/oauth2
    kmUsername: admin
    kmPassword: admin
    portalAppContext: analytics-dashboard
    businessRulesAppContext: business-rules
    cacheTimeout: 30
    baseUrl: https://172.24.64.115:9643
    grantType: authorization_code
    publisherUrl: https://172.24.64.114:9443
    devPortalUrl: https://172.24.64.114:9443
    externalLogoutUrl: https://172.24.64.114:9443/oidc/logout
The below-mentioned error can happen when the hostname configured under baseUrl in the Analytics Dashboard's deployment.yaml does not match the Callback URL configured in the API Manager node.
https://localhost:9443/authenticationendpoint/oauth2_error.do?oauthErrorCode=invalid_callback&oauthErrorMsg=Registered+callback+does+not+match+with+the+provided+url.
Perform the following checks and update the Callback URL accordingly to overcome the behavior:
Log in to the API Manager's Carbon Management console with admin credentials.
Go to Service Providers > List > sp_analytics_dashboard, expand the OAuth2/OpenID Configurations and click on Edit.
Verify whether the configured Callback URLs match the hostname and port defined in baseUrl in the deployment.yaml of the Analytics Dashboard. If not, update them.
After updating, save the configurations and try the scenario again.

Apigee shared flow to validate token

I am using Apigee as the gateway to our application. Several applications will hit Apigee, and Apigee will in turn route the request to backend servers. Every incoming request will have a JWT token.
I want Apigee to pass that token to an auth server, and the auth server will validate whether the token is valid or not.
If the token is invalid (if the auth server returns any status other than 200), I want Apigee to return a 403 error as the response to the request; else pass the request to the backend server.
How can I implement this kind of shared flow? Is it even possible with Apigee? Is there any better way to achieve this?
You can do that.
Create a shared flow for Authentication/Authorization which includes a ServiceCallout policy that will make a call to the auth server.
Based on the result (Unauthorized/Bad request) you can raise a fault response with the help of RaiseFault.
If the response is OK it will proceed smoothly to the backend.
Sample shared flow:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SharedFlowBundle revision="1" name="Auth">
    <Policies>
        <Policy>AssignVariableJwks</Policy> <!-- Assign input values if needed via AssignMessage policy -->
        <Policy>RequestAuthServer</Policy> <!-- External auth server call using ServiceCallout policy -->
        <Policy>TokenNotFoundValidation</Policy> <!-- Validate response and raise fault if needed using RaiseFault policy -->
    </Policies>
    <Resources/>
    <Spec/>
    <subType>SharedFlow</subType>
    <SharedFlows>
        <SharedFlow>default</SharedFlow>
    </SharedFlows>
</SharedFlowBundle>
For the above shared flow, create & attach the required policies with logic and you're good to go.

How to consume secured API from IBM MobileFirst using http adapters

I'm trying to invoke an API which has authentication. I'm getting an error like "Http request failed: java.net.SocketTimeoutException:Read timed out".
Generally when I open this URL (http://samirkantalenka-test.apigee.net/zsubmitalv-3) in a browser, it asks for a username and password. If I enter those credentials then it returns JSON data.
How can I give these credentials in MobileFirst HTTP adapters? Can anyone help me out?
Adapter.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Licensed Materials - Property of IBM
    5725-I43 (C) Copyright IBM Corp. 2011, 2013. All Rights Reserved.
    US Government Users Restricted Rights - Use, duplication or
    disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
-->
<wl:adapter name="Apigee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:wl="http://www.ibm.com/mfp/integration"
    xmlns:http="http://www.ibm.com/mfp/integration/http">
    <displayName>Apigee</displayName>
    <description>Apigee</description>
    <connectivity>
        <connectionPolicy xsi:type="http:HTTPConnectionPolicyType">
            <protocol>http</protocol>
            <domain>samirkantalenka-test.apigee.net</domain>
            <authentication>
                <basic/>
                <serverIdentity>
                    <username>{myusername}</username>
                    <password>{mypassword}</password>
                </serverIdentity>
            </authentication>
            <loadConstraints maxConcurrentConnectionsPerNode="2" />
            <connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
            <socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
            <maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
            <!-- Following properties used by adapter's key manager for choosing specific certificate from key store
            <sslCertificateAlias></sslCertificateAlias>
            <sslCertificatePassword></sslCertificatePassword>
            -->
        </connectionPolicy>
    </connectivity>
    <procedure name="getStories" connectAs="server"/>
</wl:adapter>
Here I'm getting an error like "cvc-complex-type.2.4.a: Invalid content was found starting with element 'loadConstraints'. One of '{proxy, sslCertificateAlias, sslCertificatePassword, maxConcurrentConnectionsPerNode}' is expected."
Looks like that endpoint is an SAP NetWeaver one?
In this case simply create the dedicated SAP NetWeaver Gateway adapter type.
In the adapter XML file you can then specify the username and password.
Might work for you.
See the user documentation here: http://www-01.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.dev.doc/devref/c_sap_adapters.html

OpenAM J2EE agent installation bringing down tomcat

OpenAM version 12, Agent version 3.5 and 3.3, Tomcat version 7
I have tried to follow the link https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-ldap-sso/sso-openam-06052012 to set up my J2EE Agent. Let me paste the steps after asking the question (see at the end),
but I am getting the error as asked below:
Not able to configure J2EE agent on adding my customized data store for users
I have tried to use the 3.5 version, installed and uninstalled multiple times, and tried the previous version.
There is a nice discussion on this topic at http://database.developer-works.com/article/16009911/%22Cannot+obtain+Application+SSO+token%22+error
but it did not help me much.
I am using LDAP, so I have used an LDAP realm and subjects are showing up OK. Also I am observing that the policy tab has changed quite a bit from how it is described in the blogs.
Now with the roadblock I am not sure how to proceed, as the error is not giving me any clue what to do. I even added the file named AMConfig.properties in the classpath with the username and password of the agent, and tried the username and password of the OpenAM admin too as suggested in the discussion mentioned, but that too did not help.
The issue is that Tomcat now is not starting and gives an error that AMConfig.properties properties are needed.
I know the OpenAM realm setup is good, as I am able to log in via this realm to another application (Liferay) where I just have to give the URL to use OpenAM integration. But after uninstallation of the agent, Tomcat starts without any error and I am able to log in to the application.
----- Steps copied from 1st link (modified) -----
1. Configure your OpenAM agent (tried both the 3.5 and 3.3 version on Tomcat 7)
a. Log into OpenAM as the admin user and navigate to "Access Control -> (Your Realm)" - in my case the LDAP Realm (another application is using it without issue)
b. Select Policies -> New Policy
c. Enter Share as the policy name and then create 2 new URL Policy agent rules
d. 1st Resource Name = http://:/share/*
e. 2nd Resource Name = http://alfresco.domain.com:8080/share/*?*
f. Add subjects - already part of the LDAP Realm
g. Now select Agents -> J2EE -> (your J2EE agent)
h. Select the Application tab
i. Login Processing -> Login Form URI - add /share/page/dologin
j. Logout Processing -> Application Logout URL - add Map Key = share - Corresponding Map Value = /share/page/dologout
k. Not Enforced URI Processing - Add 2 entries - /share and /share/
l. Profile Attributes Processing - Select HTTP_HEADER and add Map Key = uid - Corresponding Map Value = SsoUserHeader (This is what I called my header in the alfresco-global.properties file - see below)
Auth chain
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
alfresco.authentication.allowGuestLogin=true
SSO settings
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader
NOTE: It does not seem possible to configure SSO where the Guest login has been disabled. There are webscripts used on the Alfresco repository that need guest login.
That concludes the setup for Alfresco and OpenAM.
For Share you need to have the following section uncommented in your share-config-custom.xml:
alfresco/web-extension/alfresco-system.p12
pkcs12
alfresco-system
alfrescoCookie
Alfresco Connector
Connects to an Alfresco instance using cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
alfrescoHeader
Alfresco Connector
Connects to an Alfresco instance using header and cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
SsoUserHeader
alfresco
Alfresco - user access
Access to Alfresco Repository WebScripts that require user authentication
alfrescoHeader
http://alfreso.domain.com:8080/alfresco/wcs
user
true
Notice I am not using the SSL cert, and in my alfrescoHeader connector I have used SsoUserHeader (as set up in OpenAM), and the endpoint uses the alfrescoHeader connector.
Now you need to add the OpenAM filter to the Share web.xml file.
Add the following filter just before the Share SSO authentication support filter:
Agent
com.sun.identity.agents.filter.AmAgentFilter
Add the following filter mapping to the filter-mapping section:
Agent
REQUEST
INCLUDE
FORWARD
ERROR
----- End -----
The error message is a bit misleading: "Cannot obtain application SSO token" in general means that the agent was unable to authenticate itself. When you install the agent, the agent asks for a profile name and a password file; those values need to correspond to the agent profile configured within OpenAM.
To test if you can authenticate as the user, you could simply try to authenticate as the agent by making the following request:
curl -d "username=profilename&password=password&uri=realm=/%26module=Application" http://aldaris.sch.bme.hu:8080/openam/identity/authenticate
In the above command the realm value needs to be the same as the value of the "com.sun.identity.agents.config.organization.name" property defined in OpenSSOAgentBootstrap.properties (under the agent's install directory).
Having a bad username/password combination is only one of the possible root causes for this exception though. It is also possible that during startup the agent was unable to connect to OpenAM to authenticate itself. In those cases the problem could be:
network error, firewall issues preventing the agent from contacting OpenAM
SSL trust issues: agent's JVM does not trust the certificate of OpenAM's container (only problem if you've installed the agent by providing OpenAM's HTTPS URL and the certificate is self-signed or just simply not trusted by the JVM)
