I am uisng wso2 api manager 1.8 i change the webroot context in carbon.xml
from / to /test
I am able to access the Carbon with the url XXX:9443/test/carbon
but when i tried to access XXX:9443/store or xxx:9443/publisher it is rediredting to carbon url. can any one please help me on this
You need to change context in the the site.json of store and publisher also.
In API store edit wso2am-1.8.0/repository/deployment/server/jaggeryapps/store/site/conf/site.json file
"context" :"with you context"
In API publisher edit wso2am-1.8.0/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json file
"context" :"with you context"
Related
why wso2 api manager 3.2.0 analytics redirect automatically from
https://172.24.64.115:9643/analytics-dashboard/
to
https://localhost:9443/authenticationendpoint/oauth2_error.do?oauthErrorCode=invalid_callback&oauthErrorMsg=Registered+callback+does+not+match+with+the+provided+url.
Also following exception :
Registered callback does not match with the provided url Error
dashboard config :
## Authentication configuration
auth.configs:
type: apim
ssoEnabled: true
properties:
adminScope: apim_analytics:admin_carbon.super
allScopes: apim_analytics:admin openid apim:api_view apim:subscribe apim_analytics:monitoring_dashboard:own apim_analytics:monitoring_dashboard:edit apim_analytics:monitoring_dashboard:view apim_analytics:business_analytics:own apim_analytics:business_analytics:edit apim_analytics:business_analytics:view apim_analytics:api_analytics:own apim_analytics:api_analytics:edit apim_analytics:api_analytics:view apim_analytics:application_analytics:own apim_analytics:application_analytics:edit apim_analytics:application_analytics:view
adminUsername: admin
adminPassword: admin
kmDcrUrl: https://172.24.64.114:9443/client-registration/v0.17/register
kmTokenUrlForRedirection: https://172.24.64.114:9443/oauth2
kmTokenUrl: https://172.24.64.114:9443/oauth2
kmUsername: admin
kmPassword: admin
portalAppContext: analytics-dashboard
businessRulesAppContext : business-rules
cacheTimeout: 30
baseUrl: https://172.24.64.115:9643
grantType: authorization_code
publisherUrl: https://172.24.64.114:9443
devPortalUrl: https://172.24.64.114:9443
externalLogoutUrl: https://172.24.64.114:9443/oidc/logout
The below-mentioned error can happen when the Hostname configured under the baseUrl of the Analytics Dashboard's deployment.yaml is not matching with the Callback URL configured in the API Manager node.
https://localhost:9443/authenticationendpoint/oauth2_error.do?oauthErrorCode=invalid_callback&oauthErrorMsg=Registered+callback+does+not+match+with+the+provided+url.
Perform the following checks and update the Callback URL accordingly to overcome the behavior
Log-in to the API Manager's Carbon Management console with Admin credentials
Go to Service Providers > List > sp_analytics_dashboard and expand the OAuth2/OpenID Configurations and click on Edit
Verify whether the configured Callback URLs are matching with the Hostname and port defined in baseUrl in the deployment.yaml of the Analytics Dashboard. If not, update them.
Once after updating, save the configurations and try the scenario.
I try to use keycloak as the authentication service in my design. In my case, when the keycloak starts, I need one more realm besides default master realm. Assuming the new agency is called "demo".
So it means when keycloak starts, it should have two realms (master and demo).
In addtion, in the realm demo, I need to configure the default client "admin-cli" to enable "Full Scope Allowed". Also need to add some buildin mapper to this client.
In this case, I wonder whether I can use something like initialization file which keycloak can load when starting ?
Or I need to use keycloak client APIs to do this operations (e.g., Java keycloak admin client)?
Thanks in advance.
You can try the following:
Create the Realm;
Set all the options that you want;
Go to Manage > Export;
Switch Export groups and roles to ON;
Switch Export clients to ON;
Export.
That will export a .json file with the configurations.
Then you can tested it be deleting your Demo Realm and:
Go to Add Realm;
Chose the .json file that was exported;
Click Create.
Check if the configurations that you have changed are still presented on the Demo Realm, if there are then it means that you can use this file to import the Realm from. Otherwise, for the options that were not persistent you will have to create them via the Admin Rest API.
I have my wso2 servers up and running..now customer came up with a rewuirement that they need a separate webpage [ofcourse authenitucated] where they can see the status [up/down] and they would like to stop and start wso2 from that page rather than going to wso2 admin console.
Is there any API for getting the status as well as stopping/starting of wso2 ?
My product is wso2 EI
I guess I can invoke the wso2server.bat from Java and achieve is..is this ideal to do that or are there other approaches?
You can use WSO2 admin services to check the server(each node) status, do server restart or put into maintenance mode as well.
This internal admin service is called ServerAdmin and it's running on the servlet port(9443 - https://localhost:9443/services/ServerAdmin ). Below are the few operations available on that service
isAlive
restartGracefully
startMaintenance
endMaintenance
If you want to check the WSDL of this service, you need to change the visibility of admin WSDLs using <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs> configuration in the carbon.xml file.
We are using PingFederate as Service Provider and are using Opentokenadapter.
We are also using mod_pf apache library provided by PingFederate.
Is there any way we can configure "Logout Service (present in OpenToken Adapter )" in the mod_pf configuration? Is there any query parameter for it just like we have for PartnerIdpId, TargetResource etc?
The Apache Integration Kit's mod_pf.conf refers to the /sp/startSLO.ping application endpoint. In that configuration file is where you will configure various bits for the integration... You can review the /sp/startSLO.ping options as listed here:
https://documentation.pingidentity.com/pingfederate/pf81/index.shtml#concept_spServices.html#concept_spServices
The "Logout Service", as defined in the adapter, is where the browser will be sent to for an SLO that will destroy any current session within the SP Application. By spec, that application must return BACK to PingFederate, so that PingFederate can respond back to the IdP with a success/fail. If you plan to support SLO, then this "service" must exist. It's "goal" will be close the session, and redirect back to PingFederate with a success.
OpenAM version -12 , Agent version 3.5 and 3.3 , tomcat version 7
I have tried to follow the link https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-ldap-sso/sso-openam-06052012 to set up my J2EE Agent. Let me paste the steps after asking the question(see at the end)
but I am getting the error as asked below
Not able to configure J2ee agent on adding my customized data store for users
I have tried to use 3.5 version installed and uninstalled multiple times and tried previous version.
There is a nice discussion on this topic at http://database.developer-works.com/article/16009911/%22Cannot+obtain+Application+SSO+token%22+error
but it did not help me much.
I am using LDAP so I have used LDAP realm and subjects are showing up ok. Also I am observing that the policy tab has changed quite a bit from how it is described in the Blogs.
Now with the roadblock I am not sure how to proceed as the error is not giving me any clue what to do. I even added the file named AMConfig.properties in the classpath with username and password of the agent and tried the username and password of the OpenAM admin too as suggested in the discussion mentioned. but that too did not help.
The issue is the Tomcat now is not starting and giving error that AMConfig.properties properties are needed
I know the OpenAM Realm setup is good as I am able to login via this realm to another application (Liferay) where I just have to give the URL for use OpenAM integration. but after uninstallation of the agent the tomcat starts without any error and i am able to login to the application
-------------------Step copied from 1st link(modified)--------------------------
1. Configure your OpenAM agent (tried both 3.5 and 3.3 version on tomcat 7)
a. Log into OpenAM as the admin user and navigate to "Access Control -> (Your Realm) - where in my case LDAP Realm (other application using it without issue)
b. Select Policies -> New Policy
c. Enter Share as the policy name and then create 2 new URL Policy agent rules
d. 1st Resource Name = http://:/share/*
e. 2nd Resource Name = http://alfresco.domain.com:8080/share/*?*
f. Add a subjects - already part of LDAP Realm
g. Now select Agents -> J2EE - > (your J2EE agent)
h. Select the Application tab
i. Login Processing -> Login Form URI - add /share/page/dologin
j. Logout Processing -> Application Logout URL - add Map Key = share - Corresponding Map Value = /share/page/dologout
k. Not Enforced URI Processing - Add 2 entries - /share and /share/
l. Profile Attributes Processing - Select HTTP_HEADER and add Map Key = uid - Corresponding Map Value = SsoUserHeader (This is what I called my header in the alfresco-global.properties file - see below)
Auth chain
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
alfresco.authentication.allowGuestLogin=true
SSO settings
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader
NOTE- It does not seem possible to configure SSO where the Guest login has been disabled. There are webscripts used on the Alfresco repository that need guest login.
That concludes the setup for Alfresco and OpenAM
For Share you need to have the following section uncommented in your share-config-custom.xml
alfresco/web-extension/alfresco-system.p12
pkcs12
alfresco-system
alfrescoCookie
Alfresco Connector
Connects to an Alfresco instance using cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
alfrescoHeader
Alfresco Connector
Connects to an Alfresco instance using header and cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
SsoUserHeader
alfresco
Alfresco - user access
Access to Alfresco Repository WebScripts that require user authentication
alfrescoHeader
http://alfreso.domain.com:8080/alfresco/wcs
user
true
Notice I am not using the SSL cert and in my alfrescoHeader connector I have used SsoUserHeader (as setup in OpenAM) and the endpoint uses the alfrescoHeader connector
Now you need to add the OpenAM filter to the Share web.xml file
Add the following filter just before the Share SSO authentication support filter
Agent
com.sun.identity.agents.filter.AmAgentFilter
Add the following filter mapping to the filter-mapping section
Agent
REQUEST
INCLUDE
FORWARD
ERROR
----- End ----------
The error message is a bit misleading: the Cannot obtain application SSO token in general means that the agent was unable to authenticate itself. When you install the agent, the agent asks for a profile name and a password file, those values need to correspond to the agent profile configured within OpenAM.
To test if you can authenticate as the user, you could simply try to authenticate as the agent by making the following request:
curl -d "username=profilename&password=password&uri=realm=/%26module=Application" http://aldaris.sch.bme.hu:8080/openam/identity/authenticate
In the above command the realm value needs to be the same as the value for the "com.sun.identity.agents.config.organization.name" property defined in OpenSSOAgentBootstrap.properties (under the agent's install directory).
Having bad username/password combination is only one of the possible root causes for this exception though. It is also possible that during startup the agent was unable to connect to OpenAM to authenticate itself. In those cases the problem could be:
network error, firewall issues preventing the agent from contacting OpenAM
SSL trust issues: agent's JVM does not trust the certificate of OpenAM's container (only problem if you've installed the agent by providing OpenAM's HTTPS URL and the certificate is self-signed or just simply not trusted by the JVM)