Develop Reference

WSO2 disabling port redirect from 9763 to 9443

I have a single instance deployment of WSO2 and now I want to be able to access the carbon management services like publisher/store etc through http. I have tried the following configurations in catalina-server.xml. I also want to use nginx as reverse proxy through http port for carbon consoles. Please help. I have also tried editing the axis2.xml to add port mappings for nginx 80 and 443 port. Currently when i run carbon console through 9763 it gets redirected to 9443 and after adding mappings in axis2.xml it responds as requested url not found for /publisher/..../login.jag
<Server port="8005" shutdown="SHUTDOWN">
<Service className="org.wso2.carbon.tomcat.ext.service.ExtendedStandardService" name="Catalina">
<!--
optional attributes:
proxyPort="80"
-->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9763"
bindOnInit="false"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
URIEncoding="UTF-8"/>
<!--
optional attributes:
proxyPort="443"
Added sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" for poodle vulnerability fix
-->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
bindOnInit="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
enableLookups="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
clientAuth="false"
compression="on"
scheme="https"
secure="true"
SSLEnabled="true"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
keystorePass="wso2carbon"
URIEncoding="UTF-8"/>
<Engine name="Catalina" defaultHost="localhost">
<!--Realm className="org.apache.catalina.realm.MemoryRealm" pathname="${carbon.home}/repository/conf/tomcat/tomcat-users.xml"/-->
<Realm className="org.wso2.carbon.tomcat.ext.realms.CarbonTomcatRealm"/>
<Host name="localhost" unpackWARs="true" deployOnStartup="false" autoDeploy="false"
appBase="${carbon.home}/repository/deployment/server/webapps/">
<Valve className="org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve"/>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${carbon.home}/repository/logs"
prefix="http_access_" suffix=".log"
pattern="combined"/>
<Valve className="org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve" threshold="600"/>
<Valve className="org.wso2.carbon.tomcat.ext.valves.CompositeValve"/>
</Host>
</Engine>
</Service>

Uncomment the following line in carbon.xml.
<EnableHTTPAdminConsole>true</EnableHTTPAdminConsole>
Please note this is not recommended in production environments.

Service Fabric with nginx and .NET core services

I'm setting up a Service Fabric application which contains:
an Nginx instance as frontend (single instance, port 80)
some applications written with Asp.net core (1 website, some API services) (multiple instances, dynamic port)
a Gateway service for address resolution (single instance, port 8081)
For nginx, I'm using a solution available as Nuget package.
The gateway and, in general, the example to run .NET core app have been taken here
It is suggested by the .NET core team itself to host applications behind a real web server liken nginx.
Therefore I'd like to deploy my Service Fabric application with an instance of nginx as entry point, which redirects to the Gateway service, which will do the service resolution for the replicated stateless services.
My question is about the address that I need to use in the nginx.conf to point to the Gateway address. While trying locally, I can use the local address 127.0.0.1 and it works as expected, but what happens if on a real cluster my Nginx and Gateway instances are deployed to different machines?
This is my application manifest:
<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="SFApplicationType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
<Parameters>
<Parameter Name="NginxPoC_InstanceCount" DefaultValue="1" />
<Parameter Name="Gateway_InstanceCount" DefaultValue="1" />
</Parameters>
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="NginxPoCPkg" ServiceManifestVersion="1.0.0" />
<Policies>
<RunAsPolicy CodePackageRef="Code" UserRef="Admin" EntryPointType="All" />
</Policies>
</ServiceManifestImport>
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="Gateway" ServiceManifestVersion="1.0.0" />
</ServiceManifestImport>
<DefaultServices>
<Service Name="NginxPoC">
<StatelessService ServiceTypeName="NginxPoCType" InstanceCount="[NginxPoC_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
<Service Name="Gateway">
<StatelessService ServiceTypeName="GatewayType" InstanceCount="[Gateway_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
</DefaultServices>
<Principals>
<Users>
<User Name="Admin">
<MemberOf>
<SystemGroup Name="Administrators" />
</MemberOf>
</User>
</Users>
</Principals>
</ApplicationManifest>
and this is my current nginx.conf file:
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://127.0.0.1:8081;
}
}
Update 2016-10-09
As requested in the discussion, I've created a test project here. Every contribute to the project is welcome.

f you deploy the nginx and gateway service to all nodes (InstanceCount = -1) you should be good. If the gateway service is down on one node, you would of course not be able to forward the request from nginx to a gateway service on another node. For this, you need the nginx service to look-up the gateway service.
You can get the service endpoint address for the gateway using a REST call: https://msdn.microsoft.com/en-us/library/azure/dn707638.aspx

"The remote certificate is invalid according to the validation procedure"

This has been asked before but I am completely stuck and nothing so far has worked for me that has been listed in other questions. While this refers to Identity Server I think i have missed something in setting SSL up.
I have setup as follows (this is with IIS express not full IIS):
Identity Server app: auth.testhost.com:44373/core
Web API service: https://localhost:44356/
I get the error in the title on the line:
app.UseIdentityServerBearerTokenAuthentication(options);
This is basically requesting some open configuration options from the server at auth.testhost.com:44373/core/.well-known/openid-configuration.
My options are:
Authority = "https://auth.testhost.com:44373/core",
RequiredScopes = new List<string>() { "api" }
In some examples I see a client id and secret, but they are not available in the options for me: is this a problem?
If you need to see any identity server options please say and I'll post.
I ran the following command to create a cert:
makecert.exe -r -pe -n "CN=auth.testhost.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048
This generated the certificate, which I then exported to Trusted Root Certification Authorities.
From what I can tell, the SSL port bindings should be handled by Visual Studio as I am using IIS Express. Below are the bindings it has:
<site name="Authenticator_V2" id="2">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="c:\users\user\documents\visual studio 2015\Projects\Authenticator_V2\Authenticator_V2" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:49755:localhost" />
<binding protocol="https" bindingInformation="*:44373:localhost" />
<binding protocol="https" bindingInformation="*:44373:auth.testhost.com" />
</bindings>
</site>
<site name="APIClient2" id="7">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\Users\user\documents\visual studio 2015\Projects\Authenticator_V2\APIClient2" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:53812:localhost" />
<binding protocol="https" bindingInformation="*:44356:localhost" />
</bindings>
</site>
This is my hosts file:
127.0.0.1 localhost
127.0.0.1 hybrid.testhost.com
127.0.0.1 auth.testhost.com
When I go to https://auth.testhost.com:44373/ I still have a red line through my protocol. I assume this means something has not been configured correctly still. I am using Chrome and clicking on the certificate gives:
"Your connection to this site is not private."
Details:
SHA-1 Certificate
The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.
View certificate
Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
I looked at the ERR_CERT_COMMON_NAME_INVALID error and it seems that is a chrome bug. However my error is being thrown from the web services server trying to connect to the authentication server so I think I can ignore this one???
I also ran netsh to check there was a cert binding set up:
netsh http show sslcert ipport=0.0.0.0:44373
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:44373
Certificate Hash : HAS ODD HASH - REMOVED
Application ID : {HAS GUID - REMOVED}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
At this point a noticed this hash is not the right one for my certificate. It is for the IIS Express localhost. I found this link: IdentityServer: The remote certificate is invalid according to the validation procedure and copied the steps to move the localhost certificate into the Trusted Root Certification Authorities but unfortunately I still have the error. I now am not sure what else to do.
Scope Configuration:
new Scope
{
Name = "api",
DisplayName = "Can call API",
Enabled = true,
Type = ScopeType.Resource
//ScopeSecrets = new List<Secret> { }
}
All my clients have this scope.
Thanks

This issue was fixed by upgrading all but IdentityModel.Jwt to latest versions, which gave the options to set the Certificate and Issuer Name on the bearer options. Both of these were required to be set for the error to go away

Https not working JBoss AS 7.0.2

I am trying to load SSL certificate to one of our site. We are using JBoss AS 7.0.2 for our application on Ubuntu Server 12.04, it's running successfully on http while on https it's not responding. Server is starting successfully without any exception. Kindly suggest the steps to debug this problem.
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="true" secure="true">
<ssl password="******" certificate-key-file="/mnt/jboss/******" verify-client="false" certificate-file="/mnt/jboss/********.key"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>

Configuring IIS Express to use default ports for http and https for debugging

I have followed scot's article on how to enable default ports (80 and 443) for http and https respectively. I have followed each step to the letter and in the end IIS express sytem tray shows me that site is running on following urls
Only thing i have done differently is to use netsh>advfirewall>firewall context because it was telling me that netsh firewall is deprecated. I used following command to allow port 80 through firewall
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
Here is the relevant site section from applicationhost.config file of IIS Express
<site name="SSLTest" id="4">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="G:\Adeel\SSLTest\SSLTest" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:51518:localhost" />
<binding protocol="https" bindingInformation="*:44301:localhost" />
<binding protocol="http" bindingInformation="*:80:mhlabs" />
<binding protocol="https" bindingInformation="*:443:mhlabs" />
</bindings>
</site>
Edit: The problem is that when i browse to http:/mhlabs or https:/mhlabs it does not work. I get not found page of the browser. how can i get around that.
Edit2: Ok, as a first step, i would like to forget ssl and just reserve a url for test-one on port 80 and run my site on this url. The logical steps that come to mind is that i reserve a url using netsh http add urlacl url=http://test-one:80/ user=everyone and add this entry in bindings section of applicationhost.config file. i also allowed port 80 through firewall but the whole thing does not seem to work for me. Any ideas?

Are you starting iis express from command line or using WebMatrix?
If you are not starting it from command line, try following steps and see if there are any binding errors.
start command prompt, goto iis express installation folder '%programfiles%\iis express'
run following command
iisexpress.exe /site:SSLTest
If there are any bindings registration failure, you would see some error message.
If there is any error for 'mhlabs' binding registration, make sure your URL reservation is correct. URL reservation command should like below
netsh http add urlacl url=http://mhlabs:80/ user=everyone