How to change secured="true" in identity.xml? - wso2

I want to change secured="true" in the following line in identity.xml:
<Resource context="(.*)/authenticationendpoint(.*)" secured="false" http-method="all"/>
I added the following config to deployment.toml, then restarted WSO2 IS:
[resource.access_control]
context="(.*)/authenticationendpoint(.*)"
secured="true"
http-method="all"
But the result is FAIL.
Could you tell me what I need to add to deployment.toml?
Thanks
henry

You can change a configuration via deployment.toml only if that config is templated in the particular .j2 file.
If you go to the
<IS-HOME>/repository/resources/conf/templates/repository/conf/identity/identity.xml.j2 file and check the line
<Resource context="(.*)/authenticationendpoint(.*)" secured="false" http-method="all"/>
it is hardcoded in the .j2 file as well. So you won't be able to set secured="true" on this line by adding a config to deployment.toml.
The change can only be done by changing the identity.xml.j2 file.
Also note that it's not recommended to change the .j2 file when the configs are not templated, because that is the default behavior and only deployment.toml will be looked at for config changes.
An alternative option is:
Apply resource access control in deployment.toml with a different context that matches the API path (not exactly the context="(.*)/authenticationendpoint(.*)" but a regex matching the endpoint) under [[resource.access_control]]. The added config will be reflected in the identity.xml file at the beginning of the resource access controls. The first context match is the one applied for an endpoint's access control.
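To see why the order of the resource entries matters, here is an added simulation of the first-match rule the answer describes (my code, not WSO2's; the login.do context, the use of a full-string regex match and the assumption that unmatched paths are unsecured are illustrative choices):

```python
import re
from dataclasses import dataclass

# Simplified model of identity.xml <Resource> access control (added example,
# not WSO2 code): rules are evaluated in file order and the first rule whose
# context regex matches the request path decides whether authentication is
# required. Whether WSO2 uses a full or partial regex match is an assumption.

@dataclass
class Resource:
    context: str      # regex, as in the context="..." attribute
    secured: bool     # secured="true" means authentication is required
    http_method: str  # "all" or a specific method such as "GET"

def first_match(rules, path, method="GET"):
    """Return the first rule matching the path and method, or None."""
    for rule in rules:
        if rule.http_method.lower() not in ("all", method.lower()):
            continue
        if re.fullmatch(rule.context, path):
            return rule
    return None

def is_secured(rules, path, method="GET"):
    rule = first_match(rules, path, method)
    return rule.secured if rule else False  # unmatched -> unsecured (assumption)

# Default rule as hardcoded in identity.xml.j2 (quoted in the question).
DEFAULT_RULES = [Resource(r"(.*)/authenticationendpoint(.*)", False, "all")]

# A rule added via [[resource.access_control]] in deployment.toml is placed at
# the beginning of the list, so a narrower context there wins over the default.
# The login.do context is a constructed illustration, not a recommended rule.
ADDED_RULE = Resource(r"(.*)/authenticationendpoint/login\.do", True, "all")
EFFECTIVE_RULES = [ADDED_RULE] + DEFAULT_RULES

if __name__ == "__main__":
    for p in ("/authenticationendpoint/login.do", "/authenticationendpoint/retry.do"):
        print(p, "secured" if is_secured(EFFECTIVE_RULES, p) else "not secured")
```

Putting the same added rule after the default one instead has no effect, because the broad default context already matches every path under authenticationendpoint.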

Related

Cloud SQL Proxy -credential-file flag is not working. It always says not defined hence no file was found

I placed my service account key file into the same directory where I execute the cloud sql proxy client from. When starting with the following
cloud_sql_proxy -instances=game:europe-west4:world-alpha=tcp:3306 -credential-file=proxy_key.json
the CLI says:
flag provided but not defined: -credential-file
I don't understand what the problem is. What is the convention for pointing to the key file? I also tried ./proxy_key.json but that didn't work either.
The flag is misspelled.
Use -credential_file instead of -credential-file.

WSO2 vault-lookup XPath expression returns Empty/Blank

When I do a simple expression like wso2:vault-lookup('my-token') it returns empty, but I do have my-token present in the vault.
Has anyone encountered this problem before? Any possible workaround that you can suggest?
EI version 6.2.0
Can you try the following approach?
Run the ciphertool.sh with the following command.
bin/ciphertool.sh -Dorg.wso2.CipherTransformation=RSA/ECB/OAEPwithSHA1andMGF1Padding
Enter the plain text value which you need to encrypt and copy the encrypted value.
Navigate to the carbon console and expand the registry browse section.
Go to the following path.
/_system/config/repository/components/secure-vault
Above is the location where the registry holds the secure vault properties and the values.
Inside the secure vault, create a new property with a name and paste the encrypted value which you acquired from the initial step.
Try to get the property from the mediation sequence.
wso2:vault-lookup('prop-name')
Since you have confirmed that this is working as expected in the vanilla version of the EI server, can you compare the configurations available in the secret-conf.properties file located in the [EI_HOME]/conf/security directory of the existing server and of the vanilla pack (in which this is working).

How to specify the GCP Credential Location in application.properties file (for using the Pub/Sub in GCP)?

This seems straightforward: pass the Service Account key file (generated from the GCP console) by specifying the file location in the application.properties file. However, I tried all of the following options:
1. spring.cloud.gcp.credentials.location=file:/home/my_user_id/mp6key.json
2. spring.cloud.gcp.credentials.location=file:src/main/resources/mp6key.json
3. spring.cloud.gcp.credentials.location=file:./main/resources/mp6key.json
4. spring.cloud.gcp.credentials.location=file:/src/main/resources/mp6key.json
They all ended with the same error:
java.io.FileNotFoundException: /home/my_user_id/mp6key.json (No such file or directory)
Could anyone advise where I should put the key file and then how should I specify the path to the file properly?
The same programs run successfully in Eclipse, with messages published and subscribed using Pub/Sub processing from GCP (using the Project Id/Service Account key generated in GCP), but now I am stuck with the above issue after deploying to run on GCP.
As mentioned in the official documentation, the credentials file can be loaded from a number of different locations such as the file system, classpath, URL, etc.
For example, if the service account key file is stored in the classpath as src/main/resources/key.json, pass the following property:
spring.cloud.gcp.credentials.location=classpath:key.json
If the key file is stored somewhere else in your local file system, use the file prefix in the property value:
spring.cloud.gcp.credentials.location=file:<path to key file>
My line looks like this:
spring.cloud.gcp.credentials.location=file:src/main/resources/[my_json_file]
And this works.
The following also works if I put it in the root of the project directory:
spring.cloud.gcp.credentials.location=file:./[my_json_file]
Have you tried following this quickstart? Please try to follow it carefully and explain if you get any error finishing the quickstart.
Anyway, before running your Java script, try running the following on the console (please modify it with the exact path where you store your key):
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/mp6key.json"
How are you authenticating your credentials in your Java script?
My answer is easy: if you run your code on GCP, you don't have to use a service account key file. Problem eliminated, problem solved!
More seriously, have a look at service identity. I don't know what your current service is (Compute? Function? Cloud Run?). Anyway, you can attach a service account to any GCP component. Then, in your code, simply use the default credential. The component identity is loaded automatically. No key to manage, no key to store securely, no key to rotate!
If you provide more detail on your target platform, I could give you some guidance to achieve this.
Keep in mind that service account key files are designed to be used by automated apps (without a user account involved) hosted outside GCP (on-prem, another cloud provider, a CI/CD, Apigee, ...)
UPDATE
When you use your personal account, you can also use the default credential.
Install gcloud SDK on your computer
Use the command gcloud auth application-default login
Follow the instructions
Enjoy!
If it doesn't work, take the <path> displayed after the login command and set this value in the environment variable named GOOGLE_APPLICATION_CREDENTIALS.
If you definitely want to use a service account key file (which is a security issue for the reason above, but...), you can use it locally:
Either set the JSON key file path in the GOOGLE_APPLICATION_CREDENTIALS environment variable
Or run this command: gcloud auth activate-service-account --key-file=<path to your json key file>
Provided your file is in the resources folder, try
file://mp6key.json
Using file:// instead of file:/ works for me, at least.
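To make the difference between the file: and classpath: answers concrete, here is an added, simplified model of how a Spring location string is resolved (my model, not Spring's or Google's code); the working directories, file sets and classpath contents are constructed. It shows why a relative file: path that works from the IDE can disappear once the app is packaged and run elsewhere, while classpath: keeps working.

```python
import posixpath

# Simplified model of spring.cloud.gcp.credentials.location resolution (added
# example, not Spring code). Two prefixes appear in the answers above:
#   classpath:key.json         -> looked up inside the packaged resources
#   file:/abs/path, file:rel   -> a file URL; a relative path is resolved
#                                 against the process working directory.

def resolve_location(location, cwd, files, classpath_entries):
    """Return (source, resolved_path, found) for a Spring-style location."""
    if location.startswith("classpath:"):
        name = location[len("classpath:"):]
        return ("classpath", name, name in classpath_entries)
    if location.startswith("file:"):
        path = location[len("file:"):]
        if not path.startswith("/"):
            path = posixpath.normpath(posixpath.join(cwd, path))
        return ("file", path, path in files)
    raise ValueError("unsupported location prefix: " + location)

# Constructed developer machine: the project tree exists and the IDE runs the
# app with the project root as working directory.
DEV_CWD = "/home/dev/project"
DEV_FILES = {"/home/dev/project/src/main/resources/mp6key.json"}
DEV_CP = {"mp6key.json"}

# Constructed deployment: only the packaged jar is present, the src tree is
# gone and the process runs from /app, so the relative file: path no longer exists.
PROD_CWD = "/app"
PROD_FILES = {"/app/app.jar"}
PROD_CP = {"mp6key.json"}

if __name__ == "__main__":
    for loc in ("file:src/main/resources/mp6key.json", "classpath:mp6key.json"):
        print("dev ", loc, resolve_location(loc, DEV_CWD, DEV_FILES, DEV_CP))
        print("prod", loc, resolve_location(loc, PROD_CWD, PROD_FILES, PROD_CP))
```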

Cannot add file to AWS S3 bucket using Postman

I am trying to add a file to an S3 bucket in my AWS account using Postman. See the screenshot below.
I pass Host in the header as divyesh.vkinds.com.s3.amazonaws.com, where divyesh.vkinds.com is my bucket name, and in Body I am giving the file index.html as the file type, like the image below.
But it is giving me the error: The provided 'x-amz-content-sha256' header does not match what was computed.
I searched for it but can't find anything.
Please check the content headers. Add Content-Type as text/plain and the date in this format: XX-XX-XXXX
I have also faced the same problem. The issue was that Postman does not calculate the SHA. It defaults to the SHA of the empty string, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
So in the Postman headers, add an explicit key x-amz-content-sha256. Calculate the SHA256 of your file using a sha command and provide it as the value. The command below works on Linux flavors:
shasum -a 256 index.html
A couple of other observations on the question.
You can change the Body to binary and choose the file you want to upload.
Provide the complete path including the file name in the upload URL. E.g. if you provide the URL as <your bucket name>.s3.<region>.amazonaws.com/test/index.html, the file will be copied to the test directory in the bucket with the name index.html
I encountered this situation recently, and the issue was that I was copying an active log file which changed between when my side calculated the hash and when the file was actually uploaded. My solution was to copy the file to a temporary location, then upload that stable file.
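Added example (not from any of the answers above) showing what the x-amz-content-sha256 header must contain: the hex SHA-256 of the exact bytes sent, which is also what shasum -a 256 prints. It reproduces both failure causes named in the answers, a header that is the empty-body hash and a body that changed after it was hashed; the HTML bodies are constructed.

```python
import hashlib

# Hex SHA-256 of an empty payload, the value Postman sends by default (from the
# answer above) when it does not hash the body itself.
EMPTY_BODY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

def content_sha256(body: bytes) -> str:
    """Hex SHA-256 of the request payload, the x-amz-content-sha256 value."""
    return hashlib.sha256(body).hexdigest()

def header_matches(claimed: str, body: bytes) -> bool:
    """True when the header value equals what S3 computes from the body it receives."""
    return claimed.lower() == content_sha256(body)

def diagnose(claimed: str, body: bytes) -> str:
    """Classify a mismatch into the causes discussed in the answers."""
    if header_matches(claimed, body):
        return "ok"
    if claimed.lower() == EMPTY_BODY_SHA256 and body:
        return "header is the empty-body hash: the client hashed nothing (Postman default)"
    return "body changed after hashing, or a different file was hashed"

# Constructed sample: an index.html as hashed, and the same file after a write
# (the active-log-file case in the last answer).
ORIGINAL = b"<html><body>hello</body></html>\n"
MODIFIED = ORIGINAL + b"<!-- line appended after the hash was taken -->\n"

if __name__ == "__main__":
    digest = content_sha256(ORIGINAL)   # same value as: shasum -a 256 index.html
    print(digest)
    print(diagnose(digest, ORIGINAL))
    print(diagnose(EMPTY_BODY_SHA256, ORIGINAL))
    print(diagnose(digest, MODIFIED))
```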

wso2: Encrypting ConnectionPassword property for secondary userstore

I am new to WSO2 so hopefully I am not missing something obvious, but we are trying to successfully encrypt the connection password for a secondary user store (\repository\deployment\server\userstores\domain.xml) and have it remain usable.
We have used the cipher tool for all our other secret information and have no issues. I have also used cipher-tool.properties to set up a reference to the secondary user store file and got the connection password encrypted by running ciphertool.bat -Dconfigure.
At that point I restart the service, and viewing the logs I receive the following error, and none of my secondary user store users are available.
AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0
I have double checked that the value I am encrypting is in fact correct. As soon as I change it back to the clear text password it works again.
Do I have to create a custom UserStoreManager in order to achieve this?
Please try setting the alias of the property as "UserStoreManager.Property.ConnectionPassword" both in cipher-tool.properties and cipher-text.properties files.
In cipher-tool.properties
UserStoreManager.Property.ConnectionPassword=../../deployment/server/userstores/prudential.xml//UserStoreManager/Property[@name='ConnectionPassword'],true
In cipher-text.properties
UserStoreManager.Property.ConnectionPassword=[your password]
Run the cipher tool again with -Dconfigure and check.
The cipher tool cannot be used to encrypt Secondary User Store connection passwords. Instead, If you are manually adding a Secondary User Store Configuration file to
<Product_Home>/repository/deployment/server/userstores
directory, you can use the following steps to easily encrypt it.
Step 1 :
Create the secondary user store configuration XML file and remove the "encrypted" attribute present in the relevant property for the connection password, as follows. Note that the password is in plain text.
<Property name="ConnectionPassword">admin</Property>
Step 2 :
Now rename the xml file to have a file extension of .enc as shown below.
If the name of the xml file is xyz_com.xml, rename it to
xyz_com.enc
Step 3 :
Drop the .enc file into the /repository/deployment/server/userstores directory. Remember to create the "userstores" directory if it is not present.
That is all you have to do. Now you can see that the dropped file has been renamed to an XML file automatically, and when you check the file contents, the "ConnectionPassword" property has been encrypted as shown below. Note the attribute encrypted="true" added to the property automatically.
<Property name="ConnectionPassword" encrypted="true">eyJjIjoiTUlETUFuNEJIdjUweWNFeWQ5UThjNGx1ZTExa0NOLzJZbVExTWI3d3djRkZBUnplWmVHSXdzdFNwMTlQdmtjYjdZWHhFejdtOTJhbFFONTRKT3lIczcwNnl1WW9VaHh4d1Zmci9IL3ExWUlOOVowNERvbEZ0aExiNWRnQkhkU3luUWtxVElBc3Jydys5eEVUV1RvU3MyTTgrS0xlWkhtZW12dE1BZFRoTXVIUm9ndEJnWmVvaUxxNDAxQjk1dDgrOUd1eHN0RXE5N0R3TndwZmRlWnpnRk1VMnBEWmthMGFLckdhcTAxTlpLK1kxdG1YMWFhSlJyOGtXMlpRQW1pUm1UV1lZR0g1ZGg1OVNuV21tTzgrMW9lSFJMUU02RjdKT1dSd21xclhWdTg5aTByYWtqMk41cnJ4WGgvaGRmbVk4cmg3VkkwZkJ4M3E1eEN3YjdYRlJnXHUwMDNkXHUwMDNkIiwidCI6IlJTQS9FQ0IvT0FFUHdpdGhTSEExYW5kTUdGMVBhZGRpbmciLCJ0cCI6IjUwMUZDMTQzMkQ4NzE1NURDNDMxMzgyQUVCODQzRUQ1NThBRDYxQjEiLCJ0cGQiOiJTSEEtMSJ9</Property>
You don’t need to restart the server for these changes to be reflected. The file gets hot deployed.
You can find more information regarding encrypting Secondary User Store passwords from this article.
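The encrypted value shown above is base64 text that decodes to a small JSON envelope (WSO2's self-contained ciphertext format: c is the base64 RSA ciphertext, t the transformation, tp the thumbprint of the keystore certificate that encrypted it, tpd the thumbprint digest algorithm). Here is an added parser for that envelope, not WSO2's code, that lets an operator confirm which key and transformation a deployed value was encrypted with, without decrypting anything; the sample envelope and thumbprint are constructed placeholders.

```python
import base64
import json

EXPECTED_TRANSFORMATION = "RSA/ECB/OAEPwithSHA1andMGF1Padding"  # as on the page

def parse_envelope(value: str) -> dict:
    """Decode a self-contained ciphertext value into its fields c, t, tp, tpd."""
    raw = base64.b64decode(value, validate=True)
    env = json.loads(raw)  # also turns Gson's \u003d escapes inside "c" back into '='
    missing = {"c", "t", "tp", "tpd"} - set(env)
    if missing:
        raise ValueError(f"not a self-contained ciphertext, missing {sorted(missing)}")
    return env

def check_envelope(value: str, expected_thumbprint: str,
                   expected_transformation: str = EXPECTED_TRANSFORMATION) -> list:
    """Return the problems found; an empty list means the value was encrypted
    with the expected keystore certificate and transformation."""
    env = parse_envelope(value)
    problems = []
    if env["t"] != expected_transformation:
        problems.append(f"transformation {env['t']} != {expected_transformation}")
    if env["tp"].upper() != expected_thumbprint.upper():
        problems.append("encrypted with a different certificate than the one expected")
    try:
        base64.b64decode(env["c"], validate=True)
    except ValueError:
        problems.append("ciphertext field is not valid base64")
    return problems

# Constructed sample: a fake ciphertext and a placeholder thumbprint. Gson writes
# the '=' padding inside "c" as \u003d, which the value on the page also shows.
PLACEHOLDER_THUMBPRINT = "0000000000000000000000000000000000000000"
C_SAMPLE = base64.b64encode(b"not-a-real-rsa-ciphertext").decode()  # ends in "=="
SAMPLE = base64.b64encode(json.dumps({
    "c": C_SAMPLE, "t": EXPECTED_TRANSFORMATION,
    "tp": PLACEHOLDER_THUMBPRINT, "tpd": "SHA-1",
}).replace("=", "\\u003d").encode()).decode()

if __name__ == "__main__":
    env = parse_envelope(SAMPLE)
    print(env["t"], env["tp"], env["tpd"])
    print(check_envelope(SAMPLE, PLACEHOLDER_THUMBPRINT))  # []
```

Comparing tp against the thumbprint of the certificate actually in the server keystore is the quick way to tell an "encrypted with the wrong keystore" value from a wrong password.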