Having trouble with api-manager recently did an installation with identity and api-manager and once in while api-manager locks up and we have to do a complete restart. When looking at the logs you can see this error but when checking the published apis it seems the outh tokens are valid, am I looking at the wrong location.
Related
There is an API hosted in WSO2 APIM 4.1.0 and there are two different App subscribed to that API.
Before Unsubscribe:
I just unsubscribed one of App to delete the API subscription by follows wso2 doc
After Unsubscribe:
After unsubscribed , I can able to invoke WSO2 API by using unsubscribed Application token
It should now allow that unsubscribed app to invoke API. OR correct me if my understanding is wrong.
Postman :
Note: In above API Hit, I passed unsubscribed APP token as Authorization
In your case, you should not be able to invoke the API without a proper subscriptions. Although the token is valid, you should get a 403 HTTP code saying subscription validation has failed.
You can check whether the events are propagated successfully to your gateway node from the control plane node. This is basically when you have a distributed setup. If you have a HA setup, verify both nodes are working properly when it comes to event distribution.
Are you using the GA release of APIM 4.1.0? If so, this could be a bug in that was fixed later through U2 updates. When an application subscription is deleted, any API invocations done using the tokens of that application should fail due subscription validation with an error similar to the one below with a 403 HTTP code.
{"code":"900908","message":"Resource forbidden ","description":"User is NOT authorized to access the Resource. API Subscription validation failed."}
If you have a paid WSO2 subsciption, please try this scenario by taking the latest U2 updated/patched version of APIM 4.1.0 by referring this.
I tried the GA APIM 4.1.0 and this usecase worked as expected. Shall we verify the subscription delete event flow in the API gateway by enabling debug logs for gateway and keymanagement components?
Add the following configurations in the <APIM_HOME>/repository/logs/log4j2.properties
logger.gateway-component.name = org.wso2.carbon.apimgt.gateway
logger.gateway-component.level = DEBUG
logger.keymgt-component.name = org.wso2.carbon.apimgt.keymgt
logger.keymgt-component.level = DEBUG
make sure to add the newly created loggers as below.
loggers = gateway-component,keymgt-component, AUDIT_LOG, trace-messages, org-apache-coyote, ....
With these, subscribe and unsubscribe events should be displayed in the terminal. You can use them to verify the event flow.
We're in the process of configuring our suite of WSO2 products in a development environment and we're having a hard time wrapping our heads around IS Key Manager.
What we're going for is an Identity Server (already configured) with an OAuth Service Provider that an external web page can log into. This is already complete, we can get our token through IS just fine.
We now want to take the same token, and pass it to API Manager, and have API Manager understand the token, and the roles within, and approve or deny the API request.
Further in, we want to pass the token to Enterprise Integrator (which API Manager calls) and get info from the token (user info, claims) within a sequence.
IS is configured and working in it's isolated way (tokens generated from it aren't being accepted by APIM). APIM is configured in that it is pointing to an EI API.
EI is only configured in that it has an API with sequences that do stuff.
I've read through these:
https://docs.wso2.com/display/AM260/Key+Concepts#KeyConcepts-KeyManager
https://docs.wso2.com/display/AM210/Configuring+WSO2+Identity+Server+as+a+Key+Manager
They suggest a separate Key Manager that all can speak to. Makes sense. But the Key Manager when downloaded is an APIM instance? And looking deeper into the documentation it seems like this Key Manager is meant to REPLACE the traditional Identity Server, which doesn't support our use case (we need a separate Identity Server that can federate freely with others).
I assume I'm not understanding something about the Key Manager configuration properly.
In short:
IS needs to have an OAuth service provider to login to. Once the token is generated there, it will be sent to an APIM endpoint. APIM should understand the roles, and authorize it through. EI should then receive the token from APIM and then also understand the roles and authorize it through.
How can I accomplish this?
I would assume you got to the page where "API Manager" download page. Then you got the download pack named "wso2am-2.6.0.zip"?
There is a link on the same download page under "Other Resources" -> "Identity Server as a Key Manager Pack". You can get the "wso2is-km-5.7.0.zip".
This is almost same as "wso2is-5.7.0.zip", except very few config modification. You could use almost all the IS features in the same way.
I am currently evaluating WSO2 IS for authentication for APIM. Basically, the APIM login, authentication and token generation should happen through WSO2 IS.
I have read through many documentation which are present in wso2 sites but could not getting through it.
I am using IS as version 5.7.0 and APIM as version 2.5.0
If some one could help me in getting the proper documentation link which has step by steps process, it could be of great support.
However, I have gone through the below links
Here's [link1] (https://docs.wso2.com/display/CLUSTER44x/Configuring+the+Identity+Server+5.2.0+as+a+Key+Manager+with+API+Manager+2.0.0#)
and
Here's [link2] https://docs.wso2.com/display/CLUSTER420/Configuring+the+Identity+Server+5.0.0+with+API+Manager+1.9.1
As updated earlier, now I have integrated IS with IAM but when I am trying to fetch the application subscription token from store, I am getting below error
ERROR - AbstractKeyManager Can not retrieve OAuth application for the given consumer key : xxxxxxxxxxxxxxxxxxxx
org.apache.axis2.AxisFault: The service cannot be found for the endpoint reference (EPR) https://localhost:9445/services/APIKeyMgtSubscriberService
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:381)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:456)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
Can someone please check and let me know how this can be avoided. Do i have to update the Hostname anywhere?
Thanks
Refer this doc - https://docs.wso2.com/display/AM250/Configuring+WSO2+Identity+Server+as+a+Key+Manager. It contains the steps to configure IS as Key manager for APIM
I'm using wso2am 2.0.0 and trying to configure SSO for access to the store and publisher application.
I'm not using wso2 IS but just configured the api manager directly to my IdP server(I have edited the site.json file to with my IdP setting)
I'm getting this exception after being authenticated to my IdP:
SAML Response contains invalid number of assertions. {org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject}
It look like my SAML response isn't correct but i'm unable to find why?
There was no problem with my SAML response .
The problem was caused by a difference between my IdP server and the api manager timezone (they are deployed in two different environment), so the exception is thrown when comparing the current time in the gateway with the NotBefore/NotOnOrAfter
So may be a more significant error message could help
You can use an online SAML Response decoders like this and see what's wrong with you SAML response.
Another option is to use SAML Tracer in firefox.
How to integrate WSO2 am 1.10.0 with PingFederate SAML 2.0? Any instructions?
From WSO2 web site, I only saw docs on how to set up SSO among WSO2 products: https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 . But I did not see documentation on how to enable WSO2 AM 1.10.0 with external identity providers such as PingFederate via SAML2.
Any help is appreciated.
*** UPDATE:
I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 - just assuming WSO2 IS as PingIdentity. For the mojority part it's working, but I cannot generate keys when subscribing to an API. It says "invalid credentials" even if I have logged into applications and subscriptions and can create applications from /store UI.
I can confirm that this can be done without adding a separate wso2 IS server into the picture. I fixed several issues (Cannot generate keys, cannot publish APIs, etc..) by: What I did to fix the issue was to 1) add admin user inside ApiKeyValidaor in api-manager.xml also into admin user via management console and into user-mgt.xml; 2) Inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to: https://[FQDN_OF_HOST}:${mgt.transport.https.port}${carbon.context}/services/
Reason is my server certificate only recorded the domain name, not ip address.
The solution was also mentioned here: wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
Basically, you can do this by adding PingFederate as an IDP in WSO2 AM and configuring federated SAML SSO configurations. An example of how to achieve this with Shibboleth is given in [1]. You can follow the same steps to do any configurations according to your requirement.
Refer [2] for configuring SAML SSO Federated authenticator in general
[1] https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider
[2] https://docs.wso2.com/display/IS510/Configuring+SAML+2.0+Web+SSO