WSO2 - Unable to start traffic manager in API Manager distributed setup - wso2

I have been trying to set up the WSO2 API Manager in a distributed setup. I have made all the configurations and it started. But when I changed the key store by creating a new key store, the Traffic Manager and other profiles no longer start. I am getting the error below while starting the different profiles of API Manager after setting up the key store.
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
I followed this link - https://apim.docs.wso2.com/en/latest/install-and-setup/setup/security/configuring-keystores/keystore-basics/creating-new-keystores/#adding-ca-signed-certificates-to-keystores for setting up a new key store.
Thanks in advance.

The alias should be wso2carbon; if you change it, you have to change the alias name in the config.
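A quick way to verify the answer above before restarting a profile: the Tomcat error jsse.alias_no_key_entry is raised when the alias named in the TLS configuration is not a PrivateKeyEntry in the keystore, either because the alias does not exist or because only a certificate (trustedCertEntry) was imported under it. The following script is an added example, not WSO2 code; it parses the output of keytool -list (the sample output embedded in it is constructed) and reports whether a given alias can actually serve TLS. The check_keystore function assumes keytool is on PATH.

```python
"""Check that the alias WSO2 is configured to use names a PrivateKeyEntry.

Tomcat's jsse.alias_no_key_entry means the alias in the TLS config is either
absent from the keystore or is only a trustedCertEntry (certificate, no
private key). Added example, not WSO2 code; the keytool output below is
constructed, not captured from a real keystore.
"""
from __future__ import annotations

import re
import subprocess
from typing import Dict, Optional

# Non-verbose `keytool -list` prints one "alias, date, kind," line per entry,
# followed by a fingerprint line that this pattern deliberately does not match.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s*(?P<date>.*?),\s*"
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)


def parse_keytool_list(output: str) -> Dict[str, str]:
    """Map alias -> entry kind. keytool treats aliases case-insensitively."""
    entries: Dict[str, str] = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip().lower()] = m.group("kind")
    return entries


def alias_problem(entries: Dict[str, str], alias: str) -> Optional[str]:
    """Return a human-readable problem, or None when `alias` can serve TLS."""
    kind = entries.get(alias.lower())
    if kind is None:
        return f"alias '{alias}' not in keystore; present: {sorted(entries)}"
    if kind != "PrivateKeyEntry":
        return f"alias '{alias}' is a {kind}, not a PrivateKeyEntry"
    return None


def check_keystore(path: str, storepass: str, alias: str) -> Optional[str]:
    """Run keytool (assumed to be on PATH) against a real keystore and check `alias`."""
    proc = subprocess.run(
        ["keytool", "-list", "-keystore", path, "-storepass", storepass],
        capture_output=True, text=True, check=True,
    )
    return alias_problem(parse_keytool_list(proc.stdout), alias)


# Constructed sample: the default alias was kept, a CA certificate was imported
# as a trusted entry, and a second key pair was generated under a new alias.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

wso2carbon, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
example-ca, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): ...
newkey, Jan 2, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): ...
"""

if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_KEYTOOL_OUTPUT)
    for alias in ("wso2carbon", "newkey", "example-ca", "missing"):
        print(alias, "->", alias_problem(entries, alias) or "OK")
```

If the configured alias reports "not a PrivateKeyEntry", the CA-signed certificate was imported under a new alias instead of being imported as a reply onto the existing key pair; if it reports "not in keystore", the alias in the server configuration and the alias used when generating the key pair do not agree.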

Related

API Publisher and Store not displaying API

My wso2registry was pointing to the wso2carbon datasource, which was configured with an H2 DB. The other DBs were configured with MySQL. I was getting errors that there were some locks on the H2 DB and my wso2 server was not starting up. I changed wso2carbon to point to the MySQL regdb endpoint. The server started after that. Now the APIs created earlier in the publisher console are not visible. The APIs are also not showing up in the store, even though the store says that it is listing some 18 APIs. If I create the APIs again, I get a duplicate error.
I tried to point the wso2carbon datasource back to the same H2 DB, but the publisher and store APIs still do not come up.
Is there a way I can clean up the APIs so that I can recreate them with regdb configured with a MySQL DB?
To see your APIs with the H2 database again, reindex the registry.
Change the <lastAccessTimeLocation> element in the <APIM_HOME>/repository/conf/registry.xml file in the Store/Publisher node. For example, change the /_system/local/repository/components/org.wso2.carbon.registry/indexing/lastaccesstime registry path to /_system/local/repository/components/org.wso2.carbon.registry/indexing/lastaccesstime_1.
Restart the server. After a few seconds, it should re-index the APIs.
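The re-index step in the answer above is a one-line edit, but on a production node it is worth doing with a backup and a well-formedness check so a typo does not stop the server from booting. The script below is an added example, not WSO2 code: it bumps the path inside <lastAccessTimeLocation> in registry.xml (appending _1, or incrementing an existing numeric suffix on a later re-index), edits the raw text so comments in the real file survive, and refuses to write anything the XML parser cannot read. The registry.xml fragment embedded in it is constructed; only the element name and the registry path come from the answer.

```python
"""Force a registry re-index the way the answer above describes: point
<lastAccessTimeLocation> in registry.xml at a fresh registry path so the
indexer starts from scratch on the next boot.

Added example, not WSO2 code. The registry.xml fragment is constructed; only
the <lastAccessTimeLocation> element and the path in it come from the answer.
"""
from __future__ import annotations

import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Tuple

# Edit the raw text rather than re-serialising the DOM so comments and
# formatting in the real file survive.
TAG_RE = re.compile(r"(<lastAccessTimeLocation>\s*)([^<]*?)(\s*</lastAccessTimeLocation>)")
SUFFIX_RE = re.compile(r"^(.*?)(?:_(\d+))?$")


def next_location(path: str) -> str:
    """'.../lastaccesstime' -> '.../lastaccesstime_1', '_1' -> '_2', and so on."""
    base, n = SUFFIX_RE.match(path.strip()).groups()
    return f"{base}_{int(n) + 1 if n else 1}"


def bump_registry_xml(text: str) -> Tuple[str, str, str]:
    """Return (new text, old path, new path); raise if the element is absent."""
    m = TAG_RE.search(text)
    if m is None:
        raise ValueError("no <lastAccessTimeLocation> element in registry.xml")
    old = m.group(2)
    new = next_location(old)
    new_text = text[: m.start(2)] + new + text[m.end(2):]
    ET.fromstring(new_text)  # refuse to write a file the server cannot parse
    return new_text, old, new


def bump_registry_file(registry_xml: Path) -> Tuple[str, str]:
    """Back up the file to registry.xml.bak, then rewrite it in place."""
    shutil.copy2(registry_xml, registry_xml.with_name(registry_xml.name + ".bak"))
    new_text, old, new = bump_registry_xml(registry_xml.read_text(encoding="utf-8"))
    registry_xml.write_text(new_text, encoding="utf-8")
    return old, new


# Constructed fragment: only the indexing block of registry.xml is shown.
SAMPLE_REGISTRY_XML = """<wso2registry>
    <!-- constructed fragment, not a complete registry.xml -->
    <indexingConfiguration>
        <lastAccessTimeLocation>/_system/local/repository/components/org.wso2.carbon.registry/indexing/lastaccesstime</lastAccessTimeLocation>
    </indexingConfiguration>
</wso2registry>
"""

if __name__ == "__main__":
    text, old, new = bump_registry_xml(SAMPLE_REGISTRY_XML)
    print(f"{old}\n -> {new}")
    # Real usage on a Store/Publisher node (path is an assumption):
    # bump_registry_file(Path("<APIM_HOME>/repository/conf/registry.xml"))
```

Run bump_registry_file against the node's registry.xml, then restart as the answer says; keep the .bak copy until the APIs are visible again.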

Getting only sub in UserInfoEndpoint

I am just following what is on the guide.
I've already populated the user's profile information, but so far I only get sub. I want to get something like what is in the guide:
{
"sub":"admin",
"email":"admin#wso2.com",
"website":"https://wso2.com",
"name":"admin",
"family_name":"admin",
"preferred_username":"admin",
"given_name":"admin",
"profile":"https://wso2.com",
"country":"Sri Lanka"
}
CONFIG
Identity Server - AWS Cloud with Domain and SSL + Nginx Proxy
Sample Web App - local machine
UPDATE:
It is an open bug. What is the workaround to get the other fields? Based on that jira, only the password grant is not fixed; where do I get the fix for the code and implicit grants?
I tried hosting the IS locally as well, with the same results.
To retrieve OIDC claim attributes in the id_token or from the userinfo endpoint, the following steps need to be done correctly (assuming you are working on IS 5.2.0).
1. Update relevant claims' Mapped Attribute with your underlying user store's matching attributes.
2. Update requested claims to Service provider [1].
3. Update missing attributes in '/_system/config/oidc' for scope 'openid' (configuration changes in IS 5.2.0 [2]).

UserProfileMgtService is not able to find user in WSO2 IS 5.2.0

I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a load balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (AWS EC2 machines). I am also using the so-called WSO2 IS Admin Services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass a valid access token to the OAuth2TokenValidationService, I am able to fill an OAuth2TokenValidationResponseDTO object with data by using the Validate method of the OAuth2TokenValidationService. As a result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as the username. For example, I am passing the following two parameters to getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as result I receive the following message:
UserNotFound: User admin#admin.com#carbon.superdoes not exist in: PRIMARY
If I remove "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using the multitenancy of the IS and there is a case where I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this desired behavior, introduced because of the change in the API in IS 5.2.0? If so, is there another way to get the user profile using the "username"+"tenant-domain" (which is retrieved by the OAuth2TokenValidationService as the authorized user when passing a valid access token)?
Is it possible that this is caused by a misconfiguration? If so, which file needs to be updated and what exactly should be modified in it?
Is there a place where more information about the WSO2 IS 5.2.0 Admin Services can be found?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified from the authenticated user, and it should not be passed with the username.
The username should be a tenant-free username.
So, you can remove the carbon.super portion from the username and then it will work.
In a tenant setup, you need to authenticate with a tenant user (e.g. admin#admin.com#test.net) in order to access these APIs. So, as in the super tenant, you can use the tenant-free username and then it will work.
For example, if you want to get the user profile of the user testuser#admin.com in tenant domain test.net, your request should be like the image below.
Thanks
Isura.
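The tricky part of the answer above is that the username in this question is itself an e-mail address, so a naive split on the first separator would hand the admin service the wrong user. The helper below is an added example, not WSO2 code: it takes the tenant-qualified authorizedUser returned by token validation and returns the tenant-free username plus the tenant domain, splitting at the rightmost separator. WSO2 qualifies usernames as user@tenant.domain and the super tenant is carbon.super; the posts above render the separator as '#', so the separator is a parameter. The optional known_tenants set is an assumption of this example, used to recognise an unqualified e-mail username that was never given a tenant suffix. All usernames in the block are constructed.

```python
"""Strip the tenant domain from an authorizedUser value before passing it to
UserProfileMgtService.getUserProfile, as the answer above says IS 5.2.0 expects.

Added example, not WSO2 code. WSO2 qualifies usernames as user@tenant.domain
(rendered as '#' in the posts above); the super tenant is carbon.super.
The usernames used here are constructed.
"""
from __future__ import annotations

from typing import Iterable, Optional, Tuple

SUPER_TENANT = "carbon.super"


def split_tenant_qualified(
    username: str,
    separator: str = "@",
    known_tenants: Optional[Iterable[str]] = None,
) -> Tuple[str, str]:
    """Return (tenant-free username, tenant domain).

    The rightmost separator marks the tenant domain, so an e-mail style
    username such as admin@admin.com@test.net keeps its own '@'. A value with
    no separator is a super-tenant user. If `known_tenants` is given and the
    last segment is not one of them, the value is treated as an unqualified
    super-tenant username (e.g. a bare e-mail address) rather than split.
    """
    if separator not in username:
        return username, SUPER_TENANT
    user, _, tenant = username.rpartition(separator)
    tenant = tenant.lower()
    if known_tenants is not None:
        tenants = {t.lower() for t in known_tenants} | {SUPER_TENANT}
        if tenant not in tenants:
            return username, SUPER_TENANT
    if not user or not tenant:
        raise ValueError(f"malformed tenant-qualified username: {username!r}")
    return user, tenant


def tenant_free_username(username: str, separator: str = "@") -> str:
    """What to pass as the `username` argument of getUserProfile."""
    return split_tenant_qualified(username, separator)[0]


if __name__ == "__main__":
    # Constructed authorizedUser values as token validation would return them.
    for authorized_user in (
        "admin@admin.com@carbon.super",
        "admin@admin.com@test.net",
        "admin@admin.com@test2.net",
        "bob",
    ):
        user, tenant = split_tenant_qualified(authorized_user)
        print(f"{authorized_user:32} -> username={user!r} tenant={tenant!r}")
```

Pass the tenant-free username to getUserProfile and use the tenant domain only to decide which account authenticates to the admin service: a super-tenant account for carbon.super, a user of that tenant otherwise, exactly as the answer describes.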

wso2 api manager clustering

I am trying to set up a cluster for WSO2 API Manager and I am following https://docs.wso2.com/display/CLUSTER44x/Clustering+API+Manager+1.10.0
I am using separate VMs for each of the components, and currently in my setup I am able to:
Publish an API using the publisher, which gets published to the Gateway (visible in the log)
Subscribe to this API from the store and generate keys
However, when I try to access this API using the generated key, I get the following response:
<soapenv:Fault xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<faultcode xmlns:axis2ns2="http://schemas.xmlsoap.org/soap/envelope/">axis2ns2:Client</faultcode>
<faultstring>Authentication Failure</faultstring>
<detail>Error while accessing backend services for API key validation</detail>
</soapenv:Fault>
In the gateway logs I can see only the line below. There are no further details in the logs:
TID: [-1234] [] [2016-02-02 16:55:58,288] WARN {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Unclassified Authentication Failure {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler}
Please help me to resolve this issue.
That sounds like an issue with your API. API Manager doesn't actually "authenticate anything" unless you are using Identity Server; see here for the difference between authentication and authorization (what WSO2 does through OAuth). Please try an API that is known to work, such as http://petstore.swagger.io/, and report back the error.
This can happen for many reasons. Please check some of the reasons below:
The Key Manager's public certificate isn't properly imported into <GATEWAY_HOME>/repository/resources/security/client-truststore.jks
Open the api-manager.xml file of the gateway and key manager nodes and change <KeyValidatorClientType> to WSClient as below (the default value is ThriftClient).
<KeyValidatorClientType>WSClient</KeyValidatorClientType>
The reason for this could be a misconfiguration between nodes. First, double-check the configurations (especially the key validator related configurations).
If you cannot find any issue there, you can enable debug logs to get some idea about the issue.
Add the following entry in repository/conf/log4j.properties on the gateway node:
log4j.logger.org.wso2.carbon.apimgt.gateway.handlers.security=DEBUG
Add the following entry in repository/conf/log4j.properties on the key manager node:
log4j.logger.org.wso2.carbon.apimgt.keymgt=DEBUG
You might be able to find the issue by analyzing the logs.
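The two answers above boil down to a small configuration audit across the gateway and key manager nodes: confirm that <KeyValidatorClientType> is present and consistent (and whether it is still the default ThriftClient), and make sure the two DEBUG loggers are in each node's log4j.properties before reproducing the failure. The script below is an added example, not WSO2 code; the api-manager.xml fragments in it are constructed, while the element name, the ThriftClient/WSClient values and the two logger names come from the answers. The ensure_debug_logger function edits the properties text idempotently, so it is safe to run on a node that already has the entry.

```python
"""Audit the settings the answers above point at for an "Error while accessing
backend services for API key validation": <KeyValidatorClientType> in
api-manager.xml on the gateway and key manager nodes, and the DEBUG loggers to
add to log4j.properties on each node.

Added example, not WSO2 code. The api-manager.xml fragments are constructed;
the element name, the WSClient/ThriftClient values and the logger names come
from the answers.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

GATEWAY_LOGGER = "log4j.logger.org.wso2.carbon.apimgt.gateway.handlers.security"
KEYMGR_LOGGER = "log4j.logger.org.wso2.carbon.apimgt.keymgt"


def key_validator_client_type(api_manager_xml: str) -> Optional[str]:
    """Value of <KeyValidatorClientType>, or None when the element is absent."""
    el = ET.fromstring(api_manager_xml).find(".//KeyValidatorClientType")
    return el.text.strip() if el is not None and el.text else None


def ensure_debug_logger(props_text: str, logger: str) -> Tuple[str, bool]:
    """Set `<logger>=DEBUG` in log4j.properties text; return (new text, changed).

    An existing line for the same logger is updated in place; otherwise the
    entry is appended. Running it twice leaves the text untouched.
    """
    pattern = re.compile(rf"^[ \t]*{re.escape(logger)}[ \t]*=[ \t]*(\S+)", re.MULTILINE)
    m = pattern.search(props_text)
    if m:
        if m.group(1).upper() == "DEBUG":
            return props_text, False
        return props_text[: m.start(1)] + "DEBUG" + props_text[m.end(1):], True
    sep = "" if not props_text or props_text.endswith("\n") else "\n"
    return f"{props_text}{sep}{logger}=DEBUG\n", True


def audit_key_validation(gateway_xml: str, keymanager_xml: str) -> List[str]:
    """Findings about the key validator client configuration across the two nodes."""
    findings: List[str] = []
    gw = key_validator_client_type(gateway_xml)
    km = key_validator_client_type(keymanager_xml)
    for node, value in (("gateway", gw), ("key manager", km)):
        if value is None:
            findings.append(f"{node}: <KeyValidatorClientType> missing (defaults to ThriftClient)")
    if gw != km:
        findings.append(f"nodes disagree: gateway={gw!r}, key manager={km!r}")
    if gw == "ThriftClient":
        findings.append("gateway uses ThriftClient; the answer suggests WSClient on both nodes")
    return findings


# Constructed fragments: a gateway still on the default Thrift client and a
# key manager already switched to WSClient. The host name is a placeholder.
GATEWAY_XML = """<APIManager>
  <APIKeyValidator>
    <ServerURL>https://keymanager.example.internal:9443/services/</ServerURL>
    <KeyValidatorClientType>ThriftClient</KeyValidatorClientType>
  </APIKeyValidator>
</APIManager>"""
KEYMANAGER_XML = GATEWAY_XML.replace("ThriftClient", "WSClient")
LOG4J_PROPERTIES = "log4j.rootLogger=INFO, CARBON_CONSOLE\n"  # constructed

if __name__ == "__main__":
    for finding in audit_key_validation(GATEWAY_XML, KEYMANAGER_XML):
        print("finding:", finding)
    gw_props, _ = ensure_debug_logger(LOG4J_PROPERTIES, GATEWAY_LOGGER)
    km_props, _ = ensure_debug_logger(LOG4J_PROPERTIES, KEYMGR_LOGGER)
    print("gateway log4j.properties:\n" + gw_props)
    print("key manager log4j.properties:\n" + km_props)
```

Run the audit against the real files from both nodes; a "nodes disagree" finding or a missing element is the misconfiguration the third answer asks you to look for first, and the DEBUG entries give the gateway and key manager logs enough detail to see which side the key validation call fails on.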

WSO2 Identity Server multi-tenancy error

When trying to evaluate policies, I get the following error:
Error while retrieving attribute values from PIP attribute finder : Illegal access attempt to cache ] owned by tenant {[client1.mydomain.com],[1]} by tenant {[client2.mydomain.com],[2]
This occurs after successfully creating policies on client1 and then trying to create policies on client2. This seems to occur when testing policies on client2 that involve roles.
Any idea what is wrong?
Thanks
What is the version of WSO2IS? Did you deploy Identity Server in a cluster? Then this may be a known issue. Actually, this cannot be a configuration issue. This must be an issue with WSO2IS using caching. However, you can avoid the caching issue by disabling it. Please open the entitlement.properties file and disable the caches (especially the attribute cache), and restart the server.