While trying to configure Mutual SSL for an API, the error below is thrown:
TID: [-1234] [] [2020-01-14 11:43:09,542] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.authenticator.MutualSSLAuthenticator} - Mutual SSL authentication failure
TID: [-1234] [] [2020-01-14 11:43:09,544] WARN {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Invalid Credentials
<ams:fault xmlns:ams="http://wso2.org/apimanager/security"><ams:code>900901</ams:code><ams:message>Invalid Credentials</ams:message><ams:description>Invalid Credentials. Make sure you have provided the correct security credentials</ams:description></ams:fault>
For this API, only "Transport Level Security" is kept mandatory whereas "Application Level Security" is kept as optional. Please advise on how to get mutual SSL working on WSO2 API Manager 3.0.0.
If you watch this video, you will figure out how to get mutual SSL working on WSO2 API Manager 3.0.0. It clearly explains how mutual SSL works with WSO2 API Manager.
I'm using WSO2 API Manager 4.1.0, and I configured a Key Manager of type WSO2 Identity Server.
When I go to my application, to generate the token, I have the following exception:
https://pastebin.com/rjfxLiAA
Error occurred while executing SubscriberKeyMgtClient. org.wso2.carbon.apimgt.api.APIManagementException: Key Manager IS not configured
The IS is not being contacted; I get the same error when stopping it, so it's only an APIM error.
With the same APIM version I can contact Keycloak, for example.
I'm running in server mode, openjdk 11
With API Manager 4.1.0, it is recommended to use WSO2 IS 5.11.0 - https://apim.docs.wso2.com/en/latest/install-and-setup/setup/reference/product-compatibility/#tested-wso2-products
Now I used the correct IS version, and I have this exception:
https://pastebin.com/uRLDJPqx
TID: [-1234] [api/am/devportal] [2022-11-17 14:05:46,592] ERROR {org.wso2.carbon.apimgt.impl.AbstractKeyManager} - Can not create OAuth application : admin_151a9ace-ce5d-4d7b-9455-d82f909dbce4_PRODUCTION for application: 222 and key type: PRODUCTION org.wso2.carbon.apimgt.impl.kmclient.KeyManagerClientException: Received status code: 403 Reason:
Having WSO2 API Manager 2.1.0 and WSO2 IS 5.3.0 KM (with prepackaged Key Manager) I set up the Key Manager as described in the documentation.
The main intention is to authenticate and authorize users with other federated IdPs and add some authorization capabilities. My assumption is that users authorized with WSO2 IS will receive an OAuth token valid for the defined APP and API.
So far all on localhost with IS offset 1. I created an API, an application and that is usable from the API Store.
When trying to authorize a client through WSO2 IS using the code grant_type authorization:
https://localhost:9444/oauth2/authorize?response_type=code&client_id=KJTbkbFmcDvslo2fjhzfQkaBH3Ea&redirect_uri=http%3A//localhost%3A8080/test2/callback
I am asked for credentials and authorization grant (looks ok) and then I receive an exception on IS:
[2018-03-27 10:43:51,822] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [OAuth2Endpoints] in context with path [/oauth2] threw exception
java.lang.RuntimeException: org.apache.cxf.interceptor.Fault
at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:116)
...
Caused by: java.lang.NullPointerException
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:251)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.sendRequestToFramework(OAuth2AuthzEndpoint.java:1163)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:135)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorizePost(OAuth2AuthzEndpoint.java:574)
I assume I misconfigured some endpoint; however, any idea which service is invoked by the OAuth2AuthzEndpoint implementation, or a potential cause for this exception?
This is already reported in https://wso2.org/jira/browse/IDENTITY-5581.
You can WUM update the WSO2 IS 5.3.0 to resolve the issue.
I just downloaded and installed WSO2 API Manager to a Linux server. As per the installation guide, I have not made any changes.
The only wrinkle I had was that the wso2server.sh script did not have execute permission so I set that manually. I did not check or modify any other permissions.
After startup, I am able to access each of the Admin, Publisher and Store apps.
In the Admin app, the first screen shows the message: "No tasks assigned to the login user or no connectivity with BPS engine."
When I dig into the logs, I see this entry in wso2carbon.log
TID: [-1234] [] [2017-03-02 10:26:12,049] WARN {JAGGERY.site.blocks.user.login.ajax.login:jag} - Not Retrieving Pending Tasks. Check BPS Connectivity. java.lang.IllegalArgumentException: Illegal character in authority at index 8: https://<BPSHost>:<BPSPort>/services/AuthenticationAdmin {JAGGERY.site.blocks.user.login.ajax.login:jag}
The wso2-apigw-errors.log has a largely identical error:
2017-03-02 10:26:12,049 [-] [http-nio-9443-exec-17] WARN login:jag Not Retrieving Pending Tasks. Check BPS Connectivity. java.lang.IllegalArgumentException: Illegal character in authority at index 8: https://<BPSHost>:<BPSPort>/services/AuthenticationAdmin
This may or may not be relevant: I am also seeing warnings about being unable to flush and lock system prefs, even though it's successfully creating the directory earlier.
TID: [-1234] [] [2017-03-02 09:28:30,285] INFO {java.util.prefs.FileSystemPreferences$1} - Created user preferences directory. {java.util.prefs.FileSystemPreferences$1}
TID: [-1] [] [2017-03-02 11:11:19,058] WARN {java.util.prefs.FileSystemPreferences} - Could not lock System prefs. Unix error code 32645. {java.util.prefs.FileSystemPreferences}
TID: [-1] [] [2017-03-02 11:11:19,058] WARN {java.util.prefs.FileSystemPreferences} - Couldn't flush system prefs: java.util.prefs.BackingStoreException: Couldn't get file lock. {java.util.prefs.FileSystemPreferences}
I am assuming I need to configure or download something else to get this to work. Please advise!
I am not sure what your use case is. You can integrate a BPS engine with WSO2 API Manager for the following tasks.
User Signup Workflow
Application Creation Workflow
Application Registration Workflow
API Subscription Workflow
This blog explains how you can integrate WSO2 Business Process Server with WSO2 API Manager. You can check the official documentation, which explains the available workflow extensions.
You are getting this warning message when you log in to the admin portal, as it checks if there are any pending approval tasks. You can ignore this warning if you are not using any BPS integrations. Based on your use case you can add a BPS engine for workflows.
My idea is to configure microservices security pattern for APIs and SPA security pattern for web application to make our hybrid mobile apps and webapps work with WSO2 IS.
I configured IdP and SP as mentioned in the documentation: https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type. I am not able to get this working.
<SupportedGrantType>
<GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
</SupportedGrantType>
[2016-10-23 07:01:32,115] DEBUG
{org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler}
- Grant type : urn:ietf:params:oauth:grant-type:jwt-bearer Strict client validation set to : null
[2016-10-23 07:01:32,118] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client
credentials were fetched from the database.
[2016-10-23 07:01:32,118] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully
authenticated the client with client id : VY3zPlWNRgm3BqJWmHtYXe2ym08a
[2016-10-23 07:01:32,118] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler}
- Unsupported Grant Type : urn:ietf:params:oauth:grant-type:jwt-bearer for client id :
VY3zPlWNRgm3BqJWmHtYXe2ym08a
[2016-10-23 07:01:32,118] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -
OAuth-Error-Code=unauthorized_client
client-id=VY3zPlWNRgm3BqJWmHtYXe2ym08a
grant-type=urn:ietf:params:oauth:grant-type:jwt-bearer scope=
JWT Bearer Grant is supported with IS 5.1.0.
For the version that supports IS 5.2.0, please follow up on the JIRA [2].
[1] https://store.wso2.com/store/assets/isconnector/details/8affec9a-706f-4e72-83ec-f65c42895d40
[2] https://wso2.org/jira/browse/ISCONNECT-34
Please try now with version 1.0.3 [1], which is compatible with IS 5.2.0.
[1] https://store.wso2.com/store/assets/isconnector/details/8affec9a-706f-4e72-83ec-f65c42895d40
I'm using the WSO2 ESB version 4.0.3, with some features installed like: Identity Provider, Identity SAML2.0 Single Sign-on, Identity XACML, also BPEL, Data Services Hosting etc.
Following the instructions from here, I set up SSO Authentication for the ESB Management Console. The sign-in works just fine, but not the sign-out. In the log I can see the following information:
TID: [] [WSO2 ESB] [2012-06-08 18:12:59,592]
INFO {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} -
'admin' logged out at [2012-06-08 18:12:59,0592]
{org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator}
After that I get errors. Furthermore, the browser shows me as still logged in.
Here are the errors I'm getting:
TID: [] [WSO2 ESB] [2012-06-08 18:13:03,581]
WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} -
Illegal access attempt at [2012-06-08 18:13:03,0581] from IP address :
Service is RegistryAdminService {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler}
TID: [] [WSO2 ESB] [2012-06-08 18:13:03,584]
ERROR {org.apache.axis2.engine.AxisEngine} -
Access Denied. Please login first. {org.apache.axis2.engine.AxisEngine}
...
TID: [] [WSO2 ESB] [2012-06-08 18:13:03,599]
ERROR {org.wso2.carbon.ui.clients.RegistryAdminServiceClient} -
Error occurred while checking registry mode {org.wso2.carbon.ui.clients.RegistryAdminServiceClient}
org.apache.axis2.AxisFault: Access Denied. Please login first.
...
TID: [] [WSO2 ESB] [2012-06-08 18:13:03,879]
ERROR {org.wso2.carbon.server.admin.ui.ServerAdminClient} -
Cannot get server data. Backend service may be unavailable {org.wso2.carbon.server.admin.ui.ServerAdminClient}
org.apache.axis2.AxisFault: Access Denied. Please login first.
Am I missing something in the configuration? If not, can someone please explain what is happening?
Note: The errors are repeating.
These repetitive errors mean you are logged out from the back end, and it tries to refresh a page like the Carbon home page or statistics page by invoking the corresponding BE services.
Is WSO2 IS running as a separate node, or are the necessary IdP features installed in the ESB?
Thilina