We are working on delivering a deployment of two WSO2 components - API Manager 3.0.0 and Identity Server 5.9.0 (which acts as Key Manager for APIM). For the last few weeks everything worked fairly OK until today (or at most a few days ago) - suddenly we are getting the following error when we try to log in to APIM Publisher:
ERROR {Jaggery service for token introspection} - {"data" : null, "xhr" : {}}
At the same time, Publisher just keeps redirecting somewhere with an error message in the browser logs:
Something went wrong while introspecting the token!!
Both components run on the same virtual machine with the offset for IS-as-KM set to 2. Datasources are OracleDB with a full range of permissions for the sake of testing.
The entire thing is handled using an FQDN with a wildcard certificate added to the keystore.
Any idea about what this could be related to?
Related
I have a wso2apimanager-4.1.0 with the role of control-plane. In the wso2carbon.log, the following stack trace keeps appearing, especially when I try to deploy an API change. The main errors are "Caused by: org.wso2.andes.AMQConnectionFailureException: Server did not respond in a timely fashion [error code 408: Request Timeout]" and "ERROR {org.wso2.andes.client.AMQConnection} - Throwable Received but no listener set. org.wso2.andes.AMQDisconnectedException: Server closed connection and reconnection not permitted."
Despite these errors, the gateway-workers can connect to the control-plane on startup pulling all the APIs deployed on the API Manager ecosystem. Although, when I deploy a new version of an API, the gateways are not notified (because the JMS is down) and they do not pull the changes until they are rebooted.
I've already reviewed the jndi.properties, user-mgt.xml and all the superuser username and password are correct (they are pulled from deployment.toml correctly). The JMS port exists when the control-plane service starts and is not being blocked by any firewall, also the superuser password doesn't have special characters like '#'.
I've migrated the control-plane from version 4.0.0 to version 4.1.0 recently, the error did not occur in 4.0.0. The config file (deployment.toml) is the same.
Has anyone come across this problem? How can I resolve this error?
I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a load balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines).
I ensured that the "IS_HOME\repository\conf\datasources\master-datasources.xml" is configured the same way on both machines and that they are using the exact same MySQL data sources. Also I am sure that the correct database is referenced in user-mgt.xml and identity.xml.
I have two worker nodes under AWS ELB as mentioned above. When the cluster was configured the following instructions were used:
https://docs.wso2.com/display/CLUSTER44x/Clustering+Identity+Server+5.1.0
I have application which is using the clientID and clientSecret of one of the service providers. I am using the authorization_code grant type. When I try to login in my application and I am redirected to NODE1 I receive authorization code and I am trying to get access token by calling: https://URL/oauth2/token?client_id=CLIENT_ID&redirect_uri=REDIRECT_URId&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTH_CODE.
If this request is processed by NODE1 I receive access token and everything is fine. However if the mentioned above request is processed by NODE2, I receive the following:
{
"error": "invalid_grant",
"error_description": "Error when validating an authorization code"
}
I am able to see the generated authorization code in the IDN_OAUTH2_AUTHORIZATION_CODE table. I double checked that the machine clocks are synchronized and are using NTP, but I am not able to validate authorization code generated by NODE1 through NODE2 and vice versa.
If I am running a single-node configuration, no such issue is reproduced.
I am not seeing any errors in wso2carbon.log regarding this issue.
I have patch0481 applied to my system.
Could this be some sort of configuration issue? If so, which configuration files should I take a look at?
Thanks in advance.
I have downloaded WSO2 IS 5.0.0. When I started running the server, I got the following error; I am not sure where it is picking up the wrong password from:
[2015-12-16 12:46:46,541] WARN {org.wso2.carbon.apimgt.impl.observers.APIStatusObserverList} - Attempt to reinitialize APIStatusObserverList - Skipping
[2015-12-16 12:46:48,709] ERROR {org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO} - Failed to retrieve the API Context
org.h2.jdbc.JdbcSQLException: Wrong user name or password [8004-140]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:327)
at org.h2.message.DbException.get(DbException.java:167)
at org.h2.message.DbException.get(DbException.java:144)
at org.h2.message.DbException.get(DbException.java:133)
at org.h2.engine.Engine.validateUserAndPassword(Engine.java:277)
at org.h2.engine.Engine.getSession(Engine.java:133)
at org.h2.engine.Session.createSession(Session.java:122)
at org.h2.engine.SessionRemote.connectEmbeddedOrServer(SessionRemote.java:241)
at org.h2.engine.SessionRemote.createSession(SessionRemote.java:219)
at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:111)
at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:95)
at org.h2.Driver.connect(Driver.java:73)
Additional Info:
I am using the following documentation to configure IS as the keyManager.
https://docs.wso2.com/display/CLUSTER420/Configuring+the+Pre-Packaged+Identity+Server+5.0.0+with+API+Manager+1.9.1
What I found is that the server starts only if I change the username and password of the newly added datasources to the default username and password.
I created the setup using Pre-Packaged IS 5.0.0 with API Manager 1.9.1 and API Manager 1.9.1 as described in [1]. While starting the server, no error is printed on the console. The main reason behind the error is that you are changing the wso2carbondb credentials shipped with the IS.
[1]: https://docs.wso2.com/display/CLUSTER420/Configuring+the+Pre-Packaged+Identity+Server+5.0.0+with+API+Manager+1.9.1
I locally installed WSO2 API Manager and created an API, but the API list is not showing on the WSO2 dashboard. It displays an error, i.e.
[2015-11-03 18:47:29,781] ERROR - AsyncDataPublisher Reconnection failed for for tcp://localhost:7614"
index:jag org.wso2.carbon.apimgt.api.APIManagementException: Error occurred while getting the APIs
Version of API manager is 1.9.1
I can't get any API statistics
This issue can occur when you have not configured the information according to the port offset value. As an example, if the port offset value of the BAM instance is 3, you need to configure the following properties in api-manager.xml, which is in the /repository/conf/ folder:
<ThriftPort>7614</ThriftPort>
<BAMServerURL>{tcp://<IP Address>:7614/}</BAMServerURL>
Also make sure to restart both servers.
I have updated the WSO2 default SSL with a custom SSL certificate on my production server, on which WSO2Api is installed.
The SSL issues have been fixed, but now I am getting an error while regenerating the access token.
Logs
Caused by: org.wso2.carbon.apimgt.keymgt.APIKeyMgtException: Error in getting new accessToken
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:281)
... 45 more
Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:252)
... 45 more
TID: [0] [AM] [2014-08-27 10:57:41,440] ERROR {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject} - Error in getting new accessToken {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject}
If API Manager runs with a port offset, you need to make additional changes.
Change the endpoint ports defined in the default APIs shipped with API Manager.
Find all default APIs of the API Manager in the /repository/deployment/server/synapse-configs/default/api folder. Those are the Authorize API, Login API, Token API and Revoke API. Open each of them and change the port value in the address endpoint config to match the offset value. The default address endpoint config is
address uri="https://192.168.1.7:9443/oauth2/token"
If the AM standalone pack is running with port offset 2, change that config to
address uri="https://192.168.1.7:9445/oauth2/token"
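A check for the port-offset mistakes described in the two answers above, as an added example (not part of the original answers or of WSO2's code). The sample API file is constructed, and the Thrift base port 7611 is an assumption inferred from "offset 3 gives 7614"; the HTTPS base 9443 is the default quoted above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Base ports before any offset. 9443 is the default quoted in the answer above;
# 7611 is assumed from the other answer's "offset 3 -> 7614".
BASE_PORTS = {"https": 9443, "tcp": 7611}

# Constructed sample of a default API file (not copied from a real pack).
SAMPLE_API = """
<api xmlns="http://ws.apache.org/ns/synapse" name="TokenAPI" context="/token">
  <resource methods="POST" url-mapping="/*">
    <inSequence><send><endpoint>
      <address uri="https://192.168.1.7:9443/oauth2/token"/>
    </endpoint></send></inSequence>
  </resource>
</api>
"""

def address_uris(xml_text):
    """Collect the uri attribute of every <address> element, ignoring namespaces."""
    root = ET.fromstring(xml_text)
    return [el.get("uri") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "address" and el.get("uri")]

def port_mismatches(uris, offset):
    """Return (uri, found, expected) for every URI whose port ignores the offset."""
    findings = []
    for uri in uris:
        parts = urlsplit(uri)
        base = BASE_PORTS.get(parts.scheme)
        if base is None or parts.port is None:
            continue  # unknown scheme or no explicit port: nothing to compare
        expected = base + offset
        if parts.port != expected:
            findings.append((uri, parts.port, expected))
    return findings

if __name__ == "__main__":
    for uri, found, expected in port_mismatches(address_uris(SAMPLE_API), offset=2):
        print(f"{uri}: port {found}, expected {expected} for offset 2")
```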
What I did to fix the issue was to 1) add the admin user inside ApiKeyValidator in api-manager.xml, and also into the admin user via the management console and into user-mgt.xml; 2) inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to:
https://[FQDN_OF_HOST]:${mgt.transport.https.port}${carbon.context}/services/
The reason is that my server certificate only recorded the domain name, not the IP address.
My setup: Product: WSO2 AM 1.10.0 DB: MSSQL Security: SAML2 integrated with PingIdentity OS: Linux
Please also refer to this question:
wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
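Why a services URL built from the local IP fails against a certificate that only lists a domain name, as an added example (not part of the original answer or of WSO2's code). It is a simplified version of the hostname check a TLS client performs; the SAN list and the example.com hostnames are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def dns_name_matches(pattern, host):
    """Simplified RFC 6125 match: '*' is only honoured as the whole leftmost
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def url_host_covered(url, dns_sans, ip_sans=()):
    """True if the host in url is covered by the certificate's SAN entries.
    An IP literal is compared only against iPAddress SANs, never DNS names."""
    host = urlsplit(url).hostname
    ip = _as_ip(host)
    if ip is not None:
        return any(_as_ip(s) == ip for s in ip_sans)
    return any(dns_name_matches(p, host) for p in dns_sans)

# Constructed values: a wildcard certificate with no iPAddress SAN.
DNS_SANS = ["*.example.com"]
BY_IP = "https://192.168.1.7:9443/services/"
BY_FQDN = "https://apim.example.com:9443/services/"

if __name__ == "__main__":
    for url in (BY_IP, BY_FQDN, "https://km.apim.example.com:9443/services/"):
        verdict = "ok" if url_host_covered(url, DNS_SANS) else "hostname mismatch"
        print(f"{url}: {verdict}")
```

The third URL fails because a wildcard covers one label only, which matters when a wildcard certificate is used for nested host names.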
The error may be due to one of these two things:
Your admin password is not set for ApiKeyManager in api_manager.xml.
SSL is not set properly.