I am doing a POC with my team as we are introducing WSO2 components and am working with the API Manager 3.0.
I seem to be having issues loading the WSO2 API Manager / API Publisher on the defined URL;
https://[ip address]/publisher
The page is not loading and I keep getting a spinning circle.
Steps I have taken:
Stop API Manager at command prompt with [Ctrl + C] command
Modified deployment.toml file specified paths for the localhost to our IP Address, API [publisher, gateway and store] URL values to use our IP Address as well.
Changed carbon.xml and api_manager.xml
Start API Manager with wso2server.bat --run command
Issues are as follows;
api_manager.xml values are reset to localhost and not the IP Address I modified it to.
The API Publisher page is not loading and I am not able to get to the API Publisher login page.
I am an administrator on the Windows Server hosting this, so all changes are made as admin.
First of all, APIM 3.0 has a new config model, where all configurations are available (only) in deployment.toml. All other configurations are populated based on that, and shouldn't be changed manually.
Second, you don't need to replace all occurrences of localhost to IP as many are local calls.
Third, the correct URL should have the port, unless you have a reverse proxy in front of API.
eg. https://[ip address]:9443/publisher
Sounds good and thanks for the input. I will give this a try and post back to the thread.
I am using the IP and Port for now with no reverse proxy but plan to add one, once I can get through this part.
Much appreciated.
Related
my scenario is about two servers one running wso2 api manager and one running wso2 analytics and I want to show statics of api manager on analytics server .how to configure this servers? (analytics dashboard conf , analytics worker conf , api manager conf) thanx
WARN {org.wso2.msf4j.internal.MSF4JHttpConnectorListener} - Unmapped exception
feign.RetryableException: No subject alternative names matching IP address 192.168.115.132
found executing GET https://192.168.115.132:9443/api/am/admin/v1/custom-urls/carbon.super
This is due to the hostname verification. The recommended option is to use proper certs with hostnames. Otherwise, you can disable hostname verification by adding the following.
hostnameVerificationEnabled: false
https://github.com/wso2/docker-apim/blob/3.2.x/docker-compose/apim-with-analytics/conf/apim-analytics-dashboard/conf/dashboard/deployment.yaml#L25
I'm using wso2-am 2.
I have enabled analytics (from api-manager.xml) and modified DASServerURL to use port 7714 instead of 7712.
But I'm getting theses exception:
org.wso2.carbon.databridge.agent.exception.DataEndpointSecurityException: Error while trying to connect to ssl://localhost:7712
at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftSecureClientPoolFactory.createClient(ThriftSecureClientPoolFactory.java:61)
It look like it is still using the old port 7712?
A second question, I know that the api manager is persisting the configuration in it's database, so my question is: if i modify for example api-manager.xml, will it update the new setting in the DB or how to force this update?
Thanks
You have to change port settings in two places.
<APIM_HOME>/repository/conf/api-manager.xml
<APIM_HOME>/repository/conf/log4j.properties only if you have added DAS_AGENT to log4j.rootLogger
By default analytics distribution port offset set to 1 in carbon.xml. But it seems you have set it to 3. Make sure to change the port in above two places.
The answer to your second question is, API-M persist API data in the database. There are certain server configurations such as user data, registry data persisted in the database. But above configuration is not persisted and if you changed it, you have to restart the server to effect that.
Hope this would help you.
1.if your DAS offset is 3. You should set the tcp port is 7614 and restart your APIM. your 7612 is configed in apim, cannot change on admin-dashboard.
2.when you change the *.properties or *.xml.I suggest you restart your app.
We are trying to setup WSO2 API manager cluster with F5 as the load balancer and been having issues with having F5 in the mix. One manager instance is setup on a server (server/Admin port: node1.xyz.com:9443) with F5 (manager.xyz.com that maps to node1.xyz.com:9443).
After several trial and error methods, we found the issue to be with API key manager URL configuration in the worker instance. Using direct server/port URL (i.e. node1.xyz.com:9443) works fine. However, when we use the F5 url (i.e. manager.xyz.com) results in the exception below. Any thoughts as to what may be incorrect or missing?
Eventually we want to have two manager instances running. So, we like to get this F5 setup working such that worker instances can point to F5 instead of individual manager node.
Thanks for the help in advance!
Configuration in the Worker node that works:
<APIKeyManager>
<!--
Server URL of the API key manager
-->
<ServerURL>https://node1.xyz.com:9443${carbon.context}/services/</ServerURL>
Configuration in the Worker node that causes error with F5:
<APIKeyManager>
<!--
Server URL of the API key manager
-->
<ServerURL>https://manager.xyz.com${carbon.context}/services/</ServerURL>
Exception when using F5:
TID: [0] [AM] [2014-12-11 16:03:37,697] ERROR {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler}
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
at org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftAPIDataStore.getAllURITemplates(ThriftAPIDataStore.java:99)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getAllURITemplates(APIKeyValidator.java:516)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetAPIInfo(APIKeyValidator.java:368)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.findMatchingVerb(APIKeyValidator.java:343)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getResourceAuthenticationScheme(APIKeyValidator.java:172)
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:93)
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:92)
Few immediate things you could check -
Make sure the <HostName> and <MgtHostName> elements in KeyManager_HOME/repository/conf/carbon.xml are set to the hostname of the F5. ie. "manager.xyz.com"
Add the proxyPort=443 attribute to the https connector in KeyManager_HOME/repository/conf/tomcat/catalina-server.xml. Configure http connector as well if desired.
If you did not set above two settings, then the http 302 redirects fail which might explain your scenario. And, we ask users to configure ProxyPassReverse in addition to ProxyPass when using Apache HTTPD as the reverse proxy. I'm not sure the equivalent config for F5.
If the above didn't help we need to know how your deployment looks like to better help you. ie. how do you cluster the nodes. Do you have separate API gateway, keymanager instances etc.
I think it will worth your while to go through the WSO2 cluster guide to understand the clustering logic better.
With APIM, you can have separate Keymanager, API gateway (and API store, API publisher) nodes. The worker-manager separation only applies to the API Gateway. And, There is no worker-manager separation needed for the keymanager. So, you may think the all the API keymanager nodes are hybrid nodes that provide both manager and worker functionality.
We can see further if you do not have separate keymanagers.
I am configuring our API Manager, but running into troubles authenticating via OAuth, seems to be an issue with the API Key Manager. I haven't dug into it yet, but does this come with the API Manager (as I have assumed) or is this a separate installation?
I had the same issue when using the wso2 api manager on a Amazon hosted machine, turn out that Thrift was not working correctly because some problem with multicasting and broadcasting.
What I did to get it working was to switch from ThriftClient to WSClient. If you have a huge amount of requests coming in then Thrift is the recommended solution from wso2 but in any "normal" case you will not have any differences between thrift and WS.
Here is how you switch:
Shut down the API Manager
Open up <api manager install dir>\repository\conf\api-manager.xml
Find ThriftClient
Change this to
<KeyValidatorClientType>WSClient</KeyValidatorClientType>
Start the API Manager
You may get some Warnings while starting up but, try it before you jump to the conclusion that it doesn't work.
Hope it helps!
you can use APIM manager product in a distributed setup as keymanger,gateway,store,publisher..but all functionality come in a single distribution.. ..
Go through the documentation for further guides
I was facing the same issue. Everything started when I created my own jks in order to use SSL without a self-signed certificate. I successfully created the jks and changed it in the carbon file. When I started the server, everything seemed ok; but when I used SOAPUI to test an API call, I got this (in the logs of the api manager):
APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
I started digging what was the problem by enabling Debug level in the log4j.properties file, and then tried again a tested with SOAPUI and I got:
APISecurityException: Could not connect to <my api ip address> on port 10397
Then, I read the comment of OneMuppet and I checked that file and I found that the Thrift config has a host option, so I uncommented it:
<KeyValidatorClientType>ThriftClient</KeyValidatorClientType>
<ThriftClientPort>10397</ThriftClientPort>
<ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
<ThriftServerPort>10397</ThriftServerPort>
This Line --> <ThriftServerHost>localhost</ThriftServerHost>
<EnableThriftServer>true</EnableThriftServer>
Save, restarted the server and everything start working correctly.
I got the same below issue after my installation, when i try to invoke the api service it is throwing below error:
900900 Unclassified Authentication Failure Error while accessing backend services for API key validation
After some random checks i have seen the axis2.xml file in /repository/conf/axis2 there it is refering a differnt ip's instead. I change these ip's to my local ip and restarted. The issue is resolved now.
I was facing the same issue. when I was trying to setup API Manager as an API Gateway in a different machine as per the steps given here,
https://docs.wso2.com/display/AM250/Publish+through+Multiple+API+Gateways
Once the setup is done and when I am trying to use this gateway URL, I was getting the below response,
{"fault":{"code":900900,"message":"Unclassified Authentication Failure","description":"Error while accessing backend services for API key validation"}}
After changing the KeyValidatorClientType value to WSClient from ThriftClient on the <api manager install dir>\repository\conf\api-manager.xml
It started working fine. And I was able to get the expected response.
If you changed the admin password, then you also have to update the repository/conf/api-manager.xml file with the new password. The 2 places I have changed (so far) are:
<AuthManager>
and
<APIKeyManager>
but there are other admin usernames in that file. No doubt, I'll get to them....
I have a web service running under IIS7 on a server with a host header set so that it receives requests made to http://myserver1.mydomain.com.
I've set Windows INtegrated Authentication to Enabled and everything else (basic, anonymous, etc) to Disabled.
I'm testing the web service using a powershell script, and it works fine when I run it from my workstation against http://myserver1.mydomain.com
However, when I run the same exact script on the IIS server itself, I get a 401-Unauthorized message.
In addition, I've tried installing the web service on a second server, myserver2.mydomain.com. Again I can call my test script fine from BOTH my workstation and from myserver1.
So it seems the only issue is when the client is on the same box as the web server itself - somehow the windows credentials are not being passed or recognized.
I tried playing with IE settings on myserver1 (checked and unchecked 'Enable Windows Integrated Authentication', and added the URL to Local Sites). That did not seem to have an effect.
When I look at the IIS logs, I see the 401 unauthorized line but very little other information.
I see basically the same behavior when testing with IE (v9) - works from my workstation but not when IE is running on the IIS server.
I found the answer after several hours:
By default, there is something called a LoopbackCheck which will reject windows authentication if the host header used for the site does not match the local host's name. This behavior will only be seen when the client is on the local host. The check is there to defeat possible reflection attacks.
More details here:
http://support.microsoft.com/kb/896861
The kb item discusses ways to disable the Loopback check, but I ended up just switching from using host headers to ports to distinguish the different sites on the IIS server.
Thanks to those who gave assistance.
Try checking the actual credential that is being passed when you are running on the server itself. Often times you will be running on some system account that doesn't have access to the resource in question.
For example, on your box your credentials are running as...
MYDOMAIN\MYNAME
and the server will be something like...
SYSTEM\SYSTEM_ACCOUNT
and so this will fail because 'SYSTEM\SYSTEM_ACCOUNT' doesn't have credentials.
If this is the case, you can fix the problem in one of two ways.
Give 'SYSTEM\SYSTEM_ACCOUNT' access to the resource in question. Most people would avoid this strategy due to security concerns (which is why the account has no access in the first place).
Impersonate, or change the credentials of the client manually to something that does have access to the resource, 'MYDOMAIN\MYNAME' for example. This is what most people would probably go with, including myself.