Cannot change credentials for WSO2 API Manager Analytics - wso2

I have an API Manager 2.6.0 deployment across 3 nodes, i.e. 3 VMs. Abbreviations:
GW - Gateway
AIO - Traffic Manager, Key Manager, Dev portal, Publisher
Analytics - API-M Analytics 2.6.0
DB - PostgreSQL.
I had everything working between the components until I changed the default admin password; the username stayed the same.
As per the manual I did the following:
1. Changed the admin password from the UI, since I had already done tests with the default credentials
2. Changed the password in api-manager.xml on AIO and GW
3. Changed the password in user-mgt.xml on AIO and GW
4. Changed the password in jndi.properties on AIO and GW
The above 4 points are as noted in the manual: https://docs.wso2.com/display/AM260/Maintaining+Logins+and+Passwords
This manual does not tell how to make the distributed Analytics node accept that password.
The Analytics install manual says to install WSO2 API-M Analytics and WSO2 API-M (which, as I understand it, is meant for when both are on the same machine). Again, this manual does not say much about configuring users on the Analytics server.
I tried to look in the DAS and SP manuals, but the Analytics distribution does not have auth.configs: in its YAML files, and adding them manually from the SP source code does not help either.
Error returned on GW and AIO:
2019-02-21 15:13:52,090 [-] [DataBridge-ConnectionService-tcp://192.168.102.39:7612-pool-11-thread-1] ERROR DataEndpointConnectionWorker Error while trying to connect to the endpoint. Cannot borrow client for ssl://192.168.102.39:7712.
org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Cannot borrow client for ssl://192.168.102.39:7712.
Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Error while trying to login to the data receiver.
Caused by: ThriftAuthenticationException(message:wrong userName or password)
On Analytics obvious:
[2019-02-21 15:16:49,016] ERROR {org.wso2.carbon.databridge.core.internal.authentication.CarbonAuthenticationHandler} - Authentication failed for username 'admin'. Error : 'Invalid_Credentials'. Error Description : 'The login credential used for login are invalid, username : 'admin'.'
[2019-02-21 15:16:49,016] ERROR {org.wso2.carbon.databridge.core.internal.authentication.Authenticator} - wrong userName or password
The question is: how do I make the WSO2 APIM Analytics (2.6.0) node, which is separated from API Manager, accept the changed credentials?
Last thought: do I need to connect Analytics to the Carbon DB?

You have to add the auth.configs element to the conf/worker/deployment.yaml file (please note the password has to be Base64 (UTF-8) encrypted):
auth.configs:
  type: 'local'
  userManager:
    adminRole: admin
    userStore:
      users:
        -
          user:
            username: admin
            password: YWRtaW4=
            roles: 1
      roles:
        -
          role:
            id: 1
            displayName: admin
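The fragment above has to carry the same password the GW/AIO publishers send, only Base64-encoded. The following is an added example, not code from the answer or from WSO2: it renders that auth.configs block from plain-text credentials (single admin role, mirroring the answer's layout) and checks an existing fragment against the plain password configured on the other nodes, which is the mismatch behind the "wrong userName or password" errors in the question.

```python
import base64
import re

# Added example, not part of the original answer or of any WSO2 distribution.


def encode_password(plain: str) -> str:
    """Base64-encode the UTF-8 bytes of the password, as the worker expects."""
    return base64.b64encode(plain.encode("utf-8")).decode("ascii")


def auth_configs_yaml(username: str, plain_password: str, admin_role: str = "admin") -> str:
    """Render the auth.configs block for conf/worker/deployment.yaml.

    Layout follows the answer above: one user holding one role with id 1."""
    lines = [
        "auth.configs:",
        "  type: 'local'",
        "  userManager:",
        f"    adminRole: {admin_role}",
        "    userStore:",
        "      users:",
        "        -",
        "          user:",
        f"            username: {username}",
        f"            password: {encode_password(plain_password)}",
        "            roles: 1",
        "      roles:",
        "        -",
        "          role:",
        "            id: 1",
        f"            displayName: {admin_role}",
    ]
    return "\n".join(lines) + "\n"


def worker_password_matches(deployment_yaml: str, expected_plain: str) -> bool:
    """True if the first 'password:' value in the fragment decodes to expected_plain.

    GW/AIO hold the plain password (api-manager.xml, jndi.properties); the worker
    holds it Base64-encoded, so a hand-typed or un-encoded value fails login."""
    match = re.search(r"^\s*password:\s*(\S+)\s*$", deployment_yaml, re.MULTILINE)
    if not match:
        return False
    try:
        stored = base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Not valid Base64 / not UTF-8: the worker would never accept this value.
        return False
    return stored == expected_plain
```

Run `worker_password_matches(open("conf/worker/deployment.yaml").read(), "<new admin password>")` on the Analytics node after the change; a False result means the two sides disagree.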

Related

WSO2 IS and federated iDP

We are running WSO2 IS version 5.10 and want to use an external IdP (SafeNet) as step 2 authentication for a Service Provider. I configured the Service Provider to use an advanced configuration for the login process. I configured 2 steps, where the first step is basic auth and the second step is the federated IdP - SafeNet (Saml2SSO).
Everything works fine except one thing: when I try to log on to my application, WSO2 shows me the login interface, I put in my credentials (username and password), after that I am redirected to the SafeNet login interface and I have to put in my username again on the SafeNet login page. So the username, to say it correctly, is not transferred to step 2 (sorry for my English). I inspected the SAML request generated by WSO2 and could not find a NAMEID. Can anyone help with this?

Google Cloud SSO SAMLClient configuration with Keycloak

Currently I'm trying to set up my Google Cloud organization to accept login via SSO using Keycloak. I've followed the documentation from Keycloak and from Google during the setup, but the setup isn't working. Can someone confirm whether the client configuration is properly set?
Any time I log in to Keycloak with my test Keycloak user, I get redirected to the Google authentication page, and from there Keycloak is out of the authentication. When I'm trying to log in from the Google Account login page, I can't get redirected to the SSO, so basically the connection between Keycloak and Google isn't working properly.
Client Setup
Client ID - google.com/a/gcp-test2.com
Name - gcp-test2.com
Enabled ON
Consent Required OFF
Client Protocol - saml
Include AuthnStatement - ON
Include OneTimeUse Condition - OFF
Sign Documents - ON
Sign Assertions - ON
Signature Algorithm - RSA_SHA512
Force POST Binding - ON
Front Channel Logout - ON
Force Name ID Format - ON
Name ID Format - email
Root URL - empty
Valid Redirect URIs - empty
Base URL - /auth/realms/gcp-test2.com/protocol/saml/clients/gcp-test2.com?RelayState=true
Master SAML Processing URL - https://google.com/a/gcp-test2.com
IDP Initiated SSO URL Name - gcp-test2.com
Target IDP initiated SSO URL: https://fqdn/auth/realms/gcp-test2.com/protocol/saml/clients/gcp-test2.com
Assertion Consumer Service POST Binding URL - https://google.com/a/gcp-test2.com
SSO config on GCP side:
Login URL: https://fqdn/auth/realms/gcp-test2.com/protocol/saml/clients/gcp-test2.com?RelayState=true
Logout URL: https://fqdn/auth/
Use a domain-specific issuer - checked
Certificate is the one from the REALM certificate with public key.
This:
Assertion Consumer Service POST Binding URL - https://google.com/a/gcp-test2.com
should point to
https://google.com/a/gcp-test2.com/acs
https://cloud.google.com/architecture/identity/keycloak-single-sign-on documents how to do this and it works for me. As it is noted in blue:
Note: For SAML federation to work, Client ID must be google.com.
So change your client ID to google.com.* .
I don't know why you use RelayState, I do not see that mentioned.
Set it up precisely as documented and it should work.

WSO2 IS 5.1 adding #carbon.super to username while authenticating with Password Grant

We recently migrated (registry and user store) from WSO2 IS 5.0 to WSO2 IS 5.1 as per the instructions in the WSO2 migration guide. After migrating and successfully bringing up the WSO2 IS server, when we try to authenticate an existing user with the /oauth2/token endpoint, the authentication fails. We can see the user along with the user attributes in the user store.
On the WSO2 server we are seeing this error:
{org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : <username>#carbon.superScope : openid, Authentication State : false
This is a migrated user, so we cannot change the username. I tried googling how to disable multi-tenancy in 5.1, as we do not use that feature, but no luck.
This is blocking us from moving to the newer version of WSO2.
Has anyone fixed this?
Modified the SP to disable the domain name as per the instructions from Gusto2 -
But still the same results.
On the Duo identity provider configuration page, under federated authenticators, put "true" in the "disable tenant domain" box.
This solution may help. Go to your Identity Server and navigate to the service. Now click on the edit button of your target service, go to the Local & Outbound Authentication Configuration section and uncheck the following options:
Use tenant domain in local subject identifier
Use user store domain in local subject identifier
I am showing this in the image. Follow the red marked box -

UserProfileMgtService is not able to find user in WSO2 IS 5.2.0

I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines forming a cluster (using the WKA membership scheme and a load balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so-called WSO2 IS Admin Services.
As mentioned in the heading, I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass a valid access token to the OAuth2TokenValidationService, I am able to fill an OAuth2TokenValidationResponseDTO object with data by using the Validate method of the OAuth2TokenValidationService. As a result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example, I am passing the following two parameters to getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as a result I receive the following message:
UserNotFound: User admin#admin.com#carbon.superdoes not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using the multitenancy of the IS and there is a case where I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service did not work this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this desired behavior, introduced because of the change in the API in IS 5.2.0? If so, is there another way to get the user profile using "username"+"tenant-domain" (which is what the OAuth2TokenValidationService returns as the authorized user when passing a valid access token)?
Is it possible that this is caused by misconfiguration? If so, which file needs to be updated and what exactly should be modified in it?
Is there a place where more information can be found on the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified from the authenticated user and it should not be passed with the username.
The username should be a tenant-free username.
So, you can remove the carbon.super portion from the username and then it will work.
In a tenant setup, you need to authenticate with a tenant user (e.g. admin#admin.com#test.net) in order to access these APIs. So, as in the super tenant, you can use the tenant-free username and then it will work.
For example, if you want to get the user profile of user testuser#admin.com in tenant domain test.net, your request should be like the image below.
Thanks
Isura.

wso2 identity server Multifactor Authentication error

I am unable to implement Multifactor Authentication.
The error I am getting is:
TID: [0] [WSO2 Identity Server] [2012-10-30 10:31:38,620] ERROR {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider} - login failed. Trying again.. {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider}
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate (SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:301)
This is for WSO2 Identity Server 3.2.3, straight out of the box. No additional configuration was performed to run this instance of Identity Server.
It appears that when signing in as admin, the LDAP authentication is completed and then authentication with GTalk is attempted, which is when the error occurs.
Should I be setting my own configuration in the identity.xml where GTalk is being set?
<MultifactorAuthentication>
  <XMPPSettings>
    <XMPPConfig>
      <XMPPProvider>gtalk</XMPPProvider>
      <XMPPServer>talk.google.com</XMPPServer>
      <XMPPPort>5222</XMPPPort>
      <XMPPExt>gmail.com</XMPPExt>
      <XMPPUserName>multifactor1#gmail.com</XMPPUserName>
      <XMPPPassword>wso2carbon</XMPPPassword>
    </XMPPConfig>
  </XMPPSettings>
</MultifactorAuthentication>
I found out that I do need to set up a Google Talk account.
I added the new settings to the MultifactorAuthentication configuration.
I restarted the server.
I edited the user account with another new Google Talk account.
I logged out.
Logged back in via the relying party URL with OpenID,
received a communication over GTalk requesting a PIN.
I entered the PIN and got logged in.
It would have been nice if WSO2 had noted in their documentation the need to set up these settings for this configuration to get multifactor authentication to work out of the box.