WSO2 Identity Server: Authorization failure caused by Thread Death - wso2

I have a WSO2 Identity Server 5.3.0 installation configured with a read-only LDAP user store following: https://docs.wso2.com/display/IS570/Configuring+a+Read-only+LDAP+User+Store
This is the (edited) user-mgt.xml: https://pastebin.com/qy9PGbnP
The setup works for a while, but after some time (around 6 or more hours) I get the following error whenever any user tries to log in.
TID: [-1234] [] [2018-12-12 08:35:21,895] ERROR {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Error occurred while accessing Java Security Manager Privilege Block
Full trace: https://pastebin.com/yhEBQE4V
Since this issue is hard to reproduce (I have to wait until it happens again after restarting), is there anything that could help me debug this issue?

It was a firewall between the application server and the database.
Problem solved after adding these parameters to the master-datasources.xml:
<maxAge>1800000</maxAge>
<timeBetweenEvictionRunsMillis>750000</timeBetweenEvictionRunsMillis>
<minEvictableIdleTimeMillis>750000</minEvictableIdleTimeMillis>
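
A way to check a master-datasources.xml for the three settings named in the answer above, added here as an example (not part of the original post and not WSO2 code): it lists datasources that do not set them and those whose estimated worst-case idle time would outlast the firewall's idle timeout. The sample XML, the EXAMPLE_UM_DB datasource and the one-hour firewall timeout are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of master-datasources.xml (names are made up).
SAMPLE = """
<datasources-configuration>
  <datasources>
    <datasource>
      <name>WSO2_CARBON_DB</name>
      <definition type="RDBMS">
        <configuration>
          <maxAge>1800000</maxAge>
          <timeBetweenEvictionRunsMillis>750000</timeBetweenEvictionRunsMillis>
          <minEvictableIdleTimeMillis>750000</minEvictableIdleTimeMillis>
        </configuration>
      </definition>
    </datasource>
    <datasource>
      <name>EXAMPLE_UM_DB</name>
      <definition type="RDBMS">
        <configuration/>
      </definition>
    </datasource>
  </datasources>
</datasources-configuration>
"""

PARAMS = ("maxAge", "timeBetweenEvictionRunsMillis", "minEvictableIdleTimeMillis")

def audit_datasources(xml_text, firewall_idle_ms):
    """Return {datasource name: [findings]} for pools that omit the settings
    or would keep idle connections longer than the firewall allows."""
    report = {}
    for ds in ET.fromstring(xml_text).iter("datasource"):
        name = ds.findtext("name", default="(unnamed)")
        cfg = ds.find("definition/configuration")
        values = {p: cfg.findtext(p) if cfg is not None else None for p in PARAMS}
        findings = [f"{p} not set" for p in PARAMS if values[p] is None]
        run, idle = values[PARAMS[1]], values[PARAMS[2]]
        if run is not None and idle is not None:
            # Estimate: a connection can sit idle for the idle limit plus
            # one full interval between evictor runs before it is closed.
            worst_case = int(run) + int(idle)
            if worst_case >= firewall_idle_ms:
                findings.append(f"idle up to {worst_case} ms >= firewall timeout")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    print(audit_datasources(SAMPLE, firewall_idle_ms=3_600_000))  # assumed 1 h
```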

Related

WSO2 Api Manager Control Plane not starting JMS server

I have a wso2apimanager-4.1.0 with the role of control-plane. In the wso2carbon.log, the following stack trace keeps appearing, especially when I try to deploy an API change. The main errors are "Caused by: org.wso2.andes.AMQConnectionFailureException: Server did not respond in a timely fashion [error code 408: Request Timeout]" and "ERROR {org.wso2.andes.client.AMQConnection} - Throwable Received but no listener set. org.wso2.andes.AMQDisconnectedException: Server closed connection and reconnection not permitted."
Despite these errors, the gateway-workers can connect to the control-plane on startup pulling all the APIs deployed on the API Manager ecosystem. Although, when I deploy a new version of an API, the gateways are not notified (because the JMS is down) and they do not pull the changes until they are rebooted.
I've already reviewed the jndi.properties, user-mgt.xml and all the superuser username and password are correct (they are pulled from deployment.toml correctly). The JMS port exists when the control-plane service starts and is not being blocked by any firewall, also the superuser password doesn't have special characters like '#'.
I've migrated the control-plane from version 4.0.0 to version 4.1.0 recently, the error did not occur in 4.0.0. The config file (deployment.toml) is the same.
Has anyone come across this problem? How can I resolve this error?

Wso2am - Error in creating and login in tenants

I am trying to create multiple tenants in a wso2am (1.10) installation.
When I create the tenant I get the following error "Failed to add tenant config" with the following exception
TID: [-1234] [] [2017-02-01 13:23:58,740] ERROR {org.wso2.carbon.tenant.mgt.ui.utils.TenantMgtUtil} - Failed to add tenant config. tenant-domain: public.xxxxx, tenant-admin: admin. {org.wso2.carbon.tenant.mgt.ui.utils.TenantMgtUtil}
org.apache.axis2.AxisFault: Could not initialize class org.wso2.carbon.utils.i18n.Messages
Nevertheless, when I try to enable the tenant it gets enabled and the required folders are created.
Unfortunately the tenants are not usable. On my first login I get the same exception
TID: [6] [] [2017-02-01 13:26:40,577] admin@remote.gunet [6] [AM]ERROR {org.wso2.carbon.authenticator.proxy.AuthenticationAdminClient} - Error occurred while logging in {org.wso2.carbon.authenticator.proxy.AuthenticationAdminClient}
org.apache.axis2.AxisFault: Could not initialize class org.wso2.carbon.utils.i18n.Messages
I have tried a clean installation of the server but that had no effect.
Is there some official guideline for the specific problem?
Fixed the keystore and the matter was resolved.

Errors using input-only web service (OUT_ONLY from ESB)

I have a web service with some input-only operations. In the ESB I've created a proxy and set the properties OUT_ONLY and FORCE_SC_ACCEPTED to true. Every time I call the proxied operation I get the following error message in the wso2carbon.log:
TID: [0] [ESB] [2015-04-02 09:52:45,307] ERROR {org.apache.axis2.transport.base.threads.NativeWorkerPool} - Uncaught exception {org.apache.axis2.transport.base.threads.NativeWorkerPool}
java.lang.UnsupportedOperationException: Not yet implemented
at org.apache.axis2.description.OutOnlyAxisOperation.getMessage(OutOnlyAxisOperation.java:124)
at org.wso2.carbon.core.multitenancy.MultitenantMessageReceiver.processResponse(MultitenantMessageReceiver.java:125)
at org.wso2.carbon.core.multitenancy.MultitenantMessageReceiver.receive(MultitenantMessageReceiver.java:81)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:225)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Although everything seems to work OK, I am worried about this message. What am I doing wrong? These input-only operations will be called very frequently in production, so I'd like them to be error free.
WSO2 ESB: 4.8.1
Thanks,
Danny
This exception will occur if OUT_ONLY=true and your backend is sending a response back to the ESB. If OUT_ONLY is set to true and you are getting a response from the backend, then it is not a valid scenario for the OUT_ONLY property. Check this post [1].
[1] https://mohanadarshan.wordpress.com/2013/05/05/out_only-scenario-in-proxy-service-wso2-esb/
Out-only property is set to inform that this service does not return a response back. For instance if you are sending messages to a message broker. Force-sc-accepted flag causes ESB to send HTTP Accepted status response back to the client (which calls ESB) since otherwise client will timeout without a response. So please make sure your backend service does not send a response and it is accessible to ESB.
Solved this issue for now: My ESB was running in multi-tenant mode. The proxy services were created in the tenant. I did a fresh install and put the config in (so no tenants). The error disappears immediately. When I remove the config and create a tenant and put the config into the tenant the error reappears. So this might be a bug. I can try to verify with running sample 253 (OneWayProxy) in a tenant.

WSO2API Manager : Api Store Error: Error in getting new access token

I have updated the WSO2 default SSL with the custom SSL certificate on my Production Server on which WSO2Api is installed.
SSL issues have been fixed, but now I am getting an error while re-generating the access token.
Logs
Caused by: org.wso2.carbon.apimgt.keymgt.APIKeyMgtException: Error in getting new accessToken
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:281)
... 45 more
Caused by: java.lang.RuntimeException: Failed : HTTP error code : 500
at org.wso2.carbon.apimgt.keymgt.service.APIKeyMgtSubscriberService.renewAccessToken(APIKeyMgtSubscriberService.java:252)
... 45 more
TID: [0] [AM] [2014-08-27 10:57:41,440] ERROR {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject} - Error in getting new accessToken {org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject}
If APIManager runs with a port offset, you need to do additional changes.
Change the endpoint ports defined in default APIs shipped with APIManager
Find all default APIs of the API Manager in the /repository/deployment/server/synapse-configs/default/api folder. Those are Authorize API, Login API, Token API and Revoke API. Open each of them and change the port value included in the address endpoint config to match the offset value. The default address endpoint config is
address uri="https://192.168.1.7:9443/oauth2/token"
If the AM standalone pack is running with port offset 2, change that config to
address uri="https://192.168.1.7:9445/oauth2/token"
What I did to fix the issue was to 1) add the admin user inside ApiKeyValidator in api-manager.xml, also as an admin user via the management console and in user-mgt.xml; 2) Inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to:
https://[FQDN_OF_HOST]:${mgt.transport.https.port}${carbon.context}/services/
The reason is that my server certificate only recorded the domain name, not the IP address.
My setup: Product: WSO2 AM 1.10.0 DB: MSSQL Security: SAML2 integrated with PingIdentity OS: Linux
Please also refer to this question:
wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
The error may be due to one of these two things:
Your admin password is not set for ApiKeyManager in api_manager.xml.
SSL is not set properly.

WSO2 API Manager 1.4.0 Management Console

I downloaded and installed the WSO2 API Manager version 1.4.0 yesterday and I cannot log in to the web management console (https://localhost:9443/carbon) using the default credentials (i.e. admin/admin)
I can login to the API store and API publisher and the error comes only for the management console.
Note that I performed the default install (unzip and ran ./wso2server.sh from the bin folder)
Following is part of the error stacktrace
[2013-06-03 15:42:13,095] INFO - CarbonAuthenticationUtil 'admin@carbon.super [-1234]' logged in at [2013-06-03 15:42:13,095+1000]
[2013-06-03 15:42:13,112] ERROR - AuthenticationHandler System error : 0 active authenticators registered in the system. The system should have at least 1 active authenticator service registered.
java.lang.RuntimeException: System error : 0 active authenticators registered in the system. The system should have at least 1 active authenticator service registered.
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.isAuthenticated(AuthenticationHandler.java:144)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:83)
Further down the stacktrace, I also get the below
[2013-06-04 11:42:15,860] ERROR - AxisEngine Authentication failure
org.apache.axis2.AxisFault: Authentication failure
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:110)
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.invoke(AuthenticationHandler.java:55)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
I also get the following two warning messages on startup
[2013-06-04 11:14:05,489] WARN - ValidationResultPrinter Swap Memory size (MB): 64 of the system is below the recommended minimum size :2048
[2013-06-04 11:14:15,444] WARN - LandingPageWebappDeployer Product landing page not found.
@nuwandias Hi Nuwan.
I identified the issue. When I was evaluating the previous 1.3.1 version, I injected the Authorization header with the Bearer token via my Firefox browser plugin.
That was what caused the problem with the 1.4.0 version. Once I disable it, it works fine.
All good now and I am looking forward to doing a deep dive evaluation of this product.
Thanks a lot for your support.
I have just downloaded the zip from the website and tried the same and it worked fine. Can you please provide the following information.
What is the environment that you are trying this on (OS)?
What is the md5sum value of the zip archive? Mine is fea68eaadd17daa5e6fa0aff3d973601.
Do you see any errors/warnings on startup? If so, could you share the startup logs too?
Thanks,
Nuwan.
Looking at this log message...
Swap Memory size (MB): 64 of the system is below the recommended minimum size :2048
It seems like your hard drive (or partition) has filled up. I'm wondering whether this could have caused any errors when you unzipped the zip file (if the hard disk has no free space).
If this is the case, can you free up some space (>200MB) in your partition, unzip the archive again and retry?