How to share configurations of WSO2-IS among servers? - wso2

I have multiple wso2-is servers set up as my dev, staging and prod environments.
And I would want to have a functionality wherein I can export all the configuration from some server (say dev) to some other server (say staging) to make both servers identical, i.e. both servers would have the same database configurations, same tenants, same service providers, same identity providers and so on.
From the documentation here, I know that I can create service providers and identity providers using XML files, so in turn I can share the XML files to sync SPs and IdPs between servers.
But is there a standard way to achieve that? Like, from the management console or so?
It even seems possible that syncing the [IS-HOME]/repository directory would ensure that the servers are identical, but are there any caveats to this approach?

There is no standard way to sync the service provider configurations among different environments as of now. This issue is reported to track the feature requirement; it's a work in progress at the moment and you can expect it in a future release.
One possible solution you can use to achieve your target is retrieving the service provider from the Admin service and creating the same service provider in the other environment.
You can use the file-based service provider configurations to achieve this target. But with that approach, you will not be able to see the service providers added from the configuration files in the management console. The next limitation you will face is that you can add only SAML-based inbound authentication configurations through the config files (as opposed to, for example, OAuth 2.0 / OIDC inbound authentication configurations).
To answer your last question, you can't sync the [IS-HOME]/repository folder to achieve this. The reason you were able to observe this behavior seems to be that you are using the inbuilt H2 database, which lives in the [IS-HOME]/repository/database folder. With your file sync, you have actually synced the databases.

Do we really need to bind Oracle service in PCF , can't we just use credentials mentioned in service?

I have a question: what is the difference if I just use an Oracle/MySQL service provided by PCF without binding it? What difference will it create? I can anyway access the DB using the credentials.
There are two differences that come to mind:
When you create a service through the Cloud Foundry marketplace, that will create backing resources for the service but in most cases it does not create credentials. The act of binding a service to your app, in most cases with most service brokers, will actually create service credentials for you. When you unbind, again with most brokers, the service credentials are destroyed. This makes it easy to regenerate your service credentials, just unbind/rebind the service and restart your app. The net result is that if you don't bind, there are no credentials.
Most people do not want to include credentials with the actual application (see https://12factor.net/ for details why). They want to be able to provide configuration external to the app. On Cloud Foundry this commonly amounts to binding a service.
Having said that, how do you want to provide the credentials to your application?
Service bindings are there to try and make life as a developer easier but you don't have to use them. If you want to pass in the configuration some other way, like via environment variables, a config file, or using a config service (Spring Cloud Config Server or Vault) those are fine options too.
If you do not want to bind a service to your app, the only thing you'll need to do is to create a service key instead. A service key is like a binding, but not associated with an application. It will also generate a set of unique credentials. You can then take the credentials from your service key and feed them to your app in the way that works best for you.
Ex:
cf create-service-key service-instance key-name
cf service-key service-instance key-name
The first command creates the service key, the second will display its credentials.
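The two commands above give you the credentials on the terminal; the remaining step is getting them into the unbound app without pasting them into the code base. The following is an added example (not Cloud Foundry's own tooling) that parses the output of `cf service-key` and flattens the credentials into environment-variable names. It assumes the cf CLI prints a status line, a blank line, and then the credentials as a JSON object, so only the text from the first `{` onward is parsed; the sample output is constructed.

```python
"""Feed service-key credentials to an unbound Cloud Foundry app via env vars.

Added example, not part of the cf CLI. Assumption: `cf service-key` prints a
human-readable status line followed by the credentials JSON object.
"""
import json
import re
import subprocess


def credentials_from_output(output: str) -> dict:
    """Extract the JSON credentials object from `cf service-key` output."""
    start = output.find("{")
    if start < 0:
        raise ValueError("no JSON object found in cf service-key output")
    return json.loads(output[start:])


def to_env(creds: dict, prefix: str) -> dict:
    """Flatten nested credential keys into PREFIX_KEY_SUBKEY variable names.

    Only scalar leaves are exported; lists/objects are walked, not dumped, so
    a stray structure never lands verbatim in an environment variable.
    """
    env = {}

    def walk(obj, path):
        if isinstance(obj, dict):
            for key, value in obj.items():
                walk(value, path + [key])
        elif isinstance(obj, (str, int, float, bool)):
            name = "_".join([prefix] + path).upper()
            env[re.sub(r"[^A-Z0-9_]", "_", name)] = str(obj)

    walk(creds, [])
    return env


def fetch_service_key(instance: str, key: str) -> dict:
    """Run the real CLI (requires a logged-in `cf`); not exercised offline."""
    completed = subprocess.run(
        ["cf", "service-key", instance, key],
        check=True, capture_output=True, text=True,
    )
    return credentials_from_output(completed.stdout)


# Constructed sample of what `cf service-key service-instance key-name` prints;
# the hostname and credentials are made up.
SAMPLE_OUTPUT = """Getting key key-name for service instance service-instance as dev@example.com...

{
 "hostname": "db.internal",
 "port": 1521,
 "username": "app_user",
 "password": "s3cr3t",
 "uri": "oracle://app_user:s3cr3t@db.internal:1521/ORCL"
}
"""

if __name__ == "__main__":
    for name in sorted(to_env(credentials_from_output(SAMPLE_OUTPUT), "ORACLE")):
        print(name)  # names only: never echo the values into a build log
```

The resulting map can be applied with `cf set-env APP NAME VALUE` before `cf restart`, or written to whatever config mechanism the app reads. Keep in mind that anything set this way is visible to everyone who can run `cf env APP` on the space, which is the same audience that can see a binding's `VCAP_SERVICES`; if that audience is too wide, a config service such as Vault, as the answer mentions, is the better home for the password.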

wso2 identity server: automate the deploy of policies, claims, and other configs

I have hundreds of different identity server configurations (policies, claims, service providers, etc.)
And I need to repeat the same configuration on several environments: dev, test, prod.
To do it by hand through export/import in the web console is a nightmare.
What is the best practice for automatic configuration deployment to wso2is?
I'm thinking about the following options:
create a script that will call admin services to import identity server configs
create a custom deployer (like the synapse & dataservice deployers, etc.) and call admin services or do in-memory API calls
find where and how it's stored in the database and write a SQL script to fill the database
Maybe something already exists for config deployment and I just can't find it?
You can create your own scripts or custom methods to manage the deployments, but you have to maintain those scripts yourself.
In that case, you can use deployment automation tools such as Puppet, Chef, etc.
You can use the WSO2 Puppet modules to deploy your configuration in different environments.
Just in case somebody needs the file-based deployer:
I created a Groovy script deployer that could be used for different purposes.
service-provider deployer
policy deployer
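Both the first thread (retrieve the service provider from the Admin service and create it in the other environment) and the scripted-admin-service option in this question describe the same procedure. The following is an added example of that procedure in Python; it is not WSO2's tooling or either poster's script. Assumptions to verify against your own server's `https://<host>:9443/services/IdentityApplicationManagementService?wsdl`: the operation names `getApplication`, `createApplication` and `updateApplication`, the two namespace URIs below, and that `updateApplication` locates the target SP by its `applicationID`. The sample response is constructed. Credentials are read from the environment and TLS is verified against a CA bundle you supply; the admin password travels in every request, so do not disable verification.

```python
"""Copy a WSO2 IS service provider between nodes via the SOAP admin service.

Flow: getApplication on the source, then createApplication (name only) and
updateApplication (full definition, keyed on the target's applicationID) on
the target. Added example; operation and namespace names are assumptions
matching IS 5.x WSDLs.
"""
import base64
import copy
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS_NS = "http://org.apache.axis2/xsd"  # operation wrapper elements (assumed)
MODEL_NS = "http://model.common.application.identity.carbon.wso2.org/xsd"  # SP fields (assumed)
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SERVICE_PATH = "/services/IdentityApplicationManagementService"

for prefix, uri in (("soapenv", SOAP_NS), ("xsd", AXIS_NS), ("xsd1", MODEL_NS)):
    ET.register_namespace(prefix, uri)


def _envelope(operation, children):
    """Wrap pre-built elements in Envelope/Body/<operation>."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{AXIS_NS}}}{operation}")
    op.extend(children)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def get_application_request(name):
    el = ET.Element(f"{{{AXIS_NS}}}applicationName")
    el.text = name
    return _envelope("getApplication", [el])


def create_application_request(name, description):
    sp = ET.Element(f"{{{AXIS_NS}}}serviceProvider")
    ET.SubElement(sp, f"{{{MODEL_NS}}}applicationName").text = name
    ET.SubElement(sp, f"{{{MODEL_NS}}}description").text = description
    return _envelope("createApplication", [sp])


def parse_service_provider(response_xml):
    """Return the ServiceProvider (<return>) element of a getApplicationResponse."""
    root = ET.fromstring(response_xml)
    sp = root.find(f".//{{{AXIS_NS}}}getApplicationResponse/{{{AXIS_NS}}}return")
    if sp is None:
        raise ValueError("no ServiceProvider in response (SOAP fault or wrong operation?)")
    return sp


def field(sp, name):
    el = sp.find(f"{{{MODEL_NS}}}{name}")
    return None if el is None else el.text


def update_application_request(sp, target_app_id):
    """Re-send an exported SP as updateApplication with the target's own ID."""
    new_sp = ET.Element(f"{{{AXIS_NS}}}serviceProvider")
    for child in sp:
        new_sp.append(copy.deepcopy(child))
    # xsi:type values name prefixes declared only in the response document;
    # drop them so the re-serialized request does not dangle.
    for el in new_sp.iter():
        el.attrib.pop(f"{{{XSI_NS}}}type", None)
    app_id = new_sp.find(f"{{{MODEL_NS}}}applicationID")
    if app_id is None:
        app_id = ET.Element(f"{{{MODEL_NS}}}applicationID")
        new_sp.insert(0, app_id)
    app_id.text = str(target_app_id)
    return _envelope("updateApplication", [new_sp])


def call_admin_service(base_url, user, password, ca_bundle, envelope, action):
    """POST one SOAP envelope with Basic auth over verified TLS."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + SERVICE_PATH, data=envelope, method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f"urn:{action}",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def copy_service_provider(src, dst, name, ca_bundle):
    user, password = os.environ["IS_ADMIN_USER"], os.environ["IS_ADMIN_PASS"]
    sp = parse_service_provider(call_admin_service(
        src, user, password, ca_bundle, get_application_request(name), "getApplication"))
    call_admin_service(dst, user, password, ca_bundle,
                       create_application_request(name, field(sp, "description") or ""),
                       "createApplication")
    created = parse_service_provider(call_admin_service(
        dst, user, password, ca_bundle, get_application_request(name), "getApplication"))
    call_admin_service(dst, user, password, ca_bundle,
                       update_application_request(sp, int(field(created, "applicationID"))),
                       "updateApplication")


# Constructed sample of a getApplicationResponse (shape assumed from ADB output).
SAMPLE_GET_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body>
  <ns:getApplicationResponse xmlns:ns="http://org.apache.axis2/xsd">
   <ns:return xmlns:ax2310="http://model.common.application.identity.carbon.wso2.org/xsd"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ax2310:ServiceProvider">
    <ax2310:applicationID>7</ax2310:applicationID>
    <ax2310:applicationName>my-app</ax2310:applicationName>
    <ax2310:description>dev copy</ax2310:description>
    <ax2310:inboundAuthenticationConfig xsi:type="ax2310:InboundAuthenticationConfig">
     <ax2310:inboundAuthenticationRequestConfigs>
      <ax2310:inboundAuthKey>my-app-saml</ax2310:inboundAuthKey>
      <ax2310:inboundAuthType>samlsso</ax2310:inboundAuthType>
     </ax2310:inboundAuthenticationRequestConfigs>
    </ax2310:inboundAuthenticationConfig>
   </ns:return>
  </ns:getApplicationResponse>
 </soapenv:Body>
</soapenv:Envelope>"""
```

`createApplication` on a name that already exists on the target raises a SOAP fault, which `urlopen` surfaces as an `HTTPError`; that is the safe default, since silently updating an SP that someone changed by hand in staging is how environments drift apart. Exported definitions contain inbound auth keys and any OAuth client secrets, so treat the intermediate XML like the database it came from.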

Centralize Claim Configuration for Service Providers WSO2 IS 5.2.0

I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines forming a cluster (using the WKA membership scheme and a load balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines).
I noticed that if I want to return particular set of claims I must:
- Update the Claim Configuration of the particular Service Provider
- Make sure /_system/config/oidc has the necessary claims stored in the "openid" property
- Make sure the claims stated in the Claim Configuration of the Service Provider are populated in the identity profile
Is there a way to centralize the claim mappings and not have to configure the claims for each Service Provider?
I noticed that I could update the SP_CLAIM_MAPPING table in the database directly, but is there another way to achieve this result?
Thanks in advance.
Currently, there is no way to centralize claim mappings in Identity Server. You have to specify claim mappings in each SP separately.
It will be supported in a future release. You can find some discussions here.
Thanks
Isura

What is the API used to add/remove/manage users of AWS Directory Service?

I am trying to programmatically add users to a "Simple AD" in the AWS Directory Service. There is indeed an API for managing the directory itself (http://docs.aws.amazon.com/directoryservice/latest/devguide/API_Operations.html), but I am unable to find anything similar for managing the users of the directory. Is there any way to do this via an API?
The Directory Service documentation suggests that the supported method of management is not via AWS APIs but rather via Active Directory management tools, simply connecting to the domain controllers. There is one user management endpoint in the DS API, namely ResetPassword. The WorkSpaces console (but not the API) allows user creation, and while the WorkDocs API appears to allow user creation, deletion, etc. it seems that those operations are only possible when the directory is enabled for WorkDocs, which may not be desirable if you're not actually using the service.
There is no API for that.
You must use Microsoft's tool for managing Active Directory users / groups.

Issue with wso2 api manager permission for roles

I have two instances of wso2 api manager running on two different servers. Both of them are referring to the same UM_DB. I created a role by logging in with admin credentials on one server. After that I checked for the role on the other server by logging in with admin credentials again. I found that the role existed on the other server, but the permissions that I provided for that role do not exist on the other server. Is that a bug with wso2 api manager or did I miss something in the configuration?
You want to deploy two APIM instances in a cluster. It is better to refer to the APIM clustering guide to set it up properly. There are two things you need to understand when deploying APIM in a cluster:
You must point both instances to the same database. There can be three logical databases, i.e. UM, Registry and AM database. These three can be one physical DB. However, both instances must point to the same one.
You must configure Hazelcast-based clustering using the axis2.xml file. This is required because APIM uses a Hazelcast-based implementation to distribute the data in the caches. In your scenario, I guess you have not configured this. Therefore the permission tree has not been distributed between the two nodes. A lot of data is stored in the caches for high performance, so please make sure to configure this properly.
I guess this would help you.
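For reference, the clustering section of [APIM-HOME]/repository/conf/axis2.xml for a two-node WKA (well-known address) cluster looks like the following. This is an added example, not configuration from the question or the answer; the addresses, port and domain name are placeholders, and the parameter names should be checked against the axis2.xml shipped with your APIM version and the clustering guide the answer refers to.

```xml
<!-- Added example: Hazelcast clustering in axis2.xml, WKA membership.
     Hosts, port and domain are placeholders to replace per environment. -->
<clustering class="org.wso2.carbon.core.clustering.hazelcast.HazelcastClusteringAgent"
            enable="true">
    <!-- wka: every node lists the well-known members below; no multicast needed -->
    <parameter name="membershipScheme">wka</parameter>
    <!-- all nodes of one cluster must share the same domain name -->
    <parameter name="domain">wso2.am.domain</parameter>
    <!-- this node's own address and Hazelcast port -->
    <parameter name="localMemberHost">10.0.0.11</parameter>
    <parameter name="localMemberPort">4000</parameter>
    <members>
        <member>
            <hostName>10.0.0.11</hostName>
            <port>4000</port>
        </member>
        <member>
            <hostName>10.0.0.12</hostName>
            <port>4000</port>
        </member>
    </members>
</clustering>
```

The second node uses the same block with its own address in `localMemberHost`. The cluster port (4000 here) carries replicated cache content, including the permission tree the question is about, so restrict it at the firewall or security-group level to the cluster members themselves; it should never be reachable from the same network path as the API gateway endpoints.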