Having WSO2 AM 2.1.0 in a distributed setup (KM, GW, TM deployed and scaled separately), we'd like to enable SAML SSO for application users with an external SAML IdP.
The main question is: what is the SAML ACS URL for the APIM as SP in this setup?
By default (it's working) the ACS URL is https://host:9443/commonauth; however, as far as I understood, the client should have access only to the Gateway services (port 8243). Even all the OAuth services are exposed on port 8243 too.
So, do we need to expose a route / ports to 9443 (gateway to key manager)?
Thank you for any insight.
The question is a bit unclear. We can set up SSO for the Publisher and Store applications only. There is no connection with the gateway when configuring this. See https://docs.wso2.com/display/AM2xx/Configuring+Identity+Server+as+IDP+for+SSO . Since the API Publisher or Store acts as the SP, we set the ACS URL for the Publisher as https://localhost:9443/publisher/jagg/jaggery_acs.jag and for the Store as https://localhost:9443/store/jagg/jaggery_acs.jag
The gateway is there to accept the API requests, so only 8243 and 8280 need to be exposed to the public. But the gateway needs to talk to the key manager (to validate tokens), so there needs to be a connection between the gateway and the key manager.
Related
We have two API servers running in HA mode, i.e. the same set of services is running on both VMs with the same environment. We would like to use WSO2 APIM for API security, but the problem is that we have not been able to find out how to use HA routing of services in WSO2 APIM.
E.g.
API Server 1- http://192.168.0.2/getCustomerDetails
API Server 2- http://192.168.0.3/getCustomerDetails
API Gateway- 192.168.0.10
Once registered on API Gateway the service endpoints become-
URL1- https://192.168.0.10:8243/getCustInfo1
URL2- https://192.168.0.10:8243/getCustInfo2
Now the question is: how does WSO2 APIM decide where to route the request, i.e. URL1 or URL2, for accessing the same business service? Or is there some concept like virtual IP usage in WSO2 APIM?
You don't have to create 2 APIs in API Manager for your 2 backend URLs. Create a single API and use Load Balancing or Failover Endpoints[1].
[1] https://apim.docs.wso2.com/en/latest/Learn/DesignAPI/Endpoints/high-availability-for-endpoints/
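To make the answer concrete, here is an added illustration (not WSO2 code and not part of the answer) of what a single API with a load-balanced, failover-enabled endpoint does with the two backends from the question: requests rotate across both hosts while they are up, and a host that refuses a connection is suspended for a while and the same request is retried on the other host, so the client only ever sees the one gateway URL. The backend hosts, the fake transport, the fixed clock and the 30-second suspension are constructed sample values.

```python
"""Model of Synapse loadbalance/failover endpoint semantics, written for this
answer as an illustration; it is not WSO2's implementation. Backend hosts, the
fake transport and the suspension period are constructed sample values."""
import time
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Backend:
    url: str
    suspended_until: float = 0.0  # clock value; the backend is skipped until then


class LoadBalanceFailoverEndpoint:
    """Round-robin across backends; a backend whose call fails is suspended for
    suspend_seconds and the same request is retried on the next backend."""

    def __init__(self, urls: List[str], suspend_seconds: float = 10.0,
                 clock: Callable[[], float] = time.monotonic):
        self.backends = [Backend(u) for u in urls]
        self.suspend_seconds = suspend_seconds
        self.clock = clock
        self._next = 0  # index of the backend that round-robin tries first

    def send(self, path: str, call: Callable[[str], str]) -> Tuple[str, str]:
        """call(url) returns a response body or raises ConnectionError.
        Returns (backend url that served the request, body)."""
        n = len(self.backends)
        now = self.clock()
        last_error = None
        for attempt in range(n):
            b = self.backends[(self._next + attempt) % n]
            if b.suspended_until > now:
                continue  # still suspended after an earlier failure
            try:
                body = call(b.url + path)
            except ConnectionError as exc:
                b.suspended_until = now + self.suspend_seconds
                last_error = exc
                continue  # failover: retry the same request on the next backend
            self._next = (self._next + attempt + 1) % n
            return b.url, body
        raise RuntimeError(f"no active backend for {path}: {last_error}")


def fake_transport(down_hosts):
    """Constructed stand-in for the HTTP call; hosts in down_hosts refuse connections."""
    def call(url: str) -> str:
        if any(url.startswith(h) for h in down_hosts):
            raise ConnectionError("connection refused: " + url)
        return "200 OK from " + url
    return call


BACKENDS = ["http://192.168.0.2", "http://192.168.0.3"]  # constructed, from the question


def route_sequence(down_hosts, calls: int = 4) -> List[str]:
    """Return which backend served each of `calls` requests to /getCustomerDetails."""
    ep = LoadBalanceFailoverEndpoint(BACKENDS, suspend_seconds=30.0, clock=lambda: 100.0)
    transport = fake_transport(down_hosts)
    return [ep.send("/getCustomerDetails", transport)[0] for _ in range(calls)]


if __name__ == "__main__":
    print("both up:         ", route_sequence(set()))
    print("192.168.0.3 down:", route_sequence({"http://192.168.0.3"}))
```

With both hosts up the four calls alternate .2, .3, .2, .3; with 192.168.0.3 refusing connections the second call fails over to .2 and the suspended host is not tried again for the rest of the run. In the real product the equivalent knobs are the Load Balance / Failover endpoint type and its suspension settings in the API's endpoint configuration.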
I read a lot of information about this topic but I have no answer.
I have 3 servers with the following components:
server1 - WSO2 IS + OpenLDAP
server2 - WSO2 Gateway
server3 - Publisher + Store
All of these servers work with LDAP and I have no problems logging in to IS, Gateway, Publisher and Store with my LDAP login.
In the Publisher config file I wrote Gateway server2, but when I publish a new test API I have access to this API at server3:8243/ddd/v1/aaa, while via the gateway I have no access at https://server2:8243/ddd/v1/aaa and I get an Error 404.
How do I need to configure my WSO2 Publisher or Gateway?
P.S. At this moment I have no generated SSL keys in a keystore. Can you tell me how to resolve this problem for testing my TEST API?
When you publish an API from the Publisher, it pushes the Synapse artifact of the API to the gateway node. But in your case, as you haven't changed any configuration in the Publisher/Store node, it points to the server itself.
You can edit server 3 and point it to server 2, which is your gateway node. Edit the api-manager.xml file in the APIM/repository/conf location.
<APIGateway>
    <Environments>
        <Environment type="hybrid" api-console="true">
            <Name>Production and Sandbox</Name>
            <Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
            <ServerURL>https://[API-Gateway-Host-or-IP]:9443/services/</ServerURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <GatewayEndpoint>http://[API-Gateway-Host]:8280,https://[API-Gateway-Host]:8243</GatewayEndpoint>
        </Environment>
    </Environments>
</APIGateway>
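An added check (not WSO2 code and not part of the answer) that parses the APIGateway section of api-manager.xml and flags the exact misconfiguration described in the question: an environment whose ServerURL or GatewayEndpoint still points at the Publisher node itself instead of the separate gateway, plus a plain-http ServerURL or a literal password in the file. Both XML documents below are constructed samples; server2 and server3 are the host names from the question, and the Secure Vault recommendation refers to WSO2's standard credential-encryption feature.

```python
"""Sanity check for the <APIGateway> environments of api-manager.xml, written for
this answer; not part of WSO2. Sample XML is constructed."""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_gateway_environments(xml_text: str, publisher_host: str) -> List[Tuple[str, str]]:
    """Return (environment name, finding) pairs; an empty list means every
    environment points at a real gateway node over https with no literal password."""
    findings: List[Tuple[str, str]] = []
    root = ET.fromstring(xml_text)
    for env in root.iter("Environment"):
        name = (env.findtext("Name") or "<unnamed>").strip()
        server_url = (env.findtext("ServerURL") or "").strip()
        raw_endpoints = env.findtext("GatewayEndpoint") or ""
        endpoints = [u.strip() for u in raw_endpoints.split(",") if u.strip()]
        password = (env.findtext("Password") or "").strip()

        parsed = urlparse(server_url)
        if not server_url:
            findings.append((name, "ServerURL is missing"))
        elif parsed.hostname in LOCAL_HOSTS or parsed.hostname == publisher_host:
            findings.append((name, f"ServerURL {server_url} points at the Publisher node, not the gateway"))
        if server_url and parsed.scheme != "https":
            findings.append((name, "ServerURL is not https: admin credentials would be sent in clear"))

        if not endpoints:
            findings.append((name, "GatewayEndpoint is empty"))
        for ep in endpoints:
            host = urlparse(ep).hostname
            if host in LOCAL_HOSTS or host == publisher_host:
                findings.append((name, f"GatewayEndpoint {ep} points at the Publisher node, not the gateway"))

        # ${admin.password} is resolved at runtime; a literal value is a cleartext credential on disk
        if password and not password.startswith("${"):
            findings.append((name, "Password is a literal value; use the placeholder or Secure Vault"))
    return findings


# Constructed sample: the Publisher node left at its shipped defaults (points at itself).
SHIPPED_XML = """<APIManager>
  <APIGateway>
    <Environments>
      <Environment type="hybrid" api-console="true">
        <Name>Production and Sandbox</Name>
        <ServerURL>https://localhost:9443/services/</ServerURL>
        <Username>${admin.username}</Username>
        <Password>${admin.password}</Password>
        <GatewayEndpoint>http://localhost:8280,https://localhost:8243</GatewayEndpoint>
      </Environment>
    </Environments>
  </APIGateway>
</APIManager>"""

# Constructed sample: the same environment after pointing it at the gateway node server2.
FIXED_XML = SHIPPED_XML.replace("localhost", "server2")


if __name__ == "__main__":
    for label, doc in (("shipped", SHIPPED_XML), ("fixed", FIXED_XML)):
        print(label, check_gateway_environments(doc, publisher_host="server3") or "OK")
```

Run it against the real file with `check_gateway_environments(open(".../repository/conf/api-manager.xml").read(), "server3")`; three findings on the shipped file (ServerURL plus both GatewayEndpoint entries on localhost) and none on the corrected one.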
When creating an API in WSO2, the wizard has a section to pick an endpoint - current selection choices include: HTTP Endpoint, Address Endpoint, failover endpoint, Load Balance. Can additional endpoints be added, such as FTP? Is there code / config that can be added for an FTP endpoint?
WSO2 API Manager doesn't support the FTP protocol; you can use WSO2 ESB to do the same. You can refer to these samples here and here.
I'm creating an entry in API Manager for one of our web service endpoints which doesn't use the default HTTPS port of 443; it's bound to port 444 at the moment.
I'm configuring this API entry in WSO2 AM to be accessible via HTTPS only, but I can't get it to work. I've entered https://:444/ as the HTTP Endpoint value when creating the API record.
Has anybody successfully set up a similar scenario? Thanks
I was planning the following setup:
A proxy service in WSO2 ESB that interacts with a backend service via JMS.
Proxy service clients connect to the WSO2 ESB using HTTPS with mutual authentication.
Within the proxy service mediators, information from the client's certificate is needed.
Is there some way the client certificate could be made available to the mediators?
You do not need to provide client certificates at the mediator level. Mediators are put together in a pipes & filters chain, and it is the endpoint at the end that connects to the back-end, so it is at the endpoint level that you have to secure it. The blog post on How to invoke secured backend service using WSO2 ESB shows how to achieve this.
First you have to enable mutual authentication in WSO2 ESB. If you do not know how to do that, please refer to Enable Mutual SSL for Proxy services in WSO2 ESB. Then refer to the following blog post to learn how to get the client's certificate in a class mediator.