Key Manager in High Availability Mode - wso2

We are configuring an API Manager distributed setup with 2 Key Manager nodes. The Key Manager nodes are fronted by an F5 Load Balancer. The Key Manager is used only for authentication purposes. We are using a PING Federate server for authorization.
We are sometimes getting the error "Error! Transport error: 401 Error: Unauthorized" when a user logs in to the Publisher. We noted that two services are called when logging in to the Publisher, and the issue occurs because those two service calls from the same session are redirected to the two Key Manager nodes.
What configurations do we need when using two Key Manager nodes? How can we fix this issue?

You need to persist sessions in F5 for the WSO2 Key Manager servers. There aren't any configurations on the WSO2 server side. Enabling session affinity in F5 will work.
Example config for Nginx using JSESSIONID - https://docs.wso2.com/display/AM210/Configuring+the+Proxy+Server+and+the+Load+Balancer#HA-Publisher
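The failure mode described in the question, reproduced as an added simulation (my own code, not WSO2's or an F5 configuration): a Key Manager keeps the authenticated session in its own memory, so a second call from the same JSESSIONID that the load balancer sends to the other node gets a 401, while cookie-based persistence keeps the whole session on one node. Node names, service paths and the session id are constructed.

```python
import hashlib
from itertools import cycle

# Constructed stand-in for the two calls the Publisher makes during one login,
# both carrying the same JSESSIONID cookie.
SESSION_REQUESTS = [
    {"path": "/services/AuthenticationAdmin/login", "cookie": "JSESSIONID=abc123"},
    {"path": "/services/AuthenticationAdmin/getAuthenticatedUser", "cookie": "JSESSIONID=abc123"},
]

def jsessionid(cookie_header):
    """Return the JSESSIONID value from a Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None

class KeyManagerNode:
    """Key Manager stand-in: an authenticated session exists only in this node's memory."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def handle(self, request):
        sid = jsessionid(request["cookie"])
        if request["path"].endswith("/login"):
            self.sessions.add(sid)  # the session is created on this node only
            return 200
        return 200 if sid in self.sessions else 401  # unknown session: Unauthorized

def round_robin_router(nodes):
    """No persistence: every request goes to the next node, the session is ignored."""
    rr = cycle(nodes)
    return lambda request: next(rr)

def sticky_router(nodes):
    """Cookie persistence: hash JSESSIONID so all requests of one session hit one node."""
    def pick(request):
        digest = hashlib.sha256((jsessionid(request["cookie"]) or "").encode()).digest()
        return nodes[int.from_bytes(digest, "big") % len(nodes)]
    return pick

def simulate(router_factory, requests=SESSION_REQUESTS):
    """Fresh km1/km2 nodes per run; returns the status code each request received."""
    nodes = [KeyManagerNode("km1"), KeyManagerNode("km2")]
    route = router_factory(nodes)
    return [route(req).handle(req) for req in requests]

if __name__ == "__main__":
    print("round robin:", simulate(round_robin_router))  # [200, 401]
    print("sticky:     ", simulate(sticky_router))       # [200, 200]
```

On a real F5 the equivalent of `sticky_router` is a cookie persistence profile on the Key Manager virtual server, as the answer above states.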

Related

ERROR: Access is forbidden when trying cloud run service-to-service communication

I'm trying to implement Cloud Run service-to-service communication.
Aim: service A (frontend) needs to call service B (content-api), which is connected to a Cloud SQL DB.
Implemented using the official doc - https://cloud.google.com/run/docs/authenticating/service-to-service
My present setup is as below:
Frontend service config
Created a new service account and attached it.
Created a serverless VPC connector in the host project and configured it to route all traffic through this connector.
Ingress is set to allow all traffic.
Authentication is set to allow unauthenticated invocations.
Content-api config
Created another new service account and attached it.
Used the same serverless VPC access connector, which is in the host project, and configured it to route all traffic through this connector.
Ingress is set to allow internal traffic only.
Authentication is set to require authentication (the frontend service code is fetching a token from the metadata server and is able to connect using that token).
Also configured the Cloud Run Invoker role for the frontend service account principal in content-api (Show Info Panel settings).
Expecting to get data from content-api when the frontend service is triggered.
I'm able to trigger the frontend service but get an access forbidden error (guessing due to content-api being set to allow internal ingress only). But when I change the content-api ingress setting to allow all traffic, it works fine - requesting a token and using that to call content-api, which queries the DB and responds with the expected value.
What could be the cause of the Access Forbidden error with the internal setting? And how do I resolve this? Thanks in advance for your answers/suggestions.
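The token step the question describes, as an added example (my own code, not from the question or from Google's documentation): the frontend mints an ID token from the metadata server with the callee URL as audience, inspects the `aud` claim before calling, and maps the response code. The content-api URL is a constructed placeholder, the `opener` argument exists so the helpers run offline, and nothing here changes the ingress setting the question is asking about; the audience check only rules out a wrong-audience token as a cause.

```python
import base64
import json
import urllib.error
import urllib.request

# Metadata-server endpoint that mints an ID token for the service's own service
# account; the audience must be the URL of the service being called.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/instance/"
                "service-accounts/default/identity")
CONTENT_API_URL = "https://content-api-PLACEHOLDER.a.run.app"  # constructed placeholder

def identity_token_request(audience):
    """Build the token request; the Metadata-Flavor header is required by the server."""
    return urllib.request.Request(f"{METADATA_URL}?audience={audience}",
                                  headers={"Metadata-Flavor": "Google"})

def fetch_identity_token(audience, opener=urllib.request.urlopen):
    """Fetch the ID token (only works inside Cloud Run); opener is injectable for tests."""
    with opener(identity_token_request(audience)) as resp:
        return resp.read().decode().strip()

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature: for local inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_matches(token, callee_url):
    """Cloud Run rejects a token whose aud is not the callee's URL; check before calling."""
    return jwt_claims(token).get("aud") == callee_url

def call_content_api(token, opener=urllib.request.urlopen):
    """Authenticated call carrying the bearer token; returns the HTTP status code."""
    req = urllib.request.Request(CONTENT_API_URL,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with opener(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401: token rejected; 403: request not allowed (invoker role or ingress)

def make_unsigned_jwt(claims):
    """Constructed unsigned token so the helpers above can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```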

Using Choreo analytics behind the proxy

I've installed WSO2 API Manager 4.0.0 on an internal server and I have no idea how to tell it to use a proxy server to connect to Choreo analytics.
I see the following error in the log:
:Provided authentication endpoint https://analytics-event-auth.choreo.dev/auth/v1 is not reachable.
I've tried setting the http_proxy, https_proxy, HTTP_PROXY and HTTPS_PROXY environment variables with the flag java.net.useSystemProxies=true in api_manager.sh, but they don't seem to work and I don't see any traffic coming from this server through the proxy.
Adding the Java flags http.proxyHost and http.proxyPort didn't help either.
If I start it from a server with internet access then it works just fine with Choreo.
Is there any way to set the proxy for APIM?
WSO2 API Manager's gateway component talks to an API in the Analytics cloud in order to fetch the credentials required to publish events to the cloud. The failure that you have pointed out occurs at the point of talking to this API. It appears that proxy settings have not been configured for this particular HTTP client. Please see here.
Event publishing is the next step and uses the AMQP protocol. Therefore I think it would not go through the HTTP/S proxy. However, if the gateway has no access to the internet, this step will fail again regardless of whether the API call is fixed to honour the proxy settings.
Currently, analytics does not support publishing events through a proxy. It seems that in order to honour proxy settings in event publishing, the protocol would need to be changed to WebSocket.

Programmatically authenticating and accessing service inside AWS EKS cluster from outside when ALB is used

We build a Kubernetes application that is deployed by our users; our users connect to the deployed API server using a client and then use that client to submit jobs.
This question is about programmatically connecting to an application running inside a Kubernetes cluster from outside the cluster.
We have this working with local Kubernetes deployments and Google Kubernetes Engine (using IAP).
However, some of our users on Amazon cloud cannot connect to the application.
I do not have much experience with AWS. I'm used to token-based auth and OAuth-like auth methods where authentication happens outside of a library: the user is redirected to some page where they log into a service, and the client library only gets a token without ever seeing the password.
One of our users has implemented an auth solution that takes a username and password and then uses Selenium to emulate the login process and get a cookie, which is then used for sending requests. https://github.com/kubeflow/pipelines/pull/4182
Here is a quote from the PR.
Currently, the kfp client cannot be used outside an AWS EKS cluster. The Application Load Balancer manages outside traffic and requires authentication before traffic comes into the mesh. This PR automates ALB authentication and gets a session cookie to authenticate the KFP Python client to the Kubeflow cluster.
This unblocks users to submit pipelines/runs outside the Kubeflow cluster, and users can integrate with their CI/CD solutions much more easily.
Cognito or OIDC behind ALB can both leverage this solution.
Is there a better way to authenticate with an AWS EKS ALB?
I've searched the AWS documentation for programmatic authentication methods, but did not find what I wanted (the docs mostly focus on server-side auth setup). In my last search I found the following article, but I'm not 100% sure it covers what our AWS users want.

How to set up WSO2 Identity Server and API Manager cluster

I want to set up a WSO2 Identity Server cluster and another for WSO2 API Manager. The Identity Server will be used to enable SSO for our applications and also to register existing Identity Providers (e.g. ADFS). The API Manager will be used to manage our REST APIs and to provide them to our applications. I also want to configure the Identity Server to be the Key Manager.
As the documentation says for WSO2 cluster deployment, management nodes are specialized in management of the setup, while worker nodes are specialized in serving requests to deployment artifacts. Besides that, the API Manager product provides 5 different profiles (key-manager, publisher, store, gateway-manager and gateway-worker).
For now, I have 3 servers (server1, server2 and server3) on which I will install and configure the WSO2 cluster nodes for Identity Server and API Manager. I also created a load balancer that will be used to forward requests to each cluster's nodes (IS and AM).
After some reading, I concluded that I would need to install WSO2 IS and WSO2 AM as manager nodes on server1, and the two other servers would be used as worker nodes.
I think I already managed to install and configure the Identity Server cluster: the URL mgt.identity.mydomain.pt points to the server1 node and identity.mydomain.pt points to the server2 and server3 nodes for load balancing requests.
Now I'm stuck with the API Manager cluster configuration. I want to use server2 and server3 as the gateway to load balance requests (apis.mydomain.pt) for our REST APIs and use server1 to manage our APIs using the store and publisher components (mgt.apis.mydomain.pt). I'm struggling to understand which profile I have to use for each node. I tried to install a manager node on server1 with the default profile and install worker nodes on server2 and server3 with the gateway-worker profile, but I'm getting errors related to the Deployment Synchronizer (error logs). I guess I am doing something wrong because those errors only show up when using the gateway-worker profile.
Can anyone explain to me the difference between worker and manager nodes and how they relate to WSO2 profiles?
UPDATE:
I found out what I was missing that was causing the error. I was starting server2 and server3 with just -Dprofile=gateway-worker; I added -DworkerNode=true and I have no errors in the log anymore.
Anyway, I am still a little bit confused about using the gateway-manager and gateway-worker profiles.
https://docs.wso2.com/display/CLUSTER44x/Configuring+SVN-Based+Deployment+Synchronizer contains the Deployment Synchronizer related configurations. Can you check whether you configured the manager and worker nodes correctly?

Windows AppFabric: Host unable to impersonate with SQL Server backing store

We have a two-host AppFabric setup. Both hosts are Win2k8 Standard and are running the 32-bit version of AppFabric. The entire system has a backing SQL Server store that holds the AppFabric database store. Connectivity is not an issue between the systems; this was verified independently.
When I start the cache cluster I get this error:
(AppFabric Caching service crashed with exception {Microsoft.ApplicationServer.Caching.ConfigStoreException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON')
It appears that AppFabric is unable to impersonate the user it is running / configured with into SQL Server. We have configured accounts for the domain user that will run AppFabric, and also accounts for the machines. Any help is appreciated; we've been stuck on this for a while now.
This is probably checking things you've already been through, but let's see if we can rule a few things out first.
Can you confirm that:
the domain account isn't locked out for some reason, has a non-expiring password, etc.
the AppFabric Caching service is configured (on both servers) in the Services Control Panel applet to run under the domain account you've created
the domain account has access to SQL Server and the AppFabric config database
Can you start either cache server individually?
Domain account configuration is not supported in V1.0. Only Network Service can be configured in V1.0.
Let me see if I have understood the problem correctly.
Configuration: AppFabric 1.0 installed with a SQL Server config store. All other configurations default.
Symptom: the service does not start on the machines due to a SQL Server connection error.
If the above is correct, you can try the following:
Issue: The AppFabric service runs as Network Service on the server machines for security reasons. When the service tries to access the SQL Server config store, it hits a permission issue.
Resolution: Give permission to the NT service / Machine$ account for all the server nodes on the SQL Server for the config store DB.
Let us know if this solves the issue.