How to validate WSO2 JWT from API Manager within remote backend server? - wso2

I would like to know an overview of what's the proper way to validate JWT at remote backend server?
I believe I'd need a public key...does API-M expose an endpoint to obtain a public key or do I extract it from wso2carbon.jks?
Thank you!

WSO2 API Manager signs the JWT with the private key of its keystore and you have to export it from the above keystore. We don't provide an endpoint for extracting the public key.
Also, it's highly recommended to use your own keystore rather than the one shipped with the WSO2 product, because that keystore is common to all the products and released publicly.
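
Added example (not from the thread or from WSO2): how a backend can check the gateway's JWT against the RSA public key exported from the keystore, using only Python's standard library. It assumes the token is signed with RS256 and that `exp` is in seconds; `verify_gateway_jwt`, `sign_demo` and the demo key are hypothetical names and constructed values, and in a real backend `n` and `e` come from the exported certificate.

```python
import base64, hashlib, hmac, json, time

# DigestInfo DER prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def expected_block(signing_input, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(signing_input) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_gateway_jwt(token, n, e, now=None):
    """Return claims if RS256-signed by (n, e) and unexpired (exp assumed in seconds)."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except ValueError as err:
        raise ValueError("malformed token") from err
    # Pin the algorithm; never let the token select "none" or an HMAC variant.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise ValueError("bad signature")
    recovered = pow(s, e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, expected_block(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

# Constructed demo key built from two Mersenne primes; NOT a real gateway key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def sign_demo(claims, alg="RS256"):
    """Stand-in for the gateway: sign claims with the constructed private key."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(expected_block(f"{head}.{body}".encode(), k), "big")
    return f"{head}.{body}." + b64url_encode(pow(m, D, N).to_bytes(k, "big"))
```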

Related

WSO2 IS and WSO2 EI Communication via self signed Certificate

I am using WSO2 IS and WSO2 EI in our project. Is it possible to bridge communication between these two products using Self Signed Certificate or default keystores given by the products? Currently, EI is throwing certificate_unknown when it is hitting WSO2 IS. Thanks.
Get the self-signed public certificates of each product and put them into the trust store (usually <HOME>/repository/resources/security) of each other (IS public certificate to EI trust store and EI public certificate to IS trust store).

WSO2 Security - Apply a keystore for service when securing

An Axis2 service can be secured using the setServicePolicy operation in ServiceAdmin. However, even when the policy has the rampart configuration, when I examine it from the admin console it doesn't select the default keystore for that service. Because there's no keystore selected, this service cannot be invoked.
Need to manually go to the UI and select the tenant's default keystore.
When we use ServiceAdmin to secure a service programmatically how to specify what keystore to use to secure it?
There's a separate service called applySecurity() in https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/security/org.wso2.carbon.security.mgt/4.2.0/src/main/java/org/wso2/carbon/security/keystore/service/SecurityConfigAdmin.java to do this task.

Securing a thrift web service using wso2 Identity server

How can I secure a thrift service using Identity server and then authenticate a user using RemoteUserStoreManagerServiceStub? After authenticating a user I wish to use the given session id for corresponding access.
Thanks
Please note, only the EntitlementService of WSO2IS has been exposed using thrift. All others are exposed as SOAP services. The EntitlementService Thrift service is already secured with username/password. First you need to authenticate using the thrift authenticator and call the EntitlementService Thrift service. You can find sample client code from here

Where are WSO2 SOAP APIs / WSDL?

I've been reading everywhere including here and here that WSO2 provided SOAP APIs for its services. My question is where are they? How can I locate them? For example, if there's an XACML API provided by WSO2, how can I find it?
What I understand about the WSO2 platform is that ESB, STS, DSS, IS are all services. To expose their functionalities, you have to write out standard XML, then import it into the WSO2 backend. After this, a WSDL is generated which can be used by a client. Am I right?
If not, then I have simple questions;
What is the endpoint or service url for all IS services?
What is the endpoint or service url for all ESB services?
What is the endpoint or service url for all STS services?
What is the endpoint or service url for all DSS services?
Thanks for explaining.
WSO2 uses Admin services, and by default they are not exposed to the outside and are exposed over HTTPS.
You can view the list of services available by referring to this thread.
Another sample on using an Admin service is available here.
Sample developed to create proxy services using Proxy admin service is available here

WSO2 ESB: Usage of https client certificate in mediation

I was planning the following setup:
A proxy service in WSO2 ESB that interacts with a backend service via JMS.
Proxy service clients connects to the WSO2 ESB using https with mutual authentication.
Within the proxy service mediators, information from the client's certificate are needed.
Is there some way the client certificate could be made available to mediators?
You do not need to provide client certificates at mediator level. Mediators are put together in a pipes & filter chain, and it is the endpoint at the end that connects to the back-end, and it is at the endpoint level that you have to secure it. The blog post on How to invoke secured backend service using WSO2 ESB shows how to achieve this.
First you have to enable mutual authentication in WSO2 ESB. If you do not know how to do that, please refer to Enable Mutual SSL for Proxy services in WSO2ESB. Then refer to the following blog post to know how to get the client's certificate in a class mediator