WSO2 AM (1.10.0) behind F5 Proxy Server - wso2

My organization has changed its proxy server to F5. There is a WSO2 AM behind the server and it cannot be connected to from outside. The following is a list of ciphers supported by API Manager,
I was told by the security architect that it seems that the ciphers and/or the key exchange on the API Manager server are not accepted on the F5. The following link is a list of ciphers supported by F5, https://support.f5.com/csp/article/K11444.
I was wondering if the cipher suite supported by F5 below is the same as the highlighted one in the above picture.
If they don't match, how can I add the additional cipher suite into the WSO2 AM server's supported list?
Thanks a lot, Sean

Related

SOAPUI says access denied but service works fine in IE

I'm using SoapUI 5.2.1 and accessing an IIS-hosted web service on my domain. The web service has Windows authentication enabled.
When I browse to the WSDL using Internet Explorer, it asks for my credentials, then shows the WSDL.
When I do the exact same with SoapUI, it prompts for my details, then fails, and when I check the HTTP log it says 'unauthorised: access is denied due to invalid credentials'.
But I'm entering it correctly; I've even tried various permutations of domain\username, username, leaving the domain text box blank or entering it there.
Any ideas?
I needed to provide a lot more info than would fit into a comment...
The other setting that I was referring to is detailed here: https://www.soapui.org/soap-and-wsdl/authenticating-soap-requests.html. If you are sure it's Windows credentials authentication, then use the NTLM setting. You may have to restart for the settings to take effect.
"Domain – add this for NTLM authentication challenges. If you are authenticating NTLM, make sure to note the following in your configurations:
File > Preferences > HTTP Settings tab > uncheck Authenticate Preemptively preference
for NTLM v2 provide your username as "DOMAIN\USERNAME" or at least as "\USERNAME""
If you still have issues, you can use Burp Suite or Fiddler or similar proxy tools for proxy setup. Burp is an extensive security testing tool and may even be overkill. Fiddler is a proxy. Check out these two links:
Burp : Testing web service with SoapUI and Windows authentication
Fiddler: Using fiddler with Windows Authentication

Encrypting string in C++

I have a client-server based application where the user is presented with a login screen in the client. It then passes the credentials to the server, which does the authentication. Client-server communication happens via a web service hosted on the server using the HTTPS protocol (with TLS 1.2 support). The client passes the username and password to the web service. I am thinking of encrypting the password even though I am using HTTPS-based communication. My questions are:
Is it worthwhile to do a second level of encryption for the password?
Are there any good practices to follow (like which algorithm to use, etc.)?
It's an MFC-based application written in C++. Does Windows provide any methods to do this?
I agree you should ask the first two questions on Information Security Stack Exchange.
Yes, Windows provides some methods to do encryption. There is a whole library called Microsoft CNG.
Do not be tempted to use their obsolete "Cryptography API" - CAPI.
DO NOT be tempted to write crypto code yourself.
If you are using HTTPS/TLS 1.2 and pin the certificate, there is no reason to further encrypt the data.
HTTPS encrypts the entire transmission except for the URL address; thus the query string, etc. is encrypted.
Encrypting the password just moves the problem to how the encryption key will be shared between the client and server.

KeyGenerator error publishing TIBCO Web Service to WSO2 UDDI

I have a TIBCO Web Service that I want to publish on a WSO2 UDDI Server.
I configure the UDDI server on the Infrastructure -> Servers tab and try to publish my application on the server.
I tried authenticating as root, admin and uddi, but I always get the same error on the WSO2 side:
TID: [0] [Greg] [2015-09-10 15:25:28,108] INFO {org.apache.cxf.phase.PhaseInterceptorChain} - Application {urn:uddi-org:v3_service}UDDIPublicationService#{urn:uddi-org:v3_service}save_tModel has thrown exception, unwinding now: org.apache.juddi.v3.error.FatalErrorException: A Key Generator cannot be added for the root publisher. Try signing in as a different user {org.apache.cxf.phase.PhaseInterceptorChain}
I tried to Google a bit, but I found only answers relevant to WSO2 API Server (which I don't have).
As far as I can remember, the WSO2 server doesn't have any custom configuration. This is the content of my tomcat-user.xml:
<user username="admin" password="admin" roles="tomcat,manager,admin"/>
<user username="root" password="root" roles="tomcat,manager,admin"/>
<user username="uddi" password="uddi" roles="tomcat,manager,admin"/>
jUDDI doesn't allow you to create tModel key generators as the root user. Try it again using a different user name. This is probably in WSO2's configuration. Since it's probably an integration issue between the two, contact WSO2 for support.
Alternatively, you can just download jUDDI, use the standalone server, and use the jUDDI web user interface to publish the service.
~ jUDDI PMC

How to implement message-level security in a web service

I have to write a client for a web service which is using a private key to encrypt the XML data and send it over the wire.
I am unable to find anything useful which helps me build my understanding of the same.
Most probably I have to do this with Spring WS Security.
--> My server is using the WSO2 framework for the same.
Kindly help me out with your experience.
You can use Rampart (the WS-Security module that comes with the WSO2 framework) at the client side as well.
You need to set the policy at the client side and invoke the client using the relevant modules; please have a look here [1].
If your server uses the WSO2 platform, there is an option to generate the client using the admin console. If you have engaged security on the service, the generated client has those policies.
Take a look at the Rampart [2] samples as well.
[1] http://wso2.org/library/3190
[2] http://axis.apache.org/axis2/java/rampart/

WSO2 Identity Server: Cannot use custom claims with OAuth2

We've installed the pre-packaged Identity Server 5.1.0 with API Manager 1.10.0 and use SQL Server as a data store.
We use OAuth2 to authorize our APIs and we want to map our local claims to a service provider (an application?). Behind the API we have a .NET WCF service with some logging where we read the header with WebOperationContext.Current.IncomingRequest.Headers["assertion"] and print the claims which are present.
The Claims which are returned are:
{"iss":"wso2.org/products/am",
"exp":1462357259751,
"wso2url/claims/subscriber":"Sjaak",
"wso2url/claims/applicationid":"1003",
"wso2url/claims/applicationname":"DefaultApplication",
"wso2url/claims/applicationtier":"Medium",
"wso2url/claims/apicontext":"/Test/v1.0",
"wso2url/claims/version":"v1.0",
"wso2url/claims/tier":"Silver",
"wso2url/claims/keytype":"PRODUCTION",
"wso2url/claims/usertype":"APPLICATION",
"wso2url/claims/enduser":"Sjaak@carbon.super",
"wso2url/claims/enduserTenantId":"-1234",
"wso2url/claims/emailaddress":"sjakie@chocola.nl",
"wso2url/claims/givenname":"Sjakie",
"wso2url/claims/lastname":"van de Chocoladefabriek",
"wso2url/claims/role":"Internal/subscriber,Internal/everyone,Application/Sjaak_DefaultApplication_PRODUCTION"}
Where wso2url is http://wso2.org, but we cannot post this, because I don't have 10 reputation points...:(
The information in these claims is good, but we want to use our own URI, so not wso2.org but myorg.com. And we want to add other claims, for example our own userId and some other stuff.
Among other things we have followed the guide for configuring claims for a service provider, but had no success with this. We have made the assumption that an application is a service provider for which we can use the claims.
Has anyone got an idea what we are doing wrong? What do we need to do to add custom claims?
Thanks in advance!
[Added on 9th May]
Maybe this can point us in the right direction?
When we add a subscription to an application and we generate a new key, there is no new service provider in the list:
The list of service providers without a new one for user Sjaak, so the one that is missing is: Sjaak_CalculatorApp_PRODUCTION
But even when we do this for user admin, the claims are not coming through. We have the following claim configuration, and in my logging still the same claims as described above are there, no new ones, so no claim named accountnaam and no voogd.com URI:
Service Provider (SP) - It provides services to some end users and relies on a trusted Identity Provider (IDP) to handle authentication and authorization for them. An SP may use multiple protocols (OAuth2, SAML2, etc.) to communicate with the IDP.
Claims are defined for the SP, since the same claims can be sent over different protocols. In the default case, Identity Server uses the wso2 claim dialect (starting with wso2.com) for claims. If you want a different claim dialect than this, use the "Define Custom Claim Dialect" option in the service provider configuration. In there you can map wso2 claims (Local Claim) to your own claims (Service Provider Claim).
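The following is an added example, not code from the question, the answer or WSO2 itself. It shows the two sides of the thread above: the backend reading the JWT passed in the "assertion" header (the question's WCF logging, done here in Python), and the Local Claim -> Service Provider Claim dialect mapping that the answer describes. The mapping table, the myorg.com claim URIs and the sample claim values are constructed from the question. The signature check is a stand-in: it verifies an HS256 HMAC with a constructed shared secret so that the example runs offline, whereas a real deployment verifies the gateway's signature with its public key before trusting any claim.

```python
"""Decode the JWT that API Manager places in the 'assertion' header, verify it,
and remap the default wso2.org claim dialect to a custom dialect."""
import base64
import hashlib
import hmac
import json

WSO2_DIALECT = "http://wso2.org/claims/"

# Constructed mapping (Local Claim -> Service Provider Claim); the real one is
# whatever is configured under "Define Custom Claim Dialect" for the SP.
CUSTOM_DIALECT_MAP = {
    "http://wso2.org/claims/givenname": "http://myorg.com/claims/givenname",
    "http://wso2.org/claims/lastname": "http://myorg.com/claims/lastname",
    "http://wso2.org/claims/emailaddress": "http://myorg.com/claims/email",
    "http://wso2.org/claims/role": "http://myorg.com/claims/roles",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_assertion(token: str, hmac_secret: bytes) -> dict:
    """Return the payload claims only after the signature verifies.

    The alg is pinned to HS256 so a token claiming 'none' or another
    algorithm is rejected instead of silently accepted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("assertion is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(hmac_secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("assertion signature does not verify")
    return json.loads(_b64url_decode(payload_b64))


def remap_claims(claims: dict, mapping: dict) -> dict:
    """Apply the dialect mapping. Mapped wso2 claims are renamed, unmapped
    wso2 claims are dropped, and non-dialect claims (iss, exp) pass through.
    The role claim arrives as one comma-joined string, so it is split."""
    out = {}
    for name, value in claims.items():
        if name in mapping:
            if name.endswith("/role") and isinstance(value, str):
                value = [r.strip() for r in value.split(",") if r.strip()]
            out[mapping[name]] = value
        elif not name.startswith(WSO2_DIALECT):
            out[name] = value
    return out


def make_sample_assertion(secret: bytes) -> str:
    """Build a constructed HS256 token carrying the claims from the question."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "iss": "wso2.org/products/am",
        "exp": 1462357259751,
        "http://wso2.org/claims/enduser": "Sjaak@carbon.super",
        "http://wso2.org/claims/emailaddress": "sjakie@chocola.nl",
        "http://wso2.org/claims/givenname": "Sjakie",
        "http://wso2.org/claims/lastname": "van de Chocoladefabriek",
        "http://wso2.org/claims/role": "Internal/subscriber,Internal/everyone,"
                                       "Application/Sjaak_DefaultApplication_PRODUCTION",
    }
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, ("%s.%s" % (h, p)).encode("ascii"), hashlib.sha256).digest()
    return "%s.%s.%s" % (h, p, _b64url_encode(sig))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = make_sample_assertion(secret)
    print(json.dumps(remap_claims(decode_assertion(token, secret), CUSTOM_DIALECT_MAP), indent=2))
```

The point of doing the mapping in code here is only to make the dialect idea concrete: on the server the same renaming is what the SP claim configuration performs before the JWT is issued, so the backend should see myorg.com URIs directly once the mapping is configured for the right service provider. Whatever the dialect, the backend must not act on the claims before the signature has been checked, which is why decode_assertion refuses to return a payload for a bad signature or an unexpected alg.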