I have installed WSO2 IOT Server and I am trying to understand it...
My principal objective is to make some IOT Device send data through MQTT.
But I can't even connect to MQTT with Mqtt.fx... I am using tcp://localhost:1886 as the broker URL address, even though the broker.xml config file says the port is 1883 - that doesn't work either. I use admin as the login and password, but I get an error:
[2017-03-31 10:40:07,861] [IoT-Broker] INFO {org.dna.mqtt.moquette.messaging.spi.impl.ProtocolProcessor} - Lost connection with client 5354d06fb5694b5cb65f07cf3c62fa23
[2017-03-31 10:40:07,863] [IoT-Broker] WARN {org.dna.mqtt.moquette.messaging.spi.impl.ProtocolProcessor} - MQTTAuthorizationSubject for client ID 5354d06fb5694b5cb65f07cf3c62fa23 is not removed since the entry does not exist
What am I doing wrong?
Second issue, I can't access the WSO2 Message Broker management console... I get an Error 403 Forbidden when I use https://localhost:9446/carbon. And I don't know how to reach the WSO2 Message Broker when I am on the WSO2 IOT Server management page (https://localhost:9443/carbon, which works).
The MQTT broker in WSO2 IoT Server has pluggable authentication and authorization; by default it comes with OAuth-based authentication, where it uses an empty password and an OAuth token as the username. You can generate a token by following the docs at https://docs.wso2.com/display/AM200/Password+Grant.
Implementation of this extension is explained in [1] and [2].
[1] https://medium.com/#ayyoobhamza/authentication-and-authorization-extension-for-mqtt-wso2-message-broker-2495fb2fa56e
[2] https://medium.com/#ayyoobhamza/oauth-authentication-and-authorization-with-mqtt-for-iot-devices-a42019187a05
Related
I have tried to use these 4 types of transports in my proxy services in my tenant and none of them work. They work fine in carbon.super but don't work in any created tenant. There aren't any exceptions or errors in the EI log file. Do I need to change some settings for tenants?
Please refer to [1] to configure a tenant-specific JMS proxy service with WSO2 Message Broker.
1 - https://docs.wso2.com/display/MB310/Managing+Tenant-specific+Subscriptions
I installed IoT Server 3.1.0 and launched the change-ip.sh script to change the hostname (iot.wso2.com) and create a new wildcard certificate *.wso2.com.
Carbon access in IoT-Core (hostname "iot.wso2.com") and IoT-Analytics (hostname "iot-das.wso2.com") is OK, but when I try to access the IoT Broker Carbon interface (hostname iot-mb.wso2.com) I get:
Error 403 - Forbidden
No error messages in wso2carbon.log, even with all DEBUG switches on.
We have intentionally blocked carbon console access for the message broker, as it has no use there. But we are in the process of creating a UI to view and access the MQTT messages and statistics. That is not yet completed and will be available in the next release version.
http://wso2-oxygen-tank.10903.n7.nabble.com/IoTS-MB-Backend-APIs-for-MQTT-related-informations-and-MQTT-management-UI-td145972.html
Carbon console access is only available with the IoT core and Analytics servers, not with the message broker.
I have imported the WSO2 IoT Server Connected Cup sample device agent into the Eclipse IDE, and when it tries to connect to the MQTT broker an MQTTSecurityException is thrown which states that the user name or password is not valid. I see that the user name is created from the token attribute in the request, but I don't know how to supply a right one, i.e. one that would be accepted by the OAuth2 service. There isn't any hint in the documentation on this topic, so I would appreciate any advice.
Also, I would like to take a deeper look into the VirtualFireAlarm sample code, so could you please tell me where to find the code?
The MQTT broker in WSO2 IoT Server has pluggable authentication and authorization; by default it comes with OAuth-based authentication, where it uses an empty password and an OAuth token as the username. You can generate a token by following the docs at https://docs.wso2.com/display/AM200/Password+Grant.
Implementation of this extension is explained in https://medium.com/#ayyoobhamza/authentication-and-authorization-extension-for-mqtt-wso2-message-broker-2495fb2fa56e and https://medium.com/#ayyoobhamza/oauth-authentication-and-authorization-with-mqtt-for-iot-devices-a42019187a05
Implementation of the virtual fire alarm can be found at https://github.com/wso2/carbon-device-mgt-plugins/tree/master/components/device-types/virtual-fire-alarm-plugin
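Worked example for the two answers above (added here; this is not code from the posts or from WSO2): it builds the OAuth2 password-grant request, then maps the token reply onto the MQTT credentials the IoT broker's OAuth authenticator expects (token as username, empty password). The token endpoint path, the client id/secret and the sample token reply are assumed or constructed values, not taken from the page.

```python
# Added example, not from the posts or from WSO2: build the OAuth2 password-grant
# request and map the token reply to the MQTT credentials the WSO2 IoT broker
# expects (token as username, empty password). Endpoint path, client id/secret
# and the sample reply are assumed/constructed values, not taken from the page.
import base64
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://localhost:8243/token"  # assumed; check your IoT Server setup

def build_password_grant_request(client_id, client_secret, username, password, scope=None):
    """Build (but do not send) the password-grant request: the application's
    client credentials go in an HTTP Basic header, the user's credentials in the
    form-encoded body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    req = urllib.request.Request(TOKEN_ENDPOINT, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Authorization", f"Basic {basic}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req

def send_token_request(req, opener=urllib.request.urlopen):
    """Send the request and return the raw JSON body; 'opener' is injectable so
    the flow can be exercised without a live server."""
    with opener(req) as resp:
        return resp.read().decode()

def mqtt_credentials_from_token_response(response_json):
    """Map the token endpoint's JSON reply to MQTT username/password. The broker's
    OAuth authenticator reads the access token from the MQTT username and expects
    an empty password, which is why a plain admin/admin login is rejected."""
    data = json.loads(response_json)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("token endpoint did not return a bearer access token")
    return {"username": data["access_token"], "password": ""}

# Constructed sample reply in the usual password-grant shape (not a real token).
SAMPLE_TOKEN_RESPONSE = json.dumps({"access_token": "a1b2c3d4-example-token",
                                    "token_type": "bearer", "expires_in": 3600})

if __name__ == "__main__":
    req = build_password_grant_request("client-id", "client-secret", "admin", "admin")
    print(req.get_header("Authorization"), req.data)
    print(mqtt_credentials_from_token_response(SAMPLE_TOKEN_RESPONSE))
```

Feed the returned username/password pair to your MQTT client (for Mqtt.fx, the token goes in the User Name field and Password stays blank); the token expires after expires_in seconds, so a long-lived device needs to refresh it.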
I have two instances of WSO2 on two different machines, with the same policy published to both instances. Both WSO2 instances have admin/admin.
I use SOAPUI (running on 192.168.0.9) to try to test against the EntitlementService webservice and:
If I use SOAPUI to test against the EntitlementService webservice on the same machine that SOAPUI is running on (192.168.0.9), using either localhost or the IP address, I get a XACML response with a Permit. However,
If I use SOAPUI to test against the EntitlementService webservice on the other machine (192.168.0.210), I get a XACML response with a Deny, and an "Illegal access attempt" error in the 192.168.0.210 WSO2 log:
Illegal access attempt at [2014-05-12 15:26:47,0563] from IP address 192.168.0.9 while trying to authenticate access to service EntitlementService
In both cases above, I have BASIC authentication and the 'admin' username and password set up in SOAPUI.
If I run Tryit on the 192.168.0.210 WSO2 admin console to test against the 192.168.0.210 WSO2, I get a Permit, i.e., this shows that the policy on 192.168.0.210 should return a Permit.
Finally, I'm pretty sure that this is something with WSO2, and not with SOAPUI, as I also tested from the 192.168.0.9 machine using Firefox and a plugin called RESTclient, to test doing the POST of the XACML request in the content body.
Is there something in WSO2 Identity Server that would cause it to return a Deny if the requests are coming from a different machine?
Thanks,
Jim
P.S. I'm seeing the following in the WSO2 wso2carbon.log file:
TID: [0] [IS] [2014-05-12 15:59:40,798] ERROR {org.wso2.carbon.core.services.authentication.AbstractAuthenticator} - Invalid remote address detected. {org.wso2.carbon.core.services.authentication.AbstractAuthenticator}
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1
    at org.wso2.carbon.core.services.authentication.AuthenticationUtil.validateRemoteAddress(AuthenticationUtil.java:178)
    at org.wso2.carbon.core.services.authentication.AuthenticationUtil.getRemoteAddress(AuthenticationUtil.java:156)
    at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.getRemoteAddress(AbstractAuthenticator.java:304)
    at org.wso2.carbon.core.services.authentication.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:136)
    at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.isAuthenticated(AuthenticationHandler.java:171)
{org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
Is there some way to turn off the remote address validation?
I am unable to implement Multifactor Authentication.
The error I am getting is:
TID: [0] [WSO2 Identity Server] [2012-10-30 10:31:38,620] ERROR {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider} - login failed. Trying again.. {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider}
SASL authentication failed:
    at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:209)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
    at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:301)
This is for WSO2 Identity Server 3.2.3, straight out of the box. No additional configuration was performed to run this instance of Identity Server.
It appears that when signing in as admin, the LDAP authentication is completed and then authentication with gtalk is attempted, which is when the error occurs.
Should I be setting my own configuration in the identity.xml where gtalk is being set?
<MultifactorAuthentication>
    <XMPPSettings>
        <XMPPConfig>
            <XMPPProvider>gtalk</XMPPProvider>
            <XMPPServer>talk.google.com</XMPPServer>
            <XMPPPort>5222</XMPPPort>
            <XMPPExt>gmail.com</XMPPExt>
            <XMPPUserName>multifactor1#gmail.com</XMPPUserName>
            <XMPPPassword>wso2carbon</XMPPPassword>
        </XMPPConfig>
    </XMPPSettings>
</MultifactorAuthentication>
I found out that I do need to set up a Google Talk account.
I added the new settings to the MultifactorAuthentication configuration.
I restarted the server.
I edited the user account with another new Google Talk account.
I logged out.
Logged back in via the relying party URL with OpenID,
received a message over gtalk requesting the PIN.
I entered the PIN and got logged in.
It would have been nice if WSO2 had stated in their documentation the need to set up these settings for this configuration to get multifactor authentication to work out of the box.