I need to automate reset password of database application role.
Password must be encrypted or hash form due to security reason.
I tried to convert password into hashbytes form and reset application role password but didn't work.
SELECT HASHBYTES('SHA2_256','PASSWORD')
GO
USE <DATABASE NAME>
GO
ALTER APPLICATION ROLE [approle_name] WITH PASSWORD= 'password hash value'
GO
Can someone kindly help how can reset the password of application role with hash value or encryption form?
Thanks in Advance
We have a WSO2 Identity Server 5.8.0 currently setup and running. By default it looks like the apostrophe isn’t acceptable in the username or email address for the user.
Three places give me errors with the current configuration:
In the Home > Add New User: I get a “Username pattern policy
violated”
In the Home > Update Profile: I get a “Email is not valid”
In the API to POST: api/identity/user/v1.0/validate-username I get Invalid = 60002
Where do I change the setting to allow apostrophe in username and email address?
Looking in documentation it seems like I should be able to change the User Store > Username Regex but when changed I get “Error occurred while updating user stories”
Also checked Identity > Claims > List but it seems strange to update the claim regex?
Any help appreciated.
Yes, Apostrophe is not supported by default and need to change the username regex to allow that. For IS 5.8 and older versions, we need to change the following regex props in /repository/conf/user-mgt.xml
1.
<Property name="UsernameJavaRegEx">{Regex}</Property>
To change the regular expression to validate usernames (In BE). By default, strings having a length of 5 to 30 between non-empty characters are allowed.
<Property name="UsernameJavaScriptRegEx">{Regex}</Property>
To change the regular expression used by the front-end components for username validation.
You can find the WSO2 recommendation for username regex here https://is.docs.wso2.com/en/latest/references/usernames-in-identity-server/#best-practices-for-username-creation
In order to test this function, I chosed Abnormal Request Count option, which is in Alert Management menu of Api Store, and added a restful api. Then I called this api for many times by Postman.
The carbon.log, which is in <API-M_ANALYTICS_HOME>/wso2/worker/logs, recorded the following error message:
[2020-10-19 11:03:36,094] ERROR {org.wso2.siddhi.core.stream.output.sink.Sink} - Error on 'APIM_ALERT_EMAIL_NOTIFICATION'. Dropping event at Sink 'email' at 'EmailNotificationStream' as its still trying to reconnect!, events dropped '<strong>Message:</strong>A request from a new IP (10.9.16.77) detected by user:admin#carbon.super using application:devMap owned by admin#carbon.super. <br><br> <strong>Type:</strong>UnusualIPAccess <br><br> <strong>AlertTimestamp:</strong>2020-10-19 11:03:35'
[2020-10-19 11:06:10,307] ERROR {org.wso2.siddhi.core.stream.output.sink.Sink} - Error on 'APIM_ALERT_EMAIL_NOTIFICATION'. Dropping event at Sink 'email' at 'EmailNotificationStream' as its still trying to reconnect!, events dropped '<strong>Message:</strong>Abnormal request count detected during last minute using application devMap owned by admin#carbon.super for api :全球风向查询, abnormal request count:9. <br><br> <strong>Type:</strong>AbnormalRequestsPerMin <br><br> <strong>AlertTimestamp:</strong>2020-10-19 11:06:10'
About detailed configuration, I referred the following links:
Configuring Alerts:
https://docs.wso2.com/display/AM260/Configuring+Alerts#ConfiguringAlerts-ConfiguringalertsviatheStore
Enabling Notifications:
https://docs.wso2.com/display/AM260/Enabling+Notifications
According to these documents, I did the following things:
1.Open the <API-M_ANALYTICS_HOME>/conf/worker/deployment.yaml file to configure the sender email address. The sample code is shown below:
siddhi:
extensions:
...
-
extension:
name: email
namespace: sink
properties:
username: abcd#163.com
address: abcd#163.com
password: xxxx
...
2.Go to the <API-M_ANALYTICS_HOME>/resources/apim-analytics/ directory. Copy the APIM_ALERT_EMAIL_NOTIFICATION.siddhi file and paste it in the <API-M_ANALYTICS_HOME>/wso2/worker/deployment/siddhi-files directory.
3.Set the email server configurations in the <API-M_HOME>/repository/conf/output-event-adapters.xml file under the section.
<adapterConfig type="email">
<!-- Comment mail.smtp.user and mail.smtp.password properties to support connecting SMTP servers which use trust
based authentication rather username/password authentication -->
<property key="mail.smtp.from">abcd#163.com</property>
<property key="mail.smtp.user">abcd</property>
<property key="mail.smtp.password">xxxx</property>
<property key="mail.smtp.host">smtp.163.com</property>
<property key="mail.smtp.port">25</property>
<property key="mail.smtp.starttls.enable">true</property>
<property key="mail.smtp.auth">true</property>
<!-- Thread Pool Related Properties -->
<property key="minThread">8</property>
<property key="maxThread">100</property>
<property key="keepAliveTimeInMillis">20000</property>
<property key="jobQueueSize">10000</property>
</adapterConfig>
4.Log in to the Management Console and click Main > Resource > Browse. Browse to the /_system/config/apimgt/applicationdata/tenant-conf.json file and click Edit as Text.Set the NotificationsEnabled property to true as shown below:
"NotificationsEnabled":"true",
"Notifications":[{
"Type":"new_api_version",
"Notifiers" :[{
"Class":"org.wso2.carbon.apimgt.impl.notification.NewAPIVersionEmailNotifier",
"ClaimsRetrieverImplClass":"org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever",
"Title": "Version $2 of $1 Released",
"Template": " <html> <body> <h3 style=\"color:Black;\">We’re happy to announce the arrival of the next major version $2 of $1 API which is now available in Our API Store.</h3>Click here to Visit WSO2 API Store</body></html>"
}]
}
]
I've also checked APIM_ALERT_EMAIL_NOTIFICATION.siddhi:
#App:name("APIM_ALERT_EMAIL_NOTIFICATION")
#App:description('Send email to all the subscribers of a particular alert')
#source(type="inMemory", topic="APIM_EMAIL_NOTIFICATION", #map(type='passThrough'))
define stream EmailAlertStream (
type string,
message string,
alertTimestamp string,
emails string);
#sink(type='email', content.type="text/html", #map(type ='text', #payload('<strong>Message:</strong>{{message}} <br><br> <strong>Type:</strong>{{type}} <br><br> <strong>AlertTimestamp:</strong>{{alertTimestamp}}')),subject='Alerts from WSO2 APIM Analytics',to='{{emails}}')
define stream EmailNotificationStream (
type string,
message string,
alertTimestamp string,
emails string);
from EmailAlertStream
select *
insert into EmailNotificationStream;
As you can see, there is nothing special.
Have I missed anything to do? I don't know what the problem is, please help me.
As per the exceptions you received. Looks like there are issues with connecting to the SMTP server. Can you please check the configurations and check there are any restrictions to use your email.
ex: in Gmail, you have to enable 'untrusted applications' to access Gmail.
I've found the reason of this problem.
By reading the source code (EmailSink.java), I know the information of SMTP Server should be configured in APIM_ALERT_EMAIL_NOTIFICATION.siddhi, otherwise the analytic server is going to use smtp.gmail.com by default.
We have a website integrated with ADFS 3 for authentication. Website allows users to change their usernames, which in turn changes their usernames in AD. If users changes their usernames we log them out using WSFederationAuthenticationModule.FederatedSignOut. However the page redirects to adfs url and throws an error. The event log shows that "either username or password is wrong".
MSIS7066: Authentication failed for the request. ---> System.Security.SecurityException: The user name or password is incorrect.
I wonder it is because of user name change. I tried with both lsalookupcachemaxsize set to 0 in registry and without the key. By the way does ADFS 3 even consider this registry key?
The code used is below -
FormsAuthentication.SignOut();
FederatedAuthentication.SessionAuthenticationModule.SignOut();
FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
Response.Expires = 0;
Session.Abandon();
var authenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
WSFederationAuthenticationModule.FederatedSignOut(new Uri(authenticationModule.Issuer), new Uri(authenticationModule.Realm));
I have create my configuration file for the second user store here: /opt/wso2am-1.7.0/repository/deployment/server/userstores i named it with the name of my domain (sub_dom_local.xml my domain is sub.dom.local)
and I set as primary user store a jdbc store.
When I try to login with a domain user name I obtain this error:
[2014-06-25 10:48:39,828] ERROR - System error while Authenticating/Authorizing User : [Ljava.lang.Object; cannot be cast to [Ljava.lang.String; {org.wso2.carbon.core.services.authentication.AuthenticationAdmin}
I am sure than I have insert the correct username and password, I enabled the debug loggr and I see in the log that the Authentication procedure connected to the Active directory and retrieve all the information.
If I insert a wrong password i do not have the error but I have the information for the wrong password.
Could you help me?
Thanks Jack
When the ActiveDirectoryUserStoreManager is enabled it seems we need to enable GetAllRolesOfUserEnabled property in Authorization manager as follows in user manager configuration
`<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
<Property name="GetAllRolesOfUserEnabled">true</Property>
</AuthorizationManager>
`
Otherwise it is throwing the exception you have mentioned.
Try this configuration:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
...
<Property name="MemberOfAttribute"/>
...
</UserStoreManager>
You do not specify the MemberOfAttribute.
Matteo