How to incorporate wso2 esb fix? - wso2

I have installed the DSS feature on ESB. While deploying a DSS artifact, I came across an error similar to the one below:
WARN - DefaultAppDeployer Can't deploy artifact : EmployeeDataService of type : service/dataservice. Required features are not installed in the system
The wso2 jira indicates that the issue has been resolved
https://wso2.org/jira/browse/CARBON-15657
How do I incorporate this fix in my wso2 esb 4.9 installation?

You can get the relevant patches for those fixes and apply them to your version. As most patches are provided upon customer request, it is better to use release versions which have those fixes.
In ESB 5.0.0, all fixes are attached and it may be released within this month (July, 2016).

Related

how to apply bug fixes on open source wso2 API Manager 4.0.0 and wso2 Micro Integrator 1.2.0

We are working on WSO2 open source API Manager 4.0.0 and Micro Integrator 1.2.0. We need to apply the bug fixes. We are unable to get the latest build of the specific WSO2 API Manager and Micro Integrator versions from the source code.
We are trying to get the latest build by building the product from the source code available in the GitHub repositories below. But the master branch contains the latest APIM and MI versions. Could you please help with building the product for the specific APIM and MI versions (APIM 4.0.0 and MI 1.2.0)?
API Manager:
https://github.com/wso2/product-apim
Micro Integrator:
https://github.com/wso2/micro-integrator
You can checkout from the tag and apply the fixes.
https://github.com/wso2/product-apim/tree/v4.0.0
https://github.com/wso2/micro-integrator/tree/v1.2.0
Carbon APIMGT version for APIM v4 - https://github.com/wso2/carbon-apimgt/tree/v9.0.174
Carbon APIMGT contains the core functionalities of the product APIM.
WSO2 API Manager and MI are a collection of different jars and webapps. In our opensource code base, each product has a product repo (product-apim, micro-integrator, product-is) and multiple component repositories (carbon-apimgt, wso2-synapse). All of these are in the WSO2 or WSO2-extensions organization.
If you want to find the codebase for a specific version of a product or a component, you can check the release tag of the repository. For example, if you want to find the APIM 4.0.0 related code base, you first need to get the 4.0.0 tag in the product-apim repository.
Since we use Maven as the build tool, the pom.xml in the product repository includes all the component versions. Most of the time, a fix is sent to a component repository and you can find the relevant component version by referring to this pom.xml. For example, most of the APIM-specific components are included in the carbon-apimgt repository. You can find the relevant carbon-apimgt version in the pom.xml as 9.0.174.
If you check out the carbon-apimgt repo's 9.0.174 tag, you can find the relevant code base. Similarly, synapse version is 2.1.7-wso2v227.
Once you find the relevant code base, you can apply your fix and build the component locally. This will build the jar with your fix and you can patch the product by adding this jar to the /repository/component/patches/patch0001/<Jar_name>.jar.
Make sure that you use the same name as the jar included in the /repository/component/plugins repository (sometimes the "-" in the name is converted to "_").

How can I find the hazelcast version in WSO2 IS binary

I would like to understand the hazelcast version being used with git release 5.11 https://github.com/wso2/product-is/releases/tag/v5.11.0
and where is it specified? Can I upgrade it to 4.2.4.wso2v1 to avoid the vulnerabilities?
Hazelcast is mainly used in the WSO2 carbon-kernel, and simply upgrading 3.12.x to 4.2.x would result in issues: as it is a major version upgrade, there is a set of API changes in Hazelcast. This issue has tracked the effort of the Hazelcast version upgrade on WSO2 products. You can port those fixes. Also note that WSO2 IS 6.0.0 has upgraded Hazelcast.

Log4j vulnerability with org.wso2.carbon.identity.application.authentication.framework

I am getting log4j-core -> 2.12.0 vulnerability with org.wso2.carbon.identity.application.authentication.framework
As per the github link - https://github.com/wso2/product-is/blob/v5.11.0/pom.xml
the compatible version for WSO2 IS v5.11 is 5.18.187
But as I checked on Maven as well, the specified version https://mvnrepository.com/artifact/org.wso2.carbon.identity.framework/org.wso2.carbon.identity.application.authentication.framework/5.18.187
has log4j-core vulnerabilities in a compile dependency https://mvnrepository.com/artifact/org.wso2.carbon.identity.framework/org.wso2.carbon.identity.testutil/5.18.187
Could you please suggest whether I should go with upgrading the version of org.wso2.carbon.identity.application.authentication.framework or should just add a direct dependency on log4j-core 2.17.2?
Upgrading the org.wso2.carbon.identity.application.authentication.framework would not be compatible with the other modules in the distribution and I recommend not doing so since it could lead to some breaking changes in the product features.
And upgrading the log4j-core dependency in the org.wso2.carbon.identity.application.authentication.framework to the 2.17.2 version alone would not work since there are other artifacts that were affected by the log4j vulnerability.
Since this vulnerability was identified, WSO2 has released an updated version for the product-is which you can download from their website.
The Version 5.11.0 - SERVICE PACK 01 which you can download from here would have the updated product-is v5.11.0 with the fixes for the log4j vulnerability. And it also includes bug fixes for the initial 5.11.0 release.
Hence, I recommend going with the already existing 5.11.0 - SERVICE PACK 01 instead of manually updating the affected artifacts.
Upgrading org.wso2.carbon.identity.application.authentication.framework might lead to breaking changes, and updating the log4j-core dependency will not resolve the issue since there can be other components which are also affected by this vulnerability.
WSO2 has already identified and fixed this. I would like to recommend you to download and use the latest Identity Server version (IS 6.0.0) from the official WSO2 website or from git releases. The WSO2 team has paid special attention to fixing most of the 3rd party vulnerabilities in this release and there are so many new features available.
Updated 1:
You can follow the temporary solution specified in this doc if you don't have a paid subscription or are unable to get the latest Identity Server product (NOTE that it is a temporary fix).

Session Timeout in WSO2 4.1.1

We are using WSO2 4.1.1 for user management. Is there a way to do a session time out in WSO2 4.1.1?
(I am looking to see if there is a fix for this in WSO2 4.1.1. Currently, I am not looking at migrating to WSO2 4.5, where this is mentioned as a supported feature.)
I am referring to the following link, where it says the WSO2 4.1.1 code has been changed to handle session timeout.
https://wso2.org/jira/browse/IDENTITY-1030
Are these changes available as a new version of jar compatible with the WSO2 4.1.1 version?
Thanks in advance for the help
You won't be able to get a new version of the jar and use it with the WSO2 IS 4.1.1. AFAIK, IS 4.1.1 was never released, I think you are using a build shared via dev# list.
Anyway, you can try the following.
Checkout the source for the corresponding jars in WSO2 IS 4.1.1. Try to checkout from branch. For example: https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.1.0/components/identity/org.wso2.carbon.identity.base/
Fix the issue and do 'mvn clean install'
Copy the target jar as a patch.
Run server with -DapplyPatches
In this way, you can try to fix this issue.
If we discover issues with any product after it has been released, you will be able to get the fix only in a newer version. Otherwise, you need to patch the existing jar versions.
I hope this helps.
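
The patch-staging step from this answer ("Copy the target jar as a patch") combined with the naming rule from the API Manager answer above (use the same file name as the jar in the plugins directory), as an added example that is not part of the original answers or of WSO2's tooling. The function names, the directory arguments and the sample jar names are assumptions of this example; pass the plugins and patches directories of your own installation.

```shell
#!/bin/sh
# Added example, not WSO2 code: stage a locally built jar as a patch under the
# file name the product already ships, so the patch lines up with the original.

# normalize NAME: treat '-', '_' and '.' as the same separator (an assumption
# of this example) so Maven-style and shipped bundle names can be compared.
normalize() {
    printf '%s' "$1" | tr '_-' '..'
}

# plugin_name_for BUILT_JAR PLUGINS_DIR
# Prints the shipped file name matching BUILT_JAR; fails unless exactly one matches.
plugin_name_for() {
    want=$(normalize "$(basename "$1")")
    found="" count=0
    for f in "$2"/*.jar; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ "$(normalize "$name")" = "$want" ]; then
            found=$name
            count=$((count + 1))
        fi
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 shipped jar matching $(basename "$1"), found $count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# stage_patch BUILT_JAR PLUGINS_DIR PATCH_DIR
# Copies BUILT_JAR into PATCH_DIR under the shipped name and prints the new path.
stage_patch() {
    shipped=$(plugin_name_for "$1" "$2") || return 1
    mkdir -p "$3" && cp "$1" "$3/$shipped" && printf '%s\n' "$3/$shipped"
}

# Constructed demo layout with sample jar names (run with: sh stage_patch.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    mkdir -p "$d/plugins" "$d/target"
    : > "$d/plugins/org.wso2.carbon.apimgt.impl_9.0.174.jar"
    : > "$d/target/org.wso2.carbon.apimgt.impl-9.0.174.jar"
    stage_patch "$d/target/org.wso2.carbon.apimgt.impl-9.0.174.jar" "$d/plugins" "$d/patches/patch0001"
    rm -rf "$d"
fi
```

A failed match means no shipped jar has that name and version, so check which tag the component was built from before copying anything into the patches directory.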

WSO2 Carbon Feature Stack - UES and Data Services Server

I would like to create a carbon server composed of multiple features; namely the User Engagement Server (UES) and the Data Services Server (DSS). UES is only carbon 4.1.0 based and DSS is 4.2.0 or 3.0.1 based. Is this possible? If so, how? If not, what are my alternatives for utilizing the functionality of both features set?
I have looked over wso2.org and other resources for help; however, I'm failing to find best practices for deploying a custom carbon solution and upgrading to future versions. In another post I found a compatibility matrix, but the answer indicates that there is neither forward nor backward compatibility.
WSO2 products will have API level changes between two different platform releases (as in 4.1.0 vs 4.2.0 [Turing]). So installing features from different platform versions will not work in most cases.
However, UES does have features based on a carbon 4.2.0 kernel (UES 1.0.1) and you can install the required features from the latest p2 feature repository here. It includes UES 1.0.1 feature which is based on Carbon 4.2.0 kernel. You might want to wait till DSS 3.1.1 is officially released (due to be released in about a week) which has some important bug fixes and improved stability.
To get features of both products, it would be easier to install UES features on top of a DSS product or vice versa, rather than installing both feature sets on a bare bones carbon server, since you may have to additionally install some kernel patches, configuration files, which are not installed during a feature installation.
HTH,