Are there any hosted WSO2 feature repositories that use https? I tried adding https to product-dist.wso2.com/p2/carbon/releases/wilkes/ just to see if it would work, but it doesn't look like anything is using the standard 443 port. I could not find anything searching the internet.
It would be nice to be able to validate the servers we are connecting to when loading features from WSO2 and not worry about a MITM supplying malicious code.
Currently there are no feature repositories hosted with 'https' from WSO2.
The official WSO2 Carbon features are only available in Equinox P2 repository at: http://dist.wso2.org/p2/carbon/releases.
Related
First of all, I'm in no way an expert at security or networking, so any advice would be appreciated.
I'm developing an iOS app that communicates with an API hosted on an AWS EC2 Linux machine.
The API is deployed using **FastAPI + Docker**.
Currently, I'm able to communicate with my remote API using HTTP requests to my server's public IP address (after opening port 80 for TCP) and transfer data between the client and my server.
One of my app's features requires sending a private cookie from the client to the server.
Since having the cookie allows potential attackers to make requests on behalf of the client, I intend to transfer the cookie securely with HTTPS.
I have several questions:
Will implementing HTTPS for my server solve my security issue? Is that the right approach?
The FastAPI "Deploy with Docker" docs recommend this article for implementing TLS for the server (using Docker Swarm Mode and Traefik). Is that guide relevant for my use-case?
In that article, it says "Define a server name using a subdomain of a domain you own." Do I really need to own a domain to implement HTTPS? Can't I just keep using the server's IP address to communicate with it?
Thanks!
Will implementing HTTPS for my server solve my security issue? Is that the right approach?
With HTTP all traffic between your clients and the EC2 instance is in plain text. With HTTPS the traffic is encrypted, so it is secure.
FastAPI "Deploy with Docker"
Sadly can't comment on the article.
Do I really need to own a domain to implement HTTPS?
Yes. The SSL certificates can only be registered for domains that you own. You can't get the certificate for a domain that is not yours.
I have generated a JAX-WS web service with RAD 8.5 which automatically generated an endpoint for the service at "http:endpoint". I generated a client for the web service from the WSDL and added transport security (SSL) to the web service and added a secure endpoint using the following line of code in my client:
proxy._getDescriptor().setEndpoint("https:endpoint");
Everything seems to work fine. My question is: do I need to do anything about the existence of the original endpoint at "http:endpoint"? This is an in-house web service, so all of the apps which use it in house will use the secure endpoint, but is the availability of the unsecure endpoint a security risk for the web service? If so, what do I need to do to fix it? Any help would be appreciated.
I am not familiar with the Framework you are using, but there should be a configuration in your proxy to not allow http calls at all. If you have that option, turn it on so that your service only listens on port 443 (secure port).
An alternative would be to rewrite all http requests with https.
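A way to check the outcome the answer above asks for, as an added example that is not part of the original thread: the probe reports whether a plain-HTTP listener is closed, redirects to HTTPS, or still serves content. The function names and the local demo listeners are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def classify_plaintext_endpoint(host, port, path="/", timeout=3.0):
    """Probe a plain-HTTP port: 'closed', 'redirects-to-https' or 'serves-plaintext'."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location") or ""
    except (OSError, http.client.HTTPException):
        return "closed"  # nothing speaks HTTP on this port
    finally:
        conn.close()
    if status in (301, 302, 303, 307, 308) and urlsplit(location).scheme == "https":
        # The first request (cookies, SOAP body) was still sent in clear text.
        return "redirects-to-https"
    return "serves-plaintext"

def _handler(status, location=None):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def demo():
    """Run the probe against constructed local listeners (not real services)."""
    results = {}
    cases = {"redirect": _handler(301, "https://localhost/service"),
             "plaintext": _handler(200)}
    for name, handler in cases.items():
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        results[name] = classify_plaintext_endpoint("127.0.0.1", srv.server_address[1])
        srv.shutdown()
        srv.server_close()
    freed = HTTPServer(("127.0.0.1", 0), _handler(200))  # reserve a port, then free it
    freed.server_close()
    results["closed"] = classify_plaintext_endpoint("127.0.0.1", freed.server_address[1])
    return results

if __name__ == "__main__":
    print(demo())
```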
I installed and configured WSO2 IS 5.0, but I would like the users to access it through a proxy. So I would like to know whether WSO2 has a WSO2 IS proxy or not. Or does WSO2 have any product to use for this purpose?
WSO2 does not have any proxy-related product. Also, there are well-known proxies such as Apache HTTP / Nginx and so on. As far as I know, WSO2 also recommends using Nginx. Please find details on how you can use a proxy with WSO2IS from here
I have used WSO2 IS in production with Nginx and it has worked correctly for me.
You can also review the official documentation here
WSO2 does not provide an in-built proxy. However, you can use well-known proxy products for this purpose, e.g. Nginx, HAProxy etc.
If you deploy WSO2 products in cloud environments, you can use cloud-native LBs such as AWS ALB, Azure Application Gateway etc.
You need a 443 LB listener port to forward traffic to port 9443 in the WSO2 IS server.
Could you please clarify if it is possible to configure a WSO2 Identity Server answering and serving requests from multiple IP domains, like for example an internal company domain, as well as an external official IP domain.
Today, the dashboard access functionality has a number of hard-coded link references in its XML setup files.
Is such hybrid configuration supported in the WSO2 Carbon and IdP server framework, or should it be handled by an external proxy gateway, translating all requests and host names?
Thanks in advance for your feedback and guidance.
I've read the source code of WSO2 GREG and found that there is a Tomcat embedded in it, and there are two connectors: http with port 9763 and https with port 9443. But when I type the URL [http://localhost:9763/carbon] in the browser, it redirects to https automatically, and I can't find the related source code for the redirect.
Can anybody help?
thx
The Management Console (UI) of all WSO2 Carbon based products communicates with a backend web service called AdminService. These services are secured, and that's why it can be accessed only through https.
More info - http://charithaka.blogspot.com/2013/06/invoking-wso2-carbon-admin-services.html