Synchronize secure vault in wso2 esb - wso2

I have clustered, deployment-synchronization-enabled WSO2 ESBs (4.9), and I have enabled secure vault. Now all the deployments have been synced to all worker nodes, but how can I sync my secure vault credentials to the worker nodes?
I tried copying the "wso2carbon.jks" file, and I tried copying the "cipher-text.properties" file; it didn't work.
So how can I sync my secure vault with the other worker nodes?

Yes. If you have clustered the environment correctly, it should automatically get synchronized. Steps to follow:
Add a secure vault entry to the ESB manager node.
Check the secure vault entries on the ESB worker node (if it is not running in -Dworker mode).
If the workers are running in -Dworker mode, you can also check the wso2carbon.log for the log entries written right after adding the entries to the secure vault.

When you are deploying an ESB cluster, you can use Puppet and Hiera to make the configuration changes. WSO2 has already provided Puppet modules to deploy WSO2 product clusters. You can use the existing WSO2 ESB Puppet module to
achieve your requirement. Refer to the "Running WSO2 Enterprise Service Bus with Secure Vault" section of the README of the WSO2 Enterprise Service Bus Puppet Module to configure the secure vault related configurations across the cluster.
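Added example (not from the question or either answer, and not WSO2's code): a Go model of what secure vault needs on each node, written to show why copying the files one at a time does not give a worker usable credentials. It assumes the Carbon layout named in the thread: cipher-text.properties holds alias=base64 entries encrypted with the public key in wso2carbon.jks, and the node decrypts them at startup with that keystore's private key. PKCS#1 v1.5 padding stands in for whatever cipher ciphertool is configured with, and the secret value is constructed. A manager encrypts one entry, its cipher-text.properties is copied to two workers, and only the worker holding the manager's keystore resolves it:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"fmt"
	"strings"
)

// Node holds what a Carbon node needs for secure vault: the RSA key pair of its
// keystore (wso2carbon.jks) and the alias -> base64 map from cipher-text.properties.
type Node struct {
	Key        *rsa.PrivateKey
	CipherText map[string]string
}

// NewNode generates a fresh 2048-bit key pair standing in for a keystore.
func NewNode() (*Node, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Node{Key: key, CipherText: map[string]string{}}, nil
}

// Encrypt stores secret under alias, encrypted with this node's public key, as
// ciphertool does. PKCS#1 v1.5 is an assumption; match your ciphertool's cipher.
func (n *Node) Encrypt(alias, secret string) error {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, &n.Key.PublicKey, []byte(secret))
	if err != nil {
		return err
	}
	n.CipherText[alias] = base64.StdEncoding.EncodeToString(ct)
	return nil
}

// Resolve decrypts the value under alias with this node's private key. It fails
// when the keystore is not the one whose public key produced the ciphertext.
func (n *Node) Resolve(alias string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(n.CipherText[alias])
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, n.Key, ct)
	if err != nil {
		return "", fmt.Errorf("cannot decrypt %q with this keystore: %w", alias, err)
	}
	return string(pt), nil
}

// RenderProperties writes the map in cipher-text.properties form (alias=base64).
func (n *Node) RenderProperties() string {
	var sb strings.Builder
	for alias, value := range n.CipherText {
		fmt.Fprintf(&sb, "%s=%s\n", alias, value)
	}
	return sb.String()
}

// LoadProperties parses cipher-text.properties text copied from another node;
// blank and comment lines are skipped, as in a Java properties file.
func (n *Node) LoadProperties(text string) {
	for _, line := range strings.Split(text, "\n") {
		kv := strings.SplitN(strings.TrimSpace(line), "=", 2)
		if len(kv) == 2 && !strings.HasPrefix(kv[0], "#") {
			n.CipherText[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
}

// SyncScenario copies the manager's cipher-text.properties to two workers, one
// holding the manager's keystore and one with its own, and reports which resolves.
func SyncScenario() (bool, bool, error) {
	const alias = "Carbon.Security.KeyStore.Password"
	manager, err := NewNode()
	if err != nil {
		return false, false, err
	}
	if err := manager.Encrypt(alias, "wso2carbon"); err != nil { // constructed secret
		return false, false, err
	}
	props := manager.RenderProperties() // the file the question copied between nodes
	workerA := &Node{Key: manager.Key, CipherText: map[string]string{}} // has the manager's wso2carbon.jks
	workerB, err := NewNode()                                            // has a keystore of its own
	if err != nil {
		return false, false, err
	}
	workerA.LoadProperties(props)
	workerB.LoadProperties(props)
	a, errA := workerA.Resolve(alias)
	b, errB := workerB.Resolve(alias)
	return errA == nil && a == "wso2carbon", errB == nil && b == "wso2carbon", nil
}

func main() {
	same, other, err := SyncScenario()
	fmt.Println("same keystore:", same, "other keystore:", other, "error:", err)
}
```

What this shows is the dependency the steps above rely on: a worker can only resolve an entry if it has the keystore whose public key encrypted it, so wso2carbon.jks and cipher-text.properties must come from the same node, and the keystore password has to be supplied to the worker at startup the same way it is on the manager. A worker that has regenerated or replaced its keystore fails on the copied cipher-text.properties in the way the question describes.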

Related

How to share configurations of WSO2-IS among servers?

I have multiple WSO2 IS servers set up as my dev, staging and prod environments.
I would like to have functionality wherein I can export all the configuration from one server (say dev) to another server (say staging) to make both servers identical, i.e. both servers would have the same database configurations, same tenants, same service providers, same identity providers and so on.
From the documentation here, I know that I can create service providers and identity providers using XML files, so in turn I can share the XML files to sync SPs and IdPs between servers.
But is there a standard way to achieve that? Like from the management console or similar?
It even seems possible that syncing the [IS-HOME]/repository directory would ensure that the servers are identical, but are there any caveats with this approach?
There is no standard way to sync the service provider configurations among different environments as of now. This issue has been reported to track the feature requirement; it is a work in progress at the moment and you can expect it in a future release.
One possible solution you can use to achieve your target is retrieving the service provider from the Admin service and creating the same service provider in the other environment.
You can use the file-based service provider configurations to achieve this target. But with that approach, you will not be able to see the service providers added from the configuration files in the management console. The next limitation you will face is that through the config files you can add only SAML-based inbound authentication configurations (not others, such as OAuth 2.0 / OIDC inbound authentication configurations).
To answer your last question: you can't sync the [IS-HOME]/repository folder to achieve this. The reason you were able to observe this behavior seems to be that you are using the inbuilt H2 database, which lives in the [IS-HOME]/repository/database folder. With your file sync, you have actually synced the databases.

How Can I enable SSO login to Apache Zeppelin on AWS EMR

I created an AWS EMR cluster following http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-spark-launch.html (I chose the application "Spark: Spark 2.1.0 on Hadoop 2.7.3 YARN with Ganglia 3.7.2 and Zeppelin 0.7.0" while creating the cluster) and I am able to access Apache Zeppelin.
Now I want to give Zeppelin access to a new user using their Gmail or Google SSO or any other login. How can I do this? Please point me to any documentation or steps.
*The SAML/SSO logins give access only to the AWS console, but not to applications like Zeppelin which are hosted on the master node.
Zeppelin uses
Apache Shiro
and there are some libraries and examples for using OAuth in Shiro:
shiro-oauth
Oauth2Relam.java
pac4j security library for Shiro: OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...
But Zeppelin doesn't support OAuth extensions currently (0.8.0-SNAPSHOT) as far as I know. You might extend Zeppelin yourself.
Docs: Zeppelin Shiro Configuration for Realm
Single sign-on can be implemented using Apache Knox. KnoxSSO support was recently added to Zeppelin.
For configuration options, check out this link.
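Added example, not from either answer and not Zeppelin or Knox code: a Go sketch of the trust relationship a KnoxSSO-style setup relies on, with the gateway issuing an RS256 JWT after it has authenticated the user and the application's realm verifying it. Assumptions: the SSO cookie (KnoxSSO names it hadoop-jwt by default) carries a JWT signed with the gateway's RSA key, so the realm needs only the gateway's public key; the clock is fixed, the user "alice" is constructed, and the claims are reduced to sub and exp. It exercises the four cases a realm must get right: a fresh token from the trusted gateway, one signed with someone else's key, an expired one, and one whose header claims alg none:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Claims are the SSO token fields the application cares about: user and expiry.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// IssueToken plays the gateway: it signs header.claims with its RSA key (RS256).
func IssueToken(key *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken plays the application's realm: pin the algorithm, verify the
// signature with the gateway's public key, reject stale tokens, return the user.
func VerifyToken(pub *rsa.PublicKey, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	// The token never chooses the algorithm; the realm trusts exactly one.
	hdrRaw, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("unexpected or unreadable alg")
	}
	sig, _ := b64.DecodeString(parts[2]) // a corrupt signature simply fails to verify
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature does not verify against the gateway key")
	}
	claimsRaw, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(claimsRaw, &c) != nil {
		return "", errors.New("unreadable claims")
	}
	if c.Sub == "" || (c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0))) {
		return "", errors.New("token expired or has no subject")
	}
	return c.Sub, nil
}

// Scenario reports which of four tokens the realm accepted; only "valid" should be.
func Scenario() map[string]bool {
	gateway, err1 := rsa.GenerateKey(rand.Reader, 2048) // the trusted gateway's key
	rogue, err2 := rsa.GenerateKey(rand.Reader, 2048)   // anyone else's key
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	now := time.Date(2017, 6, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	issue := func(k *rsa.PrivateKey, exp time.Time) string {
		tok, err := IssueToken(k, Claims{Sub: "alice", Exp: exp.Unix()})
		if err != nil {
			panic(err)
		}
		return tok
	}
	good := issue(gateway, now.Add(time.Hour))
	// Same claims as good, but the header says "none" and the signature is empty.
	unsigned := b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + strings.Split(good, ".")[1] + "."
	accepted := func(tok string) bool {
		sub, err := VerifyToken(&gateway.PublicKey, tok, now)
		return err == nil && sub == "alice"
	}
	return map[string]bool{
		"valid":    accepted(good),
		"forged":   accepted(issue(rogue, now.Add(time.Hour))),
		"expired":  accepted(issue(gateway, now.Add(-time.Minute))),
		"alg-none": accepted(unsigned),
	}
}

func main() {
	fmt.Println(Scenario())
}
```

The point for a practitioner: the realm pins the algorithm instead of reading it from the token and verifies with a public key it already holds, so the only things to provision on the Zeppelin host are the gateway's public key and the cookie name; how the user logged in upstream (Gmail or anything else) is the gateway's concern, not the application's.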

Centralize Claim Configuration for Service Providers WSO2 IS 5.2.0

I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that form a cluster (using the WKA membership scheme and a load balancer (AWS ELB) with sticky sessions enabled). I am using MySQL (not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (AWS EC2 machines).
I noticed that if I want to return a particular set of claims I must:
- Update the Claim Configuration of the particular Service Provider
- Make sure /_system/config/oidc has the necessary claims stored in the "openid" property
- Make sure the claims stated in the Claim Configuration of the Service Provider are populated in the identity profile
Is there a way to centralize the claim mappings and not have to configure the claims for each Service Provider?
I noticed that I could update the SP_CLAIM_MAPPING table in the database directly, but is there another way to achieve this result?
Thanks in advance.
Currently, there is no way to centralize claim mappings in Identity Server. You have to specify claim mappings in each SP separately.
It will be supported in a future release. You can find some discussions here.
Thanks
Isura

Issue with wso2 api manager permission for roles

I have two instances of WSO2 API Manager running on two different servers. Both of them refer to the same UM_DB. I created a role by logging in with admin credentials on one server. After that I checked for the role on the other server by logging in with admin credentials again. I found that the role existed on the other server, but the permissions that I provided for that role did not exist on the other server. Is that a bug in WSO2 API Manager, or did I miss something in the configuration?
You want to deploy two APIM instances in a cluster. It is better to refer to the APIM clustering guide to set it up properly. There are two things you need to understand when you are deploying APIM in a cluster.
You must point both instances to the same database. There can be three logical databases, i.e. the UM, Registry and AM databases. These three can be one physical DB. However, both instances must point to the same one.
You must configure Hazelcast-based clustering using the axis2.xml file. This is required because APIM uses a Hazelcast-based implementation to distribute the data in the caches. In your scenario, I guess you have not configured this. Therefore the permission tree has not been distributed between the two nodes, and a lot of data is stored in the caches for high performance. So please make sure to configure this properly.
I guess this would help you.

wso2 esb bam server profile in governance registry

Is there any way to store the BAM server profile and stream definition under the governance registry, so that it can be added once on the ESB master node and made available to the other ESB slave nodes? Currently, it looks like it is stored under the configuration registry only.
FYI - We have mounted all ESB nodes to one Governance registry. Only master node has write permission to registry.
Your approach is the correct way. By default, BAM server profiles and stream configurations are designed to be stored only in the config registry. It is not possible to store them in the governance registry. In future releases we will store all configurations in a deployable artifact which can easily be deployment-synchronized to the other nodes.