wso2 api manager clustering - wso2

I am trying to set up a cluster for WSO2 api manager and I am following https://docs.wso2.com/display/CLUSTER44x/Clustering+API+Manager+1.10.0
I am using seperate VMs for each of the component and currently in my setup I am able to
Publish an api using the publisher which gets published in the Gateway (Visible in the log)
Subscribe to this API from the store and generate keys
However when I am trying to access this api using the generated key I get the following response
<soapenv:Fault xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<faultcode xmlns:axis2ns2="http://schemas.xmlsoap.org/soap/envelope/">axis2ns2:Client</faultcode>
<faultstring>Authentication Failure</faultstring>
<detail>Error while accessing backend services for API key validation</detail>
</soapenv:Fault>
In the gateway logs I can see only the below line. There is no further details in the logs
TID: [-1234] [] [2016-02-02 16:55:58,288] WARN {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticat
ionHandler} - API authentication failure due to Unclassified Authentication Failure {org.wso2.carbon.apimgt.gat
eway.handlers.security.APIAuthenticationHandler}
Please help me to resolve this issue.

That sounds like an issue with your API - API Manager doesn't actually "authenticate anything" unless you are using identity server see here for the difference between authentication and authorization (what WSO2 does through Oauth). Please try an API that is know to work such as http://petstore.swagger.io/ and report back the error.

This can happen due to many reason. Please check some of the reasons below
Key Manager's public certificate isn'y properly imported in the <GATEWAY_HOME>/repository/resources/security/client-truststore.jks
Open the api-manager.xml fie of the gateway and key manager nodes and change the <KeyValidatorClientType> to WSClient as bellow (default value is ThriftClient).
<KeyValidatorClientType>WSClient</KeyValidatorClientType>

The reason for this could be a result of misconfiguration between nodes. First you can double check the configurations (specially keyvalidator related configurations)
If you could not find any issue there, then you can enable debug logs and get some idea about the issue
add following entires in repository/conf/log4j.properties in gateway node
log4j.logger.org.wso2.carbon.apimgt.gateway.handlers.security=DEBUG
add following entires in repository/conf/log4j.properties in key manager node
log4j.logger.org.wso2.carbon.apimgt.keymgt=DEBUG
You might be able to find the issue by analyzing the logs

Related

Why unsubscribed Application token can be used to access WSO2 APIM endpoint?

There is an API hosted in WSO2 APIM 4.1.0 and there are two different App subscribed to that API.
Before Unsubscribe:
I just unsubscribed one of App to delete the API subscription by follows wso2 doc
After Unsubscribe:
After unsubscribed , I can able to invoke WSO2 API by using unsubscribed Application token
It should now allow that unsubscribed app to invoke API. OR correct me if my understanding is wrong.
Postman :
Note: In above API Hit, I passed unsubscribed APP token as Authorization
In your case, you should not be able to invoke the API without a proper subscriptions. Although the token is valid, you should get a 403 HTTP code saying subscription validation has failed.
You can check whether the events are propagated successfully to your gateway node from the control plane node. This is basically when you have a distributed setup. If you have a HA setup, verify both nodes are working properly when it comes to event distribution.
Are you using the GA release of APIM 4.1.0? If so, this could be a bug in that was fixed later through U2 updates. When an application subscription is deleted, any API invocations done using the tokens of that application should fail due subscription validation with an error similar to the one below with a 403 HTTP code.
{"code":"900908","message":"Resource forbidden ","description":"User is NOT authorized to access the Resource. API Subscription validation failed."}
If you have a paid WSO2 subsciption, please try this scenario by taking the latest U2 updated/patched version of APIM 4.1.0 by referring this.
I tried the GA APIM 4.1.0 and this usecase worked as expected. Shall we verify the subscription delete event flow in the API gateway by enabling debug logs for gateway and keymanagement components?
Add the following configurations in the <APIM_HOME>/repository/logs/log4j2.properties
logger.gateway-component.name = org.wso2.carbon.apimgt.gateway
logger.gateway-component.level = DEBUG
logger.keymgt-component.name = org.wso2.carbon.apimgt.keymgt
logger.keymgt-component.level = DEBUG
make sure to add the newly created loggers as below.
loggers = gateway-component,keymgt-component, AUDIT_LOG, trace-messages, org-apache-coyote, ....
With these, subscribe and unsubscribe events should be displayed in the terminal. You can use them to verify the event flow.

WSO2 revoke api

I was curious how can see the revoke api end point exists.The url configured is
https://localhost:9443/revoke
But I could see the api listed under the started application or under api.
I even tried retrieving the wadl from the url but it did not return anything.
Do we need to explicitly publish it or it gets done automatically when we start the wso2server ? Or Do we need to install something other than the wso2 api manager to get this api?
When I browse the endpoint https://localhost:9443/revoke/?_wadl , I get error
405 - method not allowed
The port should be 8243.
And it's not a SOAP service.
Ref: https://docs.wso2.com/display/AM260/Token+API#TokenAPI-Revokingaccesstokens

WSO2 api manager and SSO

I'm using wso2am 2.0.0 and trying to configure SSO for access to the store and publisher application.
I'm not using wso2 IS but just configured the api manager directly to my IdP server(I have edited the site.json file to with my IdP setting)
I'm getting this exception after being authenticated to my IdP:
SAML Response contains invalid number of assertions. {org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject}
It look like my SAML response isn't correct but i'm unable to find why?
There was no problem with my SAML response .
The problem was caused by a difference between my IdP server and the api manager timezone (they are deployed in two different environment), so the exception is thrown when comparing the current time in the gateway with the NotBefore/NotOnOrAfter
So may be a more significant error message could help
You can use an online SAML Response decoders like this and see what's wrong with you SAML response.
Another option is to use SAML Tracer in firefox.

Error while publishing an API in the WSO2 API Manager

When I publish an API in the WSO2 API Manager, the following error occurs:
Gateway Failures
Failed to Publish Environments
Production and Sandbox
Error while obtaining API information from gateway. Error while obtaining API information from gateway. Authentication failure
This could be due to an authentication failure. Please check whether username/password within <Environments> content element of root <APIGateway> element in api-manager.xml (<APIM_HOME>/repository/conf/api-manager.xml) is correct
I've had this issue.
When checking the logs I saw this:
URL context: /hrs/admihrsd/osb/documentWS/2.0.0 is already registered with the API: novakgo--hrs-admihrsd-osb-document-service:v2.0.0
The issue was someone was trying to publish a new API with the same context as another one. They should change the context and publish again, and the error is fixed. Context have to be unique.

WSO2 ESB 4.0.3 - Can we stop service log getting replicated in to wso2carbon.log

Can we stop service logs getting replicated in to "wso2carbon.log" in WSO2 ESB 4.0.3?
We have set up per service logs and we do not want the per service log getting replicated in the "wso2carbon.log"
I would be really thankful if any body can let me know.
Here is my typical log4j configuration
log4j.category.SERVICE_LOGGER.TQS_RMA=INFO, TQS_RMA_APPENDER
log4j.additivity.SERVICE_LOGGER.TQS_RMA=false
log4j.appender.TQS_RMA_APPENDER=org.apache.log4j.RollingFileAppender
log4j.appender.TQS_RMA_APPENDER.File=${carbon.home}/repository/logs/${instance.log}/tqs-rma-service.log
log4j.appender.TQS_RMA_APPENDER.MaxFileSize=1000KB
log4j.appender.TQS_RMA_APPENDER.MaxBackupIndex=10
log4j.appender.TQS_RMA_APPENDER.layout=org.apache.log4j.PatternLayout
As you have tried, setting additivity false should prevent logs being directed to ancestors.
See docs for service logging with WSO2 ESB.
See also this blog post for information.