Removing TLSv1.0 in WSO2 EMM 1.1.0 - wso2

I am setting up a new WSO2 EMM server and, in order to maintain my organization's PCI DSS certification, I have to disable support for any encryption protocol lower than TLSv1.1 before I can put it into production (see this for more information on PCI 3.1).
I edited the file /repository/conf/tomcat/catalina-server.xml as per the documentation. Here is what I tried:
I changed the attribute sslEnabledProtocols from TLS to TLSv1.1,TLSv1.2, but this generates the error
ERROR {org.wso2.carbon.tomcat.internal.CarbonTomcat} - LifeCycleException while starting tomcat connector {org.wso2.carbon.tomcat.internal.CarbonTomcat}
in my wso2carbon.log and I'm unable to log into the EMM web console.
Does anyone know how to disable TLSv1.0 without breaking my installation?
cheers,

Found it!
You have to get rid of the sslProtocol attribute and replace it with sslEnabledProtocols; they look very similar.
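One check a practitioner would want before the PCI scan is a linter over the <Connector> elements of catalina-server.xml that catches both the mistake in the question (a version list in sslProtocol) and a listener that still offers TLSv1. This is an added example for this thread, not code from the original post or from WSO2; it assumes Tomcat's JSSE connector attribute semantics (sslProtocol is a single SSLContext protocol name, sslEnabledProtocols is the comma-separated list of versions the listener offers), and the XML fragments inside it are constructed, not copied from a real catalina-server.xml.

```python
"""Lint the <Connector> elements of a WSO2/Tomcat catalina-server.xml for
pre-TLSv1.1 protocol support.

Added example for this thread, not from the original post. It assumes the
Tomcat JSSE connector attribute semantics: sslProtocol names the single
SSLContext protocol (e.g. "TLS"), sslEnabledProtocols is the comma-separated
list of protocol versions the listener will actually offer. The XML samples
below are constructed fragments shaped like catalina-server.xml, not copies
of any real file.
"""
import xml.etree.ElementTree as ET

# Protocol names PCI DSS 3.1 wants turned off on the listener.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.0"}
# Versions that are acceptable to leave enabled.
STRONG_PROTOCOLS = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}


def lint_connector(conn):
    """Return a list of (severity, message) findings for one <Connector>."""
    findings = []
    port = conn.get("port", "?")
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP listener: no TLS settings to check

    ssl_protocol = conn.get("sslProtocol")
    enabled = conn.get("sslEnabledProtocols")

    if ssl_protocol is not None and "," in ssl_protocol:
        # The mistake behind the LifecycleException in the question: a version
        # list was put into the attribute that takes one SSLContext name.
        findings.append(("error", f"port {port}: sslProtocol=\"{ssl_protocol}\" is a list; "
                         "put the versions in sslEnabledProtocols instead"))

    if enabled is None:
        findings.append(("warn", f"port {port}: sslEnabledProtocols not set; the JSSE default "
                         "protocol set applies (on Java 7/8 that includes TLSv1)"))
        return findings

    versions = [v.strip() for v in enabled.split(",") if v.strip()]
    weak = [v for v in versions if v in WEAK_PROTOCOLS]
    if weak:
        findings.append(("error", f"port {port}: weak protocols enabled: {', '.join(weak)}"))
    if not any(v in STRONG_PROTOCOLS for v in versions):
        findings.append(("error", f"port {port}: no TLSv1.1 or later version enabled; "
                         "clients could not connect at all"))
    return findings


def lint_catalina_xml(xml_text):
    """Lint every <Connector> in a catalina-server.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(lint_connector(conn))
    return findings


# Constructed samples (not real WSO2 files).
DEFAULT_XML = """<Server><Service>
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="9443" SSLEnabled="true" sslProtocol="TLS"
             keystoreFile="repository/resources/security/wso2carbon.jks"/>
</Service></Server>"""

# What the question describes: a version list in the wrong attribute.
BROKEN_XML = DEFAULT_XML.replace('sslProtocol="TLS"', 'sslProtocol="TLSv1.1,TLSv1.2"')

# What the answer describes: sslProtocol removed, versions listed in sslEnabledProtocols.
FIXED_XML = DEFAULT_XML.replace('sslProtocol="TLS"', 'sslEnabledProtocols="TLSv1.1,TLSv1.2"')

if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_XML), ("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        print(name, lint_catalina_xml(doc) or "OK")
```

Run it against the real file with `lint_catalina_xml(open(path).read())`; the "default" sample reproduces the shipped connector (no sslEnabledProtocols, so TLSv1 is still offered), "broken" reproduces the start-up failure from the question, and "fixed" is the shape the accepted answer describes.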

Related

WSS Support in WSO2 API Manager

I am verifying the WebSocket support in WSO2 API Manager for one of my requirements. By default, WSO2 API Manager provides the options for configuring the "WS" protocol and I am able to access it. But I couldn't find any configuration for "WSS" protocol support.
Is there any limitation in WSO2 API manager or is there any documentation available?
Thanks,
Sow
WebSocket support is available by default in WSO2 API Manager. Related transport configurations should be available inside the axis2.xml configuration file. You can find related documentation in the WSO2 API Manager documentation.
https://docs.wso2.com/display/AM260/Create+a+WebSocket+API
When using the wss endpoint, we observed some errors and were able to get rid of them with the following approach.
Please include the following parameter in the SecureWebSocketInboundEndpoint.xml file, which resides in the <APIM_HOME>/repository/deployment/server/synapse-configs/default/inbound-endpoints directory.
TLSv1.1,TLSv1.2
Also, please remove the following parameters from the same SecureWebSocketInboundEndpoint.xml file if they (wss.ssl.trust.store.file and wss.ssl.trust.store.pass) exist in the file.
repository/resources/security/client-truststore.jks
wso2carbon
Please use the following sample WebSocket client to try out and run the WSS client. Please change the variable carbonKeyStoreLocation to point to <API-M_HOME>/repository/resources/security/wso2carbon.jks. Note that the port for the WSS API is 8099.
You can download the WSS client from the following WSO2 official documentation under the WSS Support section (in the second step) [1]. Further, please change the access token, WebSocket endpoint and carbonKeyStoreLocation to your own to try out the scenario.
[1] https://docs.wso2.com/display/AM260/Create+a+WebSocket+API

WSO2 AM 1.10.0 -- Client requested protocol TLSv1 not enabled or not supported

I deployed WSO2 AM to a production server in my organization, and the APIs can be accessed from the organization's intranet through both http and https (http://puaki.mpi.govt.nz/api/mrldatabase/v1/countries and https://puaki.mpi.govt.nz/api/mrldatabase/v1/countries). However, when trying to access the APIs from the outside internet, it hits an issue: I/O error: Client requested protocol TLSv1 not enabled or not supported
Could anyone please help me solve the issue?
Thanks,
Sean
It should be enabled by default; however, you can configure transport level security as described in this doc:
https://docs.wso2.com/display/IS530/Configuring+Transport+Level+Security

WSO2 ESB (4.9.0) throw out SOAPProcessingException when connecting Salesforce through proxy server

I am trying to use WSO2 ESB at a workplace where a proxy server is in use.
Set the proxy server settings in axis2.xml.
Install the certificate.
Initialize the Salesforce connector (the Salesforce certificate has been installed).
Test the API; it runs into an exception: SOAPProcessingException.
I would really appreciate it if someone could give ideas for a solution.
First of all, I have tried this type of scenario using WSO2 ESB 4.9.0 and it was working fine. Looking at your error messages, I can see that there was an authentication failure, hence the Salesforce endpoint returns an HTML error message. The ESB tries to build this HTML error message using the SOAP builder, leading to this situation.
This could be due to some missing configuration in your setup. You may follow [1] to enable an HTTP proxy to Salesforce. Then, to set up Salesforce, [2] will be helpful.
A couple of things I need to highlight here. Did you import the Salesforce certificate into the ESB's client trust store using the keytool import command? If not, please go ahead and do so. Also, is there a particular reason for you to use the NHTTP transport here? Ideally we would use the Passthrough transport to add the proxy host as given in [1].
If you still get the error after following the above steps, please enable the wire logs and post them here to investigate further. Follow these steps to enable wire logs.
Open the log4j.properties file in a text editor.
The log4j.properties file is located in the $ESB_HOME/repository/conf directory.
Un-comment the following entry:
log4j.logger.org.apache.synapse.transport.http.wire=DEBUG
Hope this helps you.
[1] https://docs.wso2.com/display/ESB470/Enabling+SSL+Tunneling+through+a+Proxy+Server
[2] https://docs.wso2.com/display/ESBCONNECTORS/Working+with+Salesforce+Connector+Operations

WSO2 API Key Manager

I am configuring our API Manager, but I am running into trouble authenticating via OAuth; it seems to be an issue with the API Key Manager. I haven't dug into it yet, but does this come with the API Manager (as I have assumed) or is it a separate installation?
I had the same issue when using the WSO2 API Manager on an Amazon-hosted machine; it turned out that Thrift was not working correctly because of some problem with multicasting and broadcasting.
What I did to get it working was to switch from ThriftClient to WSClient. If you have a huge number of requests coming in then Thrift is the recommended solution from WSO2, but in any "normal" case you will not notice any difference between Thrift and WS.
Here is how you switch:
Shut down the API Manager
Open up <api manager install dir>\repository\conf\api-manager.xml
Find ThriftClient
Change this to
<KeyValidatorClientType>WSClient</KeyValidatorClientType>
Start the API Manager
You may get some warnings while starting up, but try it before you jump to the conclusion that it doesn't work.
Hope it helps!
You can use the API Manager product in a distributed setup as key manager, gateway, store and publisher, but all functionality comes in a single distribution.
Go through the documentation for further guides
I was facing the same issue. Everything started when I created my own JKS in order to use SSL without a self-signed certificate. I successfully created the JKS and changed it in the carbon file. When I started the server, everything seemed OK; but when I used SoapUI to test an API call, I got this (in the logs of the API Manager):
APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
I started digging into what the problem was by enabling Debug level in the log4j.properties file, then tried again with SoapUI and I got:
APISecurityException: Could not connect to <my api ip address> on port 10397
Then I read the comment of OneMuppet and checked that file, and I found that the Thrift config has a host option, so I uncommented it:
<KeyValidatorClientType>ThriftClient</KeyValidatorClientType>
<ThriftClientPort>10397</ThriftClientPort>
<ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
<ThriftServerPort>10397</ThriftServerPort>
This line --> <ThriftServerHost>localhost</ThriftServerHost>
<EnableThriftServer>true</EnableThriftServer>
Save, restart the server and everything started working correctly.
I got the same issue after my installation; when I tried to invoke the API service it threw the error below:
900900 Unclassified Authentication Failure Error while accessing backend services for API key validation
After some random checks I looked at the axis2.xml file in /repository/conf/axis2; there it was referring to different IPs instead. I changed these IPs to my local IP and restarted. The issue is resolved now.
I was facing the same issue when I was trying to set up API Manager as an API Gateway on a different machine, as per the steps given here:
https://docs.wso2.com/display/AM250/Publish+through+Multiple+API+Gateways
Once the setup was done and I tried to use this gateway URL, I was getting the response below:
{"fault":{"code":900900,"message":"Unclassified Authentication Failure","description":"Error while accessing backend services for API key validation"}}
After changing the KeyValidatorClientType value from ThriftClient to WSClient in <api manager install dir>\repository\conf\api-manager.xml,
it started working fine, and I was able to get the expected response.
If you changed the admin password, then you also have to update the repository/conf/api-manager.xml file with the new password. The 2 places I have changed (so far) are:
<AuthManager>
and
<APIKeyManager>
but there are other admin usernames in that file. No doubt, I'll get to them....

Configuring WSO2 AS and BAM -new error

I followed the same steps as mentioned in the WSO2 documentation for configuring the BAM server and WSO2 AS. Both are on different computers. I am still not able to solve the errors. Now I am getting a new error when I click BAM EVENT_KS. My BAM server offset is 0 by default. I changed my WSO2 AS offset to 2 in carbon.xml.
ERROR {org.wso2.carbon.databridge.agent.thrift.AsyncDataPublisher} - Error while connection to event receiver
org.wso2.carbon.databridge.agent.thrift.exception.AgentException: Cannot borrow client for TCP,203.252.180.178:9443,TCP,203.252.180.178:9543
at org.wso2.carbon.databridge.agent.thrift.internal.publisher.authenticator.AgentAuthenticator.connect(AgentAuthenticator.java:58)
and many more .....
Please help; what could be the configuration problem with BAM? I tried all the latest 3 versions.
Read [1] for configuration details. As I can see, you have used ports 9443 and 9543 instead of 7611 or 7711, which are the correct Thrift server ports.
Use 7611 for the unsecured port and 7711 for the secured port when no port offset is applied in BAM.
[1] http://docs.wso2.org/wiki/display/AS501/Collecting+Data+Statistics+of+Services