An Axis2 service can be secured using the setServicePolicy operation in ServiceAdmin. However, even when the policy has the Rampart configuration, when I examine it from the admin console it doesn't select the default keystore for that service. Because there's no keystore selected, this service cannot be invoked.
I need to manually go to the UI and select the tenant's default keystore.
When we use ServiceAdmin to secure a service programmatically, how do we specify which keystore to use to secure it?
There's a separate service called applySecurity() in https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/security/org.wso2.carbon.security.mgt/4.2.0/src/main/java/org/wso2/carbon/security/keystore/service/SecurityConfigAdmin.java to do this task.
Using WSO2 APIM 2.6.0, it seems the primary keystore certificate is used for multiple purposes:
service (nio-https) SSL - that can be easily changed
signing a JWT token to the API Gateway backend service
thrift SSL endpoint for the Traffic Manager (port 9711)
The issue I have is that in a distributed setup a separate gateway should reach the TM endpoint and the hostname needs to be trusted. So, in theory, I can create a self-signed certificate with a new hostname; however, a new keypair/certificate will break existing backends validating the JWT token.
In theory I may just create a different self-signed certificate with the same public key, but it may be more complex to manage in the long run (I don't want to promote this practice).
Question: Is there a way to configure either the JWT signing certificate or the thrift SSL certificate separately? Or disable hostname validation for the throttling service (port 9711)?
(I'm not sure we want to allow disabling the hostname validation globally)
Since you have a distributed setup, this can be achieved easily.
You need to change the certificate in the gateways so that they use that keystore for the TM connection.
Keep the KM keystore as it is so that JWT is signed using the same old keystore.
I would like an overview of the proper way to validate the JWT at a remote backend server.
I believe I'd need a public key... does API-M expose an endpoint to obtain a public key, or do I extract it from wso2carbon.jks?
Thank you!
WSO2 API Manager signs the JWT with the private key of its keystore and you have to export it from the above keystore. We don't provide an endpoint for extracting public key.
Also, it's highly recommended to use your own keystore rather than the one shipped with the WSO2 product, because that keystore is common to all the products and released publicly.
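The answer above says the backend must verify the gateway's JWT with a public key exported from the gateway keystore. The following Go program is an added example, not code from WSO2 or from this thread; it shows the two halves of that contract with only the standard library. SignJWT stands in for the gateway (RS256 over header.payload with the keystore private key) and VerifyJWT is what the backend should do: pin the algorithm before looking at the signature, verify with the exported public key, and then enforce exp. The key pair is generated in-process so the example runs offline; the keytool command in the comment is the usual way to export the certificate (the alias and file names there are assumptions), and the claims are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWTs use unpadded base64url (RFC 7515).
var b64 = base64.RawURLEncoding

// SignJWT produces a compact RS256 JWT over claims. It plays the role of the
// API Manager gateway, which signs with the private key held in its keystore.
func SignJWT(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT is what the backend does with the exported public key: pin the
// algorithm, verify the signature over header.payload, then check expiry.
// Claims are returned only when every check passes.
func VerifyJWT(pub *rsa.PublicKey, token string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three dot-separated segments")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jwt: bad header encoding: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, fmt.Errorf("jwt: bad header: %w", err)
	}
	// Never let the token choose the verifier: an attacker-controlled "alg"
	// of "none" or an HMAC algorithm must be rejected outright.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("jwt: unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jwt: bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("jwt: signature verification failed")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jwt: bad payload encoding: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, fmt.Errorf("jwt: bad payload: %w", err)
	}
	// encoding/json decodes JSON numbers into float64.
	exp, ok := claims["exp"].(float64)
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("jwt: exp missing or token expired")
	}
	return claims, nil
}

func main() {
	// Generated here only so the example runs offline. In a deployment the
	// backend loads the certificate exported from the gateway keystore, e.g.
	//   keytool -exportcert -rfc -alias wso2carbon -keystore wso2carbon.jks -file gw.pem
	// (alias and file name are assumptions) and takes pub from
	// x509.ParseCertificate(...).PublicKey.(*rsa.PublicKey).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample claims.
	token, err := SignJWT(priv, map[string]interface{}{
		"sub": "alice",
		"exp": now.Add(5 * time.Minute).Unix(),
	})
	if err != nil {
		panic(err)
	}
	claims, err := VerifyJWT(&priv.PublicKey, token, now)
	fmt.Println(claims, err)
}
```

The algorithm pin comes before the signature check on purpose: if the backend picked the verifier from the token header, a token with alg "none" or an HMAC alg keyed with the public key would be accepted by a naive verifier.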
I cannot understand the difference between a service provider and a resident service provider. I understand it as follows.
When I want provisioning and a service provider using HTTP Basic Authentication and the SCIM API, the IS server has to configure the resident service provider's provisioning configuration. Is that right?
When I want provisioning and a service provider using OAuth authentication and the SCIM API, the IS server doesn't need to configure the resident service provider; just the service provider's provisioning configuration is required. Is that right?
Yes. Your understanding is correct. WSO2IS normally mediates authentication requests between SPs and IdPs. At the same time, the Identity Server itself can act as a service provider and an identity provider. When it acts as a service provider it is known as the Resident Service Provider. When you are provisioning users using SCIM, WSO2IS acts as a service provider. Therefore you can find only the provisioning-related configuration there. Also, I guess this may help you understand inbound/outbound provisioning with WSO2IS much better.
We are going to integrate Dynamics NAV 2013 with PHP eCommerce and are planning to do this via Dynamics NAV web services. I know that to integrate with PHP I have to enable NTLM authentication, but I'm wondering whether it is possible to publish a web service which doesn't require login/password authorization.
Second thing: if I want to allow only specified IPs to access my web service, is it possible to do this in Navision, or is it the server administrators' problem?
The client consuming a Nav web service has to be authenticated and mapped to a system user account, but it is possible to authenticate via the user name and the corresponding web service access key instead of the domain password.
The common approach is to create a user account that is used for web service access only, generate the web service access key, and pass this dedicated user's credentials from the consuming application. The client application will be required to provide the security certificate.
Besides, it is a good idea to create a separate service instance specifically for external access (usually users connecting via WAN).
Create a new Nav server instance and set "ClientServicesCredentialType" = "NavUserPassword". How to configure authentication via NavUserPassword
Create a user account with Web Service Access Key: Use an Access Key for SOAP and OData Web Service Authentication
Setup security certificate for the web service: Implementing Security Certificates
Develop your application that will consume the Nav web service, and pass the Nav user name and the web service access key instead of the password from this application.
This way, all users connecting from your web application will be authenticated, but they won't have to enter user name / password and you don't risk exposing your domain account credentials.
As for your second question, there is no way to set up this restriction from inside Nav that I'm aware of. I think this is a task for sysadmins; firewall applications allow you to set up very elaborate access rules.
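The four steps above end with the consuming application sending the dedicated user's name and web service access key instead of a password, over a service instance that presents a certificate. The Go program below is an added example, not code from Microsoft, from NAV, or from this thread, showing what that client side looks like and why it is safe: credentials go in HTTP Basic only over TLS, and the client trusts the instance's certificate explicitly (RootCAs) rather than switching verification off. Because the asker's real consumer is PHP, the same request shape applies there (SoapClient with login/password options); Go is used here so the exchange can run stand-alone. A small TLS test server plays the NAV instance; the user name, access key, endpoint path and SOAP body are all constructed placeholders.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Dedicated web-service-only account. Both values are placeholders for this
// example; in NAV the access key is generated on the user card, and it is
// never the user's domain password.
const (
	WSUser      = "WS_ECOMMERCE"
	WSAccessKey = "xK9pQ2vL7mN4rT8wB3yH6jF1sD5gA0cE"
)

// Constructed SOAP request standing in for a page web service call.
const SampleSOAP = `<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><ReadMultiple xmlns="urn:example-nav-page/customer"><setSize>10</setSize></ReadMultiple></soap:Body>
</soap:Envelope>`

// fakeNAVHandler plays the NAV instance running with
// ClientServicesCredentialType=NavUserPassword: HTTP Basic, user name plus
// web service access key, compared in constant time.
func fakeNAVHandler(w http.ResponseWriter, r *http.Request) {
	user, key, ok := r.BasicAuth()
	userOK := subtle.ConstantTimeCompare([]byte(user), []byte(WSUser)) == 1
	keyOK := subtle.ConstantTimeCompare([]byte(key), []byte(WSAccessKey)) == 1
	if !ok || !(userOK && keyOK) {
		w.Header().Set("WWW-Authenticate", `Basic realm="NAV"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "text/xml; charset=utf-8")
	io.WriteString(w, `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ReadMultiple_Result/></soap:Body></soap:Envelope>`)
}

// NewFakeNAV starts a TLS server acting as the NAV instance and returns a
// pool containing only its certificate: the consuming application trusts the
// instance's (self-signed or internal CA) certificate explicitly.
func NewFakeNAV() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(fakeNAVHandler))
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

// CallNAV is the consuming application's side: POST the SOAP body over TLS
// that trusts only `trusted` (no InsecureSkipVerify), authenticating with the
// dedicated user's name and access key instead of a domain password.
func CallNAV(endpoint string, trusted *x509.CertPool, user, key, soapBody string) (int, string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: trusted, MinVersion: tls.VersionTLS12},
	}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(soapBody))
	if err != nil {
		return 0, "", err
	}
	req.SetBasicAuth(user, key)
	req.Header.Set("Content-Type", "text/xml; charset=utf-8")
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return resp.StatusCode, "", err
	}
	return resp.StatusCode, string(body), nil
}

func main() {
	srv, pool := NewFakeNAV()
	defer srv.Close()
	status, body, err := CallNAV(srv.URL+"/NAV/WS/Page/Customer", pool, WSUser, WSAccessKey, SampleSOAP)
	fmt.Println(status, body, err)
}
```

Two things to keep from this when writing the PHP consumer: the access key is a credential and belongs in the application's secret store, not in source; and if the instance uses a self-signed certificate, point the client at that certificate (cafile) instead of disabling peer verification, which would let anyone on the path read the Basic header.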
No, you can't disable auth (you are able to select an auth type other than NTLM though). And I believe there is no case in which you should do this with Nav. Nav stores financial information, so no-no-no, you should not do this under any circumstances.
No, you can't restrict access by IP via Nav.
Are there any special configuration settings you have to do to make a web service work with SSL?
Is there a way to force the service methods to authenticate using a username/password like I can do with a WCF service?
No. SSL support is provided by the web server (IIS).
Yes. Just configure authentication through web.config
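As an added illustration of the two answers above (not configuration taken from the thread), this is the shape of a web.config for an ASP.NET (ASMX) web service that makes IIS authenticate every call and refuse plain HTTP. The system.web part is what "configure authentication through web.config" means; the sslFlags setting is how IIS 7 and later enforce SSL, since the web server, not the service code, terminates TLS.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Integrated Windows authentication for every request to the service -->
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" is the anonymous user: deny it so unauthenticated calls get 401 -->
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <!-- IIS 7+: require SSL so credentials never travel in the clear -->
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</configuration>
```

The security/access section is locked at the server level by default, so the sslFlags line only takes effect once an administrator unlocks it in applicationHost.config or sets "Require SSL" in IIS Manager; anonymous authentication must also be disabled on the site for the deny rule to bite.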