How can I add claim mapping in wso2is via configuration? - wso2

I added this in claim-config.xml, but I don't see that claim being added in the IS management console.
<Claim>
<ClaimURI>http://wso2.org/claims/serialNumber</ClaimURI>
<DisplayName>serialNumber</DisplayName>
<AttributeID>url</AttributeID>
<Description>SerialNumber</Description>
<DisplayOrder>3</DisplayOrder>
<SupportedByDefault />
</Claim>
Also, I don't want to add the claim mapping from the management console. I want to automate this process, so I need a configuration change.

WSO2IS reads the claim-config.xml file and adds those claims when you start the server for the first time. After you update the claim-config.xml, it does not read from it. When the server is started the first time, it reads the claim-config.xml file and adds those into the database (as there is no claim configuration in the database yet). If claim mappings are dynamically changed and you do not like to configure them from the UI, you can automate the web service API that is used to configure the claims. If claim mappings are not changed, then you can add all the configurations to the claim-config.xml at the first start-up.

You can use the ClaimManagementService admin service of WSO2 Identity Server to do CRUD operations on claims. You can get an idea of the available methods by referring to the WSDL of ClaimManagementService. Please refer to this link for more information regarding calling admin services of WSO2 servers.
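The question asks for a scripted way to create the claim mapping, and the two answers above point at the ClaimManagementService admin service. The script below is an added example for this page, not WSO2's own code: it builds the SOAP request for the service's addNewClaimMapping operation from the question's claim-config.xml values, reads the fields back to check the envelope, detects a SOAP fault in the reply, and posts the request with HTTP Basic authentication over verified TLS. The operation name, the claimMappingDTO element names and the two XML namespaces are assumptions recalled from the service's WSDL and must be checked against https://<host>:9443/services/ClaimManagementService?wsdl for your version; the mapped attribute, host, credentials and CA file are constructed placeholders.

```python
"""Add a claim mapping through the ClaimManagementService admin service.
Added example for this page, not WSO2 code. Operation and element names
and namespaces are ASSUMED; confirm them against the service WSDL."""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://org.apache.axis2/xsd"                        # assumed
DTO_NS = "http://dto.mgt.claim.identity.carbon.wso2.org/xsd"  # assumed
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("xsd", SVC_NS)
ET.register_namespace("xsd1", DTO_NS)


def build_add_claim_envelope(claim_uri, dialect_uri, display_name,
                             mapped_attribute, description="",
                             display_order=0, supported_by_default=True):
    """Return the SOAP 1.1 request that adds one claim mapping in dialect_uri."""
    # A claim URI is expected to live under its dialect; reject anything else
    # early rather than creating a dangling mapping on the server.
    if not claim_uri.startswith(dialect_uri.rstrip("/") + "/"):
        raise ValueError("claim URI must live under its dialect URI")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}addNewClaimMapping")      # assumed
    mapping = ET.SubElement(op, f"{{{SVC_NS}}}claimMappingDTO")      # assumed
    claim = ET.SubElement(mapping, f"{{{DTO_NS}}}claim")
    fields = [("claimUri", claim_uri), ("dialectURI", dialect_uri),
              ("displayTag", display_name), ("description", description),
              ("displayOrder", str(display_order)),
              ("supportedByDefault", str(supported_by_default).lower())]
    for tag, value in fields:
        ET.SubElement(claim, f"{{{DTO_NS}}}{tag}").text = value
    ET.SubElement(mapping, f"{{{DTO_NS}}}mappedAttribute").text = mapped_attribute
    return ET.tostring(env, encoding="unicode")


def envelope_fields(envelope):
    """Read the claim fields back out of a request envelope (sanity check)."""
    root = ET.fromstring(envelope)
    claim = root.find(f".//{{{DTO_NS}}}claim")
    out = {child.tag.split("}")[1]: child.text for child in claim}
    out["mappedAttribute"] = root.findtext(f".//{{{DTO_NS}}}mappedAttribute")
    return out


def soap_fault(response_xml):
    """Return the faultstring of a SOAP 1.1 fault response, or None if no fault."""
    root = ET.fromstring(response_xml)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return None
    return fault.findtext("faultstring")


def send(envelope, url, username, password, cafile):
    """POST the envelope with Basic auth over TLS. cafile is the CA that signed
    the server certificate, so certificate verification stays switched on."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=envelope.encode(), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": "urn:addNewClaimMapping",  # assumed
                 "Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()  # body usually carries the SOAP fault


if __name__ == "__main__":
    # Values mirror the question's claim-config.xml entry; the mapped
    # attribute name is constructed for the example.
    env = build_add_claim_envelope(
        "http://wso2.org/claims/serialNumber", "http://wso2.org/claims",
        "serialNumber", "serialNumber", description="SerialNumber", display_order=3)
    print(env)
    # reply = send(env, "https://localhost:9443/services/ClaimManagementService",
    #              "admin", "<admin-password>", "/path/to/carbon-ca.pem")
    # print(soap_fault(reply) or "claim mapping added")
```

The same fields are what the first answer says the server loads from claim-config.xml at first start-up, so a deployment script can write that file for the initial start and fall back to this call for claims that change later. Keep the admin credentials out of the script itself (read them from an environment variable or a secrets store) and never disable certificate verification to talk to port 9443.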

Related

WSO2 IS 5.5 - Advanced Authentication Configuration not saving

I'm trying to set up multi-factor authentication in WSO2 Identity Server 5.5. As per the instructions, I have installed and configured TOTP as a possible second factor. Within my service provider, I'm attempting to add multiple steps on the Advanced Authentication Configuration screen under the Local & Outbound Authentication Configuration section, and the modifications are not saving when I press Update.
I understand that some of the UI operations do not always operate as expected, so I was wondering if anyone knew how to fix this or perhaps could specify where the service provider config files are located so I can make these changes manually?
For my use case, I just want to have basic as the first step/factor and then totp as the second. Nothing seems to save on this screen.
Thanks.

wso2 products - log user actions done in Carbon console

We have some security requirements from a customer, so we need to configure/develop detailed audit logging which will log user actions done in the Carbon Management console, i.e. datasource modification, service modification in WSO2 ESB.
Is there any way to do this using the included log4j?
We are using WSO2 Enterprise Service Bus 4.8.1 and WSO2 Application Server 5.2.1.
WSO2 products have an audit log which can be found in the repository/logs folder. But the problem is, this audit log has very little audit information. The reason is as follows.
WSO2 products are built using a collection of reusable OSGi components. For example, for data source related operations we have one component and for proxy related operations we have another.
Now, the problem here is, these individual components have not put in enough audit logs to cover the user operations. Therefore, your requirement seems to be difficult to achieve.
There are some extension points in WSO2 products which you can use to do your own tasks upon certain actions such as user login or user creation. For example, you can implement a certain interface and print whatever log you want upon a successful user login or a failed login attempt. But those extension points are limited mostly to user management related operations.
All the HTTP communication done with the server is already logged in the HTTP access logs in CARBON_HOME/repository/logs. You can use a log analyzer tool or even grep to capture any desired user action.
Ex: To get the log-ins to the datasources page use
cat http_access_2016-06-02.log | grep "GET /carbon/ndatasource/index.jsp"
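The grep above answers one question at a time; the script below turns the same access-log approach into a small per-client timeline of console actions. It is an added example, not WSO2 code. The sample log lines and the path-to-action table are constructed for illustration: only /carbon/ndatasource/index.jsp comes from the answer, the other console paths (/carbon/admin/login_action.jsp, /carbon/proxyservices/...) are assumptions to be checked against your own logs. The access log records the client address but not the console username, so a real review joins these rows with the login entries in the audit log by time and address.

```python
"""Extract Carbon management-console actions from a Tomcat HTTP access log.
Added example for this page, not WSO2 code; sample lines and path rules
are constructed."""
import re
from collections import defaultdict

# Combined-format access log line: client, ident, user, time, request, status, size, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# (method or "" for any, path prefix, label). First match wins, so specific
# rules come before the catch-all for the rest of the console.
ACTION_RULES = [
    ("POST", "/carbon/admin/login_action.jsp",  "console login attempt"),   # assumed path
    ("GET",  "/carbon/ndatasource/index.jsp",   "viewed data sources"),     # from the answer
    ("POST", "/carbon/ndatasource/",            "modified a data source"),  # assumed path
    ("GET",  "/carbon/proxyservices/index.jsp", "viewed proxy services"),   # assumed path
    ("POST", "/carbon/proxyservices/",          "modified a proxy service"),# assumed path
    ("",     "/carbon/",                        "other console request"),
]

# Constructed sample log; one console session from 10.0.0.5 plus an API call from 10.0.0.9.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2016:10:15:01 +0000] "POST /carbon/admin/login_action.jsp HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.5 - - [02/Jun/2016:10:15:03 +0000] "GET /carbon/admin/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Jun/2016:10:15:09 +0000] "GET /carbon/ndatasource/index.jsp?region=region1&item=datasources_menu HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Jun/2016:10:16:30 +0000] "POST /carbon/ndatasource/addDataSource.jsp HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.9 - - [02/Jun/2016:10:17:02 +0000] "GET /services/Version HTTP/1.1" 200 311 "-" "curl/7.47"
10.0.0.5 - - [02/Jun/2016:10:18:44 +0000] "POST /carbon/proxyservices/updateProxy.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Map a parsed request onto an action label, or None for non-console traffic."""
    for method, prefix, label in ACTION_RULES:
        if method and entry["method"] != method:
            continue
        if entry["path"].startswith(prefix):
            return label
    return None


def console_actions(log_text):
    """Return (time, client, status, action) tuples for console requests, in log order."""
    actions = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is not None:
            actions.append((entry["time"], entry["client"], entry["status"], label))
    return actions


def actions_by_client(log_text):
    """Group console actions into a per-client timeline."""
    timeline = defaultdict(list)
    for time, client, status, label in console_actions(log_text):
        timeline[client].append(f"{time} {label} (HTTP {status})")
    return dict(timeline)


if __name__ == "__main__":
    for client, rows in actions_by_client(SAMPLE_LOG).items():
        print(client)
        for row in rows:
            print("   ", row)
```

Because every write in the console is a POST to a page under /carbon/, the POST rules are the ones worth keeping tight; the catch-all only makes sure unrecognised console traffic is still visible rather than silently dropped.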

Automatically add users to API Manager

I am looking for a way to automatically add users to WSO2 API Manager. I have a basic install with the H2 database, but someday I might move to postgres or something like that. What is the best way to add users from say a script?
In Carbon products (APIM, IS), all user store operations can be exposed via web services. External applications can use these web services to add/delete/update/get users and groups in the user store. Please note that H2 is not recommended for production.
REST web service according to the SCIM provisioning specification.
SOAP-based web service. You can find more details here.
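The question asks for a script, and the answer names SCIM as the REST option. The script below is an added example for this page, not WSO2 code: it builds a SCIM 1.1 user representation, produces a copy safe for logging (the password removed), and posts it with HTTP Basic authentication over verified TLS. The endpoint path /wso2/scim/Users and the core schema URN are assumptions to confirm against the SCIM documentation of your product version; the user values, host, credentials and CA file are constructed placeholders.

```python
"""Provision a user through a Carbon product's SCIM REST endpoint.
Added example for this page, not WSO2 code. Endpoint path and schema URN
are ASSUMED; confirm them for your product version."""
import base64
import json
import ssl
import urllib.error
import urllib.request

SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"  # assumed: SCIM 1.1 core schema
SCIM_USERS_PATH = "/wso2/scim/Users"            # assumed endpoint path


def build_scim_user(user_name, password, given_name, family_name, email):
    """Return the SCIM 1.1 user representation as a dict."""
    if not user_name or not password:
        raise ValueError("userName and password are required")
    return {
        "schemas": [SCIM_CORE_SCHEMA],
        "userName": user_name,
        "password": password,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [email],
    }


def redacted(user):
    """Copy of the user that is safe to write to a log: the password is removed."""
    safe = dict(user)
    safe.pop("password", None)
    return safe


def create_user(user, base_url, admin_user, admin_password, cafile):
    """POST the user to <base_url>/wso2/scim/Users over verified TLS.
    Returns (HTTP status, response body); a 409 means the user already exists."""
    ctx = ssl.create_default_context(cafile=cafile)  # keeps certificate checks on
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + SCIM_USERS_PATH,
        data=json.dumps(user).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Constructed sample user; in a real script read the values from your
    # HR feed or CSV and the admin credentials from the environment.
    user = build_scim_user("jane.doe", "<initial-password>", "Jane", "Doe",
                           "jane.doe@example.com")
    print("provisioning", json.dumps(redacted(user)))
    # status, body = create_user(user, "https://localhost:9443", "admin",
    #                            "<admin-password>", "/path/to/carbon-ca.pem")
    # print(status, body)
```

Loop over your user list with the same function and treat anything other than 201 as a failure to report; the redacted copy is what belongs in the provisioning log, never the full payload.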

WSO2 Governance Service Audit

Is there a way to show the entire audit log associated with one service in the Service Detail layout, instead of having to search the activities and figure out the changes?
Thanks.
As far as I know, it is not supported yet. You need to search the log file using the service name and find them out. Actually, for analysing logs and audit data, WSO2 may recommend the BAM server, where you can publish the server's audit and log data.

How is the password of the data source stored in the WSO2 Data Services Server?

In the Data Services Server, one of the steps is to create a Data Source, in which you need to supply the connection URL as well as the database user ID and password.
My questions are:
How is this password stored in the Data Services Server?
Is the password encrypted, and what kind of encryption is used?
Is the password stored in a database or a file?
Where can I find out more about this, as there are not many details in the documentation?
I need to find answers to these questions, as these will be potential questions from the database security team when we plan to roll out WSO2 DSS to the live environment.
If there are no answers, I will also appreciate any links or emails to which I can send my queries.
If you use the current release of the Data Services Server, this information is stored in the registry.
With the next release it will be possible to specify these in an XML file and secure the XML file using secure vault.
By default, Data Services does not encrypt the password entries that are in the .dbs files. You can use the Synapse datasource.properties file to define global datasources and access them as "Carbon Datasources" from data services. The data in the datasource.properties file can be encrypted using the secure vault functionality; for more info, check [1].
Also, in the DSS v2.6.3 release, we had a partial secure vault implementation. It is not publicly documented, but can still be accessed from here [2]. That implementation is not fully integrated with the Carbon secure vault implementation, and you will have to write your own "SecretCallBackHandler"s.
The upcoming DSS v3.0.0 release, which is to be released soon, will contain proper secure vault functionality by integrating with the Carbon secure vault, where you can give aliases to the password fields from the data service wizard itself. We also have new XML configurations for defining global data sources, which are independent from Synapse and are also integrated with secure vault.
[1] http://wso2.org/project/esb/java/4.0.0/docs/samples_setup_guide.html#datasource
[2] http://wso2.org/project/data-services/2.6.3/docs/secureVault.html
Cheers,
Anjana.