How can I disable features WSO2 ESB 4.0.3? - wso2

We are in final few steps of WSO2 ESB / Data services implementation.
We are trying to pass the Information Security review of our WSO2 ESB implementation. We are using ESB 4.0.3 with the DSS 3.2.2 feature.
The Information Security group has objected to the following things in the default WSO2 ESB:
QPID / AMQP server listening on ports 5672 / 8672. Can we disable the default message broker so that QPID will not start? If we disable it, will it affect any other functionality? We are NOT using message brokers / any JMS related applications, mainly Data Services.
How to block the JMX console from being started? The JMX console starts on 11111 / 9999 by default.
We have already disabled the Admin UI; however, is there any way I can turn the logging levels for individual loggers without the Admin UI and WITHOUT restarting the ESB?

You can stop the JMX server from starting through CARBON_HOME/repository/conf/etc/jmx.xml by setting:
<StartRMIServer>false</StartRMIServer>

If the admin console were enabled, you could configure the logging from the UI. Since you have disabled the admin console, you can configure the loggers using the log4j.properties file in CARBON_HOME/repository/conf. But then you have to restart the server.
There is no other way to configure logging without restarting.

You can disable the QPID server listening on the 8672 TLS port with the following configuration change.
Go to the repository/conf/advanced/qpid-config.xml file and change the entry as below.
<broker>
<connector>
<!-- To enable SSL edit the keystorePath and keystorePassword
and set enabled to true. To disable the Non-SSL port set sslOnly to true -->
<ssl>
<enabled>false</enabled>
<sslOnly>false</sslOnly>
<keystorePath>repository/resources/security/wso2carbon.jks</keystorePath>
<keystorePassword>wso2carbon</keystorePassword>
</ssl>
<!-- remaining connector settings unchanged -->
</connector>
</broker>
After that the QPID broker will not start on the TLS port. However, regarding disabling the Qpid server on the 5672 TCP port: ESB 4.0.3 ships with an embedded QPID broker which is tightly coupled with other ESB components. Therefore, unfortunately, it is not possible to detach the broker from the ESB with a configuration setting. This changed after ESB 4.5.x, where the embedded Qpid broker is no longer shipped with the ESB, so if it is possible, you can upgrade the ESB version in order to meet this requirement.
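To turn the two answers above into a repeatable pre-review check, here is an added example (not WSO2 code, and not from either answer) that parses the jmx.xml and qpid-config.xml settings discussed in the thread and reports which hardening items are still open. It assumes only the element names shown above (StartRMIServer, and broker/connector/ssl/enabled in qpid-config.xml); the XML fragments it runs against are constructed for the demo, and lookups ignore namespaces so the real file's root element does not matter. It also carries the caveat from the answer that the 5672 listener cannot be switched off by configuration in 4.0.3.

```python
"""Audit WSO2 ESB 4.0.3 config fragments for the hardening points in the thread.

Added example, not WSO2 code. Assumes the element names shown in the thread
(<StartRMIServer> in jmx.xml; <broker><connector><ssl> in qpid-config.xml).
The XML below is constructed for the demo; the real root elements may differ,
which is why element lookups match on local name and ignore namespaces.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed jmx.xml fragments: shipped behaviour (RMI server on) and hardened.
JMX_DEFAULT = "<JMX><StartRMIServer>true</StartRMIServer></JMX>"
JMX_HARDENED = "<JMX><StartRMIServer>false</StartRMIServer></JMX>"

# Constructed qpid-config.xml fragment using the values quoted in the answer.
QPID_DEFAULT = """<broker>
  <connector>
    <ssl>
      <enabled>true</enabled>
      <sslOnly>false</sslOnly>
      <keystorePath>repository/resources/security/wso2carbon.jks</keystorePath>
      <keystorePassword>wso2carbon</keystorePassword>
    </ssl>
  </connector>
</broker>"""
QPID_HARDENED = QPID_DEFAULT.replace("<enabled>true", "<enabled>false")

# Finding texts kept as constants so callers (and tests) can compare exactly.
F_JMX_ON = "jmx.xml: JMX RMI server enabled (listens on 9999/11111 by default)"
F_JMX_MISSING = "jmx.xml: <StartRMIServer> not set; thread reports JMX starts by default"
F_QPID_TLS_ON = "qpid-config.xml: Qpid TLS connector enabled (port 8672)"
F_QPID_KEYSTORE_PW = "qpid-config.xml: keystorePassword is the value shipped in the sample config"
NOTE_5672 = ("embedded Qpid broker on 5672 cannot be disabled by configuration in "
             "ESB 4.0.3; restrict the port at the network layer or upgrade to 4.5.x+")


def _local(tag: str) -> str:
    """Strip an XML namespace prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def find_elem(root: ET.Element, name: str) -> Optional[ET.Element]:
    """Return the first element (depth-first) whose local name is `name`."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def find_text(root: ET.Element, name: str) -> Optional[str]:
    """Return the stripped text of the first `name` element, or None if absent."""
    el = find_elem(root, name)
    return None if el is None else (el.text or "").strip()


def audit_jmx(xml_text: str) -> List[str]:
    """Flag jmx.xml unless <StartRMIServer> is explicitly false."""
    value = find_text(ET.fromstring(xml_text), "StartRMIServer")
    if value is None:
        return [F_JMX_MISSING]
    return [] if value.lower() == "false" else [F_JMX_ON]


def audit_qpid(xml_text: str) -> List[str]:
    """Flag the TLS connector and the sample keystore password in qpid-config.xml."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    ssl = find_elem(root, "ssl")
    # Look only inside <ssl> so an unrelated <enabled> elsewhere is not matched.
    enabled = "" if ssl is None else (find_text(ssl, "enabled") or "")
    if enabled.lower() != "false":
        findings.append(F_QPID_TLS_ON)
    if ssl is not None and find_text(ssl, "keystorePassword") == "wso2carbon":
        findings.append(F_QPID_KEYSTORE_PW)
    return findings


def audit(jmx_xml: str, qpid_xml: str) -> Dict[str, List[str]]:
    """Combine both audits; 'notes' carries the caveat that config cannot fix."""
    return {"findings": audit_jmx(jmx_xml) + audit_qpid(qpid_xml),
            "notes": [NOTE_5672]}


if __name__ == "__main__":
    for label, jmx, qpid in (("shipped", JMX_DEFAULT, QPID_DEFAULT),
                             ("hardened", JMX_HARDENED, QPID_HARDENED)):
        report = audit(jmx, qpid)
        print(f"[{label}] {len(report['findings'])} finding(s)")
        for line in report["findings"] + report["notes"]:
            print("  -", line)
```

Run it against copies of the two real files by reading them with `open(...).read()` in place of the constructed strings; the "hardened" run still reports the keystore password and the 5672 note, which is the point: after the two edits, those are the items left to raise with the review board.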

Related

HTTPS outbound requests time increases to 5 min after 14-21 days on an instance running a product based on IdentityServer 4

Running an ASP.Net Core application based on IdentityServer 4 on an AWS cluster,
after 14-21 days all outgoing HTTPS requests take 5 min or more to finish.
After an investigation I found that the WinHTTP Web Proxy Auto-Discovery Service dies with the following error: The endpoint mapper database entry could not be created. Not sure if this is the issue or a side effect of something else that breaks lower in the OS.
Environment:
ELB with an autoscaling group with two instances behind it; the issue occurs on both
Windows Server 2019
Notes:
It is a custom AMI but the only difference with the instances that do not experience this is the product is running on it.
Happens on both .Net core 2.2 and 3.1 based versions of the application
Happens on both versions based on IdentityServer4 v2 and v3
The app is deployed self contained
The app uses Kestrel without a reverse proxy in front of it
Tried:
Enabled schannel: no errors in the schannel logs set on trace
No other notable errors in any of the EventViewer logs
Restarting the instance fixes the problem
When running curl.exe -v to an HTTPS site on the machine the request gets stuck on schannel: checking server certificate revocation
The clocks on the instances are OK
Restarting the app process does not resolve the issue
Disabling the HTTPClient in the code using the WinHTTP Web Proxy Auto-Discovery Service still breaks the service.
For those running into this.
The root of this issue is the WinHTTP autoproxy (WPAD) service, which is used to autoconfigure proxy settings. WinHTTP 5.1 implements the Web Proxy Auto-Discovery (WPAD) protocol, also known as autoproxy, and it must support DHCP. This is where the problem occurs: the AWS DHCP does not support DHCP option 252 (used by WPAD), which in turn causes the issue.
The resolution is to disable the WinHTTP service, as it is turned on by default in Windows.
I am seeing this exact same problem on a bare-bones AWS Lightsail instance of Server 2019. I am simply using IIS as a reverse proxy with the URL Rewrite module.
Here are some details about my environment/scenario in case it helps narrow down some common factors.
I have zero .Net applications running on this box, it is simply a reverse proxy.
I have 2 web applications, and 2 websites setup in IIS, each is a reverse proxy for a different back-end API.
The websites in IIS on the reverse proxy use the same CA-issued wildcard certificate as the back-end APIs.
The back-end APIs are also hosted in IIS (Server 2012 R2).
The back-end APIs run in a PCI compliant environment, so IIS Crypto has been used to tighten up encryption protocols/algorithms. I have not used IIS Crypto on the reverse proxy yet, so as I type this I'm starting to wonder if there's an SSL aspect to this.

WSO2 MB vs Apache Kafka

I've been working with both Apache Kafka and WSO2 Message Broker in order to publish and consume messages using Topics. But apart from changing the JNDI properties in WSO2 MB, the configuration for integrating with WSO2 CEP looks to be the same in both.
I'm sure each has its own pros & cons. I've gone through the Kafka docs and the WSO2 MB documentation. Are there any major differences when comparing one against the other? Any help would be appreciated.
Architecture
WSO2 MB: Built by extending the Apache Qpid code base. It also uses Apache ZooKeeper and Apache Cassandra.
Apache Kafka:
Solution built from scratch.
Web Management Console
WSO2 MB: Native Management Console
Apache Kafka: No native Management Console. But there are some open source options: https://github.com/yahoo/kafka-manager and https://github.com/claudemamo/kafka-web-console
Community
Apache Kafka: used by giant companies; check out the list below
https://cwiki.apache.org/confluence/display/KAFKA/Powered+By
WSO2 MB: doesn't have proven use-cases in the market.
Protocols
WSO2 MB: Support JMS, AMQP and MQTT
Apache Kafka: It has its own protocol, which is built over TCP: http://kafka.apache.org/protocol.html Kafka is built for high throughput and large scale message processing applications.
Client Libraries
Apache Kafka: https://cwiki.apache.org/confluence/display/KAFKA/Clients
WSO2 MB: Java

Why do Data Services use the Servlet Ports as opposed to NIO/PT - WSO2

I've installed the DSS 3.2.2 features onto ESB 4.8.1.
When I create a proxy service the Service endpoints are as expected e.g
http://[ip]:8280/services/[proxy_service_name]
But when I create a data service, the service endpoints also show the same (NIO) port, contrary to the expected (mgmt) port:
http://[ip]:8280/services/[data_service_name]
But it should be
http://[ip]:9763/services/[data_service_name]
If I send a JSON POST request to 8280 for a data service, it does not receive any params:
"current_params": "{}"
Sending it to 9763 it reads my params:
"current_params": "{no=xxx, dump_size=10}"
Is there a config/way to fix this?
I believe you are using the try-it tool shipped with WSO2 ESB by default. Let me explain what the reason for this problem is. WSO2 ESB exposes two HTTP ports (i.e. the NIO port, which is 8280, and the servlet port, which is 9763), and when the data service features are installed, data services are also exposed via both ports. By default the ESB try-it tool uses the NIO port (8280). The issue is that the ESB try-it tool does not handle invoking a data service via the NIO transport: it drops the parameters passed. That is why current_params is empty. This is a known issue and will be fixed in a future release. As a workaround you can either use the servlet port to invoke the data service or use any other SOAP client such as SoapUI.
Thanks

Configuring WSO2 AS and BAM -new error

I followed the same steps as mentioned in the WSO2 documentation for configuring the BAM server and WSO2 AS. Both are on different computers. I am still not able to solve the errors. Now I am getting a new error when I click BAM EVENT_KS. My BAM server offset is 0 by default. I changed my WSO2 AS offset to 2 in carbon.xml.
ERROR {org.wso2.carbon.databridge.agent.thrift.AsyncDataPublisher} - Error while connection to event receiver
org.wso2.carbon.databridge.agent.thrift.exception.AgentException: Cannot borrow client for TCP,203.252.180.178:9443,TCP,203.252.180.178:9543
at org.wso2.carbon.databridge.agent.thrift.internal.publisher.authenticator.AgentAuthenticator.connect(AgentAuthenticator.java:58)
and many more .....
Please help; what could the configuration problem with BAM be? I tried all of the latest 3 versions.
Read [1] for configuration details. As I can see you have used ports 9443 and 9543 instead of 7611 or 7711 which are the correct Thrift server ports.
Use 7611 for unsecured port and 7711 for the secured port when no port offset is applied in BAM.
[1] http://docs.wso2.org/wiki/display/AS501/Collecting+Data+Statistics+of+Services

WSO2 ESB -How to set HTTPS port for proxy services other than management console HTTPS port

I am using ESB 4.0.3 on Mac OSX 10.7.5.
Java version is
java version "1.6.0_35"
Java(TM) SE Runtime Environment (build 1.6.0_35-b10-428-11M3811)
Java HotSpot(TM) 64-Bit Server VM (build 20.10-b01-428, mixed mode)
In my axis2.xml I have the following configuration for the HTTPS transport listener
<transportReceiver name="https" class="org.wso2.carbon.core.transports.http.HttpsTransportListener">
<parameter name="port" locked="true">9443</parameter>
</transportReceiver>
In my mgt-transports.xml I have following configuration
<parameter name="port" locked="xsd:false">${Ports.ServletTransports.HTTPS}</parameter>
In my carbon.xml I have following configuration
<ServletTransports>
<HTTPS>9440</HTTPS>
<HTTP>9763</HTTP>
</ServletTransports>
However, when I start the ESB, the proxy / Data services on the HTTPS port never listen on 9443, whereas they listen on 9440 all the time.
How can I enable an HTTPS port for the proxy and Data services that is different from the management console HTTPS port?
Please let me know.
thanks
Abhijit
Hi Nuwan
I am not using the NHTTP transport. Please see the transportListener class above. I am using the servlet transport only for the ESB, as my requirement is not to disturb the existing HTTP client.
For the servlet transport in the ESB I would like to know if the Admin UI port can be different from the ESB proxy services HTTPS port.
Please help.
Abhijit
Are you referring to ESB proxy services? If so, they do not listen on the servlet transport. They work on the NHTTP transport, which you can configure. Please provide more information. What are the NHTTP ports in the ESB?
Regards,
/Nuwan
If you are using the servlet transport for the ESB, the same port will be used by the Admin Console UI. You cannot do anything about that: since there is only one servlet transport, the Admin UI will also use it.
Regards,
/Nuwan