WSO2 products and Carbon version compatibility - wso2

I want to include multiple WSO2 products in 1 Carbon Management console. I started with Carbon 4.1.0. However, when installing features, not all products are listed (e.g. BRS, Identity Server etc). I understand that these will be added in the future (?).
You can add additional repositories in the console, pointing to other versions of Carbon.
Now my questions are:
Will this result in a stable environment (multiple carbon versions) and products that can work together?
Is this the way to go (having 1 management console for multiple products)?
Are 4.x carbon based products compatible with 3.x carbon based products?
Is there an overview of WSO2 product versions and what Carbon version contains the features?

1) It is not recommended to install multiple features without careful analysis of them. Actually, products are carefully analysed and proven features that are grouped together to solve common problems. As an example, if you combine AS + ESB features, yes you can have it, but it may result in poor performance in ESB since your services are hosted in the same server too. (Likewise there are many negatives.) Further, some of the combinations are not properly tested in a production environment and will have some unidentified issues. But released products are tested properly and used in production too.
2) Not compatible. You cannot install 3.x features in 4.x.
3) You may refer to this for product overviews
http://wso2.com/products/carbon/release-matrix/

About your initial question, under carbon 4.1.0 still only AS(5.1.0) is released. Rest will be released later on (sometimes may be with carbon 4.1.x or 4.2.x).

Related

Vulnerability fix for Apache Commons Text with wso2 carbon libraries

I am looking for suggestions on the recent vulnerability (https://blogs.apache.org/security/entry/cve-2022-42889), which is also coming from the wso2 IS 5.11 binary downloaded from (https://github.com/wso2/product-is/releases/tag/v5.11.0) and the carbon libraries we are using in custom plugins like:
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.mgt</artifactId>
<version>5.18.187</version>
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
<version>5.18.187</version>
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.provisioning</artifactId>
<version>5.18.187</version>
Are there any upgrades to these which are compatible with wso2 IS v5.11?
In the wso2 advisories, it is mentioned that the vulnerability has no impact on the products [1] since the preconditions are not met. The team promises to fix the vulnerable versions, and (paid) customers will be able to obtain the fix through their security update once it is available. Along with this effort, the public fix will be done for the current public branch and will be available if you build the product-is from the repository. The timeline for the public fix is yet to be known.
And the suggested upgrade would be to 1.10.0 of Apache Commons Text library for 5.11.0.
This library comes to Identity server 5.11 pack mainly through Forget me tool. And in the latest release (wso2is-6.0.0), forget me tool has been externalized[2] which could be used in the product on demand.
Refer:
[1] https://docs.wso2.com/display/Security/CVE-2022-42889
[2] https://is.docs.wso2.com/en/latest/deploy/remove-references-to-deleted-user-identities/#building-the-identity-anonymization-tool

Log4j vulnerability with org.wso2.carbon.identity.application.authentication.framework

I am getting log4j-core -> 2.12.0 vulnerability with org.wso2.carbon.identity.application.authentication.framework
As per the github link - https://github.com/wso2/product-is/blob/v5.11.0/pom.xml
the compatible version for WSO2 IS v5.11 is 5.18.187
But as I checked on Maven as well, the specified version https://mvnrepository.com/artifact/org.wso2.carbon.identity.framework/org.wso2.carbon.identity.application.authentication.framework/5.18.187
has log4j core vulnerabilities in a compile dependency https://mvnrepository.com/artifact/org.wso2.carbon.identity.framework/org.wso2.carbon.identity.testutil/5.18.187
Could you please suggest whether I should go with upgrading the version of org.wso2.carbon.identity.application.authentication.framework or should just add a direct dependency for log4j-core 2.17.2?
Upgrading the org.wso2.carbon.identity.application.authentication.framework would not be compatible with the other modules in the distribution and I recommend not doing so since it could lead to some breaking changes in the product features.
And upgrading the log4j-core dependency in the org.wso2.carbon.identity.application.authentication.framework to the 2.17.2 version alone would not work since there are other artifacts that were affected by the log4j vulnerability.
Since this vulnerability was identified, WSO2 has released an updated version for the product-is which you can download from their website.
The Version 5.11.0 - SERVICE PACK 01 which you can download from here would have the updated product-is v5.11.0 with the fixes for the log4j vulnerability. And it also includes bug fixes for the initial 5.11.0 release.
Hence, I recommend going with the already existing 5.11.0 - SERVICE PACK 01 instead of manually updating the affected artifacts.
Upgrading org.wso2.carbon.identity.application.authentication.framework might lead to breaking changes, and updating the log4j-core dependency will not resolve the issue since there can be other components which are also affected by this vulnerability.
WSO2 has already identified and fixed this. I would like to recommend you to download and use the latest Identity Server version (IS 6.0.0) from the official WSO2 website or from git releases. The WSO2 team has paid special attention to fixing most of the 3rd party vulnerabilities in this release and there are so many new features available.
Updated 1:
You can follow the temporary solution specified in this doc if you don't have a paid subscription or are unable to get the latest Identity Server product (NOTE that it is a temporary fix).
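
Added example, not part of the original posts and not WSO2 code: both threads above turn on which copies of commons-text and log4j-core actually ship in the pack, so this script walks an unpacked distribution and reports every jar whose embedded Maven `pom.properties` declares a version below the ones named in the threads (1.10.0 and 2.17.2). It assumes the jars keep Maven's `META-INF/maven/.../pom.properties` metadata; `audit_jars`, `make_jar` and the sample jar are constructed for illustration.

```python
import os
import re
import tempfile
import zipfile

# Minimum versions taken from the threads above (page values, not an advisory feed).
MINIMUM = {
    ("org.apache.commons", "commons-text"): (1, 10, 0),
    ("org.apache.logging.log4j", "log4j-core"): (2, 17, 2),
}
POM_PROPS = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def parse_version(text):
    """'2.12.0' or '1.6.0.wso2v1' -> tuple of the leading numeric parts."""
    nums = re.match(r"\d+(?:\.\d+)*", text.strip())
    parts = [int(p) for p in nums.group(0).split(".")] if nums else [0]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_jars(root):
    """Sorted (relative jar path, artifactId, version) for each copy below MINIMUM."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.endswith(".jar")):
            path = os.path.join(folder, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    for entry in jar.namelist():
                        m = POM_PROPS.search(entry)
                        if not m or m.groups() not in MINIMUM:
                            continue
                        props = jar.read(entry).decode("utf-8", "replace")
                        ver = re.search(r"^version=(.+)$", props, re.M)
                        if ver and parse_version(ver.group(1)) < MINIMUM[m.groups()]:
                            rel = os.path.relpath(path, root)
                            findings.append((rel, m.group(2), ver.group(1).strip()))
            except zipfile.BadZipFile:
                continue  # unreadable archive: skip it, keep auditing the rest
    return sorted(findings)

def make_jar(path, group, artifact, version):
    """Write a constructed jar holding only a Maven pom.properties entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                     f"groupId={group}\nartifactId={artifact}\nversion={version}\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample, not a real pack
        make_jar(os.path.join(root, "embeds-old-log4j.jar"), "org.apache.logging.log4j", "log4j-core", "2.12.0")
        print(audit_jars(root))
```

Because the check reads the metadata inside each archive rather than the file name, it also reports bundles that embed an old copy under a different jar name; jars stripped of `pom.properties` are not seen and need a separate check.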

WSO2 APIM: Configuration variables

(I know that this sounds like a newbie question, but, you know, really, I can't find the answer in the docs)
In WSO2 products, and specifically in API Manager (2.1.0), we have to modify a lot of configuration files just to start.
We have seen that some configuration files (api-manager.xml, carbon.xml) use configuration variables. E.g., ${admin.username} to substitute the admin user.
We have found an old post (2016) explaining the use of configuration variables in WSO2 products
https://medium.com/#shan1024/overriding-configurations-in-wso2-products-using-deployment-properties-file-f096e96f782d
But we are not able to find the deployment.properties file referenced in that post, nor any official documentation.
Do you know if this works in APIM? Where do I have to install this file?
As far as I know, deployment.yaml was introduced in Carbon kernel 5.2 onwards. But WSO2 APIM 2.x is based on Carbon kernel 4.4.X. Therefore APIM 2.x doesn't support that.
WSO2 APIM 3.X will support this feature.

Detecting PCF version(s)

I have access to our corporate PCF, through both the Apps Manager webpage and the "cf" CLI (and thus the API).
How can I detect what version of PCF they're running? There's nothing in the website that lists it, and the best I can find is using cf api which returns:
api version: 2.98.0
How can I map that to the PCF version, or is there another way to detect it?
Usually via Ops Manager; however, another quick way is to click on 'Docs' in Apps Manager, which should take you to the documentation of the relevant PCF version. For ex: https://docs.pivotal.io/pivotalcf/2-6/pas/intro.html means PCF 2.6
Please be advised that the documentation link has to be updated during upgrades, so if someone doesn't do that, it will point to an older version.
I don't believe Apps Manager or the API (i.e. Cloud Controller) will report that information. Both are just single parts of the entire system, so I think you could really only expect them to publish their own version information.
If you want to see versions of what is installed, you need to look at Ops Manager. That will show you the tiles that are installed and each version.
If you don't have access to Ops Manager, you'd need to ask your platform operators.
Hope that helps!

WSO2 Carbon Feature Stack - UES and Data Services Server

I would like to create a carbon server composed of multiple features; namely the User Engagement Server (UES) and the Data Services Server (DSS). UES is only carbon 4.1.0 based and DSS is 4.2.0 or 3.0.1 based. Is this possible? If so, how? If not, what are my alternatives for utilizing the functionality of both features set?
I have looked over wso2.org and other resources for help; however, I'm failing to find best practices for deploying a custom carbon solution and upgrading to future versions. In another post I found a compatibility matrix, but the answer indicates that there is neither forward nor backward compatibility.
WSO2 products will have API level changes between two different platform releases (as in 4.1.0 vs 4.2.0 [Turing]). So installing features from different platform versions will not work in most cases.
However, UES does have features based on a carbon 4.2.0 kernel (UES 1.0.1) and you can install the required features from the latest p2 feature repository here. It includes UES 1.0.1 feature which is based on Carbon 4.2.0 kernel. You might want to wait till DSS 3.1.1 is officially released (due to be released in about a week) which has some important bug fixes and improved stability.
To get features of both products, it would be easier to install UES features on top of a DSS product or vice versa, rather than installing both feature sets on a bare bones carbon server, since you may have to additionally install some kernel patches, configuration files, which are not installed during a feature installation.
HTH,