WSO2 ESB rewrites WSO2 Registry values on startup - wso2

I have the current installations of WSO2 ESB and WSO2 Registry (both 4.5.0).
Registry sharing is set up exactly by the step-by-step instructions.
Then the use case is the following:
1) Add a zip containing WSDL/Schemas to the Governance Registry. After adding them I can see in the registry browser:
_system/governance/trunk
    /endpoints
    /schemas
    /services
    /wsdls
with all WSDLs/Schemas/Endpoints/Services relevant to the just added WSDL package.
2) Start WSO2 ESB with the following registry configuration:
<dbConfig name="wso2registry_mounted">
    <dataSource>jdbc/WSO2CarbonDB_GREG</dataSource>
</dbConfig>
<remoteInstance url="https://localhost:9445/registry">
    <id>wso2_registry_mounted</id>
    <dbConfig>wso2registry_mounted</dbConfig>
    <readOnly>false</readOnly>
    <enableCache>true</enableCache>
    <registryRoot>/</registryRoot>
</remoteInstance>
<mount overwrite="true" path="/_system/config">
    <instanceId>wso2_registry_mounted</instanceId>
    <targetPath>/_system/nodes</targetPath>
</mount>
<mount overwrite="true" path="/_system/governance">
    <instanceId>wso2_registry_mounted</instanceId>
    <targetPath>/_system/governance</targetPath>
</mount>
3) Check the registry browser both on ESB and Governance Registry. At least the schemas folder content is gone, overwritten by ESB.
Could anyone advise on how I can force ESB not to overwrite the initial Registry entries? Marking the mounted registry as readOnly=true doesn't help.
Thanks,
Vladimir.

Please use <mount overwrite="false" ...> so that the content is not overwritten.
Refer to this document for more details.
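A small lint for a registry.xml mount configuration, added here as an example (it is not WSO2 code). It flags the three things the question and answer above turn on: a `<mount overwrite="true">`, which lets the mounting node replace whatever the shared registry already holds at the mounted path; a `remoteInstance` url that is not a well-formed https URL; and a mount or remote instance that references an id or dbConfig that does not exist. The sample config is constructed after the question's snippet and assumes the elements sit directly under a `<wso2registry>` root.

```python
"""Lint a WSO2 registry.xml mount configuration (added example, not WSO2 code)."""
from typing import List
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed sample modelled on the question's ESB registry.xml.  The missing "//"
# in the url is kept on purpose so the lint has something to catch.
SAMPLE_REGISTRY_XML = """<wso2registry>
  <dbConfig name="wso2registry_mounted">
    <dataSource>jdbc/WSO2CarbonDB_GREG</dataSource>
  </dbConfig>
  <remoteInstance url="https:localhost:9445/registry">
    <id>wso2_registry_mounted</id>
    <dbConfig>wso2registry_mounted</dbConfig>
    <readOnly>false</readOnly>
    <enableCache>true</enableCache>
    <registryRoot>/</registryRoot>
  </remoteInstance>
  <mount overwrite="true" path="/_system/config">
    <instanceId>wso2_registry_mounted</instanceId>
    <targetPath>/_system/nodes</targetPath>
  </mount>
  <mount overwrite="true" path="/_system/governance">
    <instanceId>wso2_registry_mounted</instanceId>
    <targetPath>/_system/governance</targetPath>
  </mount>
</wso2registry>
"""


def lint_registry_xml(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the mount config is clean."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    db_configs = {db.get("name") for db in root.findall("dbConfig")}
    instance_ids = set()

    for inst in root.findall("remoteInstance"):
        inst_id = (inst.findtext("id") or "").strip()
        instance_ids.add(inst_id)
        url = inst.get("url", "")
        parsed = urlparse(url)
        # "https:localhost:9445/registry" parses with an empty netloc: the "//" is missing.
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"remoteInstance {inst_id!r}: url {url!r} is not a well-formed https URL")
        db_ref = (inst.findtext("dbConfig") or "").strip()
        if db_ref not in db_configs:
            findings.append(f"remoteInstance {inst_id!r}: dbConfig {db_ref!r} is not defined")

    for mount in root.findall("mount"):
        path = mount.get("path", "?")
        inst_ref = (mount.findtext("instanceId") or "").strip()
        if inst_ref not in instance_ids:
            findings.append(f"mount {path}: instanceId {inst_ref!r} has no remoteInstance")
        if mount.get("overwrite", "false").lower() == "true":
            target = (mount.findtext("targetPath") or "").strip()
            findings.append(
                f'mount {path}: overwrite="true" lets this node replace existing content at {target}'
            )
    return findings


def set_overwrite_false(xml_text: str) -> str:
    """Return the configuration with overwrite="false" on every <mount>, as the answer suggests."""
    root = ET.fromstring(xml_text)
    for mount in root.findall("mount"):
        mount.set("overwrite", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in lint_registry_xml(SAMPLE_REGISTRY_XML):
        print("-", finding)
    print("after fix:", lint_registry_xml(set_overwrite_false(SAMPLE_REGISTRY_XML)))
```

Run it against each node's registry.xml before starting a node that mounts a shared registry; the overwrite finding is the one that explains the vanished schemas folder, and the URL finding catches the scheme typo that is easy to miss by eye.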

Related

WSO2 EI 6.6.0 synapse ciphertool

Is there a way to create a new JKS only for the synapse secure vault (ciphertool)?
I configured ciphertool as in this manual https://docs.wso2.com/display/EI660/Working+with+Passwords+in+the+ESB+profile or this https://www.chakray.com/wso2-esb-tutorial-how-to-programmatically-manage-secure-vault-passwords/
I didn't find how to set up another keystore for encryption only.
Thanks
Yes, when encrypting/decrypting passwords the server uses the following keystore configuration block in carbon.xml:
<InternalKeyStore>
    <Location>${carbon.home}/repository/resources/security/internal.jks</Location>
    <Type>JKS</Type>
    <Password>wso2carbon</Password>
    <KeyAlias>wso2carbon</KeyAlias>
    <KeyPassword>wso2carbon</KeyPassword>
</InternalKeyStore>
So you can create a new keystore and change the configuration here, and then change the cipher tool's keystore configuration in secret-conf.properties to point to the newly created keystore. You can read more here.
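Added example (not WSO2 code): a check that the two places the answer names agree after the keystore swap. It parses the InternalKeyStore block of a constructed carbon.xml and a constructed secret-conf.properties, resolves both keystore paths against carbon.home, and reports any mismatch in location, type or alias, plus any password still left at the shipped default. The property names keystore.identity.location, .type and .alias are assumed from the secret-conf.properties layout of WSO2 secure vault; confirm them against your product version.

```python
"""Cross-check carbon.xml InternalKeyStore against secret-conf.properties (added example)."""
import os
from typing import Dict, List
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASSWORD = "wso2carbon"  # shipped default; should not survive into production

# Constructed carbon.xml fragment, already switched to a dedicated vault keystore.
CARBON_XML = """<Server>
  <Security>
    <InternalKeyStore>
      <Location>${carbon.home}/repository/resources/security/vault.jks</Location>
      <Type>JKS</Type>
      <Password>CHANGED-placeholder</Password>
      <KeyAlias>vault</KeyAlias>
      <KeyPassword>CHANGED-placeholder</KeyPassword>
    </InternalKeyStore>
  </Security>
</Server>
"""

# Constructed secret-conf.properties that was NOT updated after the swap
# (property names assumed from the WSO2 secure vault layout).
SECRET_CONF_STALE = """keystore.identity.location=repository/resources/security/internal.jks
keystore.identity.type=JKS
keystore.identity.alias=wso2carbon
"""

# The same file after pointing it at the new keystore.
SECRET_CONF_UPDATED = """keystore.identity.location=repository/resources/security/vault.jks
keystore.identity.type=JKS
keystore.identity.alias=vault
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#' comments, whitespace stripped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def internal_keystore(carbon_xml: str) -> Dict[str, str]:
    """Return the children of <InternalKeyStore> as a tag -> text dict."""
    node = ET.fromstring(carbon_xml).find(".//InternalKeyStore")
    if node is None:
        raise ValueError("carbon.xml has no InternalKeyStore block")
    return {child.tag: (child.text or "").strip() for child in node}


def _resolve(path: str, carbon_home: str) -> str:
    """Expand ${carbon.home} and make relative paths absolute so both files compare alike."""
    path = path.replace("${carbon.home}", carbon_home)
    if not os.path.isabs(path):
        path = os.path.join(carbon_home, path)
    return os.path.normpath(path)


def check_vault_alignment(carbon_xml: str, secret_conf: str, carbon_home: str = "/opt/wso2") -> List[str]:
    """Findings where carbon.xml's InternalKeyStore and secret-conf.properties disagree."""
    ks = internal_keystore(carbon_xml)
    props = parse_properties(secret_conf)
    findings: List[str] = []

    ks_location = _resolve(ks.get("Location", ""), carbon_home)
    conf_location = _resolve(props.get("keystore.identity.location", ""), carbon_home)
    if ks_location != conf_location:
        findings.append(f"keystore location differs: carbon.xml={ks_location} secret-conf={conf_location}")
    if ks.get("Type") != props.get("keystore.identity.type"):
        findings.append("keystore type differs between carbon.xml and secret-conf.properties")
    if ks.get("KeyAlias") != props.get("keystore.identity.alias"):
        findings.append(
            f"key alias differs: carbon.xml={ks.get('KeyAlias')} "
            f"secret-conf={props.get('keystore.identity.alias')}"
        )
    for field in ("Password", "KeyPassword"):
        if ks.get(field) == DEFAULT_KEYSTORE_PASSWORD:
            findings.append(f"{field} in carbon.xml is still the shipped default")
    return findings


if __name__ == "__main__":
    print("stale  :", check_vault_alignment(CARBON_XML, SECRET_CONF_STALE))
    print("updated:", check_vault_alignment(CARBON_XML, SECRET_CONF_UPDATED))
```

The stale file produces a location and an alias mismatch, which is exactly the state that makes the cipher tool encrypt with one key while the server tries to decrypt with another; the updated file produces no findings.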

WSO2IS 5.3.0 XSS Protection

In WSO2 Identity Server 5.3.0 in carbon.xml there is still the XSS prevention config which was introduced with 5.0.0 SP1. It is described in the documentation as well.
<XSSPreventionConfig>
    <Enabled>true</Enabled>
    <Rule>allow</Rule>
    <Patterns>
        <!--Pattern></Pattern-->
    </Patterns>
</XSSPreventionConfig>
The configuration is read by the Tomcat XSSValve. But in the default WSO2IS installation package the Tomcat valve configuration is missing, which basically leaves the XSSPreventionConfig useless.
Is the configuration still needed? Can I remove the configuration from carbon.xml, or do I need to configure XSSValve in Tomcat?

WSO2 Registry XML Configuration for remote instance

For a JDBC-based configuration, is the URL useful? According to Remote Instance and Mount Configuration Details, the URL of the remote instance can be deduced as follows:
Let the URL of the destination server be https://localhost:9443/services. Then the URL of the remote instance will be https://localhost:9443/registry. Let the URL of the destination server be https://10.20.30.40:9445/webcontext/services. Then the URL of the remote instance will be https://10.20.30.40:9445/webcontext/registry.
But in the APIM 2.0 deployment, the publisher's configuration is as below:
<remoteInstance url="https://publisher.apim-wso2.com">
    <id>gov</id>
    <cacheId>user#jdbc:mysql://regdb.mysql-wso2.com:3306/regdb</cacheId>
    <dbConfig>govregistry</dbConfig>
    <readOnly>false</readOnly>
    <enableCache>true</enableCache>
    <registryRoot>/</registryRoot>
</remoteInstance>
Modify the /etc/hosts entries to map the relevant IP addresses to the remoteInstance URLs.
127.0.0.1 publisher.apim-wso2.com
Why does it use "https://publisher.apim-wso2.com", but not "https://localhost:9445"?
BTW, is cacheId useful in a JDBC-based configuration? If yes, what is the cacheId naming rule? The JDBC URL?
The remoteInstance url is not used in the JDBC case.
cacheId is required. See this: WSO2 API Manager - Setting 'CacheId' when clustering with SQL Server.

How to download or know the URL of WSO2 Identity Server's SAML metadata?

What would be the URL for the newly set up SAML SSO's metadata URL, or how could I download this in XML format from WSO2 Identity Server (version 4.6.0) acting as IdP?
Thanks,
Tamas
WSO2 Identity Server now hosts the IDPSSODescriptor metadata file at this URL:
https://localhost:9443/identity/metadata/saml2
This feature is available from Identity Server version 5.3 onward.
AFAIK there is no option to auto-generate metadata files for IS. You have to manually write the metadata file. An example is as follows, taken from this blog post.
<md:EntityDescriptor entityID="https://localhost:9443/samlsso" validUntil="2023-09-23T06:57:15.396Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>
Yes, Identity Server does not support generating IdP information as a metadata file. You may need to create it manually, but I guess it will be available in a future release; there is an open public JIRA for this. You can find a generated SAML2 metadata file here. However, you may need to adapt it to your configuration: if you have changed your keystore, you need to change the X509 certificate data, and also the URLs of the samlsso endpoint. By default the SAML SSO endpoint is located at https://localhost:9443/samlsso. In your service provider config, you need to configure this URL as the IdP URL (both login and logout). You must provide the wso2carbon certificate to the service provider for validating the signature.
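Added example (not Identity Server code) of what a service provider does with a hand-written IdP metadata file like the one above: pull out the samlsso endpoints per binding, compute the SHA-256 fingerprint of the signing certificate so it can be compared against the wso2carbon (or replacement) certificate in the keystore, and check validUntil so a stale file is noticed before signature validation starts failing. The metadata below is a constructed sample shaped like the one quoted; its certificate is a placeholder blob, not a real X.509 certificate, so only the fingerprint plumbing is exercised.

```python
"""Service-provider side consumption of WSO2 IdP SAML metadata (added example)."""
import base64
import hashlib
from datetime import datetime, timezone
from typing import Dict, Optional
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Placeholder, not a real certificate: enough to exercise the base64/fingerprint path.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode()

# Constructed sample shaped like the metadata quoted in the answer above.
SAMPLE_METADATA = f"""<md:EntityDescriptor entityID="https://localhost:9443/samlsso"
    validUntil="2023-09-23T06:57:15.396Z"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso" ResponseLocation="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9443/samlsso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_saml_instant(value: str) -> datetime:
    """Parse a SAML dateTime (UTC 'Z' suffix, optional fraction) into an aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML instant: {value!r}")


def cert_fingerprint_sha256(cert_b64: str) -> str:
    """Colon-separated SHA-256 over the DER bytes, the form keytool and browsers display."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Extract entityID, validUntil, SSO/SLO endpoints by binding and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Only use="signing" keys are what the SP validates response signatures against.
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    )
    valid_until = root.get("validUntil")
    return {
        "entity_id": root.get("entityID"),
        "valid_until": parse_saml_instant(valid_until) if valid_until else None,
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "signing_cert_sha256": [cert_fingerprint_sha256(c.text or "") for c in certs],
    }


def metadata_is_current(info: Dict[str, object], now: Optional[datetime] = None) -> bool:
    """False once validUntil has passed; metadata without validUntil never expires."""
    valid_until = info["valid_until"]
    if valid_until is None:
        return True
    return (now or datetime.now(timezone.utc)) <= valid_until


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["sso"], info["slo"], info["signing_cert_sha256"], metadata_is_current(info))
```

In practice the fingerprint is what you compare with `keytool -list -v` output for the alias the IdP signs with; if the keystore was replaced and the metadata was not regenerated by hand, the two fingerprints differ and every SAML response fails signature validation.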

Why does WSO2 API Manager tryit feature fail?

I have a configuration as follows:
1 server with separate Publisher (port 9446) and Store (port 9447). Both are configured with a shared gov/config registry (note that the publisher's is the same except for localhost:9446/registry as the remote instance url):
<dbConfig name="govregistry">
    <dataSource>jdbc/WSO2SHAREDCONREG_DB</dataSource>
</dbConfig>
<remoteInstance url="https://localhost:9447/registry">
    <id>gov</id>
    <dbConfig>govregistry</dbConfig>
    <readOnly>false</readOnly>
    <enableCache>true</enableCache>
    <registryRoot>/</registryRoot>
</remoteInstance>
<mount path="/_system/governance" overwrite="true">
    <instanceId>gov</instanceId>
    <targetPath>/_system/governance</targetPath>
</mount>
<mount path="/_system/config" overwrite="true">
    <instanceId>gov</instanceId>
    <targetPath>/_system/nodes</targetPath>
</mount>
I have a Gateway and Key Manager on a different server. These are both deployed to different directories, and the WSO2 documentation did not say to do anything additional for the registry.xml file, so they look like:
<currentDBConfig>wso2registry</currentDBConfig>
<dbConfig name="wso2registry">
    <dataSource>jdbc/WSO2CarbonDB</dataSource>
</dbConfig>
When the API is published and I then attempt to use the 'try it' functionality, I get the following error (regardless of whether the API is set to require a token or not)...
This error is on the gateway server:
[2014-01-23 21:54:31,111] ERROR - APIAuthenticationHandler API authentication failure
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Access failure for API: /newphoneverify, version: 1.0.0 with key: null
Do I need to do something additional like setting up governance and config registry sharing on the keymanager and gateway as well?
This happens if the OPTIONS verb of the API is not enabled with 'None' auth type. Check [1].
[1]https://wso2.org/jira/browse/APIMANAGER-1819
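Added example, a simplified model rather than the API Manager gateway's own code, of why the answer above works. The 'try it' page runs in a browser, so a cross-origin call is preceded by a CORS preflight: an OPTIONS request that carries no Authorization header. If the API's OPTIONS resource requires an Application token, the gateway rejects the preflight with an access failure for key null and the browser never sends the real GET, while curl or Postman (no preflight) succeed. Declaring OPTIONS with auth type None lets the preflight through and GET still requires a token. The API path, token values and resource table are constructed.

```python
"""Model of the API Manager 'try it' failure with a token-protected OPTIONS resource (added example)."""
from typing import Dict, Optional, Set, Tuple

AUTH_NONE = "None"
AUTH_APPLICATION = "Application"
Resources = Dict[Tuple[str, str], str]  # (verb, path) -> auth type
Decision = Tuple[int, str]              # (http status, reason)


class GatewayModel:
    """Only the authentication decision of a gateway handler, nothing about routing."""

    def __init__(self, resources: Resources, valid_tokens: Set[str]):
        self.resources = resources
        self.valid_tokens = valid_tokens

    def authenticate(self, verb: str, path: str, headers: Dict[str, str]) -> Decision:
        auth_type = self.resources.get((verb.upper(), path))
        if auth_type is None:
            return 404, f"no resource for {verb} {path}"
        if auth_type == AUTH_NONE:
            return 200, "resource is unauthenticated"
        auth_header = headers.get("Authorization", "")
        token = auth_header[len("Bearer "):] if auth_header.startswith("Bearer ") else None
        if token is None or token not in self.valid_tokens:
            # Mirrors the shape of the error quoted in the question.
            return 401, f"Access failure for API: {path} with key: {token or 'null'}"
        return 200, "token accepted"


def browser_try_it(gw: GatewayModel, path: str, token: str) -> Dict[str, Optional[Decision]]:
    """A browser: cross-origin call => preflight OPTIONS first, the real GET only if it passed."""
    preflight = gw.authenticate(
        "OPTIONS", path,
        {"Origin": "https://store.example", "Access-Control-Request-Method": "GET"},
    )
    if preflight[0] != 200:
        return {"preflight": preflight, "request": None}
    request = gw.authenticate("GET", path, {"Authorization": f"Bearer {token}"})
    return {"preflight": preflight, "request": request}


def cli_call(gw: GatewayModel, path: str, token: str) -> Decision:
    """curl/Postman: no preflight, the GET goes straight to the gateway."""
    return gw.authenticate("GET", path, {"Authorization": f"Bearer {token}"})


API_PATH = "/newphoneverify/1.0.0"          # constructed, after the question's API name
VALID_TOKENS = {"constructed-valid-token"}  # constructed


def build_gateway(options_auth: str) -> GatewayModel:
    """GET always needs an Application token; the OPTIONS auth type is the variable under test."""
    return GatewayModel(
        {("GET", API_PATH): AUTH_APPLICATION, ("OPTIONS", API_PATH): options_auth},
        VALID_TOKENS,
    )


if __name__ == "__main__":
    print("OPTIONS=Application:", browser_try_it(build_gateway(AUTH_APPLICATION), API_PATH, "constructed-valid-token"))
    print("OPTIONS=None       :", browser_try_it(build_gateway(AUTH_NONE), API_PATH, "constructed-valid-token"))
```

The asymmetry to keep in mind as a defender: opening OPTIONS with auth type None exposes only the preflight, which returns CORS headers and no resource data, while every data-bearing verb keeps its token check.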
I have the same problem:
Swagger UI does not work and returns the same screenshots as above, but if I use Chrome/Postman the API returns the correct value, so it is just the Swagger UI that has problems. I have an Apache in front of the API Manager; the external name of the store is different from the internal name, and Apache proxypasses the request.
I have configured api-manager.xml and the API does not have authorization (all set to none). I really have no idea how to fix it.