Thursday, August 12, 2010

Sign-up for Liferay portal with OpenID provided by WSO2 Identity Server

Here I am going to describe how to configure Liferay portal 4.4.2 so that a user can sign up (register) with an OpenID issued by WSO2 Identity Server.

1. First download WSO2 Identity Server from here (Alpha3 build of the latest version) and extract it into a directory in your file system. Let's call it CARBON_HOME.

2. Then configure the host name (assume we change it to "wso2is"). First configure the following parameters in carbon.xml, which can be found in CARBON_HOME/conf:

 <ServerURL>https://wso2is:${carbon.management.port}${carbon.context}/services/</ServerURL>
 <HostName>wso2is</HostName>

Then configure the following parameters in identity.xml, which is in the same directory:

    <OpenIDServerUrl>https://wso2is:9443/openidserver</OpenIDServerUrl>
    <OpenIDUserPattern>https://wso2is:9443/openid/</OpenIDUserPattern>

If you are running on a local machine, make sure to add the new host name to your hosts file, since Liferay resolves the OpenID URL by host name.

3. Start the Identity Server by running wso2server.sh (on Unix) or wso2server.bat (on Windows) in the CARBON_HOME/bin directory.

The OpenID URL of the default admin user will look like https://wso2is:9443/openid/admin

4. Import the Identity Server's public certificate into the Java cacerts file, which is the trust store Liferay uses (this step is needed if you use the default keystore, wso2carbon.jks, or any other self-signed keystore for the Identity Server).

Liferay uses the Java cacerts file as its trust store, but wso2carbon.jks contains a self-signed certificate. So the certificate must be imported into the cacerts used by Liferay; otherwise Liferay's OpenID discovery over HTTPS fails because the JVM does not trust the certificate. Keep in mind that anything imported into cacerts is trusted by every TLS client in that JVM, so verify the certificate fingerprint before importing it, and consider a dedicated trust store (set with -Djavax.net.ssl.trustStore in Tomcat's JAVA_OPTS) instead of modifying the JDK's cacerts.

First export the certificate from wso2carbon.jks, which can be found in CARBON_HOME/resources/security. The keystore password is wso2carbon; it is passed with -storepass (-keypass only applies to private keys, and the export needs none). Sample keytool command:

> keytool -export -keystore wso2carbon.jks -file carbon.cert -alias localhost -storepass wso2carbon

If the alias differs in your build, list the keystore with keytool -list -keystore wso2carbon.jks to find it.

Then import it into cacerts in JAVA_HOME/jre/lib/security (the default cacerts password is changeit; writing to the JDK directory usually needs root permission):

> keytool -import -keystore cacerts -file carbon.cert -alias carbon -storepass changeit

5. Download Liferay portal 4.4.2 from here and extract it into a directory in your file system. Let's call it LIFERAY_HOME.

6. Set CATALINA_HOME=LIFERAY_HOME/tomcat_dir (the Tomcat directory inside the Liferay bundle).

7. Start Liferay portal by running catalina.sh run (on Unix) or catalina.bat run (on Windows) in the CATALINA_HOME/bin directory.

8. Add Full Name as a default attribute in Identity Server user profiles and fill in the user profile

To perform the registration (sign-up) in Liferay using OpenID, when a user first logs in with an OpenID, Liferay asks the OpenID provider (WSO2 Identity Server) for some information about the user. The provider must be able to supply this information through an OpenID protocol extension; Identity Server implements the Simple Registration Extension (SReg). Here the Full Name and Email attributes are retrieved from the Identity Server, so these two claims must be configured in user profiles.

-- Full Name is not supported by default, so first update the claim mapping. Go to Claim Management -> http://wso2.org/claims claim dialect -> Full Name claim mapping, tick "Supported by Default" and update.




-- Then go to My Profile and fill in the default profile, or add a new one.

9. Now try to sign up by providing your OpenID, https://wso2is:9443/openid/admin

Wednesday, July 28, 2010

WSO2 Identity Server as OpenID Provider


I am going to explain how to use an OpenID issued by WSO2 Identity Server in a real environment. Here I use Liferay portal as the OpenID consumer (relying party) and assume that Liferay portal and the Identity Server are set up on different hosts in a LAN.

1. First download WSO2 Identity Server from here and extract it into a directory in your file system. Let's call it CARBON_HOME.

2. Start the Identity Server by running wso2server.sh (on Unix) or wso2server.bat (on Windows) in the CARBON_HOME/bin directory.

The Identity Server starts with its default configuration. If you examine the OpenID URL of a user (the default admin username is admin) in the Identity Server, it looks like

https://localhost:9443/openid/admin

But this OpenID URL cannot be used from other hosts on your network, because it names localhost. So let's change the host name.

3. Let's assume we want the host name "wso2identity" (an IP address also works). First configure the following parameters in carbon.xml, which can be found in CARBON_HOME/conf:

 <ServerURL>https://wso2identity:${carbon.management.port}${carbon.context}/services/</ServerURL>
 <HostName>wso2identity</HostName>

Then configure the following parameters in identity.xml, which is in the same directory:

    <OpenIDServerUrl>https://wso2identity:9443/openidserver</OpenIDServerUrl>
    <OpenIDUserPattern>https://wso2identity:9443/openid/</OpenIDUserPattern>

4. Restart the Identity Server. Now the OpenID URL is

https://wso2identity:9443/openid/admin

5. Download the latest version of Liferay portal from here and extract it into a directory in your file system. Let's call it LIFERAY_HOME.

6. Set CATALINA_HOME=LIFERAY_HOME/tomcat_dir (the Tomcat directory inside the Liferay bundle).

7. Start Liferay portal by running catalina.sh run (on Unix) or catalina.bat run (on Windows) in the CATALINA_HOME/bin directory.

8. Create a user account in Liferay and configure an OpenID that is issued by the Identity Server (https://wso2identity:9443/openid/admin).



9. Now try to sign in by providing your OpenID.


10. You will probably get an error message at this point, because there is one more configuration step if the Identity Server uses the default keystore, wso2carbon.jks.

Liferay uses the Java cacerts file as its trust store, but wso2carbon.jks contains a self-signed certificate, so the HTTPS connection Liferay makes to the OpenID provider during discovery is rejected. The certificate must be imported into the cacerts used by Liferay; then Liferay can trust the OpenID endpoint served by the Identity Server.

11. Import the Identity Server's public certificate into cacerts

First export the certificate from wso2carbon.jks, which can be found in CARBON_HOME/resources/security (keystore password wso2carbon, passed with -storepass; check the alias with keytool -list if it differs in your build). Sample keytool command:

> keytool -export -keystore wso2carbon.jks -file carbon.cert -alias localhost -storepass wso2carbon

Then import it into cacerts in JAVA_HOME/jre/lib/security (default password changeit; writing to the JDK directory usually needs root permission). Because cacerts is trusted by every TLS client in that JVM, compare the certificate fingerprint with the one shown on the Identity Server host before importing:

> keytool -import -keystore cacerts -file carbon.cert -alias carbon -storepass changeit
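The export-and-import step above (and the identical step 4 of the Liferay sign-up post) can be scripted so that the certificate is only added to the trust store when its fingerprint matches one obtained out of band. The following shell functions are an added example, not code from the original post or from WSO2. They assume the keystore password wso2carbon, the cacerts password changeit and the key alias used on this page (localhost; run keytool -list to confirm it for your build), and they require keytool on the PATH.

```sh
#!/bin/sh
# Added example (not from the original post): export the Identity Server's
# self-signed certificate, print its fingerprint, and import it into the JVM
# trust store only when the fingerprint matches the expected value.
# Assumptions (not stated on the page): alias localhost, keystore password
# wso2carbon, cacerts password changeit; keytool is available on the PATH.

# export_cert KEYSTORE ALIAS STOREPASS OUTFILE
# Writes the certificate for ALIAS (PEM encoded) to OUTFILE.
# Returns 2 if KEYSTORE does not exist.
export_cert() {
    ks=$1; alias=$2; storepass=$3; out=$4
    [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; return 2; }
    keytool -exportcert -rfc -keystore "$ks" -storepass "$storepass" \
        -alias "$alias" -file "$out"
}

# cert_fingerprint CERTFILE
# Prints the SHA-1 fingerprint that keytool reports for CERTFILE.
cert_fingerprint() {
    keytool -printcert -file "$1" | awk -F': ' '/SHA1:/ {print $2}'
}

# import_trusted_cert CERTFILE TRUSTSTORE STOREPASS ALIAS EXPECTED_FP
# Imports CERTFILE into TRUSTSTORE only if its fingerprint equals EXPECTED_FP,
# which you record on the Identity Server host with cert_fingerprint.
# Returns 2 if CERTFILE is missing, 3 on fingerprint mismatch.
import_trusted_cert() {
    cert=$1; ts=$2; storepass=$3; alias=$4; expected=$5
    [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 2; }
    actual=$(cert_fingerprint "$cert")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: expected $expected, got $actual" >&2
        return 3
    fi
    # -noprompt is safe here because the fingerprint was just verified
    keytool -importcert -noprompt -keystore "$ts" -storepass "$storepass" \
        -alias "$alias" -file "$cert"
}

# Typical run (paths are assumptions; the cacerts import needs write access
# to the JDK directory, so run that step as root or use a dedicated trust store):
#   export_cert "$CARBON_HOME/resources/security/wso2carbon.jks" localhost wso2carbon carbon.cert
#   cert_fingerprint carbon.cert          # record this value on the Identity Server host
#   import_trusted_cert carbon.cert "$JAVA_HOME/jre/lib/security/cacerts" changeit carbon "<fingerprint>"
```

Copy carbon.cert to the Liferay host and run import_trusted_cert there with the fingerprint you noted on the Identity Server host; a mismatch means the file was altered in transit and nothing is imported.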

12. Then restart Liferay portal. Now you can sign in to Liferay portal using the Identity Server's OpenID!


Sunday, July 25, 2010

Apache Directory Studio as Your LDAP User Store


1. You can download Apache Directory Studio from here

2. Then extract it into a directory in your file system

3. Start Apache Directory Studio by running the executable called ApacheDirectoryStudio

Let's create an LDAP server.

4. If you cannot see the ApacheDS Servers window, open it first:

Window -> Show View -> Other -> Select ApacheDS Server


Now you can see the server management window.

5. Then let's create a new server. Click the New Server icon (Ctrl+E); you only need to enter a name for the server, and it is created with the default configuration.


By double-clicking you can view the configuration file (server.xml) of the created server and change it as you wish. Here I continue with the default configuration.



6. Now click the Run icon (Ctrl+R) and your server starts.

Now let's create a connection to the running LDAP server so we can browse it (connections can be made to almost any LDAP server the same way).

7. LDAP -> New Connection. The New LDAP Connection wizard is displayed.



8. Configure the network parameters

Connection Name - any name you like
Host Name - the host your LDAP server is running on. Here the LDAP server is on the same machine, so localhost
Port - the port the LDAP server listens on. Here 10389, the ApacheDS default, or whatever port is configured in server.xml
Encryption Method - if you want to secure the connection to the LDAP server, use SSL (ldaps) or StartTLS, and make sure the port matches (ldaps listens on a different port from plain ldap; 10636 by default in ApacheDS). Without encryption the bind password below travels in clear text, which is acceptable only while everything stays on localhost.


9. Configure the authentication parameters

Authentication Method - you can select simple authentication, an advanced (SASL) method, or no authentication, according to what you have configured in server.xml. Here we must use simple authentication.
Bind DN or User - uid=admin,ou=system
Bind Password - secret



When a new LDAP server is created, the admin user is created by default with the DN and password above. This default password is well known, so change it before the server is reachable from anything other than localhost. If the LDAP server already contains users, you can bind with any DN you want. Leave the Browser and Edit options at their defaults and finish the wizard.

10. Now open your connection by clicking the Open Connection icon in the Connections view.


11. Then double-click your connection to open the LDAP Browser, which displays the tree of your LDAP server.

Now you are able to create, delete and modify entries in the LDAP server!

Thursday, July 1, 2010

SSL profiles in WSO2 ESB


"SSL profiles" is a new feature introduced in WSO2 ESB 3.0.0. Using SSL profiles, WSO2 ESB can be configured to communicate with SSL and mutual SSL enabled target servers, each with its own trust and identity material. Let's see how to configure it.


1. First download WSO2 ESB 3.0.0 from here and extract it into a directory in your file system. Let's call it ESB_HOME.

2. Then define the appropriate SSL profiles under the HTTPS transport sender configuration in the axis2.xml file, which can be found in ESB_HOME/repository/conf.

The following is the example configuration I am going to use. Here localhost:9444 is used for SSL communication and localhost:9445 for mutual SSL. As you can see, a profile consists of a trust store and, for mutual SSL, a keystore-truststore pair. A single profile can be associated with one or more target servers, so you can list several target servers under one profile; a target server is identified by its host name and port number. Once an SSL profile is defined and associated with a target server, WSO2 ESB validates that server's certificate against the profile's trust store, and for mutual SSL it additionally presents the key from the profile's keystore when the server requests a client certificate.

In this example configuration, localhost:9444 is WSO2 WSAS and localhost:9445 is WSO2 BPS. Note that the trust store must contain the target server's certificate (or the CA certificate that issued it) for SSL communication, and for mutual SSL the target server must in turn trust the certificate belonging to the key in the ESB's keystore. The passwords in this file are stored in clear text, so restrict read access to axis2.xml.


<parameter name="customSSLProfiles">

    <profile>
        <servers>www.test.org:80, localhost:9444</servers>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>

    <profile>
        <servers>localhost:9445</servers>
        <KeyStore>
            <Location>/path/to/identity/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
            <KeyPassword>password</KeyPassword>
        </KeyStore>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>

</parameter>


3. Start the WSO2 ESB server by running wso2server.sh (on Unix) or wso2server.bat (on Windows) in the ESB_HOME/bin directory.
Once the server starts, point your web browser to https://localhost:9443/carbon/. If you have configured the SSL profiles successfully, you will see the following INFO logs during startup (one trust store load per profile, plus the identity keystore for the mutual SSL profile):

[2010-07-01 15:22:26,300]  INFO - HttpCoreNIOSSLSender Loading Trust Keystore from : path/to/trust/store
[2010-07-01 15:22:26,306]  INFO - HttpCoreNIOSSLSender Loading Identity Keystore from : /path/to/identity/store
[2010-07-01 15:22:26,310]  INFO - HttpCoreNIOSSLSender Loading Trust Keystore from : path/to/trust/store
[2010-07-01 15:22:26,322]  INFO - HttpCoreNIOSSLSender Custom SSL profiles initialized for 3 servers


4. Let's create simple proxy services whose endpoints are hosted on localhost:9444 and localhost:9445.

I created the following two proxies. The names follow the mapping above: WSASProxy fronts the WSAS service on 9444 (plain SSL profile) and BPSProxy fronts the BPS service on 9445 (mutual SSL profile). No SSL settings appear in the proxies themselves; the ESB picks the profile purely by the host:port of the endpoint address.

<syn:proxy name="WSASProxy" transports="https http" startOnLoad="true" trace="disable">
    <syn:target>
        <syn:inSequence>
            <syn:send>
                <syn:endpoint>
                    <syn:address uri="https://localhost:9444/services/TestE4XService"/>
                </syn:endpoint>
            </syn:send>
        </syn:inSequence>
        <syn:outSequence>
            <syn:send/>
        </syn:outSequence>
    </syn:target>
</syn:proxy>

<syn:proxy name="BPSProxy" transports="https http" startOnLoad="true" trace="disable">
    <syn:target>
        <syn:inSequence>
            <syn:send>
                <syn:endpoint>
                    <syn:address uri="https://localhost:9445/services/HelloService"/>
                </syn:endpoint>
            </syn:send>
        </syn:inSequence>
        <syn:outSequence>
            <syn:send/>
        </syn:outSequence>
    </syn:target>
</syn:proxy>

5. Now send request messages to the two proxy services. You will see the ESB communicate successfully with the SSL and mutual SSL enabled target servers using the SSL profiles.

Thursday, May 27, 2010

Enabling JMS Transport in WSO2 BPS

As I highlighted in my previous blog post, WSO2 BPS is a powerful open source BPEL engine. Here I am going to enable the JMS transport in WSO2 BPS. You can use any JMS provider you prefer; I use Apache ActiveMQ 5.2.0 for this example.


1. Download WSO2 BPS (version 1.1.1) from here and extract it into a directory in your file system. Let's call it BPS_HOME.

2. Start the ActiveMQ message broker. Go to (ActiveMQ_Install_directory)/bin and run activemq.sh (or activemq.bat on Windows).

3. Copy the ActiveMQ client libraries to the BPS_HOME/repository/components/lib directory:

activemq-core-5.2.0.jar and geronimo-j2ee-management_1.0_spec-1.0.jar

4. Enable the JMS transport in WSO2 BPS. Uncomment the following in axis2.xml (BPS_HOME/conf directory). Here I have configured it for an ActiveMQ environment; if your broker requires authentication, add transport.jms.UserName and transport.jms.Password parameters to each connection factory instead of allowing anonymous access.

For the receiver (the connection factory parameters are children of the jms transportReceiver element):

<transportReceiver name="jms" class="org.apache.axis2.transport.jms.JMSListener">
    <parameter name="myTopicConnectionFactory">
        <parameter name="java.naming.factory.initial">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
        <parameter name="java.naming.provider.url">tcp://localhost:61616</parameter>
        <parameter name="transport.jms.ConnectionFactoryJNDIName">TopicConnectionFactory</parameter>
    </parameter>

    <parameter name="myQueueConnectionFactory">
        <parameter name="java.naming.factory.initial">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
        <parameter name="java.naming.provider.url">tcp://localhost:61616</parameter>
        <parameter name="transport.jms.ConnectionFactoryJNDIName">QueueConnectionFactory</parameter>
    </parameter>

    <parameter name="default">
        <parameter name="java.naming.factory.initial">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
        <parameter name="java.naming.provider.url">tcp://localhost:61616</parameter>
        <parameter name="transport.jms.ConnectionFactoryJNDIName">QueueConnectionFactory</parameter>
    </parameter>
</transportReceiver>

For the sender:

<transportSender name="jms" class="org.apache.axis2.transport.jms.JMSSender"/>

5. Start the BPS server by running wso2server.sh (on Unix) or wso2server.bat (on Windows).
If you have configured it correctly, you will see the following logs during startup:

[2010-05-27 22:19:55,019]  INFO -  JMS ConnectionFactory : default initialized
[2010-05-27 22:19:55,021]  INFO -  JMS ConnectionFactory : myTopicConnectionFactory initialized
[2010-05-27 22:19:55,022]  INFO -  JMS ConnectionFactory : myQueueConnectionFactory initialized
[2010-05-27 22:19:55,022]  INFO -  JMS Transport Receiver/Listener initialized...

A JMS endpoint has now been added to the BPEL service (see its WSDL as well).


Note:

Step 4 can also be done through the UI, which enables JMS and configures it for you.




But there are some issues when disabling JMS from the UI, so I recommend using axis2.xml to configure JMS in WSO2 BPS version 1.1.1. This will be fixed in the next WSO2 BPS release.

Thursday, May 13, 2010

WSO2 BPS in Cluster


Clustering is a major requirement for web servers in a production environment, because these servers have to fulfill two basic needs: high availability and scalability.

WSO2 Carbon based products come with clustering functionality (please refer to this article for more information on WSO2 Carbon clustering). Here I am going to show how to configure WSO2 BPS in a clustered environment.
 

1. You can download WSO2BPS (version 1.1.1) from here.

2. All nodes in a BPS cluster share the same persistence storage (BPS datasource) and the same registry, so each node must be connected to an external datasource and an external registry. This post describes the configuration of an external BPS datasource. Use the same configuration for all nodes, but don't forget to use a different provider port for each node if you are starting all nodes on the same machine (same URL).

3. Then registry.xml and user-mgt.xml (both in the WSO2BPS/conf directory) must be configured to use one central registry. Use the same configuration for all nodes. The credentials below are sample values; both files store the password in clear text, so restrict their file permissions and give the registry account only the privileges it needs on the registry database.

Sample configuration of registry.xml for Mysql database

        <dbConfig name="wso2registry">
            <url>jdbc:mysql://10.100.1.1:3306/regdb</url>
            <userName>regadmin</userName>
            <password>regadmin</password>
            <driverName>com.mysql.jdbc.Driver</driverName>
            <maxActive>80</maxActive>
            <maxWait>6000</maxWait>
            <minIdle>5</minIdle>
       </dbConfig>

Sample configuration of user-mgt.xml

 <Database>
         <URL>jdbc:mysql://10.100.1.1:3306/regdb</URL>
         <UserName>regadmin</UserName>
         <Password>regadmin</Password>
         <Dialect>mysql</Dialect>
         <Driver>com.mysql.jdbc.Driver</Driver>
          <maxActive>30</maxActive>
          <maxWait>60000</maxWait>
          <minIdle>5</minIdle>
    </Database>


4. Then one BPS node must be started as the group management node. You can do this by configuring the following basic parameters in axis2.xml (WSO2BPS/conf directory):

<!-- Enable clustering for this node -->
<clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true">

    <!-- Clustering domain/group -->
    <parameter name="domain">bps</parameter>

    <!-- Enable group management -->
    <groupManagement enable="true">
        <applicationDomain name="bps" description="BPS group"
                           agent="org.apache.axis2.clustering.management.DefaultGroupManagementAgent"/>
    </groupManagement>

    <!-- other clustering parameters unchanged -->
</clustering>

5. The other BPS nodes should also be started with clustering enabled (node management can be enabled or disabled, but it has no effect for BPS, so I did not use it):

<!-- Enable clustering for this node -->
<clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true">

    <!-- Clustering domain/group: must match the group management node -->
    <parameter name="domain">bps</parameter>

    <!-- other clustering parameters unchanged -->
</clustering>


6. Start every BPS node by running wso2server.sh (on Unix) or wso2server.bat (on Windows) in the WSO2BPS/bin directory. Don't forget to use different HTTP and HTTPS ports for each node if you are starting all nodes on the same machine (same URL). The port configuration can be found in transport.xml and axis2.xml.

By looking at the DEBUG and INFO messages you can follow what is happening (member joins, group management, state replication).

But WSO2 BPS (version 1.1.1) has some limitations in a clustered setup (retiring a BPEL process is not propagated to the other nodes, and managing BPEL packages and processes should be disabled on member nodes), which will be resolved in the next BPS release.

Sunday, February 7, 2010

How to create a Password Callback class

Most web services are secured using various WS-Security mechanisms, so we need to implement clients that support WS-Security in order to invoke them.

If you use Rampart or WSS4J for WS-Security processing on the client side, you may need to create a password callback class for the following:

1) Get the password used to build the UsernameToken

2) Get the private key password for signature or decryption


It is very easy to write a password callback. The following Java code is a simple password callback class (the passwords are hardcoded only to keep the sample short; in a real deployment read them from a protected configuration source rather than compiling them into the class):

package org.wso2.samples.pwcb;

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback handler for Rampart/WSS4J. WSS4J calls handle() with one
 * WSPasswordCallback per password it needs; the handler fills in the password
 * for the requested identifier (user name or key alias) and usage.
 */
public class PWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

        for (int i = 0; i < callbacks.length; i++) {
            if (!(callbacks[i] instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callbacks[i], "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];
            // WSS4J 1.5.x spells this accessor getIdentifer()
            String id = pwcb.getIdentifer();
            int usage = pwcb.getUsage();

            if (usage == WSPasswordCallback.USERNAME_TOKEN) {
                // Password used to build the UsernameToken for this user
                if ("admin".equals(id)) {
                    pwcb.setPassword("admin");
                }
            } else if (usage == WSPasswordCallback.SIGNATURE || usage == WSPasswordCallback.DECRYPT) {
                // Private key password for signing or decryption, keyed by key alias
                if ("client".equals(id) || "service".equals(id)) {
                    pwcb.setPassword("apache");
                }
            }
        }
    }
}

Let's see how you can use this password callback class with WSO2 products such as ESB and BPS. In ESB, a callback class is needed to invoke a secured back-end service, where the ESB proxy service acts as the client of the back-end service. Likewise, when a BPEL process invokes an external partner service, BPS acts as the client of that external web service.

Therefore we need to package the class in a jar file.

Step 1: Creating the jar file

Note: if you are familiar with Maven, you can find a Maven project for the callback class here.

1. Copy the sample password callback into a text file and save it as PWCBHandler.java

2. Create a directory called "temp" anywhere you like

3. Go into the temp directory and create the directory structure org/wso2/samples/pwcb

4. Copy PWCBHandler.java into the pwcb directory

5. Download wss4j.jar from http://ws.apache.org/wss4j/ and copy it into the temp directory (1.5.8 is used below; use the name of the version you downloaded)

6. From the temp directory, compile PWCBHandler.java with wss4j.jar on the classpath

Ex:-
#javac -classpath wss4j-1.5.8.jar org/wso2/samples/pwcb/PWCBHandler.java

7. Still in the temp directory, create the jar file by issuing

#jar cf PWCBHandler.jar org/wso2/samples/pwcb/*.class

Step 2: Adding the jar file to the classpath

1. Copy the PWCBHandler.jar you created into <CARBON_HOME>/repository/components/lib

2. Restart the server


That's all!

Saturday, January 30, 2010

How to Install PostgreSQL in Ubuntu 9.04

It is very simple to install postgreSQL in Ubuntu. Just run the following command in the command prompt

sudo apt-get install postgresql

This installs the latest packaged PostgreSQL, and you are ready to use it.

But let's do some important configuration (that I did). The PostgreSQL configuration files are stored in the /etc/postgresql/<version>/main directory. In my case I installed PostgreSQL 8.3, so they are in /etc/postgresql/8.3/main

1. Enable TCP/IP connections

By default, connections via TCP/IP are disabled. PostgreSQL supports multiple client authentication methods; by default the ident method is used for the postgres user and local users, as configured in pg_hba.conf.

To enable TCP/IP connections, edit the file /etc/postgresql/8.3/main/postgresql.conf

Locate the line #listen_addresses = 'localhost' and uncomment it.

To allow other computers to connect to your PostgreSQL server, replace 'localhost' with the IP address of your server (or '*' to listen on all interfaces). Note that this only makes the server listen on the network; pg_hba.conf must also contain a host rule for the remote clients (for example with the md5 method, so that the password set in step 2 is used), otherwise their connections are still refused. Limit that rule to the networks that actually need access rather than 0.0.0.0/0.

2. Set a password for the postgres user


Run the following command at a terminal prompt to connect to the default PostgreSQL template database:

 sudo -u postgres psql template1

Then run the following SQL command at the psql prompt to set the password for the user postgres (this password is what remote clients will present once an md5 rule is in pg_hba.conf, so choose a strong one):

ALTER USER postgres with encrypted password 'your_password';

Remember to restart the PostgreSQL service so that the new configuration takes effect. Enter the following to restart:

sudo /etc/init.d/postgresql-8.3 restart
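The two file edits this procedure needs (listen_addresses in postgresql.conf, and the pg_hba.conf host rule that the post's text does not walk through) can be applied with the shell functions below. This is an added example, not part of the original post or of the PostgreSQL packages; it edits whatever file paths you pass in, and the file contents in the comments are constructed for illustration. The configuration directory, the subnet and the database/role names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): open a PostgreSQL server to
# password-authenticated TCP connections from one trusted subnet.
# Assumptions: the paths, the 192.0.2.0/24 subnet and the db/role names are
# illustrative; on Ubuntu 9.04 with PostgreSQL 8.3 the files live in
# /etc/postgresql/8.3/main and editing them needs root.

# enable_listen CONF ADDR
# Sets listen_addresses in CONF to ADDR (the server IP, or '*' for all
# interfaces), whether the line is currently commented out or not.
# Returns 2 if CONF does not exist.
enable_listen() {
    conf=$1; addr=$2
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 2; }
    tmp="$conf.tmp"
    # Replace the whole (possibly commented) listen_addresses line.
    sed "s/^#\{0,1\}listen_addresses *=.*/listen_addresses = '$addr'/" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
    grep -qF "listen_addresses = '$addr'" "$conf"
}

# allow_md5_host HBA DB USER CIDR
# Appends a pg_hba.conf rule so USER may connect to DB over TCP from CIDR
# using an MD5-hashed password. listen_addresses alone grants nothing:
# without such a rule the default local/ident rules reject every TCP client.
# The rule is added once; calling this twice does not duplicate it.
# Returns 2 if HBA does not exist.
allow_md5_host() {
    hba=$1; db=$2; user=$3; cidr=$4
    [ -f "$hba" ] || { echo "missing $hba" >&2; return 2; }
    rule="host    $db    $user    $cidr    md5"
    grep -qF "$rule" "$hba" || printf '%s\n' "$rule" >> "$hba"
    grep -qF "$rule" "$hba"
}

# Typical run as root (paths and subnet are assumptions), then restart:
#   enable_listen   /etc/postgresql/8.3/main/postgresql.conf 192.0.2.10
#   allow_md5_host  /etc/postgresql/8.3/main/pg_hba.conf all all 192.0.2.0/24
#   /etc/init.d/postgresql-8.3 restart
```

Set the postgres password (step 2) before adding the md5 rule, otherwise remote logins with an empty password fail until you do; and keep the CIDR as narrow as the clients allow, since the rule is the only thing standing between the network and the database once the server listens on a public interface.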

How to Deploy Axis2 Services in WSO2 BPS

WSO2 BPS is a powerful BPEL engine that lets you easily deploy and manage BPEL services; it can be downloaded from here.

We can also deploy Axis2 services in WSO2 BPS (but not remotely through the management console). It is easy: just copy your *.aar file into the repository/services directory of the extracted WSO2 BPS.

After a few seconds your service is listed on the Deployed Services page, and you can configure QoS (security, throttling and so on) from the Service Dashboard.