Wednesday, July 28, 2010

WSO2 Identity Server as OpenID Provider


I am going to explain how an OpenID issued by WSO2 Identity Server can be used in a real environment. Here I use Liferay Portal as the OpenID consumer (relying party) and assume that Liferay Portal and the Identity Server run on different hosts on the same LAN.

1. First download WSO2 Identity Server from here and extract it into a directory in your file system. Let's call that directory CARBON_HOME.

2. Start the Identity Server by running wso2server.sh (Unix) or wso2server.bat (Windows) from the CARBON_HOME/bin directory.

The Identity Server starts with its default configuration. If you look at the OpenID URL of a user (the default admin username is admin), it looks like this:

https://localhost:9443/openid/admin

This OpenID URL cannot be used from other hosts on your network, because it is bound to localhost. So let's change the host name.

3. Let's assume we want the host name to be "wso2identity" (an IP address works too). First set the following parameters in carbon.xml, found in CARBON_HOME/conf:

 <ServerURL>https://wso2identity:${carbon.management.port}${carbon.context}/services/</ServerURL>
 <HostName>wso2identity</HostName>

Then set the following parameters in identity.xml, found in the same directory:

    <OpenIDServerUrl>https://wso2identity:9443/openidserver</OpenIDServerUrl>
    <OpenIDUserPattern>https://wso2identity:9443/openid/</OpenIDUserPattern>

4. Restart the Identity Server. The OpenID URL is now

https://wso2identity:9443/openid/admin

5. Download the latest version of Liferay Portal from here and extract it into a directory in your file system. Let's call that directory LIFERAY_HOME.

6. Set CATALINA_HOME to LIFERAY_HOME/tomcat_dir (the Tomcat directory bundled with Liferay).

7. Start Liferay Portal by running catalina.sh run (Unix) or catalina.bat (Windows) from the CATALINA_HOME/bin directory.

8. Create a user account in Liferay and set its OpenID to the one issued by the Identity Server (https://wso2identity:9443/openid/admin).



9. Now try to sign in with that OpenID.


10. You will probably get the following error message, because one more thing has to be configured if the Identity Server uses its default keystore, wso2carbon.jks.


Liferay's JVM uses the Java cacerts file as its trust store, but wso2carbon.jks contains only a self-signed certificate, so the TLS connection that Liferay's OpenID library opens to the provider (for discovery and verification) fails certificate validation. The Identity Server's certificate therefore has to be imported into the trust store Liferay uses; only then can Liferay trust the OpenID provided by the wso2identity server. Note also that the certificate shipped in wso2carbon.jks is issued for CN=localhost; if the OpenID library enforces host-name verification, generate a certificate for wso2identity instead of reusing the default one.

11. Import the Identity Server certificate into cacerts

First export the certificate from wso2carbon.jks, found in CARBON_HOME/resources/security. The key alias is localhost and the store password of the default keystore is wso2carbon (it is the store password, -storepass, that unlocks the keystore for an export; -keypass applies only to private keys). A sample keytool command:

> keytool -export -keystore wso2carbon.jks -storepass wso2carbon -alias localhost -file carbon.cert

Then import it into the cacerts file under JAVA_HOME/jre/lib/security of the JDK that runs Liferay. The default password of cacerts is changeit:

> keytool -import -keystore cacerts -storepass changeit -alias carbon -file carbon.cert

Keep in mind that cacerts is JVM-wide: every application running on that JDK will now trust this self-signed certificate. A tidier option is a dedicated trust store containing only this certificate, passed to Liferay's JVM with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword in JAVA_OPTS.

12. Restart Liferay Portal. Now you can sign in to Liferay Portal using the wso2identity server's OpenID!
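The trust-store steps above, as an added example that is not part of the original post or of WSO2/Liferay: a script that builds an application-specific trust store for Liferay, checks the certificate's SHA-256 fingerprint against a value obtained out of band before importing it, and re-reads the result. It drives keytool through subprocess. The source keystore is generated on the fly as a stand-in for wso2carbon.jks (same alias 'localhost' and password 'wso2carbon' as the shipped one); the host name 'wso2identity', the alias 'carbon' and the trust-store password 'changeit' are assumptions.

```python
"""Added example, not from the original post: build an application-specific
trust store for Liferay from the Identity Server certificate, verifying the
certificate fingerprint before importing it, instead of editing the JVM-wide
cacerts. The source keystore is generated here as a stand-in for wso2carbon.jks
(same alias 'localhost' and password 'wso2carbon' as the shipped one); the host
name 'wso2identity', alias 'carbon' and password 'changeit' are assumptions."""
import base64
import hashlib
import os
import shutil
import subprocess
import tempfile

KEYTOOL_AVAILABLE = shutil.which("keytool") is not None


def keytool(*args):
    """Run keytool non-interactively and return its stdout."""
    return subprocess.run(["keytool", *args], check=True, capture_output=True, text=True).stdout


def pem_to_der(pem):
    """Take the first PEM certificate body out of keytool output and base64-decode it."""
    lines = pem.splitlines()
    start = lines.index("-----BEGIN CERTIFICATE-----") + 1
    end = lines.index("-----END CERTIFICATE-----", start)
    return base64.b64decode("".join(lines[start:end]))


def sha256_fingerprint(der):
    """Hex SHA-256 over the DER certificate: the value an administrator publishes out of band."""
    return hashlib.sha256(der).hexdigest()


def export_cert_pem(keystore, storepass, alias):
    """Identity Server side: export the public certificate (-storepass unlocks the store, not -keypass)."""
    return keytool("-exportcert", "-rfc", "-keystore", keystore, "-storepass", storepass, "-alias", alias)


def trusted_fingerprint(truststore, storepass, alias):
    """Liferay side: re-read the imported entry and fingerprint it independently of keytool's summary."""
    pem = keytool("-list", "-rfc", "-keystore", truststore, "-storepass", storepass, "-alias", alias)
    return sha256_fingerprint(pem_to_der(pem))


def build_truststore(expected_fingerprint=None):
    """Return (truststore_path, sha256_hex), or None when keytool is not on PATH.
    expected_fingerprint is the value obtained out of band from the IdP administrator; when
    omitted it is taken from the stand-in keystore, which is acceptable only in this demo."""
    if not KEYTOOL_AVAILABLE:
        return None
    work = tempfile.mkdtemp(prefix="liferay-trust-")
    src = os.path.join(work, "wso2carbon.jks")        # stand-in for CARBON_HOME/resources/security/wso2carbon.jks
    cert = os.path.join(work, "carbon.cert")
    trust = os.path.join(work, "liferay-truststore.jks")

    keytool("-genkeypair", "-keystore", src, "-storepass", "wso2carbon", "-keypass", "wso2carbon",
            "-alias", "localhost", "-keyalg", "RSA", "-keysize", "2048", "-validity", "365",
            "-dname", "CN=wso2identity, O=WSO2, C=US")  # issued for the new host name, not localhost
    pem = export_cert_pem(src, "wso2carbon", "localhost")
    received = sha256_fingerprint(pem_to_der(pem))
    published = expected_fingerprint or received

    # Refuse to trust a certificate whose fingerprint differs from the published one.
    if received != published:
        raise ValueError(f"fingerprint mismatch: got {received}, expected {published}")

    with open(cert, "w") as fh:
        fh.write(pem)
    keytool("-importcert", "-noprompt", "-keystore", trust, "-storepass", "changeit",
            "-alias", "carbon", "-file", cert)
    stored = trusted_fingerprint(trust, "changeit", "carbon")
    if stored != received:
        raise RuntimeError("trust store does not contain the certificate that was verified")
    return trust, stored


if __name__ == "__main__":
    result = build_truststore()
    if result is None:
        print("keytool not found on PATH; install a JDK to run this")
    else:
        path, fingerprint = result
        print(f"trust store : {path}\nSHA-256     : {fingerprint}")
        print(f"Liferay JAVA_OPTS: -Djavax.net.ssl.trustStore={path} "
              f"-Djavax.net.ssl.trustStorePassword=changeit")
```

In a real deployment, run the export on the Identity Server host, read the fingerprint to the Liferay administrator over a channel you trust, and pass it as expected_fingerprint on the Liferay host; the JAVA_OPTS line printed at the end points Liferay at the new trust store without touching cacerts.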


Sunday, July 25, 2010

Apache Directory Studio as Your LDAP User Store


1. Download Apache Directory Studio from here.

2. Extract it into a directory in your file system.

3. Start Apache Directory Studio by running the executable called ApacheDirectoryStudio.

Let's create an LDAP server.

4. If you cannot see the ApacheDS server view, open it first:

Window -> Show View -> Other -> Select ApacheDS Server


Now you can see the server management view.

5. Create a new server: click the New Server icon (Ctrl+E). You only have to enter a name for the server; it is created with the default configuration.


Double-click the server to open its configuration file (server.xml). You can change it to suit your needs, but here I continue with the default configuration.



6. Click the Run icon (Ctrl+R) and your server starts.

Now let's create a connection to the running LDAP server so we can browse it. (Connections can be created to almost any LDAP server, not only the embedded ApacheDS.)

7. LDAP -> New Connection. The New LDAP Connection wizard is prompted.



8. Configure the network parameters:

Connection Name - any name you like
Host Name - the host on which your LDAP server runs. Here the LDAP server is on the same machine, so localhost
Port - the port the LDAP server listens on. The embedded ApacheDS uses 10389 by default (10636 for LDAPS); otherwise use the port configured in server.xml
Encryption Method - to protect the connection to the LDAP server, select SSL (ldaps) or StartTLS, and make sure the port matches (ldap vs. ldaps). Without encryption, a simple bind sends the Bind DN and password over the network in clear text


9. Configure the authentication parameters:

Authentication Method - simple authentication, one of the advanced (SASL) methods, or no authentication, depending on what you have configured in server.xml. Here we must use simple authentication.
Bind DN or user - uid=admin,ou=system
Bind password - secret



When a new LDAP server is created, an admin user with the DN and password above exists by default; change that well-known password before anything other than your own machine can reach the server. If the server already contains users, you can bind with any DN whose password you know. Leave the Browser Options and Edit Options at their defaults and finish the wizard.

10. Open the connection by clicking the Open Connection icon in the Connections view.


11. Double-click the connection to open the LDAP Browser, which displays the tree of your LDAP server.

Now you can create, delete and modify entries in the LDAP server!
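The simple bind configured in step 9, as an added example that is not part of the original post or of Apache Directory Studio: the request is encoded by hand from RFC 4511 (BER) so the script runs offline, and decoded again the way a passive observer on the network would see it. The Bind DN and password are the ApacheDS defaults the post uses; the "captured" message is constructed here, not sniffed from a real server. The StartTLS request that a client sends before binding when the StartTLS encryption method is selected is encoded too.

```python
"""Added example, not part of the original post: what the simple bind from
step 9 looks like on the wire (RFC 4511, BER). The Bind DN and password are
the ApacheDS defaults the post uses; the message is constructed, not captured."""


def ber_length(n):
    """BER definite length: one byte below 128, otherwise 0x80|count then the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_length(len(value)) + value


def _message_id(message_id):
    # Kept to 1..127 so the INTEGER fits in a single byte; real clients use larger ids.
    if not 1 <= message_id <= 127:
        raise ValueError("message_id must be 1..127 for this encoder")
    return tlv(0x02, bytes([message_id]))


def encode_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    bind = (
        tlv(0x02, b"\x03")              # version INTEGER 3
        + tlv(0x04, dn.encode())        # name LDAPDN (OCTET STRING)
        + tlv(0x80, password.encode())  # authentication: simple [0] OCTET STRING, i.e. clear text
    )
    return tlv(0x30, _message_id(message_id) + tlv(0x60, bind))


STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def encode_starttls_request(message_id):
    """ExtendedRequest [APPLICATION 23] { requestName [0] OID }: sent before the bind so that the
    bind (and everything after it) travels inside TLS instead of in the clear."""
    return tlv(0x30, _message_id(message_id) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(msg):
    """What anyone on the path recovers from a simple bind sent over plain ldap://."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": version[0],
        "dn": name.decode(),
        "password": auth.decode() if auth_tag == 0x80 else None,
    }


if __name__ == "__main__":
    wire = encode_bind_request(1, "uid=admin,ou=system", "secret")
    print("bind request :", wire.hex())
    print("observer sees:", decode_bind_request(wire))
    print("StartTLS     :", encode_starttls_request(2).hex())
```

The hex dump contains the bytes of "secret" verbatim, which is the whole argument for choosing ldaps or StartTLS in step 8 whenever the server is not on the same machine as Studio.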

Thursday, July 1, 2010

SSL profiles in WSO2 ESB


"SSL profiles" is new feature which was introduced in WSO2 ESB 3.0.0. Using SSL profiles WSO2 ESB can be configured  to communicate with SSL and Mutual SSL enabled target servers.  Lets see how to configure it.


1. First download WSO2 ESB 3.0.0 from here and extract it into a directory in your file system. Let's call that directory ESB_HOME.

2. Define the SSL profiles under the HTTPS transport sender configuration in the axis2.xml file, found in ESB_HOME/repository/conf.

The example configuration I use is shown below. localhost:9444 is the server used for SSL and localhost:9445 the one used for mutual SSL. As you can see, a profile consists of a keystore/truststore pair. A single profile can be associated with one or more target servers, so you can list several target servers under one profile; a target server is identified by its host name and port number. Once a profile is defined and associated with a target server, WSO2 ESB uses the profile's truststore to verify the server for SSL, and the keystore/truststore pair (its own client certificate plus the trust anchors) for mutual SSL.

In this example configuration, localhost:9444 is a WSO2 WSAS instance and localhost:9445 a WSO2 BPS server. Note that the truststore must contain the target server's certificate (or the CA certificate that issued it) for SSL to work, and that for mutual SSL the target server's own truststore must in turn contain the certificate from the ESB's keystore. The store passwords sit in plain text in axis2.xml, so restrict who can read that file.


<parameter name="customSSLProfiles">

    <profile>
        <servers>www.test.org:80, localhost:9444</servers>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>

    <profile>
        <servers>localhost:9445</servers>
        <KeyStore>
            <Location>/path/to/identity/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
            <KeyPassword>password</KeyPassword>
        </KeyStore>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>

</parameter>
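The profile lookup described above, as an added example that is not WSO2 code: a script that parses a customSSLProfiles block the way the HTTPS sender resolves it (one profile per target host:port) and lints the mistakes that otherwise surface only as a TLS handshake failure at runtime. SAMPLE_CONFIG is the page's own example, embedded so the script runs offline; its placeholder store paths do not exist, which the lint reports.

```python
"""Added example, not WSO2 code: resolve and lint a customSSLProfiles block.
SAMPLE_CONFIG is the example from the page, embedded so this runs offline."""
import os
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """\
<parameter name="customSSLProfiles">
    <profile>
        <servers>www.test.org:80, localhost:9444</servers>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>
    <profile>
        <servers>localhost:9445</servers>
        <KeyStore>
            <Location>/path/to/identity/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
            <KeyPassword>password</KeyPassword>
        </KeyStore>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>
</parameter>
"""


def parse_profiles(xml_text):
    """One dict per <profile>: its target servers and the store locations it declares."""
    root = ET.fromstring(xml_text)
    profiles = []
    for index, prof in enumerate(root.findall("profile")):
        servers = [s.strip() for s in (prof.findtext("servers") or "").split(",") if s.strip()]
        keystore = prof.find("KeyStore")
        truststore = prof.find("TrustStore")
        profiles.append({
            "index": index,
            "servers": servers,
            "keystore": keystore.findtext("Location") if keystore is not None else None,
            "truststore": truststore.findtext("Location") if truststore is not None else None,
        })
    return profiles


def resolve(profiles):
    """host:port -> profile: the lookup the sender makes when it opens a connection."""
    table = {}
    for prof in profiles:
        for server in prof["servers"]:
            table[server] = prof
    return table


def lint(profiles, check_files=True):
    """Findings a practitioner wants before restarting the ESB; an empty list means nothing obvious."""
    findings = []
    owner = {}
    for prof in profiles:
        i = prof["index"]
        if prof["truststore"] is None:
            findings.append(f"profile {i}: no TrustStore, so the target's certificate can never be verified")
        for key in ("keystore", "truststore"):
            path = prof[key]
            if check_files and path is not None and not os.path.isfile(path):
                findings.append(f"profile {i}: {key} file not found: {path}")
        if not prof["servers"]:
            findings.append(f"profile {i}: empty <servers>, the profile is never used")
        for server in prof["servers"]:
            host, sep, port = server.rpartition(":")
            if not sep or not host or not port.isdigit():
                findings.append(f"profile {i}: '{server}' is not host:port")
                continue
            if port == "80":
                findings.append(f"profile {i}: '{server}' is on port 80; profiles are consulted only for https:// endpoints")
            if server in owner and owner[server] != i:
                findings.append(f"profile {i}: '{server}' is also listed in profile {owner[server]}; which one applies is ambiguous")
            owner.setdefault(server, i)
    return findings


if __name__ == "__main__":
    profs = parse_profiles(SAMPLE_CONFIG)
    for server, prof in resolve(profs).items():
        mode = "mutual SSL (KeyStore + TrustStore)" if prof["keystore"] else "SSL (TrustStore only)"
        print(f"{server:>20} -> profile {prof['index']}: {mode}")
    for finding in lint(profs):
        print("WARNING:", finding)
```

For the page's configuration the resolved table has three entries, matching the "Custom SSL profiles initialized for 3 servers" line the server logs at startup; the lint output flags the port-80 entry and the placeholder paths.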


3. Start the WSO2 ESB server by running wso2server.sh (Unix) or wso2server.bat (Windows) from the ESB_HOME/bin directory.
Once the server starts, point your web browser at https://localhost:9443/carbon/. If the SSL profiles are configured correctly, you see the following INFO logs during startup:

[2010-07-01 15:22:26,300]  INFO - HttpCoreNIOSSLSender Loading Trust Keystore from : path/to/trust/store
[2010-07-01 15:22:26,306]  INFO - HttpCoreNIOSSLSender Loading Identity Keystore from : /path/to/identity/store
[2010-07-01 15:22:26,310]  INFO - HttpCoreNIOSSLSender Loading Trust Keystore from : path/to/trust/store
[2010-07-01 15:22:26,322]  INFO - HttpCoreNIOSSLSender Custom SSL profiles initialized for 3 servers


4. Let's create two simple proxy services whose endpoints are hosted at localhost:9444 and localhost:9445.

I created the following two proxies:

<syn:proxy name="BPSProxy" transports="https http" startOnLoad="true" trace="disable">
    <syn:target>
        <syn:inSequence>
            <syn:send>
                <syn:endpoint>
                    <syn:address uri="https://localhost:9444/services/TestE4XService"/>
                </syn:endpoint>
            </syn:send>
        </syn:inSequence>
        <syn:outSequence>
            <syn:send/>
        </syn:outSequence>
    </syn:target>
</syn:proxy>

<syn:proxy name="WSASProxy" transports="https http" startOnLoad="true" trace="disable">
    <syn:target>
        <syn:inSequence>
            <syn:send>
                <syn:endpoint>
                    <syn:address uri="https://localhost:9445/services/HelloService"/>
                </syn:endpoint>
            </syn:send>
        </syn:inSequence>
        <syn:outSequence>
            <syn:send/>
        </syn:outSequence>
    </syn:target>
</syn:proxy>

5. Now send request messages to the two proxy services. You will see the ESB communicate with the SSL and mutual-SSL enabled target servers using the SSL profiles.