<h3>How SAML2 Single Logout Works</h3>
<span style="color: #222222; font-family: inherit;">Posted by Asela on the SOA Security blog, 2013-06-28.</span><br />
<span style="color: #222222; font-family: inherit;">First, let's understand the single logout flow that is initiated by an SP.</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
</span><br />
<span style="color: #222222;"> <span style="font-size: x-small;"><i>Please note that the following diagram is copied from the SAML2 specification. Here <b>IDP</b> refers to the SAML2 SSO Identity Provider and <b>SP</b> refers to a SAML2 SSO Service Provider.</i></span></span><br />
<span style="color: #222222;"><span style="font-size: x-small;"><i><br /></i></span></span>
<h3>
<span style="color: #222222; font-family: inherit;">Profile Overview </span></h3>
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><br /></span>
<span style="color: #222222;"><br /></span>
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Z7wk8xTUG6yxOfEcajaVVrDrSAMC4UakE8Fbhxsp_7WThntAYtfhshVo10Xv8IAw_INrGEVhvBo1u-BbyD-Cm6Y-kaagay5uSAoOCyNkmwA651-9R1b5druJ2WHb1QT7fH_lkpzuMC45/s871/sso.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" height="419" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2Z7wk8xTUG6yxOfEcajaVVrDrSAMC4UakE8Fbhxsp_7WThntAYtfhshVo10Xv8IAw_INrGEVhvBo1u-BbyD-Cm6Y-kaagay5uSAoOCyNkmwA651-9R1b5druJ2WHb1QT7fH_lkpzuMC45/s640/sso.png" width="640" /></span></a></div>
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>1<i>. LogoutRequest</i></b> issued by the SP to the IDP.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>2.</b> The IDP determines which SPs participate in the user's SSO session. If there are no SPs other than the one that sent the LogoutRequest, the profile proceeds to step 5.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span></span>
<span style="font-family: inherit;"><span style="color: #222222;">Otherwise, steps 3 and 4 are <b>repeated</b> for each other SP in the session.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>3.</b> <b><i>LogoutRequest</i></b> issued by the IDP to the SP.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>4.</b> The SP issues a <b><i>LogoutResponse</i></b> to the IDP.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>5.</b> The IDP issues a <b><i>LogoutResponse</i></b> to the SP that sent the original LogoutRequest.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">Let's see what is in these request and response messages.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span></span>
<span style="font-family: inherit;">
</span>
<h3>
<span style="color: #222222; font-family: inherit;"><b>Logout Request</b></span></h3>
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">LogoutRequest extends RequestAbstractType.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span></span>
<span style="font-family: inherit;"><span style="color: #222222;">The following attributes are required by RequestAbstractType:</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>1.</b> <i><b>ID</b></i> - An identifier for the request. It must be unique; when it is generated randomly the specification asks for at least 128 bits of randomness, and because it is an XML ID it must not begin with a digit (which is why the sample further down starts with a letter). The receiver echoes this value back in the response's InResponseTo, so it should not be predictable.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>2</b>. <b><i>Version </i></b>- The SAML version, "2.0" here.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>3. <i>IssueInstant </i></b>- The time at which the request was issued, encoded in UTC.</span></span><br />
<span style="font-family: inherit;"><br /></span>
<span style="color: #222222; font-family: inherit;">Apart from these, exactly one of the following elements is required in a LogoutRequest:</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>4</b><i>.</i><b><i> BaseID or NameID or EncryptedID</i></b> </span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">This identifies the principal (the user) by a name that is known to both the IDP and the SP. The single logout profile also requires an <b><i>Issuer</i></b> element carrying the entity ID of the sender, so that the receiver knows which trust relationship and signing key to check the message against.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">There are also a few optional attributes and elements:</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>5</b>. <b><i>NotOnOrAfter </i></b> - The time (UTC) at which the request expires. A receiver should reject a request whose NotOnOrAfter has passed, which bounds how long a captured request could be replayed.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>6.</b> <b><i>Reason</i></b> - The reason for the logout, in the form of a URI reference.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">There are two standard reasons:</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><i>urn:oasis:names:tc:SAML:2.0:logout:user</i> - the user terminated the session and initiated the logout</span></span><br />
<span style="color: #222222; font-family: inherit;"><i>urn:oasis:names:tc:SAML:2.0:logout:admin</i> - an administrator terminated the session and initiated the logout</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>7. <i>SessionIndex</i></b> - The session identifier that both the IDP and the SP use to identify this user's session. If the authentication assertion carried a SessionIndex, the LogoutRequest should include it, so that only that session is terminated and not every session the principal has with the IDP.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
</span><br />
<h3>
<span style="color: #222222; font-family: inherit;"><b>Logout Response</b></span></h3>
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">LogoutResponse</span><b style="color: #222222;"> </b><span style="color: #222222;">extends StatusResponseType. StatusResponseType requires the same ID, Version and IssueInstant attributes as RequestAbstractType, and adds an optional <b><i>InResponseTo</i></b> attribute that carries the ID of the LogoutRequest being answered; the receiver uses it to match the response to a request it actually sent. The required <b><i>Status</i></b> element contains a <b><i>StatusCode</i></b> with the top-level result of the request (for example Success), which may nest a second-level StatusCode giving more detail, such as PartialLogout.</span></span><br />
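<span style="color: #222222; font-family: inherit;">The following is an added example, not code from this post or from WSO2: a small Python script (Python rather than the Java of the linked WSO2 code, so it runs without the Carbon platform) that builds and validates the LogoutRequest and LogoutResponse messages described above using only the standard library's ElementTree. The entity IDs, the fixed clock, the five-minute NotOnOrAfter window and the choice of the unspecified NameID format are assumptions made for the example. It deliberately does not verify XML signatures, which the profile requires and which a real IDP or SP must do before trusting anything in the message.</span><br />

```python
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("saml2", SAML)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
REASON_USER = "urn:oasis:names:tc:SAML:2.0:logout:user"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # assumed format for a user name

# Fixed clock so the output is reproducible; a real implementation uses datetime.now(timezone.utc).
SAMPLE_NOW = dt.datetime(2013, 6, 28, 11, 51, 6, tzinfo=dt.timezone.utc)


def saml_id():
    # xs:ID is an NCName and must not start with a digit, hence the "_" prefix.
    # 20 random bytes give 160 bits, within the collision bound SAML core section 1.3.4 asks for.
    return "_" + secrets.token_hex(20)


def saml_instant(t):
    # xs:dateTime in UTC with the "Z" designator, as SAML requires for IssueInstant and NotOnOrAfter.
    return t.astimezone(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_instant(s):
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_logout_request(issuer, name_id, session_index, now=SAMPLE_NOW, lifetime_s=300, reason=REASON_USER):
    """SP side: a LogoutRequest built from the NameID and SessionIndex kept in the SP's own session."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": saml_id(), "Version": "2.0", "IssueInstant": saml_instant(now),
        "NotOnOrAfter": saml_instant(now + dt.timedelta(seconds=lifetime_s)), "Reason": reason})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer  # required by the single logout profile
    ET.SubElement(req, f"{{{SAML}}}NameID", {"Format": NAMEID_UNSPECIFIED}).text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def build_logout_response(issuer, in_response_to, now=SAMPLE_NOW, top_code=STATUS_SUCCESS, second_code=None):
    """A LogoutResponse; a second-level StatusCode such as PartialLogout nests inside the top-level one."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": saml_id(), "Version": "2.0", "IssueInstant": saml_instant(now), "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": top_code})
    if second_code is not None:
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode", {"Value": second_code})
    return ET.tostring(resp, encoding="unicode")


def parse_logout_request(xml_text, trusted_issuers, now=SAMPLE_NOW):
    """Receiver side: check the fields the post lists and return what the session lookup needs.
    XML signature verification is NOT done here; a real receiver does it before trusting the result."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 LogoutRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer not in trusted_issuers:
        raise ValueError("unknown or missing Issuer")
    expiry = root.get("NotOnOrAfter")
    if expiry is not None and now >= parse_instant(expiry):
        raise ValueError("request expired (NotOnOrAfter passed)")
    name_id = root.findtext(f"{{{SAML}}}NameID")
    if not name_id:
        raise ValueError("no NameID (BaseID/EncryptedID are not handled in this example)")
    return {"id": root.get("ID"), "issuer": issuer, "name_id": name_id, "reason": root.get("Reason"),
            "session_indexes": [e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex")]}


def parse_status(xml_text):
    """Return (top-level code, second-level code or None, InResponseTo) of a LogoutResponse."""
    root = ET.fromstring(xml_text)
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    second = top.find(f"{{{SAMLP}}}StatusCode")
    return top.get("Value"), (second.get("Value") if second is not None else None), root.get("InResponseTo")
```

<span style="color: #222222; font-family: inherit;">Calling build_logout_request("https://sp1.example.com", "admin", "26C0530CBEA1DCF404C95B029D6A64AF") produces a message with the same shape as the sample later in this post, plus the Issuer element; feeding it to parse_logout_request with a later clock or an issuer that is not in the trusted set raises ValueError, which is the behaviour an IDP needs so that an expired or unsolicited request never reaches the session lookup.</span><br />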
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
</span><br />
<h3>
<span style="color: #222222; font-family: inherit;">Sample Scenario</span></h3>
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">Let's take a sample scenario to explain how the IDP and the SPs handle single logout. Here we assume one IDP and two SPs, called SP1 and SP2.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">Please note that all request and response messages must be <b>signed</b>, or otherwise authenticated and integrity protected by the underlying protocol. If the IDP accepted an unsigned LogoutRequest, anyone who learned a user's NameID and SessionIndex could log that user out of every SP.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>1. </b>The user tries to access SP1 and has no authenticated session there, so the user is redirected to the IDP.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>2. </b>The IDP has no authenticated session for the user either, so the user is authenticated against the user store.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>3. </b>After successful authentication:</span></span><br />
<span style="color: #222222;"><br /></span>
<span style="color: #222222;">The IDP creates a SAML token (assertion) based on the user and the user's attributes.</span><br />
<span style="color: #222222;"><br /></span>
<span style="color: #222222; font-family: inherit;">The IDP creates a session between the user and the IDP, normally called the SSO session. This SSO session is uniquely identified by a session ID (sent in the assertion as the <b><i>SessionIndex</i></b>) together with the user, and it records the SPs that take part in it, starting with SP1. </span><span style="color: #222222; font-family: inherit;">The IDP usually persists the SSO session so that it outlives a single request.</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>4.</b> The user is redirected to SP1 with a SAML Response.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">We are interested in the following elements of the SAML Assertion:</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>a) Subject</b> - Identifies the authenticated user. Usually a NameID is used, carrying the user name of the authenticated user.</span></span><br />
<pre class="xml" name="code">
<saml2:NameID>admin</saml2:NameID>
</pre>
<span style="color: #222222;"><b>b)</b> <b>AuthnStatement</b> - Describes how the subject was authenticated with the IDP.</span><br />
<pre class="xml" name="code">
<saml2:AuthnStatement AuthnInstant="2013-06-28T11:49:29.879Z" SessionIndex="26C0530CBEA1DCF404C95B029D6A64AF">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</pre>
<span style="color: #222222;"> Here the user was authenticated by providing a password. The <i><b>SessionIndex</b></i> attribute also gives the identifier of the session that has been created between the user and the IDP.</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>5. </b>If the SAML Response is valid (signature, audience, validity period and so on), SP1 creates a session between the user and SP1 and maps that session to the received <i><b>SessionIndex</b></i> value.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>6.</b> Now the same user tries to access SP2, </span></span><span style="color: #222222;">has no authenticated session there, and is therefore redirected to the IDP.</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>7.</b> The IDP already has an authenticated SSO session for the user, so no re-authentication is needed: a SAML token is created and the SSO session is updated with SP2's details.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>8.</b> The user is redirected to SP2 with a SAML Response. The SAML Assertion carries the same NameID and the same <b><i>SessionIndex</i></b> as </span></span><span style="color: #222222;">discussed in </span><b style="color: #222222;"><i>step 4</i></b><span style="color: #222222;">, because both SPs belong to the same SSO session.</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>9.</b> If the SAML Response is valid, SP2 creates a session between the user and SP2 and maps it to the received <b><i>SessionIndex</i></b>.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">Now let's see the single logout scenario.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>10. </b>The user logs out from SP1. SP1 sends a <b><i>LogoutRequest</i></b> to the IDP.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">Let's see what should be in this request.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">Basically, SP1 needs to identify the SSO session that the IDP holds for this user.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">SP1 can look up the <b><i>SessionIndex</i></b> and <b><i>NameID</i></b> it received for the user, because it stored them in its own session at step 5.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">It then builds a <b><i>LogoutRequest</i></b> from them.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">A sample <b><i>LogoutRequest</i></b> looks as follows. (Two caveats on this trimmed sample: the Issuer element that the profile requires is omitted, and the NameID Format shown, <i>nameid-format:entity</i>, is defined for SAML entity identifiers rather than users; for a user name you would expect a format such as <i>unspecified</i> or <i>persistent</i>.)</span></span><br />
<pre class="xml" name="code">
<saml2p:LogoutRequest ID="flkjhgfehcfjkjjmabgkcmlcnalbcillibfeeeag" IssueInstant="2013-06-28T11:51:06.024Z" NotOnOrAfter="2013-06-28T11:56:06.024Z" Reason="urn:oasis:names:tc:SAML:2.0:logout:user" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">admin</saml2:NameID>
<saml2p:SessionIndex>26C0530CBEA1DCF404C95B029D6A64AF</saml2p:SessionIndex>
</saml2p:LogoutRequest>
</pre>
<span style="color: #222222;"><b>11. </b>The IDP validates the LogoutRequest: the signature, that the Issuer is a registered SP, that the request has not passed its NotOnOrAfter time and, as a defence against replay, that its ID has not been seen before. If it is valid, the IDP looks up the SSO session for the given <b><i>SessionIndex</i></b> and checks that it belongs to the given <b><i>NameID</i></b>.</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>12. </b>The IDP identifies, from the SSO session, the SPs at which the user has been authenticated. It then sends a <b><i>LogoutRequest</i></b> to each SP other than SP1, carrying the corresponding <b><i>SessionIndex</i></b> and <b><i>NameID</i></b>.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">So a LogoutRequest of the same shape as the one in <b><i>step 10</i></b> is sent to SP2, this time issued by the IDP with its own fresh ID and its own Issuer.</span></span><br />
<span style="font-family: inherit;"><br /></span>
<span style="color: #222222; font-family: inherit;"><b>13.</b> SP2 validates and processes the <i style="font-weight: bold;">LogoutRequest</i> and invalidates the local session that is associated with the <b><i>SessionIndex</i></b> and matches the <b><i>NameID</i></b>.</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>14. </b>SP2 sends a <b><i>LogoutResponse</i></b> to the IDP with a status of Success:</span></span><br />
<pre class="xml" name="code"><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
</pre>
<span style="color: #222222;"><b>15.</b> The IDP validates the <b><i>LogoutResponse</i></b> (including that its InResponseTo matches the request the IDP sent to SP2) and records the received <b><i>status</i></b>.</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>16.</b> Finally the IDP invalidates the SSO session that is associated with the <i><b>SessionIndex</b></i> and </span></span><span style="color: #222222;">matches the </span><b style="color: #222222;"><i>NameID</i></b><span style="color: #222222;">. </span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><b>17. </b>The IDP sends a <b><i>LogoutResponse</i></b> to SP1.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">If everything succeeded, the </span></span><span style="color: #222222;"><i style="font-weight: bold;">LogoutResponse </i>carries </span><span style="color: #222222; font-family: inherit;">the top-level status code</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><i>urn:oasis:names:tc:SAML:2.0:status:Success</i></span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">If SP2 returned an error status in its <i>LogoutResponse</i>, the IDP has still terminated its own session, so the top-level code remains Success but a second-level status code is nested inside it:</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;"><i>urn:oasis:names:tc:SAML:2.0:status:PartialLogout</i></span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">SP1 should treat PartialLogout as a signal to warn the user that they may still be logged in elsewhere. Any other failure (an invalid request, an unknown session) is reported with the corresponding top-level error status code.</span></span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
</span><br />
<span style="color: #222222; font-family: inherit;">I hope this helps you understand how single logout must be implemented. Simplified to the code level:</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">In the IDP implementation there must be some way to persist the SSO session (the session between the user and the IDP). It can be a simple in-memory Map </span></span><span style="color: #222222; font-family: inherit;">with the SessionIndex (session ID) as the key and the session, including the list of participating SPs, as the value. An in-memory map is lost on restart and is not shared across a cluster, so a production IDP needs a replicated or persistent store. Please find a sample implementation </span><a href="https://svn.wso2.org/repos/wso2/carbon/platform/trunk/components/identity/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/session/" style="font-family: inherit;">here</a><span style="color: #222222; font-family: inherit;">.</span><br />
<span style="font-family: inherit;"><span style="color: #222222;"><br /></span>
<span style="color: #222222;">In the SP implementation there must be some way to persist the user session (the session between the user and the SP). It can be a simple in-memory Map </span></span><span style="color: #222222; font-family: inherit;">with the SessionIndex received in the Assertion as the key and the user session as the value, so that an IDP-initiated LogoutRequest maps straight to the local session that has to be invalidated. Please find a sample implementation </span><a href="https://svn.wso2.org/repos/wso2/carbon/platform/trunk/components/identity/org.wso2.carbon.identity.sso.saml.tomcat.agent/src/main/java/org/wso2/carbon/identity/sso/saml/tomcat/agent/SSOSessionManager.java" style="font-family: inherit;">here</a><span style="color: #222222; font-family: inherit;">.</span><br />
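<span style="color: #222222; font-family: inherit;">The following is an added example, not code from this post or from WSO2, written in Python rather than the Java of the linked samples. It models the two session maps just described (the IDP's SSO session keyed by SessionIndex, with the set of participating SPs, and each SP's local session keyed by the SessionIndex from the assertion) and runs steps 1 to 17 of the scenario above: login at SP1, login at SP2 in the same SSO session, then logout from SP1, with SP2 either ending its session or failing to. Messages are plain dicts instead of signed XML, the entity IDs are assumed, and the IDP cookie that lets the IDP find its existing session at step 7 is modelled by passing the session index explicitly.</span><br />

```python
import secrets
from dataclasses import dataclass, field

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


@dataclass
class SsoSession:
    """IDP-side SSO session: one per user login at the IDP, identified by its SessionIndex."""
    session_index: str
    name_id: str
    participants: set = field(default_factory=set)  # entity IDs of SPs that received an assertion


class ServiceProvider:
    def __init__(self, entity_id, fail_logout=False):
        self.entity_id = entity_id
        self.fail_logout = fail_logout  # simulate an SP that cannot end its session (step 14 error case)
        self.sessions = {}              # SessionIndex -> local session (the in-memory Map of the post)

    def consume_assertion(self, assertion):
        # Steps 5 and 9: after validating the Response (not modelled), store the local session
        # under the SessionIndex from the AuthnStatement so a LogoutRequest can find it later.
        self.sessions[assertion["session_index"]] = {"name_id": assertion["name_id"]}

    def handle_logout_request(self, req):
        # Step 13: IDP-initiated LogoutRequest. The session must match both SessionIndex and NameID.
        if self.fail_logout:
            return {"issuer": self.entity_id, "status": (STATUS_RESPONDER, None)}
        local = self.sessions.get(req["session_index"])
        if local is not None and local["name_id"] != req["name_id"]:
            # Index known but for another principal: refuse rather than log out the wrong user.
            return {"issuer": self.entity_id, "status": (STATUS_REQUESTER, None)}
        self.sessions.pop(req["session_index"], None)  # unknown index: already gone, still Success
        return {"issuer": self.entity_id, "status": (STATUS_SUCCESS, None)}

    def initiate_logout(self, idp, session_index):
        # Step 10: SP-initiated logout is built from the NameID and SessionIndex in the SP's own session.
        local = self.sessions.pop(session_index)
        req = {"issuer": self.entity_id, "name_id": local["name_id"], "session_index": session_index}
        return idp.handle_logout_request(req)


class IdentityProvider:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sessions = {}  # SessionIndex -> SsoSession (in-memory, as the post suggests)
        self.sps = {}       # entity ID -> ServiceProvider: the SPs this IDP trusts

    def register_sp(self, sp):
        self.sps[sp.entity_id] = sp

    def login(self, name_id, sp_entity_id, existing_index=None):
        # Steps 3 and 7: reuse the SSO session the browser's IDP cookie points at (existing_index
        # stands in for that cookie here) or create one, then record the SP as a participant.
        sess = self.sessions.get(existing_index) if existing_index else None
        if sess is None:
            sess = SsoSession(secrets.token_hex(16).upper(), name_id)
            self.sessions[sess.session_index] = sess
        sess.participants.add(sp_entity_id)
        return {"name_id": name_id, "session_index": sess.session_index}

    def handle_logout_request(self, req):
        # Step 11: the requester must be a trusted SP and the session must belong to the NameID.
        sess = self.sessions.get(req["session_index"])
        if req["issuer"] not in self.sps or sess is None or sess.name_id != req["name_id"]:
            return {"issuer": self.entity_id, "status": (STATUS_REQUESTER, None), "failed": []}
        # Step 12: fan a LogoutRequest out to every other participant and collect the results.
        failed = []
        for sp_id in sorted(sess.participants - {req["issuer"]}):
            fanout = {"issuer": self.entity_id, "name_id": sess.name_id, "session_index": sess.session_index}
            if self.sps[sp_id].handle_logout_request(fanout)["status"][0] != STATUS_SUCCESS:
                failed.append(sp_id)
        # Step 16: the IDP ends its own session however the participants fared.
        del self.sessions[sess.session_index]
        # Step 17: top-level Success; PartialLogout as the second-level code if any SP failed.
        return {"issuer": self.entity_id, "failed": failed,
                "status": (STATUS_SUCCESS, STATUS_PARTIAL if failed else None)}


def run_scenario(sp2_fails=False):
    """Steps 1 to 17 for one user at SP1 and SP2; returns the final state for inspection."""
    idp = IdentityProvider("https://idp.example.com")
    sp1 = ServiceProvider("https://sp1.example.com")
    sp2 = ServiceProvider("https://sp2.example.com", fail_logout=sp2_fails)
    idp.register_sp(sp1)
    idp.register_sp(sp2)
    a1 = idp.login("admin", sp1.entity_id)                                   # steps 1-4
    sp1.consume_assertion(a1)                                                # step 5
    a2 = idp.login("admin", sp2.entity_id, existing_index=a1["session_index"])  # steps 6-8
    sp2.consume_assertion(a2)                                                # step 9
    resp = sp1.initiate_logout(idp, a1["session_index"])                     # steps 10-17
    return {"idp": idp, "sp1": sp1, "sp2": sp2, "response": resp,
            "same_index": a1["session_index"] == a2["session_index"]}
```

<span style="color: #222222; font-family: inherit;">run_scenario() leaves all three session maps empty and returns a Success status; run_scenario(sp2_fails=True) still empties the IDP and SP1 maps but returns Success with PartialLogout nested under it, and SP2 keeps its stale session, which is exactly the state the PartialLogout code exists to report. One design point the maps make visible: the SessionIndex is shared with every SP in the session, so it must never double as the IDP's browser cookie value, otherwise any SP could present it and be treated as the user at the IDP; keep the cookie a separate secret that maps to the session, and always match on SessionIndex and NameID together, as both handle_logout_request methods do.</span><br />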
<span style="color: #222222; font-family: inherit;"><br /></span>
<span style="color: #222222; font-family: inherit;">With the WSO2 Identity Server 4.5.0 release, you can find sample web apps that demonstrate single logout.</span><br />
<h3>Identity management feature with WSO2 Identity Server</h3>
<span style="color: #222222; font-family: inherit;">Posted by Asela, 2012-11-21.</span><br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">The identity management feature is shipped as a separate Carbon feature that can be installed into WSO2 Identity Server. It is a good example of the extensibility of the WSO2 Carbon platform: the feature is an implementation of a listener interface in the Carbon user kernel. Such listener implementations are executed before or after a user kernel action, such as adding a user or authenticating, is performed.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Before going into implementation details, this post looks at what the feature supports by default. You can always extend these as you wish.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Some of the features that are included:</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">1. User account verification methods</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">2. Password recovery methods</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">3. User account recovery methods.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">4. Account locking / unlocking</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Let's see how to install the identity management feature with WSO2 Identity Server 4.0.0.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Let's start from a fresh WSO2 Identity Server 4.0.0 release, which can be found <a href="http://wso2.com/products/identity-server/">here</a>. </span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step1 :</b> Start the server by running the wso2server script and log in to the management console.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step2 : </b>Go to the feature manager UI and configure the P2 repository, which is available <a href="http://dist.wso2.org/p2/carbon/releases/4.0.3/">online</a>.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb0FhmanunPBcG19zIwkzSY0YLSbREu6JxJi2pNAcJlgSNq8cOl8wvXeKZaFBJ8nQRfcG2aIyaG_GRVNfZnNLKg6eSzTBsDnRavRhyphenhyphenIiC_kJwnpoFcVsm6kiLxMJmaC_AU6odvxtKTr0zQ/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb0FhmanunPBcG19zIwkzSY0YLSbREu6JxJi2pNAcJlgSNq8cOl8wvXeKZaFBJ8nQRfcG2aIyaG_GRVNfZnNLKg6eSzTBsDnRavRhyphenhyphenIiC_kJwnpoFcVsm6kiLxMJmaC_AU6odvxtKTr0zQ/s640/1.png" width="640" /></a></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step3 : </b>Search for the identity management feature.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj290HciSlxlAlHuy69y6AzFiV8xl5P1qiZZrGh6sF6UibyRqbqluo55ceJIs70o_MPQ077Wyu2VU657N5fIOyyWPpPkI3e0uRyj2RQ1jlyt4gzpDJUGUGkNtp8tUoeMAS57L1ZDPEkkM1g/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj290HciSlxlAlHuy69y6AzFiV8xl5P1qiZZrGh6sF6UibyRqbqluo55ceJIs70o_MPQ077Wyu2VU657N5fIOyyWPpPkI3e0uRyj2RQ1jlyt4gzpDJUGUGkNtp8tUoeMAS57L1ZDPEkkM1g/s640/3.png" width="640" /></a></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step4 :</b> Install it by going through the required steps.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLWDmS6Re2QwSPpGWVrs2k867N6bheAtd7emXUFN9Q9WGxp_Pz02e-6XiWP0JQDHheV9SMkOIDWdv3UXPmI_L7EzAJ6yFY6WT0y8XecvWrgECCOB088zfniBlRwcie3WjQIEje8sx73mQi/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLWDmS6Re2QwSPpGWVrs2k867N6bheAtd7emXUFN9Q9WGxp_Pz02e-6XiWP0JQDHheV9SMkOIDWdv3UXPmI_L7EzAJ6yFY6WT0y8XecvWrgECCOB088zfniBlRwcie3WjQIEje8sx73mQi/s640/4.png" width="640" /></a></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step5 : </b>Restart the server.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjimk8FoyyGdoeHyL6TuRdu-yfBcV_m4E1sTTdPdqykuYKrpFbFS-lsuNRDQvNfRJYJrjguKiMy_9lugCRlIghiTsLfaLBe4Ok9bBPewiyQD8JCTTA386a6z3-rXA_GgEiQfFBxU0pjKzU/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjimk8FoyyGdoeHyL6TuRdu-yfBcV_m4E1sTTdPdqykuYKrpFbFS-lsuNRDQvNfRJYJrjguKiMy_9lugCRlIghiTsLfaLBe4Ok9bBPewiyQD8JCTTA386a6z3-rXA_GgEiQfFBxU0pjKzU/s640/6.png" width="640" /></a></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">However, due to the following issues, the P2 installation does not work out of the box; they will probably be fixed in the next release.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">1. <a href="https://wso2.org/jira/browse/IDENTITY-595">https://wso2.org/jira/browse/IDENTITY-595</a></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">2. <a href="https://wso2.org/jira/browse/IDENTITY-512">https://wso2.org/jira/browse/IDENTITY-512</a></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">3. <a href="https://wso2.org/jira/browse/IDENTITY-596">https://wso2.org/jira/browse/IDENTITY-596</a></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Therefore you need to go through the following additional steps to get it working.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">1. Do the proper attribute mapping for your user store. </span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">2. Delete the current database, create a new one and start the server with the -Dsetup option (basically you need to point to a new registry and user management database).</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">3. Uninstall the SCIM feature from WSO2 Identity Server. </span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">After the installation, you will see new UI links in WSO2 Identity Server. The most important addition, however, is the APIs: two web service APIs are deployed with the identity management feature, and external applications can use them to implement identity management use cases.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdzu83yKnILbf0oah7jsiIfHXoOKuKhLHl_XCPv-PeWLXMxQGaJhX5tzbCE6RQnBeZweBsag0FIAwxqMJVQIg1JAKbylt0hkPPSrzeoScYntb6VBGj9CWfRMK4g0W8DXDYDvuthiP7_OMb/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdzu83yKnILbf0oah7jsiIfHXoOKuKhLHl_XCPv-PeWLXMxQGaJhX5tzbCE6RQnBeZweBsag0FIAwxqMJVQIg1JAKbylt0hkPPSrzeoScYntb6VBGj9CWfRMK4g0W8DXDYDvuthiP7_OMb/s400/7.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg6RnYNpEzlub3HzfkT4zcV7K6q-G1xYaKNIxJ7YFE456JF-biiotFeFQzaDQ-iz7Y-gkLBMEv5dW2NAC8rSG4E7lldju83c8DTptRl1cEWRuT5xVnE78XJuPFfmRNnCeAM3zKLZyPyWU_/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg6RnYNpEzlub3HzfkT4zcV7K6q-G1xYaKNIxJ7YFE456JF-biiotFeFQzaDQ-iz7Y-gkLBMEv5dW2NAC8rSG4E7lldju83c8DTptRl1cEWRuT5xVnE78XJuPFfmRNnCeAM3zKLZyPyWU_/s400/8.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3cmVxsrjuCcMpdMFi9o8TMnFG9EhGWaxf3tf8JXo5avWQY6ynG3Hc2Y4nKBMaZ0AB2aKWQgQ7Q2Bf9hCZXBHiUxSMPkVFf25oGekpb1VT6muKFHTtZOwcM4bre3c6MZ__oONdqOhLb1ls/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3cmVxsrjuCcMpdMFi9o8TMnFG9EhGWaxf3tf8JXo5avWQY6ynG3Hc2Y4nKBMaZ0AB2aKWQgQ7Q2Bf9hCZXBHiUxSMPkVFf25oGekpb1VT6muKFHTtZOwcM4bre3c6MZ__oONdqOhLb1ls/s400/9.png" width="400" /></a></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">There are also some new configuration settings that you need to know about in the following configuration files.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>user-mgt.xml file</b></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"> Email and CAPTCHA are used in the account and password recovery processes. The actual application (for example, an application that uses the WSO2 Identity Server API) can handle email sending and CAPTCHA management itself, or it can delegate them to WSO2 Identity Server using the following properties: </span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"> </span></div>
<pre class="xml" name="code">
<Property name="emailSendingInternallyManaged">true</Property>
<Property name="captchaVerificationInternallyManaged">true</Property>
</pre>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"> After the maximum number of failed login attempts, the user account is locked. The number of attempts can be configured: </span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<br /></div>
<pre class="xml" name="code">
<Property name="maxFailedLoginAttempt">3</Property>
</pre>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"> When a temporary or one-time password is used to create a user account, that password can be configured as follows:</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<pre class="xml" name="code">
<Property name="defaultPassword">123456</Property>
</pre>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>claim-config.xml</b> </span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">There are new user attributes that have been introduced with this feature, and we need to configure them properly here.</span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>email-admin-config.xml</b></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">If email is sent by WSO2 Identity Server, we need to configure its content. This file lets us configure the content for the different use cases. </span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>axis2.xml </b></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"> If email is sent by WSO2 Identity Server, you also need to configure the Axis2 mail transport sender: </span></div>
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<pre class="xml" name="code">
<transportSender name="mailto"
class="org.apache.axis2.transport.mail.MailTransportSender">
<parameter name="mail.smtp.from">wso2is@gmail.com</parameter>
<parameter name="mail.smtp.user">wso2is</parameter>
<parameter name="mail.smtp.password">222222</parameter>
<parameter name="mail.smtp.host">smtp.gmail.com</parameter>
<parameter name="mail.smtp.port">587</parameter>
<parameter name="mail.smtp.starttls.enable">true</parameter>
<parameter name="mail.smtp.auth">true</parameter>
</transportSender>
</pre>
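<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">To make the settings above easy to review before a deployment, here is an added example (my own Python, not part of WSO2 Identity Server) that parses constructed fragments of user-mgt.xml and axis2.xml with the standard library and reports the values a reviewer would flag: an unset or unreasonable maxFailedLoginAttempt, a trivially guessable defaultPassword such as the 123456 shown above, and a mail transport sender that lacks STARTTLS or SMTP authentication or uses a weak mailbox password. The element and property names are the ones shown in this post; the thresholds, the weak-value list and the wrapper elements around the fragments are this example's own assumptions.</span></div>

```python
import xml.etree.ElementTree as ET

# Constructed sample: the user-mgt.xml properties shown in the post, wrapped
# in a minimal root element (the real file has more structure around them).
USER_MGT_XML = """<UserManager>
  <Realm>
    <Configuration>
      <Property name="emailSendingInternallyManaged">true</Property>
      <Property name="captchaVerificationInternallyManaged">true</Property>
      <Property name="maxFailedLoginAttempt">3</Property>
      <Property name="defaultPassword">123456</Property>
    </Configuration>
  </Realm>
</UserManager>"""

# Constructed sample: the axis2.xml mail transport sender shown in the post.
AXIS2_XML = """<axisconfig>
  <transportSender name="mailto"
      class="org.apache.axis2.transport.mail.MailTransportSender">
    <parameter name="mail.smtp.from">wso2is@gmail.com</parameter>
    <parameter name="mail.smtp.user">wso2is</parameter>
    <parameter name="mail.smtp.password">222222</parameter>
    <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
    <parameter name="mail.smtp.port">587</parameter>
    <parameter name="mail.smtp.starttls.enable">true</parameter>
    <parameter name="mail.smtp.auth">true</parameter>
  </transportSender>
</axisconfig>"""

# Values that should never be used as a provisioning password (own list, assumption).
WEAK_DEFAULTS = {"", "123456", "password", "admin", "changeme", "welcome"}


def named_values(parent, tag):
    """Return {name: text} for every <tag name="...">text</tag> below parent."""
    return {el.get("name"): (el.text or "").strip() for el in parent.iter(tag)}


def audit_user_mgt(xml_text, max_attempts_ceiling=10):
    """Findings for the identity-management properties in user-mgt.xml."""
    props = named_values(ET.fromstring(xml_text), "Property")
    findings = []

    attempts = props.get("maxFailedLoginAttempt")
    if attempts is None:
        findings.append("maxFailedLoginAttempt is not set: accounts are never locked")
    elif not attempts.isdigit() or not 1 <= int(attempts) <= max_attempts_ceiling:
        findings.append(f"maxFailedLoginAttempt={attempts} is outside 1..{max_attempts_ceiling}")

    pwd = props.get("defaultPassword")
    if pwd is not None and (pwd.lower() in WEAK_DEFAULTS or len(pwd) < 8):
        findings.append("defaultPassword is trivially guessable; use a random value and force a change at first login")

    # Both delegation flags must be explicit booleans, whichever way they are set.
    for flag in ("emailSendingInternallyManaged", "captchaVerificationInternallyManaged"):
        if props.get(flag) not in ("true", "false"):
            findings.append(f"{flag} is missing or not true/false")
    return findings


def audit_mail_sender(xml_text):
    """Findings for the mailto transportSender in axis2.xml."""
    root = ET.fromstring(xml_text)
    sender = next((s for s in root.iter("transportSender") if s.get("name") == "mailto"), None)
    if sender is None:
        return ["no mailto transportSender: internally managed email cannot be delivered"]
    params = named_values(sender, "parameter")
    findings = []
    if params.get("mail.smtp.starttls.enable") != "true":
        findings.append("mail.smtp.starttls.enable is not true: credentials would cross the network in clear")
    if params.get("mail.smtp.auth") != "true":
        findings.append("mail.smtp.auth is not true")
    pwd = params.get("mail.smtp.password", "")
    if pwd.isdigit() or len(pwd) < 12:
        findings.append("mail.smtp.password is short or all digits; use a dedicated, strong mailbox credential")
    return findings


if __name__ == "__main__":
    for label, findings in (("user-mgt.xml", audit_user_mgt(USER_MGT_XML)),
                            ("axis2.xml", audit_mail_sender(AXIS2_XML))):
        print(label, "->", findings or ["ok"])
```

<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Run against the two fragments above, the script flags only the defaultPassword and the mail.smtp.password; point the two audit functions at the real files under <IS_HOME>/repository/conf to check a live server.</span></div>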
Posted by Asela (http://www.blogger.com/profile/08941025038081812446), published 2012-11-12, updated 2012-11-18<br />
<b>Multiple user store manager feature with WSO2 Identity Server 4.0.0</b><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">This is a powerful feature shipped with the WSO2 Identity Server 4.0.0 release. With it, you can configure more than one user store in WSO2 Identity Server. The user stores can be LDAP, JDBC or AD, or a combination of different user store types, and each can be configured in either read/write or read-only mode.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">I am going to use this feature to configure an LDAP directory with multiple OUs (Organizational Units), where each OU is treated as a different user store. There are scenarios where we want WSO2 Identity Server to treat an OU as a separate user store. For example, we may want to connect different OUs to WSO2 Identity Server in read/write mode, with each user created in a defined OU. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">First, let's assume our existing LDAP structure is as follows: there are three OUs under the "pathberiya.com" domain (i.e. dc=pathberiya,dc=com). Each OU contains users, and these users are assigned to roles that are defined under the "pathberiya.com" domain. There are also users directly under the "pathberiya.com" domain. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQFinyQaDalaGL4FrZY08GSwsIVgduFDZAiMyU_A99FBl5jS9OXIf8Qwgz3QFutsN3Xnq4fjmZqol2Tneaj-_XpLim2RUqB7RvSg97CnkyqsrGH_B8WNWWZjG0cEOk1ATZdUEQO8bo_kpG/s1600/ldap1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQFinyQaDalaGL4FrZY08GSwsIVgduFDZAiMyU_A99FBl5jS9OXIf8Qwgz3QFutsN3Xnq4fjmZqol2Tneaj-_XpLim2RUqB7RvSg97CnkyqsrGH_B8WNWWZjG0cEOk1ATZdUEQO8bo_kpG/s640/ldap1.png" width="640" /></a></div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step1. </b> Identify the OUs that must be connected to WSO2 Identity Server. In the sample above, they are: </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">ou=users,dc=pathberiya,dc=com,ou=system</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">ou=users,ou=it,dc=pathberiya,dc=com,ou=system</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">ou=users,ou=sales,dc=pathberiya,dc=com,ou=system</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">ou=users,ou=marketing,dc=pathberiya,dc=com,ou=system</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step2.</b> Create user store configurations for each OU. As each OU is treated as a user store, we need to create a separate user store manager configuration for each and configure them in the user-mgt.xml file, which can be found in the <IS_HOME>/repository/conf directory.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">(i) WSO2 Identity Server identifies each user store by a domain name, so let's assign a domain name to each OU (any name you prefer):</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">dc=pathberiya,dc=com,ou=system ========== > pathberiya.com</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">ou=users,ou=it,dc=pathberiya,dc=com,ou=system ======= > it.com</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">ou=users,ou=sales,dc=pathberiya,dc=com,ou=system ======= > sales.com</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">ou=users,ou=marketing,dc=pathberiya,dc=com,ou=system ======= > marketing.com </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Please note that in the "pathberiya.com" domain, the users of all four OUs can be seen.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">(ii) We need to identify one user store as the primary user store. The primary user store must be the first user store configuration in the user-mgt.xml file. Let's see what the functions of the primary user store are.</span><br />
<ul>
<li><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">If no domain name is given with the user name, the user is first authenticated against the primary user store. If that fails, the user is authenticated against the other user stores in the order in which they are configured in the user-mgt.xml file.</span></li>
<li><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">The User Management UI of WSO2 Identity Server is loaded from this user store; it does not show the users of the other user stores.</span></li>
</ul>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Since all users can be seen in the "pathberiya.com" domain, we set this domain as the primary user store.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">(iii) Next, let's identify the role search base for WSO2 Identity Server's roles:</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">ou=roles,dc=pathberiya,dc=com,ou=system</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">(iv) Then we need to identify the admin user and the admin role for WSO2 Identity Server from the user stores (OUs) above.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Let's select the user called "adminUser" in the primary user store as the admin user for WSO2 Identity Server, and the "admin" role in ou=roles,dc=pathberiya,dc=com,ou=system as the admin role for WSO2 Identity Server.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Let's see the final configuration of the user-mgt.xml file; you can find it <a href="https://svn.wso2.org/repos/wso2/people/asela/wso2-samples/user-manager/multiple-user-store/conf/user-mgt.xml">here</a>. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Basically you can create one user store configuration as follows, and then create the user store configurations for the other OUs easily by changing the "UserSearchBase", "UserDNPattern" and "DomainName" properties. </span><br />
<pre class="xml" name="code">
<!-- One UserStoreManager per OU; the other OUs differ only in
     UserSearchBase, UserDNPattern and DomainName -->
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <!-- LDAP connection and the identity the server binds with -->
    <Property name="ConnectionURL">ldap://localhost:10389</Property>
    <Property name="ConnectionName">uid=admin,ou=system</Property>
    <Property name="ConnectionPassword">secret</Property>
    <!-- User lookup: the search base and filters for this OU -->
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <Property name="UserEntryObjectClass">inetOrgPerson</Property>
    <Property name="UserSearchBase">ou=users,ou=it,dc=pathberiya,dc=com,ou=system</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
    <Property name="UserNameAttribute">uid</Property>
    <!-- Input validation for user names, role names and passwords -->
    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-]{3,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
    <!-- Roles (groups) are shared: all OUs read and write the same search base -->
    <Property name="ReadLDAPGroups">true</Property>
    <Property name="WriteLDAPGroups">true</Property>
    <Property name="EmptyRolesAllowed">false</Property>
    <Property name="GroupSearchBase">ou=roles,dc=pathberiya,dc=com,ou=system</Property>
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
    <Property name="GroupEntryObjectClass">groupOfNames</Property>
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MembershipAttribute">member</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
    <!-- Where new users are created, and the domain prefix that selects this store -->
    <Property name="UserDNPattern">uid={0},ou=users,ou=it,dc=pathberiya,dc=com,ou=system</Property>
    <Property name="DomainName">it.com</Property>
</UserStoreManager>
</pre>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step3</b>. Start WSO2 Identity Server by running the wso2server script from the <IS_HOME>/bin directory.</span><br />
<br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step4.</b> Try the authentication and user management functions with a sample client (or SoapUI). <a href="https://svn.wso2.org/repos/wso2/people/asela/wso2-samples/user-manager/user-admin-client-4.0.0/">Here</a> is sample code that runs the user management functions.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">When authenticating users, if the user (say "user1") is in the it.com domain (the IT OU), you need to pass the user name as it.com/user1.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">When creating a user in the sales domain (the Sales OU), you need to provide the user name as "sales.com/newUser1".</span><br />
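<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">To show how the domain prefix selects a store, here is an added example in Python (my own illustration, not WSO2 code) that loads an ordered list of UserStoreManager entries from a constructed user-mgt.xml fragment, picks the store for names such as it.com/user1 or a bare adminUser (which goes to the primary, first store), and builds the bind DN from UserDNPattern and the lookup filter from UserNameSearchFilter. The escaping of the user-supplied name (RFC 4514 rules for the DN, RFC 4515 rules for the filter) is this example's own; the real ReadWriteLDAPUserStoreManager is not reproduced here.</span><br />

```python
import xml.etree.ElementTree as ET

# Constructed user-mgt.xml fragment with two of the stores from the post,
# in file order (the first one is the primary store).
USER_MGT_XML = """<UserManager><Realm>
  <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="UserSearchBase">ou=users,dc=pathberiya,dc=com,ou=system</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
    <Property name="UserDNPattern">uid={0},ou=users,dc=pathberiya,dc=com,ou=system</Property>
    <Property name="DomainName">pathberiya.com</Property>
  </UserStoreManager>
  <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="UserSearchBase">ou=users,ou=it,dc=pathberiya,dc=com,ou=system</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
    <Property name="UserDNPattern">uid={0},ou=users,ou=it,dc=pathberiya,dc=com,ou=system</Property>
    <Property name="DomainName">it.com</Property>
  </UserStoreManager>
</Realm></UserManager>"""


def load_stores(xml_text):
    """Return the user stores in file order, each as a {property: value} dict."""
    stores = []
    for usm in ET.fromstring(xml_text).iter("UserStoreManager"):
        props = {p.get("name"): (p.text or "").strip() for p in usm.iter("Property")}
        props["class"] = usm.get("class")
        stores.append(props)
    return stores


def split_domain(username):
    """'it.com/user1' -> ('it.com', 'user1'); 'user1' -> (None, 'user1')."""
    if "/" in username:
        domain, _, name = username.partition("/")
        return domain.lower(), name
    return None, username


def select_store(stores, username):
    """Pick the store named by the domain prefix; with no prefix, the primary (first) store."""
    domain, name = split_domain(username)
    if domain is None:
        return stores[0], name
    for store in stores:
        if store.get("DomainName", "").lower() == domain:
            return store, name
    raise LookupError(f"no user store configured for domain {domain!r}")


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN (own implementation)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter (own implementation)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def bind_dn(store, name):
    """DN the server binds as when authenticating this user in this store."""
    return store["UserDNPattern"].replace("{0}", escape_dn_value(name))


def search_filter(store, name):
    """Filter the server would search with to find this user's entry."""
    return store["UserNameSearchFilter"].replace("?", escape_filter_value(name))


if __name__ == "__main__":
    stores = load_stores(USER_MGT_XML)
    for login in ("it.com/user1", "adminUser"):
        store, name = select_store(stores, login)
        print(login, "->", store["DomainName"], bind_dn(store, name), search_filter(store, name))
```

<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">The escaping step is the part worth keeping in mind: a name like a*)(uid=* must never be substituted into the filter verbatim, and a comma in a name must not be allowed to change the DN structure.</span><br />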
<div>
<br /></div>
Posted by Asela (http://www.blogger.com/profile/08941025038081812446), published 2012-11-09, updated 2012-11-11<br />
<b>Disabling WS-Security for IN or OUT messages in Axis2</b><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">This is another blog post on WS-Security with Apache Rampart. Usually, when we secure a web service with WS-Security, both the web service request and the response messages are secured. But there are scenarios where you want to configure WS-Security only for the web service request or only for the response. Say you are sending some secret data to the web server, but the server's response just says "yes" or "no"; here you do not need to worry about securing the response message. There are several use cases like this. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Let's see how we can configure this with Apache Rampart, the security module of Axis2. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">There are two approaches for this. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Approach 1</b> : Apache Rampart is an Axis2 module that encapsulates several Axis2 handlers. The configuration file called "module.xml" is used to configure this module. If we want to remove security processing for response messages, we can simply remove the defined Axis2 handlers from the OutFlow section. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">But there is a drawback: if we remove the Axis2 handlers from the OutFlow section, this affects all the services deployed in the Axis2 engine. Therefore, there must be a way to configure this at the service level. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Approach 2 </b>: As suggested <a href="http://blog.rampartfaq.com/2009/11/how-to-generate-non-secure-response-to.html">here</a>, we can write a new simple module (say a "NoSecurity" module) and plug it into the Axis2 handler chain, where this module asks to skip the Rampart module (handlers). We can then engage the "NoSecurity" module only for the desired services. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4RpWiegqfeya_Ob7-qXfsWeVUppKK3p6RlKStmgErci-u6xbXnf0Jr_bP6y3rwWGk791-Zx85zxjdxTq6zBcr9Okco4DsZOJmzBPCSsAnj5FjGQiUhTUH5UMNxkop3GbF2699JSyKkO61/s1600/in-out+flow.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4RpWiegqfeya_Ob7-qXfsWeVUppKK3p6RlKStmgErci-u6xbXnf0Jr_bP6y3rwWGk791-Zx85zxjdxTq6zBcr9Okco4DsZOJmzBPCSsAnj5FjGQiUhTUH5UMNxkop3GbF2699JSyKkO61/s640/in-out+flow.jpg" width="640" /></a></div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">However, it is not easy to write a module that skips Rampart. Therefore I have used the concept of IN and OUT policies in Rampart: here we configure an OUT policy that has no security assertion, so that security processing is skipped. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">The "NoSecurity" <a href="https://svn.wso2.org/repos/wso2/people/asela/ws-security/no-security">Project</a> contains a handler called "NoSecurityHandler" that injects the IN or OUT policy into Rampart. This handler must be placed in the "NoSecurity" phase of the Axis2 message flows. The handler is packaged in the "NoSecyrityModule" module.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Let's see how we can configure this module in a practical use case. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Use case 1</b> : </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">WSO2 AS is our web service engine, and we apply this module to the echo service hosted there. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step1</b>. Make the desired changes to the module and build it with Maven. You will find the .mar module in the target directory.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step2</b>. Copy the .mar module into the <CARBON_HOME>/repository/deployment/server/axis2modules directory. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step3</b>. Configure the new "NoSecurity" phase in the axis2.xml file, which can be found in the <CARBON_HOME>/repository/conf/axis2 directory.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Here you can select the desired flow, i.e. InFlow, OutFlow, InFaultFlow or OutFaultFlow. I am configuring it in the OutFlow, before the "Security" phase. </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step4</b>. Restart the server</span><br />
<br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step5</b>. Log in to the management console of the Carbon server and go to the service dashboard page of the echo service. </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4YvSpul3Z89eQrCQI_3vn1vb6ZRNIVfL-DP9E6A-HNv1mOB77-8oXQgDjsA-Bcm3_JzKtP1uAd4N_Ap9r_Zv1TZh4Ec7sWofuWlXaOOKevbpocCaIyBwinHSZAqoZSHblGdRmM6aX2Zag/s1600/noS1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="289" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4YvSpul3Z89eQrCQI_3vn1vb6ZRNIVfL-DP9E6A-HNv1mOB77-8oXQgDjsA-Bcm3_JzKtP1uAd4N_Ap9r_Zv1TZh4Ec7sWofuWlXaOOKevbpocCaIyBwinHSZAqoZSHblGdRmM6aX2Zag/s640/noS1.png" width="640" /></a></div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step6</b>. Go to the module configuration and select your "NoSecurity" module to engage it.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrESLLQ-jpPvI99cbqfGTmyq9WEfeo_vQLK9kkToA80ZThdkjLaEEC3qaF6XH5FLG-x5k8iLi8siWAIrC3Jr4Jkt_Mz-f1uUDHOORXRvNdR4g8T2MpgT-0y6wVYkT7Fb9WKpMu8ZlOzc6j/s1600/noS2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrESLLQ-jpPvI99cbqfGTmyq9WEfeo_vQLK9kkToA80ZThdkjLaEEC3qaF6XH5FLG-x5k8iLi8siWAIrC3Jr4Jkt_Mz-f1uUDHOORXRvNdR4g8T2MpgT-0y6wVYkT7Fb9WKpMu8ZlOzc6j/s640/noS2.png" width="640" /></a></div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step7</b>. Now you are done. You can engage and disengage this module for each service using the Carbon management console.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLwBKAMQLVtJT8CjIni7Grq-_UMxZDGtwDv3eGJbxtJ_jyjqy2hxhra0KBGHN52_6_lWN6CqJ-Gu489Dau1fazR8My4uiuvVMVCyAIaS2Xz9Xbgj99XBpjIMkW4uqzBqQVpCrTAdm-Xjd5/s1600/noS3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLwBKAMQLVtJT8CjIni7Grq-_UMxZDGtwDv3eGJbxtJ_jyjqy2hxhra0KBGHN52_6_lWN6CqJ-Gu489Dau1fazR8My4uiuvVMVCyAIaS2Xz9Xbgj99XBpjIMkW4uqzBqQVpCrTAdm-Xjd5/s640/noS3.png" width="640" /></a></div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Use case 2</b> : </span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">WSO2 ESB acts as a proxy service engine for your message mediation. Here we are going to engage this module to disable the security check on the messages coming in from the BE service. Writing the module is therefore a little different, because WSO2 ESB deals with two in-flows: messages coming in to the proxy service from the client, and response messages coming in from the BE service.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6-WKslu9BgSm6m37zDXGxra9j5UhY7TofTjT6DEBP5famICd4bc-9hiOB7pRzkiBm1-sqdL0SKV31LXYnPRl11A95nYaAXt3bpSbJeekxlZ4_UgsCy5EGxoWVpzOBC91_SSLX21oXS8Wh/s1600/ESB+out-in+flow.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6-WKslu9BgSm6m37zDXGxra9j5UhY7TofTjT6DEBP5famICd4bc-9hiOB7pRzkiBm1-sqdL0SKV31LXYnPRl11A95nYaAXt3bpSbJeekxlZ4_UgsCy5EGxoWVpzOBC91_SSLX21oXS8Wh/s640/ESB+out-in+flow.jpg" width="640" /></a></div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">If we want to enable this module only for messages coming from BE services, we can add a simple check on a message context property called "synapse.send":</span><br />
<pre class="java" name="code">// "synapse.send" is "true" only on the response in-flow from the BE service,
// so the in-flow from the client is left untouched
if ("true".equals(messageContext.getProperty("synapse.send"))) {
    // response from the BE service: skip the security check here
}
</pre>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Please find the module project for this <a href="https://svn.wso2.org/repos/wso2/people/asela/ws-security/no-security/">here</a>. The configuration steps are the same as for WSO2 AS; the only difference is that we need to select the correct Axis2 phase to engage the handler in.</span><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
Aselahttp://www.blogger.com/profile/08941025038081812446noreply@blogger.com0tag:blogger.com,1999:blog-7814469042984115284.post-60934226862563535922012-11-05T02:44:00.003-08:002014-09-17T13:29:48.329-07:00How to invoke secured backend service using WSO2 ESB<b>Please visit my new blog for this post <a href="http://soasecurity.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/">here</a>.</b><br />
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">WSO2 ESB can be used to implement various security patterns in your SOA. It supports message-level security based on the WS-Security specification. In this blog post, we are going to use WSO2 ESB to invoke a secured BE service. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Client -------------------> WSO2 ESB
-------------------> BE service. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Let's assume the BE service is secured with a WS-Security policy. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">The policy requires both signature and encryption, and the client must present an X.509 certificate for authentication. That means the WSO2 ESB proxy service itself must authenticate to the BE service. The security policy therefore provides authentication, integrity and confidentiality. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><a href="https://svn.wso2.org/repos/wso2/people/asela/ws-security/esb-endpoint-security/wsdl.xml">Here</a> is the WSDL of the BE service. It is just a simple echo service. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Let's go through it step by step.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step1 : </b>We need to create a matching policy on the WSO2 ESB side to invoke the BE service. We can simply copy the policy from the WSDL for this. It would be something like <a href="https://svn.wso2.org/repos/wso2/people/asela/ws-security/esb-endpoint-security/policy.xml">this</a>.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step2 :</b> To sign and encrypt, we need to tell the ESB which keys to use: the private key it signs with and the public certificate it encrypts to. This is done through configuration. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">WSO2 ESB uses Apache Rampart as its WS-Security implementation. Rampart has its own way of defining the keystore and key data, through a configuration called the "Rampart configuration". </span><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">We can add this Rampart configuration into the security policy as an assertion. Please find more details about the Rampart configuration <a href="http://axis.apache.org/axis2/java/rampart/rampartconfig-guide.html">here</a>.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Let's add the Rampart configuration. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">To sign and encrypt, we need to specify the following: </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">1. Signature and encryption crypto. As we are using keystores, this means the keystore details: keystore file, password, type and so on. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">We can define them as follows (note that the Rampart element names are case-sensitive, and that the encryption crypto element really is spelled "encryptionCypto"):</span></div>
<pre class="xml" name="code">
<ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">/home/asela/Security/resources/keys/client.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
    </ramp:crypto>
</ramp:signatureCrypto>
<ramp:encryptionCypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.file">/home/asela/Security/resources/keys/client.jks</ramp:property>
        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</ramp:property>
    </ramp:crypto>
</ramp:encryptionCypto>
</pre>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">2. Private key (certificate) that is going to sign the message </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">This is the alias of the client's private key in the client.jks file:</span></div>
<div>
<pre class="xml" name="code"><ramp:userCertAlias>client</ramp:userCertAlias>
</pre>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">3.
Public key (certificate) that is going to encrypt the message</span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">This is the alias of the BE service's public certificate, which is also held in my client.jks file:</span></div>
<div>
<pre class="xml" name="code"><ramp:encryptionUser>service</ramp:encryptionUser>
</pre>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">4.
Private key password </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">We cannot define the private key password in the Rampart configuration; we need to provide it through a password callback implementation. Therefore here I am defining the class name of the password callback implementation: </span></div>
<pre class="xml" name="code"><ramp:passwordCallbackClass>org.wso2.samples.pwcb.PWCBHandler</ramp:passwordCallbackClass>
</pre>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Now we are done with the policy; it would look like <a href="https://svn.wso2.org/repos/wso2/people/asela/ws-security/esb-endpoint-security/BEPolicy-sign-encrypt.xml">this</a>.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step3 :</b> Let's create a password callback class to inject the private key password. You can get help from <a href="http://pathberiya.blogspot.com/2010/02/how-to-create-password-callback-class.html">this</a> blog post. </span></div>
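A minimal password callback class for this setup, as an added example rather than the class from the linked post. It assumes the aliases used on this page ("client" for the ESB's own key) and reads the key password from a JVM system property named <code>pwcb.client.password</code>, which is a name chosen for this example and not something Rampart defines.

```java
package org.wso2.samples.pwcb;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Rampart invokes this handler whenever it needs a private key password.
 * The callback's identifier is the keystore alias and its usage says why
 * the key is needed (signing the request, decrypting the response, ...).
 */
public class PWCBHandler implements CallbackHandler {

    // Alias of the ESB's own private key in client.jks (the userCertAlias in the policy).
    private static final String ESB_KEY_ALIAS = "client";

    // Example property name (an assumption of this example): start the server with
    // -Dpwcb.client.password=... instead of hard-coding the password in the class.
    private static final String PASSWORD_PROPERTY = "pwcb.client.password";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;

            switch (pwcb.getUsage()) {
                case WSPasswordCallback.SIGNATURE: // signing the request with our private key
                case WSPasswordCallback.DECRYPT:   // decrypting a response encrypted to our certificate
                    pwcb.setPassword(lookupPassword(pwcb.getIdentifier()));
                    break;
                default:
                    // This policy has no UsernameToken or other token types: refuse rather
                    // than silently hand out a password for a usage we did not expect.
                    throw new UnsupportedCallbackException(callback,
                            "unexpected password usage " + pwcb.getUsage());
            }
        }
    }

    private static String lookupPassword(String alias) throws IOException {
        if (!ESB_KEY_ALIAS.equals(alias)) {
            // Only our own key is ever unlocked; "service" is a public certificate with no private key here.
            throw new IOException("no private key password for alias '" + alias + "'");
        }
        String password = System.getProperty(PASSWORD_PROPERTY);
        if (password == null || password.isEmpty()) {
            throw new IOException("system property " + PASSWORD_PROPERTY + " is not set");
        }
        return password;
    }
}
```

Package the class in a jar and drop it into the ESB's classpath (the lib directory of the Carbon server) so that Rampart can load it by the name given in <code>passwordCallbackClass</code>. Failing closed on unknown aliases and unexpected usages is what makes the callback safe to share across policies: a handler that answers every request with the same password turns any policy that names it into a way to unlock the key.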
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step4 :</b> Upload our policy to the WSO2 ESB. Here we are uploading the created policy file as a resource in the WSO2 ESB's registry. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">1. Log in to the WSO2 ESB management console and go to the "Registry Browser". </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6XU6uo5uRylMY9PIg2riP9Qrsnr7CB7XY1X7n8ThjFQDybXShPPuaQKB-lcaef2oGB1q5epRR1HWcZhwmouLKGPEwoaBwHlqkX-8B3bdLpcjEzaKTKZzkjIReUnSBWiScBgAPM-JZXcgv/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6XU6uo5uRylMY9PIg2riP9Qrsnr7CB7XY1X7n8ThjFQDybXShPPuaQKB-lcaef2oGB1q5epRR1HWcZhwmouLKGPEwoaBwHlqkX-8B3bdLpcjEzaKTKZzkjIReUnSBWiScBgAPM-JZXcgv/s640/03.png" height="291" width="640" /></a></div>
<br />
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">2. Add a new registry collection (folder) in your preferred location. I have selected the governance collection for this. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNmT8xuG0oPKjkVK5KC59vLjWqz-FGDG32-xzkZi1msSlNoxUEdNDQ7AKIYJ1q7MZGxi73NeqcDvrsGvNHcgUhP-FHOV8-Pd0GaymBasFbzTnqexLTFUllDEwU32uM0BbaKZEQ3Bx3uvX9/s1600/02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNmT8xuG0oPKjkVK5KC59vLjWqz-FGDG32-xzkZi1msSlNoxUEdNDQ7AKIYJ1q7MZGxi73NeqcDvrsGvNHcgUhP-FHOV8-Pd0GaymBasFbzTnqexLTFUllDEwU32uM0BbaKZEQ3Bx3uvX9/s640/02.png" height="291" width="640" /></a></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">3. Upload the policy from the file system as a resource. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6XU6uo5uRylMY9PIg2riP9Qrsnr7CB7XY1X7n8ThjFQDybXShPPuaQKB-lcaef2oGB1q5epRR1HWcZhwmouLKGPEwoaBwHlqkX-8B3bdLpcjEzaKTKZzkjIReUnSBWiScBgAPM-JZXcgv/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6XU6uo5uRylMY9PIg2riP9Qrsnr7CB7XY1X7n8ThjFQDybXShPPuaQKB-lcaef2oGB1q5epRR1HWcZhwmouLKGPEwoaBwHlqkX-8B3bdLpcjEzaKTKZzkjIReUnSBWiScBgAPM-JZXcgv/s640/03.png" height="291" width="640" /></a></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step5 :</b> Create an ESB endpoint for the BE service with security.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">1. Go to the Endpoint configuration UI in the management console. </span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg89rzVp1qwll89nIYAq4NAiH2qSUZZYuS5hORERVzV8KW1pm-y0yfVswaiWyOzf8eSj63353l1S1BSOSUwGSZ5aZS6O8Q4qvQqteAV58HUa2N7vpbAgYkA2BCy0iCfl165htvLD8attv03/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg89rzVp1qwll89nIYAq4NAiH2qSUZZYuS5hORERVzV8KW1pm-y0yfVswaiWyOzf8eSj63353l1S1BSOSUwGSZ5aZS6O8Q4qvQqteAV58HUa2N7vpbAgYkA2BCy0iCfl165htvLD8attv03/s640/1.png" height="289" width="640" /></a></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">2. Create a new address endpoint with your BE service configuration and then select the advanced options. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLM26lhoUPF8lk60H7LwJU2EuKR1rGV2ALZhyphenhyphenuMJqGor3GYidJWiFOt0ySJrd0D36vIkgXxpOimPxG5gJNxVOELidQCpZ5aBTaxJpkABxFWhCE6IutFRPGoPj6NjlaNtGdnzqhFlsi1V8a/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLM26lhoUPF8lk60H7LwJU2EuKR1rGV2ALZhyphenhyphenuMJqGor3GYidJWiFOt0ySJrd0D36vIkgXxpOimPxG5gJNxVOELidQCpZ5aBTaxJpkABxFWhCE6IutFRPGoPj6NjlaNtGdnzqhFlsi1V8a/s640/2.png" height="288" width="640" /></a></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">3. Select the WS-Security option under QoS in the advanced options.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh35qMTkqjZmZCfws3LVTEbLGZDvW0DsAEeiiHIQDQOZXxsFNyITvELDEpWmayGm7q1tdmjxrwjPAT_WQFLogVuppiJFadFaT7RyEX1CQ6btK-aun1aB3M_Mh9ycnUh-gZ6Ki54dv7fzvAK/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh35qMTkqjZmZCfws3LVTEbLGZDvW0DsAEeiiHIQDQOZXxsFNyITvELDEpWmayGm7q1tdmjxrwjPAT_WQFLogVuppiJFadFaT7RyEX1CQ6btK-aun1aB3M_Mh9ycnUh-gZ6Ki54dv7fzvAK/s640/3.png" height="288" width="640" /></a></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">4. Select the governance registry collection to locate the uploaded policy. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwy41iZEJEH4c3J_lTuIapYT-39-xOho32bNSgXOszGpMFW8ZNWizHNHhABQs8icCL-cgap2repXwAyN2PXI_B68rYlrOw5ZFHY8A57YxGoG1rPsFVUuVktn9E1HXUwRGRr6IbOUsIVP-U/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwy41iZEJEH4c3J_lTuIapYT-39-xOho32bNSgXOszGpMFW8ZNWizHNHhABQs8icCL-cgap2repXwAyN2PXI_B68rYlrOw5ZFHY8A57YxGoG1rPsFVUuVktn9E1HXUwRGRr6IbOUsIVP-U/s640/5.png" height="288" width="640" /></a></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">5. Finish the endpoint creation. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><b>Step6 : </b>Create sample proxy service with our secured endpoint.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">There are different ways to create a proxy service according to your preferences. Here I am creating a simple pass-through proxy. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">1. Create the proxy service by referencing the endpoint created above.</span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ4TFc1b_tWqNs2_okFgSSQKByQ2CBgRSm_gV4xd_ANfgVF6sE-MPe4bXChdNd0dY-J9qEtDc9gEYOlAp2C8jTud4duGBwTspxPqtRvQWWwKf7s0wb6uRObu5u77Fv41zN2GJhIRultTw1/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ4TFc1b_tWqNs2_okFgSSQKByQ2CBgRSm_gV4xd_ANfgVF6sE-MPe4bXChdNd0dY-J9qEtDc9gEYOlAp2C8jTud4duGBwTspxPqtRvQWWwKf7s0wb6uRObu5u77Fv41zN2GJhIRultTw1/s640/6.png" height="286" width="640" /></a></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">2. You can see the resulting synapse configuration for the proxy and the endpoint as follows. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCJQItbL3sIsiV2zSDyOQ1GyPLb7jSYDVpGefrANOSY3pQ4spAG9nYXEojRbxFAgHqKpJ8OA8AnyyKay2FYTLK-bQwJm6IuuBu9fIGLn6D8lmTGwpqeJQGy4S0C_gQ0sU6ysAzxE7nuYG5/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCJQItbL3sIsiV2zSDyOQ1GyPLb7jSYDVpGefrANOSY3pQ4spAG9nYXEojRbxFAgHqKpJ8OA8AnyyKay2FYTLK-bQwJm6IuuBu9fIGLn6D8lmTGwpqeJQGy4S0C_gQ0sU6ysAzxE7nuYG5/s640/7.png" height="284" width="640" /></a></div>
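The same endpoint and pass-through proxy written out as synapse configuration, the way the console generates them in Steps 4 to 6. This is an added example, not copied from the screenshot: the endpoint and proxy names, the BE service URL and the registry key of the uploaded policy (<code>gov:/policies/BEPolicy-sign-encrypt.xml</code>, i.e. the governance collection from Step4) are assumptions of the example.

```xml
<!-- Endpoint for the secured BE service. enableSec attaches the WS-Security
     policy uploaded to the registry in Step4, so every message sent through
     this endpoint is signed and encrypted by Rampart before it leaves the ESB. -->
<endpoint xmlns="http://ws.apache.org/ns/synapse" name="SecureEchoEndpoint">
    <address uri="http://localhost:9000/services/echo">
        <enableSec policy="gov:/policies/BEPolicy-sign-encrypt.xml"/>
    </address>
</endpoint>

<!-- Pass-through proxy. The client-facing side carries no security policy;
     the ESB talks to the BE service on the client's behalf with its own key. -->
<proxy xmlns="http://ws.apache.org/ns/synapse" name="EchoProxy"
       transports="http https" startOnLoad="true">
    <target endpoint="SecureEchoEndpoint">
        <outSequence>
            <send/>
        </outSequence>
    </target>
</proxy>
```

The policy key is resolved against the ESB registry, so if the collection or file name from Step4 differs, the endpoint fails at the first message rather than at deployment time; check the ESB log after the first invocation.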
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Now we are done! You can invoke the proxy service with a non-secured client. Keep in mind that the proxy has now become the open door to the BE service: whoever can reach the proxy invokes the BE service with the ESB's identity, so protect the proxy itself (with its own security policy or transport-level controls) before exposing it beyond a trusted network. </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><i>Previous </i></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Secured Client ------------------------------------------------> Secured BE service </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><i>Now with WSO2 ESB</i></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Non Secured Client </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">(Endpoint is changed to the proxy endpoint) ---------> WSO2 ESB -------------> </span><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Secured BE service </span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
</div>
</div>
Aselahttp://www.blogger.com/profile/08941025038081812446noreply@blogger.com1tag:blogger.com,1999:blog-7814469042984115284.post-66154632177200081122012-08-12T10:21:00.002-07:002014-09-17T13:32:05.209-07:00Secure plain text passwords in WSO2 Carbon configuration files<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"></span></span></span><br />
<div>
<b style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;">Please visit my new blog for this post <a href="http://soasecurity.org/2012/08/12/secure-plain-text-passwords-in-wso2-carbon-configuration-files/">here</a>.<span id="goog_1091937290"></span><span id="goog_1091937291"></span><a href="https://www.blogger.com/"></a></b><br />
<br />
<span style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: small; line-height: 16px;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><br /></span></span></span>
<span style="font-family: arial; line-height: 16px;">If you go through the conf directory of WSO2 products, there are some configuration files that contain secrets such as passwords. This blog post describes how to secure the plain text passwords in these configuration files. <a href="http://wso2.org/project/carbon/3.2.0/docs/secure_vault.html">This</a> [1] document gives a clear understanding of the secure vault implementation, but here I am going step by step through configuring it. Please note that this configuration is only valid for Carbon 3.2.X products. With the 4.0.X release the steps are the same, but there are new configuration files: for example, the "master-datasources.xml" file found in "conf/datasources" holds all data source configuration, so the database passwords are in that file. </span></div>
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span></span>
<br />
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></span></div>
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span></span>
<br />
<div style="font-family: arial;">
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">First, let's see which secrets can be secured. The following are the alias names and the corresponding secrets in the Carbon configuration files. </span></span></span></div>
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span></span>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></span></div>
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
1. in user-mgt.xml </div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<i>UserManager.AdminUser.Password -> Admin User password in user-mgt.xml<br />UserManager.Configuration.Property.password -> User Manager database connection password in user-mgt.xml </i>(Only in 3.2.X)<i><br />UserStoreManager.Property.ConnectionPassword -> User store connection password in user-mgt.xml </i></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
2. in registry.xml (Only in 3.2.X )</div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<i><br /></i></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<i>wso2registry.[Registry Name].password -> Registry database connection password in registry.xml </i></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
3. in carbon.xml</div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<i>Carbon.Security.KeyStore.Password -> Keystore password of Carbon server in carbon.xml<br />Carbon.Security.KeyStore.KeyPassword -> Private key password of Carbon server in carbon.xml<br />Carbon.Security.TrustStore.Password -> Trust store password of Carbon server in carbon.xml </i></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
4. in mgt-transport.xml (Only in 3.2.X )</div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<i>transports.https.keystorePass -> SSL key and keystore password in mgt-transport.xml </i></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
5. <span style="font-family: arial;">master-datasources.xml (With Carbon 4.0.X Only)</span></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<span style="font-family: arial;"><br /></span></div>
<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span style="line-height: 16px;"><i>Datasources.[Data source name].Configuration.Password -> Database connection password of the defined data source. There can be more than one data source configuration in this file.</i></span></span><br />
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
Secure Vault can also secure the passwords in the axis2.xml file, i.e.</div>
</div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<i>Axis2.Https.Listener.TrustStore.Password -> NIO Listener SSL trust store password in axis2.xml<br />Axis2.Https.Listener.KeyStore.Password -> NIO Listener SSL keystore password in axis2.xml<br />Axis2.Https.Listener.KeyStore.KeyPassword -> NIO Listener SSL key password in axis2.xml<br />Axis2.Https.Sender.TrustStore.Password -> NIO Sender SSL trust store password in axis2.xml<br />Axis2.Https.Sender.KeyStore.Password -> NIO Sender SSL keystore password in axis2.xml<br />Axis2.Https.Sender.KeyStore.KeyPassword -> NIO Sender SSL key password in axis2.xml<br />Axis2.Mailto.Parameter.Password -> Email sender password in axis2.xml </i></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<br /></div>
<div style="font-family: Verdana, Arial, Helvetica, sans-serif; line-height: 16px;">
<b>Step 1</b>. Locate the cipher-text.properties file in the <CARBON_HOME>/repository/conf directory of your WSO2 product. This file contains the alias names and the corresponding plain text passwords in square brackets. </div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">If you cannot find this file in your product, download it from <a href="https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/core/distribution/3.2.0/carbon-home/repository/conf/cipher-text.properties">this</a> svn location [2] and copy it to the above location. </span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><b>Step 2</b>. Configure the </span></span><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">cipher-text.properties file with your passwords. </span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><br /></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">As an example, I want to secure the keystore passwords in the carbon.xml file (you should secure these, since the encryption itself is done with this keystore), and both the database and LDAP connection passwords in the user-mgt.xml file. My cipher-text.properties would be as follows:</span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
<div style="font-family: arial;">
<div><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">Carbon.Security.KeyStore.Password=[mykeystorepass]<br />Carbon.Security.KeyStore.KeyPassword=[mykeystorepass]<br />Carbon.Security.TrustStore.Password=[mytruststorepass]<br />UserManager.Configuration.Property.password=[myuserdbpass]<br />UserStoreManager.Property.ConnectionPassword=[myldappass]</span></div>
<div><br /></div>
<div><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><b>Step 3</b>. Locate the "ciphertool" script in the <CARBON_HOME>/bin directory. If you cannot find this file in your product, download it from <a href="https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/core/distribution/3.2.0/carbon-home/bin/">this</a> svn location [3] and copy it to the above location.</span></div>
</div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><br /></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><b>Step 4</b>. Run the "</span><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">ciphertool</span><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">" script with the -Dconfigure option. </span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">As an example, on UNIX:</span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">></span></span><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">ciphertool.sh -Dconfigure</span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><br /></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">This script does the following:</span></div>
<div style="font-family: arial;">
</div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">1. encrypts the passwords defined in the cipher-text.properties file</span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">2. removes the plain text passwords from the configuration files</span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">3. configures the secret-conf.properties file</span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><span class="Apple-style-span" style="font-family: arial; line-height: normal;"><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><br /></span></span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><b>Step 5</b>. Check that the above-mentioned files are properly configured. </span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><br /></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><b>Step 6.</b> Start the server. At startup, the server will prompt for the master password (i.e. the keystore password), which you need to provide. </span></span></div>
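As an added check for Step 5 (this is not WSO2 Carbon code and not from the original post), the following Python script parses cipher-text.properties and reports aliases that are not among the names listed above, values still left in square brackets, and values that do not look like cipher text; the two sample files it embeds are constructed, and that ciphertool stores the encrypted value base64-encoded is an assumption.

```python
"""Audit a WSO2 Carbon Secure Vault cipher-text.properties file (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass

# Alias names listed in the post. [Registry Name] and [Data source name]
# are placeholders in that list, so they are matched as wildcards here.
KNOWN_ALIAS_PATTERNS = [
    r"UserManager\.AdminUser\.Password",
    r"UserManager\.Configuration\.Property\.password",
    r"UserStoreManager\.Property\.ConnectionPassword",
    r"wso2registry\..+\.password",
    r"Carbon\.Security\.(?:KeyStore\.Password|KeyStore\.KeyPassword|TrustStore\.Password)",
    r"transports\.https\.keystorePass",
    r"Datasources\..+\.Configuration\.Password",
    r"Axis2\.Https\.(?:Listener|Sender)\.(?:TrustStore\.Password|KeyStore\.Password|KeyStore\.KeyPassword)",
    r"Axis2\.Mailto\.Parameter\.Password",
]
_KNOWN_ALIAS = re.compile("^(?:" + "|".join(KNOWN_ALIAS_PATTERNS) + ")$")


@dataclass
class Entry:
    alias: str
    value: str
    plain_text: bool    # value is still "[password]", i.e. not yet encrypted
    known_alias: bool   # alias matches one of the names above
    cipher_text: bool   # value decodes as base64 (assumed ciphertool output format)


def _is_base64(value):
    try:
        return len(value) >= 16 and base64.b64decode(value, validate=True) != b""
    except (binascii.Error, ValueError):
        return False


def parse_cipher_text(text):
    """Parse cipher-text.properties content into Entry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # comment lines, as in Java .properties
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        alias, value = (part.strip() for part in line.split("=", 1))
        plain = value.startswith("[") and value.endswith("]")
        entries.append(Entry(alias, value, plain, bool(_KNOWN_ALIAS.match(alias)),
                             not plain and _is_base64(value)))
    return entries


def audit(text, expect_encrypted=True):
    """Return findings; an empty list means the file is in the expected state.

    expect_encrypted=False audits the file as prepared in Step 2 (plain text
    allowed); True audits it after Step 4 (every value must be encrypted)."""
    findings, seen = [], set()
    for e in parse_cipher_text(text):
        if e.alias in seen:
            findings.append(f"{e.alias}: duplicate alias")
        seen.add(e.alias)
        if not e.known_alias:
            findings.append(f"{e.alias}: not an alias any Carbon configuration file uses (typo?)")
        if expect_encrypted and e.plain_text:
            findings.append(f"{e.alias}: still a plain text password; run ciphertool -Dconfigure")
        if expect_encrypted and not e.plain_text and not e.cipher_text:
            findings.append(f"{e.alias}: value is neither [plain text] nor base64 cipher text")
    return findings


# Constructed sample: the file exactly as prepared in Step 2 of the post.
BEFORE = """\
Carbon.Security.KeyStore.Password=[mykeystorepass]
Carbon.Security.KeyStore.KeyPassword=[mykeystorepass]
Carbon.Security.TrustStore.Password=[mytruststorepass]
UserManager.Configuration.Property.password=[myuserdbpass]
UserStoreManager.Property.ConnectionPassword=[myldappass]
"""


def _fake_cipher(n):
    # Stand-in for ciphertool output: base64 of a constructed string, not real cipher text.
    return base64.b64encode(f"constructed cipher text {n}".encode()).decode()


# Constructed sample of the file after ciphertool ran, with one alias mistyped
# (Truststore vs TrustStore) and left in plain text so both checks are exercised.
AFTER = "\n".join([
    f"Carbon.Security.KeyStore.Password={_fake_cipher(1)}",
    f"Carbon.Security.KeyStore.KeyPassword={_fake_cipher(2)}",
    "Carbon.Security.Truststore.Password=[mytruststorepass]",
    f"UserManager.Configuration.Property.password={_fake_cipher(3)}",
    f"UserStoreManager.Property.ConnectionPassword={_fake_cipher(4)}",
]) + "\n"
```

Running `audit(BEFORE, expect_encrypted=False)` returns no findings, while `audit(AFTER)` flags the mistyped alias both as unknown and as still unencrypted.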
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">Personally, I do not like providing the master password at each server startup, although it is one of the more secure ways to provide it. This is the default way of providing the master password according to <a href="http://wso2.org/project/carbon/3.2.0/docs/secure_vault.html#defaultSecretCallbackHandler">this</a> [4]. You can write your own implementation for this. Therefore I wrote a simple implementation where I have hard-coded my master password. Please find my project <a href="https://svn.wso2.org/repos/wso2/people/asela/wso2-samples/password-callback/SamplePasswordCallbackHandler">here</a> [5]. </span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">Let's see how we can configure a new master password callback handler.</span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">1. Replace the default password callback handler class name </span></span><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">(org.wso2.carbon.securevault.DefaultSecretCallbackHandler) </span><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">in the secret-conf.properties file with my own one (</span><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">com.sample.password.callback.handler.HardCodedSecretCallbackHandler</span><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;">). </span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><br /></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">2. Copy your own implementation as a jar file into the </span></span><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><CARBON_HOME>/repository/components/lib directory. </span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><br /></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">3. If you have secured the passwords in the mgt-transport.xml file, also copy your jar file to the </span></span><span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><CARBON_HOME>/lib/api directory.</span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><br /></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">4. Restart the server.</span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><br /></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana,Arial,Helvetica,sans-serif; line-height: 16px;"><br /></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">Links again :) </span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;">[1] </span></span><a href="http://wso2.org/project/carbon/3.2.0/docs/secure_vault.html">http://wso2.org/project/carbon/3.2.0/docs/secure_vault.html</a></div>
<div style="font-family: arial;">
[2] <a href="https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/core/distribution/3.2.0/carbon-home/repository/conf/cipher-text.properties">https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/core/distribution/3.2.0/carbon-home/repository/conf/cipher-text.properties</a></div>
<div style="font-family: arial;">
[3] <a href="https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/core/distribution/3.2.0/carbon-home/bin/">https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/core/distribution/3.2.0/carbon-home/bin/</a> </div>
<div style="font-family: arial;">
[4] <a href="http://wso2.org/project/carbon/3.2.0/docs/secure_vault.html#defaultSecretCallbackHandler">http://wso2.org/project/carbon/3.2.0/docs/secure_vault.html#defaultSecretCallbackHandler</a></div>
<div style="font-family: arial;">
[5] <a href="https://svn.wso2.org/repos/wso2/people/asela/wso2-samples/password-callback/SamplePasswordCallbackHandler/">https://svn.wso2.org/repos/wso2/people/asela/wso2-samples/password-callback/SamplePasswordCallbackHandler/</a> </div>
<div style="font-family: arial;">
<span class="Apple-style-span" style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span class="Apple-style-span" style="line-height: 16px;"><br /></span></span></div>
</span></span>
<h3>Enable Mutual SSL for Proxy services in WSO2ESB - II</h3>
Asela, 2012-08-08<br />
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><div>
This is my second blog post about enabling mutual SSL for ESB proxy services. In my previous blog <a href="http://pathberiya.blogspot.com/2012/08/enable-mutual-ssl-for-proxy-services-in.html">post</a>, we enabled mutual SSL for all deployed proxy services. In this blog post, we are going to enable it only for selected proxy services. Let's assume we have a proxy service called "TestProxy" and that many other proxy services have also been deployed in WSO2ESB. We want to enable mutual SSL for "TestProxy" only. Let's see how we can do it. Here we are using the transport binding in WS-Security. </div>
<div>
<br /></div>
<div>
I assume that you have gone through my previous blog <a href="http://pathberiya.blogspot.com/2012/08/enable-mutual-ssl-for-proxy-services-in.html">post</a>, so I am not going into much detail on some of the configurations.</div>
<div>
<br /></div>
<div>
<span><b>Step 1</b> : Set the "SSLVerifyClient" property to optional in the NIO transport receiver and restart the server. </span></div>
<div>
<br /></div>
<div>
<b>Step 2</b>. Secure TestProxy using security scenario 1 (Username Token authentication). </div>
<div>
<br /></div>
<div>
<b>Step 3</b>. Modify the applied policy into <a href="https://svn.wso2.org/repos/wso2/people/asela/xacml-samples/clients/mutual_auth/AdvanceMutualAuthenticationClient/resource/policy/server-policy.xml">this</a> policy using the policy editor. Here we have removed the username token validation and made the client certificate mandatory.</div>
<div>
<br /></div>
<div>
<b>Step 4</b>. Apply <a href="https://svn.wso2.org/repos/wso2/people/asela/xacml-samples/clients/mutual_auth/AdvanceMutualAuthenticationClient/resource/lib">these</a> patched jars to the WSO2ESB 4.0.3 distribution: copy them into <ESB_HOME>/repository/components/plugins, replacing the existing ones. We have made a small modification that brings the client certificate up to the Rampart level and validates it there. </div>
<div>
</div>
<div>
<b>Step 5.</b> Set up your key stores and trust stores as described in my previous <a href="http://pathberiya.blogspot.com/2012/08/enable-mutual-ssl-for-proxy-services-in.html">post</a>.</div>
<div>
<br /></div>
<div>
<b>Step 6.</b> Invoke "TestProxy" using the sample client, which can be found <a href="https://svn.wso2.org/repos/wso2/people/asela/xacml-samples/clients/mutual_auth/AdvanceMutualAuthenticationClient">here</a>. </div>
<div>
<br /></div>
<div>
If you have not used a keystore, or your certificate is not contained in the NIO transport receiver's trust store file, you will probably see the following error.</div>
<div>
</div>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><div>
<div>
<i>[2012-08-08 18:02:47,879] ERROR - AxisEngine Service requires SSL mutual authentication<br />org.apache.axis2.AxisFault: Service requires SSL mutual authentication<br />    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)<br />    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)<br />    at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)</i>
</div>
</span></span><br class="Apple-interchange-newline" /> </div>
</span></span></span>
<h3>Enable Mutual SSL for Proxy services in WSO2ESB - I</h3>
Asela, 2012-08-08 (updated 2014-09-17)<br />
<b>Please visit my new blog for this post <a href="http://soasecurity.org/2012/08/08/enable-mutual-ssl-for-proxy-services-in-wso2esb-i/">here</a>.</b><br />
<br />
<br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Let's see how we can enable mutual SSL (two-way SSL) for all the proxy services that are deployed in WSO2 ESB.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Step 1 : </b> Enable mutual SSL for NIO transport receiver</span><br />
<br />
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"></span></span></span><br />
<div>
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;">WSO2 ESB uses the NIO transport for sending and receiving messages. You can find the NIO transport receiver and sender configuration in the axis2.xml file, which is located in the <ESB_HOME>/repository/conf directory. Under the transport receiver, there are keystore and trust store configurations as follows. </span></span></span></div>
<span style="font-size: small;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;">
<div>
<br /></div>
<div>
By default:</div>
<div>
1. mutual authentication is not enabled</div>
<div>
2. for the keystore and trust store, WSO2ESB uses the default wso2carbon.jks and client-truststore.jks files</div>
<div>
<br /></div>
<div>
Therefore you need to change those default parameters. Here I have changed only the "SSLVerifyClient" parameter to "require", which enables mutual authentication for all services exposed via NIO.</div>
<div>
<div>
<br /></div>
<div>
<div>
<i><transportReceiver name="https" class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLListener"><br />
    <parameter name="port" locked="false">8243</parameter><br />
    <parameter name="non-blocking" locked="false">true</parameter><br />
    <parameter name="keystore" locked="false"><br />
        <KeyStore><br />
            <Location>repository/resources/security/wso2carbon.jks</Location><br />
            <Type>JKS</Type><br />
            <Password>wso2carbon</Password><br />
            <KeyPassword>wso2carbon</KeyPassword><br />
        </KeyStore><br />
    </parameter><br />
    <parameter name="truststore" locked="false"><br />
        <TrustStore><br />
            <Location>repository/resources/security/client-truststore.jks</Location><br />
            <Type>JKS</Type><br />
            <Password>wso2carbon</Password><br />
        </TrustStore><br />
    </parameter><br />
    <parameter name="SSLVerifyClient">require</parameter><br />
</transportReceiver></i></div>
</div>
</div>
</span></span></span>
<div>
<br /></div>
<div>
<br /></div>
<div>
After the configuration is finished, restart the WSO2ESB server if it is already running. Then just create a simple pass-through proxy service called "TestProxy". </div>
<div>
</div>
<div>
<br /></div>
<div>
<b>Step 2 : </b>Writing an Axis2 client to invoke the proxy service</div>
<div>
<br /></div>
<div>
You can find the client program <a href="https://svn.wso2.org/repos/wso2/people/asela/xacml-samples/clients/mutual_auth/MutualAuthenticationClient">here</a>. To run the client program you need to set up your key store and trust store properly. Actually we can use the same key store file as both key store (which contains the private key) and trust store (which contains the trusted certificates).</div>
<div>
<br /></div>
<div>
First we need to import the NIO transport receiver's certificate into the client's trust store file.</div>
<div>
<br /></div>
<div>
Please export the NIO transport receiver's certificate from its key store. As a sample, you can use the keytool command as follows.</div>
<br />
<div>
<br /></div>
<div>
<i>> keytool -export -keystore wso2carbon.jks -alias localhost -file wso2.crt</i></div>
<div>
<br /></div>
<div>
Please import the NIO certificate into the client trust store.</div>
<div>
<br /></div>
<div>
<div>
<i>> keytool -import -keystore client.jks -alias wso2carbon -file wso2.crt </i></div>
</div>
<div>
<br /></div>
<div>
Now you have set up SSL properly. If this is not done properly, when you try the sample client you would receive the following error on the client side.</div>
<div>
<br /></div>
<pre>
org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
</pre>
<div>
<br /></div>
<div>
Then we need to import the client's certificate into the NIO transport receiver's trust store file. Please go through the keytool commands above for this as well.</div>
<div>
</div>
<div>
Now SSL is set up properly. If not, when you try the sample client you would receive the following error on the client side.</div>
<div>
<br /></div>
<pre>
Exception in thread "main" org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
	at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
	at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:78)
</pre>
<div>
<br /></div>
<div>
And on the server side.</div>
<div>
<br /></div>
<pre>
[2012-08-08 17:29:56,390] ERROR - ServerHandler I/O error: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
	at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
</pre>
<div>
<br /></div>
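The two stack traces above are the two ends of one failed handshake. Here is an added example, written in Go rather than as an Axis2 client so that it runs without a JVM or the WSO2 jars, and not code from the post or from WSO2. It builds self-signed certificates in memory as stand-ins for the wso2carbon.jks and client.jks entries, configures a listener the way the transportReceiver above is configured (client authentication required, with its own trust store), and runs a loopback handshake for any combination of "client has a private key", "client trusts the server certificate" and "server trusts the client certificate", returning what each side saw. The Scenario and Handshake names, the 5-second timeout and the TLS 1.2 pin (so that the client, like the Axis2 client in the post, also reads the server's rejection) are my choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"sync"
	"time"
)

// newIdentity makes a self-signed certificate and key in memory, standing in for a JKS key pair.
func newIdentity(cn string, serial int64) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // Go verifies the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Handshake runs one handshake over loopback TCP and returns what each side saw (the two log perspectives above).
func Handshake(server, client *tls.Config) (serverErr, clientErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		defer wg.Done()
		raw, err := ln.Accept()
		if err != nil {
			serverErr = err
			return
		}
		defer raw.Close()
		serverErr = tls.Server(raw, server).Handshake()
	}()
	conn, clientErr := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), client)
	if clientErr == nil {
		conn.Close()
	}
	ln.Close() // unblocks Accept if no TCP connection was ever made
	wg.Wait()
	return serverErr, clientErr
}

// Scenario builds the NIO listener and an Axis2-style client from the three trust-store facts the keytool steps establish.
func Scenario(clientHasKey, clientTrustsServer, serverTrustsClient bool) (serverErr, clientErr error) {
	server, err := newIdentity("localhost", 1) // the wso2carbon.jks entry with alias localhost
	if err != nil {
		return err, err
	}
	client, err := newIdentity("client", 2) // the client.jks entry
	if err != nil {
		return err, err
	}
	serverTrust, clientTrust := x509.NewCertPool(), x509.NewCertPool()
	if serverTrustsClient { // keytool -import of the client cert into client-truststore.jks
		serverTrust.AddCert(client.Leaf)
	}
	if clientTrustsServer { // keytool -import of wso2.crt into the client's trust store
		clientTrust.AddCert(server.Leaf)
	}
	serverCfg := &tls.Config{ // the transportReceiver above with SSLVerifyClient=require
		Certificates:           []tls.Certificate{*server},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              serverTrust,
		MaxVersion:             tls.VersionTLS12, // in TLS 1.2 the client also reads the server's rejection alert
		SessionTicketsDisabled: true,
	}
	clientCfg := &tls.Config{RootCAs: clientTrust, ServerName: "localhost"}
	if clientHasKey { // an empty key store sends an empty certificate chain
		clientCfg.Certificates = []tls.Certificate{*client}
	}
	return Handshake(serverCfg, clientCfg)
}
```

Scenario(true, false, true) is the state before the first keytool import: the client rejects the server certificate, which is the PKIX path building failure above. Scenario(false, true, true) is a client whose key store holds no private key: the listener rejects the empty chain, the Go counterpart of the null cert chain error. Scenario(true, true, false) is a client certificate that was never imported into client-truststore.jks, and Scenario(true, true, true) is the finished setup, where both sides return nil.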
Now you know how to secure WSO2ESB proxy services using mutual SSL and how to invoke them. In my next blog post, let's see how we can secure only one or two WSO2ESB proxy services using mutual SSL (not all of them).
<br />
<br />
Posted by Asela on 2012-05-28 (updated 2012-07-03)<br />
<h3>Login to WSO2 Carbon servers via Shibboleth SAML2 IDP</h3>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><div>
In my previous <a href="http://pathberiya.blogspot.com/2012/05/configure-shibboleth-as-saml2-idp.html">post</a>, I went step by step through configuring Shibboleth as a SAML2 IDP. Now let's try to use the Shibboleth SAML2 IDP in a real world use case. In this blog post I am going to configure a WSO2 Carbon product as an SSO service provider for the Shibboleth IDP. Any WSO2 Carbon server can act as a SAML2 SSO relying party component. </div>
<div>
<br /></div>
<div>
This type of scenario is actually useful when you want to log in to the management consoles of several WSO2 Carbon products that have been deployed as a cluster, where users want to experience SSO. </div>
<div>
<br /></div>
<div>
User experience would be as follows. </div>
<div>
<br /></div>
<div>
1. User types the WSO2 Carbon product management console URL</div>
<div>
2. User is redirected to the Shibboleth login console </div>
<div>
3. User enters the user name and password associated with the Shibboleth IDP account </div>
<div>
4. User is now redirected back to the WSO2 Carbon product management console.<br />
<br />
(But I still could not set up single logout with Shibboleth :( . Therefore you need to exit the browser to log out from Shibboleth.)</div>
<div>
<br /></div>
<div>
Here we need to understand one thing very carefully: a user who has an account in the Shibboleth IDP must also exist in the user store of the WSO2 Carbon server. Why? For authentication we do not want to duplicate the user accounts. Yes...! Actually authentication would succeed at the WSO2 Carbon server even without a user store. But to log in to the WSO2 Carbon management console, authentication is not enough; users also need to be authorized to access the management console. Therefore, after successful authentication using SSO, the WSO2 Carbon server performs an authorization check against its own user store, so the user must exist in that user store as well (basically the user id and the access control list). But the credentials do not need to be there. </div>
<div>
<br /></div>
<div>
Therefore, basically, you need to sync the Shibboleth IDP with the WSO2 Carbon user store. For this we have two options. </div>
<div>
<br /></div>
<div>
1. Use a provisioning mechanism such as SCIM (SCIM will be supported by WSO2 Carbon server version 4.0.0) </div>
<div>
2. Share the same user store between the Shibboleth IDP and the WSO2 Carbon servers. In most cases the Shibboleth IDP is backed by LDAP or AD, so we can easily configure the WSO2 Carbon servers to connect to that same LDAP or AD. But the authentication check always happens at the Shibboleth IDP. </div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Now lets go with configurations. </div>
<div>
<br /></div>
<div>
First configure at shibboleth IDP side,</div>
<div>
<br /></div>
<div>
<b>Step 1</b>. Configure a new relying party for the Carbon servers under the "RelyingPartyGroup" in relying-party.xml, which can be found in the IDP_HOME/conf directory. A sample configuration would be as follows. </div>
<div>
<br /></div>
<div>
<pre>
<rp:RelyingParty id="carbonServer"
    provider="https://idp.example.org/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential"
    defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signResponses="always" signAssertions="never"
        encryptAssertions="never" encryptNameIds="never"/>
</rp:RelyingParty>
</pre>
<div>
<br /></div>
<div>
<br /></div>
<div>
Here I have configured it to sign only the SAML2 response.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>Step 2</b>. Configure the SAML2 metadata by adding a new metadata config file in the IDP_HOME/metadata directory. In this directory I created a new file called carbon.xml and configured the following.</div>
<div>
<br /></div>
<pre>
<EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://localhost:9443/acs" />
    </SPSSODescriptor>
</EntityDescriptor>
</pre>
<div>
<br /></div>
<div>
Please make sure the NameIDFormat, the Binding of the ACS and the Location of the ACS are configured according to your own setup.</div>
<div>
<br /></div>
<div>
<b>Step 3</b>. Register the new metadata configuration file under the "RelyingPartyGroup" in relying-party.xml, which can be found in the IDP_HOME/conf directory. A sample configuration would be as follows. </div>
<div>
Here we point to the new metadata config file.</div>
<div>
<br /></div>
<div>
<pre>
<MetadataProvider id="carbonMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="/home/asela/shibboleth/metadata/carbon.xml" maintainExpiredMetadata="true" />
</pre>
<div>
<br /></div>
<div>
<br /></div>
<div>
Now let's configure the service provider side, the WSO2 Carbon server.</div>
<div>
<br /></div>
<div>
A WSO2 Carbon server can be configured with different authenticators. AuthenticationAdmin (which uses user name and password) is the default Carbon server authenticator. Therefore we need to change that configuration and enable a Shibboleth-compatible SAML2 SSO authenticator. There is an existing SAML2 SSO authenticator that can be found at <a href="https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/components/authenticators/saml2-sso-authenticator">this</a> SVN location, but it seems that the default SAML2 SSO authenticator does not work with Shibboleth out of the box. Therefore you need to write a new authenticator for Shibboleth. It is really easy, because we only need to make small modifications to the existing SAML2 SSO authenticator source code. I made that simple modification; you can find the modified source <a href="https://svn.wso2.org/repos/wso2/people/asela/wso2-samples/saml-sso/shibboleth/authenticator/">here</a> and the patched jar files <a href="https://svn.wso2.org/repos/wso2/people/asela/wso2-samples/saml-sso/shibboleth/authenticator/lib/">here</a>.<br />
<br />
Let's see how we can do this. Please note that here I am using Carbon 3.2.3 based servers.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>Step 1</b>. Install the following patched SAML SSO authenticator <a href="https://svn.wso2.org/repos/wso2/people/asela/wso2-samples/saml-sso/shibboleth/authenticator/lib/">jars</a> into the WSO2 Carbon server by copying them into <CARBON_HOME>/repository/components/dropins</div>
<div>
<br /></div>
<div>
org.wso2.carbon.identity.authenticator.saml2.sso-3.2.1.jar </div>
<div>
org.wso2.carbon.identity.authenticator.saml2.sso.ui-3.2.2.jar </div>
<div>
org.wso2.carbon.identity.authenticator.saml2.sso.stub-3.2.0.jar </div>
<div>
<br /></div>
<div>
<b>Step 2</b>. Configure the authenticators.xml file, which can be found in the <CARBON_HOME>/repository/conf/advanced directory. A sample configuration would be as follows</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<pre>
<Authenticator name="SAML2SSOAuthenticator">
    <Priority>10</Priority>
    <Config>
        <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
        <Parameter name="ServiceProviderID">carbonServer</Parameter>
        <Parameter name="IdentityProviderSSOServiceURL">https://localhost:8443/idp/profile/SAML2/Redirect/SSO</Parameter>
    </Config>
</Authenticator>
</pre>
<div>
<br /></div>
<div>
Please note that the following two parameters must match your configuration.</div>
<div>
<br /></div>
<div>
ServiceProviderID -> This must be the same value that you configured as the RelyingParty id.</div>
<div>
IdentityProviderSSOServiceURL -> This must be the SSO redirect URL of the Shibboleth IDP.</div>
<div>
<br /></div>
<div>
<b>Step 3</b>. Start the server and try to log in to the management console; you should be redirected to the Shibboleth IDP login page.</div>
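As an added example (not the authenticator's code; that is in the SVN links above), the following Go program shows what the service provider side does with a Response posted to the ACS and why the Carbon user store still matters although the IDP did the authentication. It parses a constructed Shibboleth-style Response and checks that a signature is present (the relying party above is configured with signResponses="always"; only presence is checked here, cryptographic verification is the SAML library's job), that the issuer, destination and audience match the RelyingParty provider, the ACS Location and the RelyingParty id configured above, and that the assertion is inside its validity window. Only then does it look the NameID up in a constructed user store. The rule that management console access needs an "admin" role, the names SPConfig, Login, SampleResponse and the Demo values, and the user names in the store are my assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// SPConfig holds the values that must agree across relying-party.xml, the SP metadata and authenticators.xml above.
type SPConfig struct {
	ServiceProviderID string // RelyingParty id, metadata entityID and the ServiceProviderID parameter
	ACSURL            string // AssertionConsumerService Location
	IDPEntityID       string // provider attribute of the RelyingParty
}

// DemoConfig uses the identifiers from the post; DemoStore is a constructed stand-in for the
// Carbon user store (user id -> roles) and DemoNow fixes the clock for the validity checks.
var (
	DemoConfig = SPConfig{
		ServiceProviderID: "carbonServer",
		ACSURL:            "https://localhost:9443/acs",
		IDPEntityID:       "https://idp.example.org/idp/shibboleth",
	}
	DemoStore = map[string][]string{"asela": {"admin"}, "bob": {"user"}}
	DemoNow   = time.Date(2012, 5, 28, 22, 56, 30, 0, time.UTC)
)

// PlaceholderSignature stands in for a real ds:Signature; only its presence is checked here.
const PlaceholderSignature = `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>`

// samlResponse maps only the parts of a SAML2 Response these checks need.
type samlResponse struct {
	XMLName     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Destination string   `xml:"Destination,attr"`
	Issuer      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	// Presence only: cryptographic verification of the XML signature is the SAML library's job.
	Signature *struct {
		SignatureValue string `xml:"SignatureValue"`
	} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	StatusCode struct {
		Value string `xml:"Value,attr"`
	} `xml:"Status>StatusCode"`
	NameID     string `xml:"Assertion>Subject>NameID"`
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		Audience     string `xml:"AudienceRestriction>Audience"`
	} `xml:"Assertion>Conditions"`
}

// Login runs the SP-side checks on a Response posted to the ACS, then the authorization step the post
// describes: the IDP-authenticated user must exist in the local store and (assumed) hold the "admin" role.
func Login(responseXML string, cfg SPConfig, store map[string][]string, now time.Time) (string, error) {
	var r samlResponse
	if err := xml.Unmarshal([]byte(responseXML), &r); err != nil {
		return "", fmt.Errorf("malformed response: %w", err)
	}
	switch {
	case r.Signature == nil:
		return "", fmt.Errorf("response is not signed, but signResponses=\"always\" is expected")
	case r.Issuer != cfg.IDPEntityID:
		return "", fmt.Errorf("unexpected issuer %q", r.Issuer)
	case r.Destination != cfg.ACSURL:
		return "", fmt.Errorf("destination %q is not this ACS", r.Destination)
	case r.StatusCode.Value != "urn:oasis:names:tc:SAML:2.0:status:Success":
		return "", fmt.Errorf("IDP returned status %q", r.StatusCode.Value)
	case r.Conditions.Audience != cfg.ServiceProviderID:
		return "", fmt.Errorf("audience %q is not %q", r.Conditions.Audience, cfg.ServiceProviderID)
	}
	notBefore, err1 := time.Parse(time.RFC3339, r.Conditions.NotBefore)
	notOnOrAfter, err2 := time.Parse(time.RFC3339, r.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Before(notBefore) || !now.Before(notOnOrAfter) {
		return "", fmt.Errorf("assertion validity window is malformed or does not include now")
	}
	// Authentication succeeded at the IDP; authorization needs the Carbon user store.
	roles, known := store[r.NameID]
	if !known {
		return "", fmt.Errorf("user %q was authenticated by the IDP but is not in the user store", r.NameID)
	}
	for _, role := range roles {
		if role == "admin" {
			return r.NameID, nil
		}
	}
	return "", fmt.Errorf("user %q is not authorized to use the management console", r.NameID)
}

// SampleResponse builds a constructed Shibboleth-style Response with the given subject, audience and expiry.
func SampleResponse(nameID, audience, notOnOrAfter, signature string) string {
	return fmt.Sprintf(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2012-05-28T22:56:00Z" Destination="https://localhost:9443/acs">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>%s
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_c2" Version="2.0" IssueInstant="2012-05-28T22:56:00Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">%s</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2012-05-28T22:55:00Z" NotOnOrAfter="%s"><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>`, signature, nameID, notOnOrAfter, audience)
}
```

Login(SampleResponse("asela", "carbonServer", "2012-05-28T23:05:00Z", PlaceholderSignature), DemoConfig, DemoStore, DemoNow) returns "asela"; the same response with NameID "mallory" is rejected after successful authentication because the user is missing from the store, which is exactly the case the paragraph above about syncing the user store warns about.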
<div>
</div>
<div>
<br /></div>
<div>
<br /></div>
</span></span><br />
Posted by Asela on 2012-05-28 (updated 2012-05-29)<br />
<h3>Configure Shibboleth as SAML2 IDP</h3>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><div>
<a href="http://shibboleth.net/products/identity-provider.html">Shibboleth</a> is one of the most popular and widely used SAML2 IDPs. I tried to configure Shibboleth as a SAML2 IDP, and in this post I am going to share those steps with you. I hope this will be useful for you as well. My operating system was Ubuntu 10.04.</div>
<div>
<br /></div>
<div>
</div>
<div>
<b>Step1</b>. Download the latest version (v2.3.6) of the Shibboleth IDP from <a href="http://shibboleth.net/downloads/identity-provider/latest/">here</a>. </div>
<div>
<br /></div>
<div>
<b>Step2</b>. Extract it into your file system. </div>
<div>
</div>
<div>
<br />
<b>Step3</b>. Go to the root directory and run the install script. This installs Shibboleth into the location you give in your file system; let's call it IDP_HOME. The installation also creates a key store, which can be found in the IDP_HOME/credentials directory, and a war file, which can be found in the IDP_HOME/war directory.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
First let's configure a user store for Shibboleth. We can use an LDAP based user store for this. Here I am using the ApacheDS LDAP user store. You can find simple steps to create an ApacheDS LDAP server <a href="http://pathberiya.blogspot.com/2010/07/apache-dircetory-stdio-as-your-ldap.html">here</a>.</div>
<div>
<br /></div>
<div>
<b>Step4</b>. Open the login.config file, which can be found in the IDP_HOME/conf directory, and configure your LDAP user store. The following is my sample configuration. </div>
<div>
<br /></div>
<div>
<pre>ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://localhost:10389"
        bindDn="uid=admin,ou=system"
        bindCredential="secret"
        baseDn="ou=users,ou=system"
        ssl="false"
        userFilter="uid={0}"
        ;
};</pre>
</div>
<div>
Note that this sample binds as the ApacheDS administrator, with its default password, over plain LDAP. That is fine for a local test, but for anything else use a dedicated read-only bind account and set ssl="true" (or an ldaps:// URL), otherwise every user's password and the bind credential cross the network in the clear.</div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><b>Step5</b></span></span>. Enable the username/password login handler in the handler.xml file in IDP_HOME/conf, pointing jaasConfigurationLocation at the login.config from Step 4. </div>
<div>
<br /></div>
<div>
<pre>&lt;ph:LoginHandler xsi:type="ph:UsernamePassword"
                 jaasConfigurationLocation="file:///home/asela/Wso2/shibboleth/conf/login.config"&gt;
    &lt;ph:AuthenticationMethod&gt;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport&lt;/ph:AuthenticationMethod&gt;
&lt;/ph:LoginHandler&gt;</pre>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><b>Step6</b></span></span>. Set the logging level in the logging.xml file in IDP_HOME/conf. All log files are written to IDP_HOME/logs, which is the first place to look when troubleshooting.</div>
<div>
<br /></div>
<div>
Now let's deploy the idp.war file in a servlet container. Here I am using Apache Tomcat. Use Tomcat 6.x: this Shibboleth release is not tested with Tomcat 7.x, and the SSLImplementation class used in Step 8 is Tomcat 6 specific.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><b>Step7</b></span></span>. Copy the IDP_HOME/lib/endorsed directory into the Tomcat root directory (TOMCAT_HOME/endorsed), so that the IdP's endorsed XML libraries override the JDK's built-in ones. </div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><b>Step8.</b></span></span> Enable HTTPS in Tomcat. Open TOMCAT_HOME/conf/server.xml and add an HTTPS connector; a sample configuration follows. Two things to check: keystorePass must be the password you chose when the installer generated idp.jks (changeit below is only a placeholder), and Tomcat can only load the DelegateToApplicationJSSEImplementation class if the Shibboleth-provided Tomcat DTA SSL jar is on its classpath in TOMCAT_HOME/lib. </div>
<div>
<br /></div>
<div>
<pre>&lt;Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
           scheme="https"
           SSLEnabled="true"
           clientAuth="false"
           keystoreFile="/home/asela/shibboleth/credentials/idp.jks"
           keystorePass="changeit" /&gt;</pre>
</div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><b>Step9</b></span></span>. Copy the idp.war file into the TOMCAT_HOME/webapps directory.</div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><b>Step10</b></span></span>. Start Tomcat by running the catalina script (TOMCAT_HOME/bin/catalina.sh start). </div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><span class="Apple-style-span" style="font-family: arial;"><b>Step11</b></span></span>. Check the status of the server at <a href="https://localhost:8443/idp/status" target="_blank">https://localhost:8443/idp/status</a></div>
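Before pointing real users at the IdP, it is worth checking the login.config from Step 4 the way a reviewer would. The following is an added example, not code from the original post and not part of Shibboleth: a small parser for the JAAS login.config syntax, and a review pass over the LdapLoginModule options that flags cleartext LDAP, an administrator bind DN, a default bind credential and a user filter without the {0} placeholder. The two configuration texts are constructed inline; the host, port, bind DN and credential in the hardened variant are assumptions, not values from the post.

```python
"""Added example (not from the original post or from Shibboleth): parse the
JAAS login.config written in Step 4 and review its LdapLoginModule options."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class JaasModule:
    """One login-module line of a JAAS entry: Name { Class Flag opt="v" ...; };"""
    app_name: str
    module_class: str
    control_flag: str
    options: dict[str, str] = field(default_factory=dict)


_ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
_MODULE_RE = re.compile(
    r"([\w.$]+)\s+(required|requisite|sufficient|optional)\s+(.*?);", re.S | re.I
)
_OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_login_config(text: str) -> list[JaasModule]:
    """Return every login module of every application entry in the file."""
    modules: list[JaasModule] = []
    for app_name, body in _ENTRY_RE.findall(text):
        for cls, flag, opts in _MODULE_RE.findall(body):
            modules.append(JaasModule(app_name, cls, flag.lower(), dict(_OPTION_RE.findall(opts))))
    return modules


# Well-known placeholder secrets; an empty credential is an anonymous bind.
_DEFAULT_SECRETS = {"", "secret", "admin", "password", "changeit"}


def review_ldap_module(m: JaasModule) -> list[str]:
    """Findings for an LdapLoginModule configuration; an empty list means nothing to flag."""
    o = m.options
    findings: list[str] = []
    url = o.get("ldapUrl", "")
    if not url.startswith("ldaps://") and o.get("ssl", "false").lower() != "true":
        findings.append("cleartext LDAP: user passwords and the bind credential cross the network unencrypted")
    if o.get("bindDn", "").lower().startswith("uid=admin,"):
        findings.append("bindDn is the directory administrator; bind with a read-only service account")
    if o.get("bindCredential", "") in _DEFAULT_SECRETS:
        findings.append("bindCredential is empty or a well-known default")
    if "{0}" not in o.get("userFilter", ""):
        findings.append("userFilter lacks the {0} placeholder, so the entered username never selects the user")
    return findings


def review_config(text: str) -> dict[str, list[str]]:
    """Map 'app/module' to findings for every LDAP login module in a login.config."""
    return {
        f"{m.app_name}/{m.module_class}": review_ldap_module(m)
        for m in parse_login_config(text)
        if m.module_class.endswith("LdapLoginModule")
    }


# Constructed sample: the configuration exactly as written in Step 4.
SAMPLE_LOGIN_CONFIG = """
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://localhost:10389"
        bindDn="uid=admin,ou=system"
        bindCredential="secret"
        baseDn="ou=users,ou=system"
        ssl="false"
        userFilter="uid={0}"
        ;
};
"""

# Constructed hardened variant; host, port, service account and credential are assumptions.
HARDENED_LOGIN_CONFIG = """
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://ldap.example.org:10636"
        bindDn="uid=shib-bind,ou=services,ou=system"
        bindCredential="Rg7!vQ2pL9mZ-generated-per-deployment"
        baseDn="ou=users,ou=system"
        ssl="true"
        userFilter="uid={0}"
        ;
};
"""

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_LOGIN_CONFIG), ("hardened", HARDENED_LOGIN_CONFIG)):
        for module, findings in review_config(text).items():
            print(f"{label}: {module}: {findings or 'OK'}")
```

To run it against a real deployment, read IDP_HOME/conf/login.config into a string and pass it to review_config; the parser only understands the quoted key="value" option form used in the post, which is the form the Shibboleth sample uses.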
</span></span>Aselahttp://www.blogger.com/profile/08941025038081812446noreply@blogger.com1tag:blogger.com,1999:blog-7814469042984115284.post-33888436913315499462012-05-02T03:07:00.000-07:002012-06-15T06:18:00.514-07:00Claim management with WSO2 Identity Server<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"></span><br />
<div style="background-color: transparent;">
<h3>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What is a Claim?</span></b></span></h3>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b></span></div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A claim is a piece of information (a statement) about a subject, typically a user. It can be anything the subject owns or is associated with: a name, a group membership, a preference and so on. Claims give a single, general notion for describing the identity information related to a subject.<br /><br />Claims-based identity is the common way for applications to acquire that identity information. It gives every application a consistent interface and hides the lower-level implementation, such as which directory holds the data and what the attributes are called there.<br /><br />Claims are also used for identity propagation: they are packaged into one or more security tokens (such as SAML assertions), which are then issued by an issuer, commonly known as a security token service (STS).</span></b></span></div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span><br />
<div style="background-color: transparent;">
</div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"></span><br />
<div style="background-color: transparent;">
<h3>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b></span></h3>
<h3>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Claim Management </span></b></span></h3>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b></span></div>
<div style="font-weight: normal;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Claim Management component of the WSO2 Identity Server lets you define the set of claims for users. It maps attributes from the underlying user store to the set of defined claims. </span></b></span><br />
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b></span><br />
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Each claim is uniquely identified by its Claim URI.</span></b><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Claim URIs are independent of the user store: each claim URI can be mapped to any attribute in the user store, and those attributes are also what make up the user profile. The underlying user store can be JDBC, LDAP or Active Directory, and is configured in the user-mgt.xml file. </span></b></span></div>
<div style="font-weight: normal;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><br /></span></div>
</div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span><br />
<div style="background-color: transparent; font-weight: normal;">
<div class="separator" style="clear: both; text-align: center;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-iUFTqikAB5f4WF-wtJdUDxzJ-v_PAV1oK6LBCAYsy7OEno7XW31v06LZ20gNyU_0Dn09J5LGiolpwP_9ojyQPaAc_kpVMrMCBGPHYH95IpT0TMjnISJTeVdb2XHs58FY2ncwB_xIUUUr/s1600/claim1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-iUFTqikAB5f4WF-wtJdUDxzJ-v_PAV1oK6LBCAYsy7OEno7XW31v06LZ20gNyU_0Dn09J5LGiolpwP_9ojyQPaAc_kpVMrMCBGPHYH95IpT0TMjnISJTeVdb2XHs58FY2ncwB_xIUUUr/s640/claim1.png" width="640" /></a></span></div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b></span></div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"></span><br />
<div style="background-color: transparent;">
<h3>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Claim Dialect</span></b></span></h3>
<h3 style="font-weight: normal;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b></span></h3>
<div style="font-weight: normal;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br />A set of claims is identified as a dialect. Different dialects represent the same piece of information with different claim URIs. <br /><br />The following dialects are defined by default in the WSO2 Claim Management component. They are populated the first time the server starts, by reading the claim-mgt.xml file in &lt;IS_HOME&gt;</span></b><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/repository/conf</span></b></span></div>
</div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span><br />
<div style="background-color: transparent;">
<div style="font-weight: normal;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b></span></div>
<ul style="font-weight: normal;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<li><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">http://wso2.org/claims :</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Default dialect for WSO2 Carbon (Claim set of this dialect is used for default user profile)</span></b></li>
<li><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">http://schemas.xmlsoap.org/ws/2005/05/identity :</span><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Default dialect for Information Cards</span></b><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></li>
<li><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">http://axschema.org :</span><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Default dialect for OpenID Attribute Exchange (AX)</span></b><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></li>
<li><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">http://schema.openid.net/2007/05/claims : </span><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Default dialect for OpenID Simple Registration</span></b></li>
</span></ul>
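The two ideas above, a claim URI mapped to a user-store attribute, and several dialects naming the same attribute under different URIs, are easier to see in code. The following is an added example, not part of the WSO2 Identity Server code base: a small registry that enforces unique claim URIs, maps each to a store attribute, translates a claim between dialects through the shared attribute, and projects a raw user record onto one dialect so that only mapped attributes are ever exposed. The attribute names, the user record and the claim URIs under the three non-WSO2 dialects are constructed for illustration and are assumptions, not values taken from claim-mgt.xml.

```python
"""Added example (not WSO2 code): a model of claim dialects and claim-to-attribute
mappings as described above. Attribute names and the user record are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    """One claim mapping: a dialect-specific URI bound to a user-store attribute."""
    dialect_uri: str
    claim_uri: str
    mapped_attribute: str   # attribute in the JDBC/LDAP/AD store behind the server
    required: bool = False  # must have a value in every user profile


class ClaimRegistry:
    """Claim URIs are unique across the whole registry; dialects group them."""

    def __init__(self) -> None:
        self._claims: dict[str, Claim] = {}
        self._dialects: dict[str, list[Claim]] = {}

    def add_dialect(self, dialect_uri: str) -> None:
        self._dialects.setdefault(dialect_uri, [])

    def add_claim(self, claim: Claim) -> None:
        if claim.dialect_uri not in self._dialects:
            raise KeyError(f"unknown dialect {claim.dialect_uri}")
        if claim.claim_uri in self._claims:
            raise ValueError(f"duplicate claim URI {claim.claim_uri}")
        self._claims[claim.claim_uri] = claim
        self._dialects[claim.dialect_uri].append(claim)

    def attribute_for(self, claim_uri: str) -> str:
        """The user-store attribute a claim URI is mapped to."""
        return self._claims[claim_uri].mapped_attribute

    def translate(self, claim_uri: str, target_dialect: str) -> str | None:
        """The claim in target_dialect that maps to the same store attribute, if any."""
        attr = self.attribute_for(claim_uri)
        for c in self._dialects[target_dialect]:
            if c.mapped_attribute == attr:
                return c.claim_uri
        return None

    def claims_for_user(self, dialect_uri: str, record: dict[str, str]) -> dict[str, str]:
        """Project a raw user-store record onto one dialect. Unmapped attributes are
        never exposed; a missing required claim is an error, a missing optional one
        is simply omitted."""
        out: dict[str, str] = {}
        for c in self._dialects[dialect_uri]:
            if c.mapped_attribute in record:
                out[c.claim_uri] = record[c.mapped_attribute]
            elif c.required:
                raise LookupError(f"required claim {c.claim_uri} has no value for {c.mapped_attribute}")
        return out


WSO2 = "http://wso2.org/claims"
INFOCARD = "http://schemas.xmlsoap.org/ws/2005/05/identity"
AX = "http://axschema.org"
SREG = "http://schema.openid.net/2007/05/claims"


def build_default_registry() -> ClaimRegistry:
    """A constructed subset of the four default dialects; the non-WSO2 claim URIs are assumptions."""
    reg = ClaimRegistry()
    for d in (WSO2, INFOCARD, AX, SREG):
        reg.add_dialect(d)
    for claim in (
        Claim(WSO2, f"{WSO2}/givenname", "givenName", required=True),
        Claim(WSO2, f"{WSO2}/lastname", "sn", required=True),
        Claim(WSO2, f"{WSO2}/emailaddress", "mail"),
        Claim(INFOCARD, f"{INFOCARD}/claims/givenname", "givenName"),
        Claim(INFOCARD, f"{INFOCARD}/claims/emailaddress", "mail"),
        Claim(AX, f"{AX}/namePerson/first", "givenName"),
        Claim(AX, f"{AX}/contact/email", "mail"),
        Claim(SREG, f"{SREG}/email", "mail"),
    ):
        reg.add_claim(claim)
    return reg


# Constructed LDAP-style record; userPassword is deliberately mapped by no dialect.
SAMPLE_USER = {"uid": "alice", "givenName": "Alice", "sn": "Liddell",
               "mail": "alice@example.org", "userPassword": "{SSHA}constructed"}

if __name__ == "__main__":
    reg = build_default_registry()
    print(reg.translate(f"{WSO2}/givenname", AX))
    print(reg.claims_for_user(SREG, SAMPLE_USER))
```

The point to take from it: a relying party that asks for the OpenID Simple Registration dialect receives only the e-mail claim, because that is all the dialect maps, and no dialect can leak userPassword because no claim URI was ever mapped to it. Translation between dialects works only where both sides map the same attribute, which is why translate returns None for the WSO2 lastname claim under the axschema dialect in this constructed subset.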
<h3>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b></span></h3>
<h3>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Defining Claim Dialect</span></b></span></h3>
<div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b></span></div>
<div style="font-weight: normal;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">You can define a new claim dialect by clicking the 'Add New Claim Dialect' link in the Claim Management UI.</span></b></span></div>
<ul style="font-weight: normal;"><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<li><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Dialect URI : a URI that uniquely identifies the dialect, e.g. http://test.org/claims</span></b></li>
</span></ul>
<div style="font-weight: normal;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br />Each dialect must have at least one claim, so after adding the dialect you need to define a claim for it as described under the next heading. </span></b></span></div>
</div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span><br />
<div style="background-color: transparent; font-weight: normal;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHXNs8g9_XKQUbylNQp5bAlSNHwcawmoB_wGA6L74z4tJWRY1mwInd57s_L3l5f5SjC5sepAsNB909cPo3P8RodiAGCF4n2Ju3ju_HIt5ewNnsJLDc_rBYD5EF5gEwiRRQBhqMWeMhEZgn/s1600/claim4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHXNs8g9_XKQUbylNQp5bAlSNHwcawmoB_wGA6L74z4tJWRY1mwInd57s_L3l5f5SjC5sepAsNB909cPo3P8RodiAGCF4n2Ju3ju_HIt5ewNnsJLDc_rBYD5EF5gEwiRRQBhqMWeMhEZgn/s640/claim4.png" width="640" /></a></span></div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b></span><br />
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b></span></div>
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
</span><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"><div style="background-color: transparent;">
<h3>
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Defining Claim </span></b></h3>
<h3 style="font-weight: normal;">
</h3>
<div style="font-weight: normal;">
<b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br />You can extend a defined dialect by adding new claim mappings. Click the 'Add New Claim Mapping' link to add a new claim mapping; each mapping has the following fields.</span></b></div>
</div>
<div style="background-color: transparent; font-weight: normal;">
<b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b><br />
<ul>
<li><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Display Name : Name of the claim displayed on the UI (displayed name in the user profile)</span></b></li>
<li><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Description : Describe the functionality of the claim</span></b></li>
<li><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Claim Uri : URI defined under the dialect, specific to the claim (Unique identifier for claim)</span></b></li>
<li><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Mapped Attribute : Corresponding attribute name from the underlying user store</span></b></li>
<li><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Regular Expression : Regular expression used to validate the values entered when configuring user profiles</span></b></li>
<li><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Display Order : Display order of the claim among all the other claims defined under the same dialect</span></b></li>
<li><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Supported by Default : If unchecked, the claim is not prompted in the user profile or in user self registration</span></b></li>
<li><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Required : The claim must be provided in the user profile and in user self registration</span></b></li>
</ul>
</div>
</span><span class="Apple-style-span" style="border-collapse: separate; color: black; font-family: 'Times New Roman'; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div style="background-color: transparent;">
<b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b></div>
<div style="background-color: transparent;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbFgEpK35gJ3cfHUXOWtZJNrnMVs_jWtXgqdtG3BVu10g7FkaMf-WMof0VFRwMN0ln5dlLWbmXkVjL_mtivSbYirEOULCjkBdWM8-AMPLpBLAN3eBcFti2z6y_huYxy3aIbqI96qsEm7Cc/s1600/claim5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbFgEpK35gJ3cfHUXOWtZJNrnMVs_jWtXgqdtG3BVu10g7FkaMf-WMof0VFRwMN0ln5dlLWbmXkVjL_mtivSbYirEOULCjkBdWM8-AMPLpBLAN3eBcFti2z6y_huYxy3aIbqI96qsEm7Cc/s640/claim5.png" width="640" /></a></div>
<b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b></div>
</span><span class="Apple-style-span" style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><div style="background-color: transparent;">
<h3 style="font-family: 'Times New Roman'; font-size: medium; white-space: normal;">
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Example </span></b></h3>
<div style="font-family: 'Times New Roman'; font-size: medium; white-space: normal;">
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-style-span" style="font-weight: normal;"><br /></span></span></b></div>
<div>
<div style="font-family: 'Times New Roman'; font-size: medium; white-space: normal;">
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-style-span" style="font-weight: normal;">Let's assume that there is an attribute called “policyId” in the underlying user store (say OpenLDAP), and let's make it a required claim value in the user's identity using claim management. </span></span></b></div>
<div style="font-family: 'Times New Roman'; font-size: medium; white-space: normal;">
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-style-span" style="font-weight: normal;"><br /></span></span></b></div>
<span class="Apple-style-span" style="font-family: Arial; font-size: x-small;"><span class="Apple-style-span" style="white-space: pre-wrap;"><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; white-space: normal;"><span id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>Step 1 : </b>Log in to the Identity Server management console as the admin user </span></span></span></span></span></div>
<span class="Apple-style-span" style="font-family: Arial; font-size: x-small;"><span class="Apple-style-span" style="white-space: pre-wrap;"><b><br /></b></span></span><br />
<div style="font-family: 'Times New Roman'; font-size: medium; white-space: normal;">
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 2</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Go to Configure -> Claim Management UI<br /><br /><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; white-space: normal;"><b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 3</span></b></span>. Locate the WSO2 Carbon claim dialect (http://wso2.org/claims)<br /><br /><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; white-space: normal;"><b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 4</span></b></span>. Create a new claim under the WSO2 Carbon claim dialect and map it to the policyId attribute</span></b><br />
<b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br />Let's define the claim as follows:<br /><br />Claim Uri → http://wso2.org/claims/policyId (unique id to identify the claim)<br /><br />Display Name → Policy Id (displayed name in the user profile UI and the claim management UI)<br /><br />Description → Policy Id of the User (description of the claim)<br /><br />Mapped Attribute → policyId (attribute id in the user store)<br /><br />Regular Expression → ^[0-9] (regular expression that permits only numerical values)<br /><br />Display Order → 3 (display order in the user profile)<br /><br />Supported by Default → true (this claim appears in the user profile and in user self registration by default)<br /><br />Required → true (this claim is a required claim in the user profile and in user self registration)</span></b></div>
<div style="font-family: 'Times New Roman'; font-size: medium; font-weight: normal; white-space: normal;">
<b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /><br /><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; white-space: normal;"><b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 5</span></b></span>. Go to My Identity -> My Profiles and view the default profile<br /><br /><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: small; white-space: normal;"><b id="internal-source-marker_0.15712157520465553"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 6</span></b></span>. Policy Id can be seen as a required attribute, where you can configure only numerical values [0-9] </span></b></div>
<div style="font-family: 'Times New Roman'; font-size: medium; font-weight: normal; white-space: normal;">
<br /></div>
<div class="separator" style="clear: both; font-family: 'Times New Roman'; font-size: medium; font-weight: normal; text-align: center; white-space: normal;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP24tTiG7rWEehsz_cjrC5yvmWUJv6f0HGjxRJPiOSus6s8DuBpxx_znLKP_iqjCH5LTZSnqLnaMAnORf-Yj96Axo19tH7bzDN7ZjCnxTycpBZxmXLDNgSaRiVLaUd1jRUHkCIRk5HycjR/s1600/claim3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP24tTiG7rWEehsz_cjrC5yvmWUJv6f0HGjxRJPiOSus6s8DuBpxx_znLKP_iqjCH5LTZSnqLnaMAnORf-Yj96Axo19tH7bzDN7ZjCnxTycpBZxmXLDNgSaRiVLaUd1jRUHkCIRk5HycjR/s640/claim3.png" width="640" /> </a></div>
<div class="separator" style="clear: both; font-family: 'Times New Roman'; font-size: medium; font-weight: normal; text-align: left; white-space: normal;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>Step 7</b>.</span><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Log out of the admin console and go to the self registration page: Identity -> Sign-up -> User name/password </span></b></div>
<div style="text-align: left;">
<br /></div>
</span></div>
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Step 8</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span><b id="internal-source-marker_0.15712157520465553" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Policy Id can be seen as a required attribute during user registration, and you can register only with numerical values</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTjEmhvSjWsSdDLom0mGCQQ5ByqRgYKjtjxqpZUeCFJOzF9uUCJPdnISlnizc8o9Kn-bKDztJ8YilUEwAxr-2s_22i_36V5jCIqlVAZAAStcUiLAl6brO-DAkgWkVoFQ9kN0anl8C0-i-J/s1600/111.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTjEmhvSjWsSdDLom0mGCQQ5ByqRgYKjtjxqpZUeCFJOzF9uUCJPdnISlnizc8o9Kn-bKDztJ8YilUEwAxr-2s_22i_36V5jCIqlVAZAAStcUiLAl6brO-DAkgWkVoFQ9kN0anl8C0-i-J/s640/111.png" width="640" /></a></div>
</div>
</span><br />
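The claim fields listed under Defining Claim and the policyId walkthrough above can be modelled in a few lines. The following Python is an added example written for this post, not WSO2 Identity Server code: it keeps a dialect of claim mappings, applies Display Order and Supported by Default when building the prompted form, enforces Required and Regular Expression on submitted values, and translates claim URIs to user-store attribute names. The second claim (department mapped to departmentNumber) is constructed only to show ordering, and the regular expression is checked with full-match semantics, which is an assumption about how the server applies it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Model of one claim mapping, mirroring the fields of the
# 'Add New Claim Mapping' form (constructed example, not WSO2 code).
@dataclass
class Claim:
    claim_uri: str
    display_name: str
    mapped_attribute: str
    description: str = ""
    regex: Optional[str] = None
    display_order: int = 0
    supported_by_default: bool = True
    required: bool = False


@dataclass
class Dialect:
    uri: str
    claims: Dict[str, Claim] = field(default_factory=dict)

    def add_claim(self, claim: Claim) -> None:
        # A claim URI must live under its dialect and be unique within it.
        if not claim.claim_uri.startswith(self.uri + "/"):
            raise ValueError("%s is not under dialect %s" % (claim.claim_uri, self.uri))
        if claim.claim_uri in self.claims:
            raise ValueError("duplicate claim URI " + claim.claim_uri)
        self.claims[claim.claim_uri] = claim

    def prompted_claims(self) -> List[Claim]:
        # Only 'Supported by Default' claims are shown in the profile and
        # self-registration forms, ordered by Display Order.
        return sorted((c for c in self.claims.values() if c.supported_by_default),
                      key=lambda c: c.display_order)


def validate_profile(dialect: Dialect, values: Dict[str, str]) -> List[str]:
    """Return validation errors for submitted values keyed by claim URI."""
    errors = []
    for claim in dialect.prompted_claims():
        value = values.get(claim.claim_uri, "")
        if not value:
            if claim.required:
                errors.append(claim.display_name + " is required")
            continue
        # Assumption: the pattern must match the whole value (full-match semantics).
        if claim.regex is not None and re.fullmatch(claim.regex, value) is None:
            errors.append("%s does not match %s" % (claim.display_name, claim.regex))
    return errors


def to_user_store_attributes(dialect: Dialect, values: Dict[str, str]) -> Dict[str, str]:
    # Translate claim URIs into the attribute names of the underlying user store.
    return {dialect.claims[uri].mapped_attribute: value
            for uri, value in values.items() if uri in dialect.claims}


# The WSO2 Carbon dialect with the policyId claim exactly as defined in the post.
CARBON = Dialect("http://wso2.org/claims")
CARBON.add_claim(Claim("http://wso2.org/claims/policyId", "Policy Id", "policyId",
                       description="Policy Id of the User", regex="^[0-9]",
                       display_order=3, supported_by_default=True, required=True))
# Constructed second claim, present only to show ordering and an optional field.
CARBON.add_claim(Claim("http://wso2.org/claims/department", "Department", "departmentNumber",
                       display_order=1, required=False))

if __name__ == "__main__":
    print([c.display_name for c in CARBON.prompted_claims()])
    print(validate_profile(CARBON, {}))
    print(validate_profile(CARBON, {"http://wso2.org/claims/policyId": "12"}))
```

Under full-match semantics the pattern ^[0-9] accepts exactly one digit, so a policy id such as 12 is rejected, while ^[0-9]+$ would accept any digit string; check which matching semantics your server applies before relying on the pattern as an input-validation control.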
<div style="text-align: left;">
<span class="Apple-style-span" style="border-collapse: separate; color: black; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;">
</span></div>Aselahttp://www.blogger.com/profile/08941025038081812446noreply@blogger.com1tag:blogger.com,1999:blog-7814469042984115284.post-37039835088855014032012-02-02T05:03:00.000-08:002012-02-02T05:34:42.979-08:00How to Configure OpenDJ with WSO2 Identity Server (WSO2IS)This blog post explains how to configure WSO2 Identity Server to connect to an OpenDJ LDAP server. <br />
<br />
First, let's install the OpenDJ server and configure it.<br />
<br />
1. Download the OpenDJ zip file and extract it into your file system. <br />
<br />
2. Go to the root directory and run the "<i>setup</i>" script to configure the OpenDJ server.<br />
<br />
3. Configure OpenDJ according to your requirements.<br />
<br />
The following are the sample configurations I used.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQIiVCrEcEIHHL2XG0H1Jwx3fbeaAHHOIVviQJ4KrbWE1KU31pAAEnr6c4V4TdVUIUPopCq9DrJEZDLjPpry9eDv-ZcmdjGL3MpRWEsczWP4Z81trjPXhSFm8FYYxkByGseYOZ3gdfq9s3/s1600/z1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQIiVCrEcEIHHL2XG0H1Jwx3fbeaAHHOIVviQJ4KrbWE1KU31pAAEnr6c4V4TdVUIUPopCq9DrJEZDLjPpry9eDv-ZcmdjGL3MpRWEsczWP4Z81trjPXhSFm8FYYxkByGseYOZ3gdfq9s3/s400/z1.png" width="400" /></a></div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHQb26yqvy7X_1QEZiwQQGwEII7URus40rtlhi1-tG_OBk1FhN5MXZxPPYKBg_wfNcu3KAa_ZwFfuhve21XAIH-cJsNvLMfsBWHA5OCM6STfyuDnA-coGy8qvAB3nWXAYliGfgCIgCyCxU/s1600/z2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="209" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHQb26yqvy7X_1QEZiwQQGwEII7URus40rtlhi1-tG_OBk1FhN5MXZxPPYKBg_wfNcu3KAa_ZwFfuhve21XAIH-cJsNvLMfsBWHA5OCM6STfyuDnA-coGy8qvAB3nWXAYliGfgCIgCyCxU/s400/z2.png" width="400" /></a></div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO3QW0eVj6XRGyE4LHFvW0MXieyhmlj5mO1cFSpSU3KIgGnRIoRjjqqz2OMkBkKr99Ybq8WlGWwyr7REvmXJhYD4D8IAjC9Zx5oMnWKYFV9NekAsoal0y_9HPuPh22S-sguSBR5mxNdj-Q/s1600/z4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO3QW0eVj6XRGyE4LHFvW0MXieyhmlj5mO1cFSpSU3KIgGnRIoRjjqqz2OMkBkKr99Ybq8WlGWwyr7REvmXJhYD4D8IAjC9Zx5oMnWKYFV9NekAsoal0y_9HPuPh22S-sguSBR5mxNdj-Q/s400/z4.png" width="400" /></a></div><br />
<br />
<br />
4. After configuration, you can manage the server using the control panel. For that, run the <i>"control-panel</i>" script, which can be found in the bin directory. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXLXb8M4uS4C-TPsdvc5pNNeWZrHYkSyhyphenhyphenZQvkN451n2b4sMkC9Jr4hSNut2TEYQ-8_hoLWjmwEQijFSNb3ohwNLi816BadH-Z6Rg9kUN1Vp0Ky7RbY7kQX2EIa3xy3morxdGwN2t4qKAR/s1600/z6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXLXb8M4uS4C-TPsdvc5pNNeWZrHYkSyhyphenhyphenZQvkN451n2b4sMkC9Jr4hSNut2TEYQ-8_hoLWjmwEQijFSNb3ohwNLi816BadH-Z6Rg9kUN1Vp0Ky7RbY7kQX2EIa3xy3morxdGwN2t4qKAR/s400/z6.png" width="400" /></a></div><br />
<br />
5. Add some users to your domain. In my sample, the domain is <i>asela.com</i>. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLfFPVpBJ-x4Eya7whc1C62cz4E7fnKpunCgXq27Aiazo3-9RUq2IE0bgV6Ox9p48HY39eFkB6AmYZiNcbeFw2d7laY3wfCAXEOVzIhssXsKcDuBTg0fwBraJKy2A83cdw_4Od-jTauyLa/s1600/z9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="209" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLfFPVpBJ-x4Eya7whc1C62cz4E7fnKpunCgXq27Aiazo3-9RUq2IE0bgV6Ox9p48HY39eFkB6AmYZiNcbeFw2d7laY3wfCAXEOVzIhssXsKcDuBTg0fwBraJKy2A83cdw_4Od-jTauyLa/s400/z9.png" width="400" /></a></div><br />
<br />
<br />
Now let's see how to connect to the OpenDJ user store from WSO2 Identity Server. <br />
<br />
6. <b>Download the WSO2 Identity Server</b> distribution from<b> <a href="http://wso2.org/library/identity-server">here</a></b> and <b>extract</b> it into your file system. Let's call the root directory IS_HOME.<br />
<br />
7. Open the <b>user-mgt.xml</b> file, which can be found in the <b>&lt;IS_HOME&gt;/repository/conf</b> directory.<br />
<br />
8. <b>Comment out the default</b> user store manager configuration:<br />
<br />
<is_home>&lt;!--UserStoreManager class="org.wso2.carbon.user.core.ldap.ApacheDSUserStoreManager"&gt;<br />
&lt;/UserStoreManager--&gt;<br />
<br />
9. <b>Uncomment the LDAPUserStoreManager configuration</b> and change it according to your OpenDJ setup. The following is the sample configuration relevant to the OpenDJ instance I configured above. <br />
<br />
&lt;!-- If product is using an external LDAP as the user store in read only mode, use following user manager --&gt;<br />
&lt;UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager"&gt;<br />
&lt;Property name="ReadOnly"&gt;true&lt;/Property&gt;<br />
&lt;Property name="MaxUserNameListLength"&gt;100&lt;/Property&gt;<br />
&lt;Property name="ConnectionURL"&gt;<b>ldap://localhost:1389</b>&lt;/Property&gt;<br />
&lt;Property name="ConnectionName"&gt;<b>cn=TestServer</b>&lt;/Property&gt;<br />
&lt;Property name="ConnectionPassword"&gt;<b>test123</b>&lt;/Property&gt;<br />
&lt;Property name="UserSearchBase"&gt;<b>dc=asela,dc=com</b>&lt;/Property&gt;<br />
&lt;Property name="UserNameListFilter"&gt;(objectClass=person)&lt;/Property&gt;<br />
&lt;Property name="UserNameAttribute"&gt;<b>cn</b>&lt;/Property&gt;<br />
&lt;Property name="GroupSearchBase"&gt;ou=system&lt;/Property&gt;<br />
&lt;Property name="GroupNameListFilter"&gt;(objectClass=groupOfNames)&lt;/Property&gt;<br />
&lt;Property name="GroupNameAttribute"&gt;cn&lt;/Property&gt;<br />
&lt;Property name="MembershipAttribute"&gt;member&lt;/Property&gt;<br />
&lt;Property name="UserRolesCacheEnabled"&gt;true&lt;/Property&gt;<br />
&lt;Property name="ReplaceEscapeCharactersAtUserLogin"&gt;true&lt;/Property&gt;<br />
&lt;/UserStoreManager&gt;<br />
<br />
<br />
10. <b>Configure the admin user name</b>. The admin user of the WSO2 Identity Server must be a user in the OpenDJ search base. In my sample, I have configured the admin user as a user in the "<i>dc=asela,dc=com"</i> UserSearchBase. <br />
&lt;AdminUser&gt;<br />
&lt;UserName&gt;<b>bob</b>&lt;/UserName&gt;<br />
&lt;Password&gt;&lt;/Password&gt;<br />
&lt;/AdminUser&gt;<br />
If you want to read groups from OpenDJ, configure them in the LDAPUserStoreManager configuration and also configure one group as the admin role of the WSO2 Identity Server. <br />
<br />
Note that the user configured as admin must be a member of the admin role. <br />
<br />
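As an added example for steps 7 to 10 (not part of this post and not WSO2 Identity Server code), the Python below loads the user-mgt.xml fragments shown above from a constructed in-memory copy, builds the LDAP search filter that resolves a login name with RFC 4515 escaping (the property ReplaceEscapeCharactersAtUserLogin exists to guarantee that kind of escaping), prints an ldapsearch command for checking by hand that the admin user exists under the UserSearchBase, and lists the points a reviewer would raise about this configuration. How the server combines UserNameListFilter and UserNameAttribute is an assumption, and the enclosing Realm and Configuration elements are a simplified layout rather than the full file.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed copy of the LDAPUserStoreManager and AdminUser blocks from the
# post, embedded as a string so the example runs offline. The enclosing
# <Realm>/<Configuration> elements are a simplified layout (assumption).
USER_MGT_XML = """<Realm>
  <Configuration>
    <AdminUser>
      <UserName>bob</UserName>
      <Password></Password>
    </AdminUser>
  </Configuration>
  <UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
    <Property name="ReadOnly">true</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="ConnectionURL">ldap://localhost:1389</Property>
    <Property name="ConnectionName">cn=TestServer</Property>
    <Property name="ConnectionPassword">test123</Property>
    <Property name="UserSearchBase">dc=asela,dc=com</Property>
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <Property name="UserNameAttribute">cn</Property>
    <Property name="GroupSearchBase">ou=system</Property>
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MembershipAttribute">member</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
  </UserStoreManager>
</Realm>"""


def load_user_store(xml_text: str) -> Dict[str, str]:
    """Return the <Property> entries of the LDAPUserStoreManager block as a dict."""
    root = ET.fromstring(xml_text)
    for usm in root.iter("UserStoreManager"):
        if usm.get("class", "").endswith("LDAPUserStoreManager"):
            return {p.get("name"): (p.text or "") for p in usm.findall("Property")}
    raise ValueError("no LDAPUserStoreManager block found")


def load_admin_user(xml_text: str) -> str:
    """Return the AdminUser/UserName value (step 10)."""
    node = ET.fromstring(xml_text).find(".//AdminUser/UserName")
    if node is None or not (node.text or "").strip():
        raise ValueError("AdminUser/UserName is missing")
    return node.text.strip()


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(props: Dict[str, str], login_name: str) -> str:
    """Filter used to resolve a login name against the user store.

    Assumption (not verified against WSO2 sources): UserNameListFilter is
    ANDed with an equality match on UserNameAttribute.
    """
    return "(&%s(%s=%s))" % (props["UserNameListFilter"],
                             props["UserNameAttribute"],
                             escape_filter_value(login_name))


def ldapsearch_command(props: Dict[str, str], login_name: str) -> str:
    """OpenLDAP ldapsearch call to check step 10 by hand (-W prompts for the bind password)."""
    return 'ldapsearch -H %s -D "%s" -W -b "%s" "%s"' % (
        props["ConnectionURL"], props["ConnectionName"],
        props["UserSearchBase"], build_user_filter(props, login_name))


def audit_user_store(props: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise about this user store configuration."""
    findings = []
    if urlsplit(props.get("ConnectionURL", "")).scheme == "ldap":
        findings.append("ConnectionURL uses ldap://: simple-bind passwords cross the "
                        "network in clear text unless StartTLS is negotiated; prefer ldaps://")
    if props.get("ConnectionPassword"):
        findings.append("ConnectionPassword is stored in clear text in user-mgt.xml; "
                        "restrict the file's permissions to the server account")
    if props.get("ReplaceEscapeCharactersAtUserLogin", "").strip().lower() != "true":
        findings.append("ReplaceEscapeCharactersAtUserLogin is not true: login names "
                        "reach the search filter unescaped")
    if props.get("ReadOnly", "").strip().lower() != "true":
        findings.append("ReadOnly is not true: the bind account must then hold write "
                        "access to the directory")
    return findings


if __name__ == "__main__":
    props = load_user_store(USER_MGT_XML)
    admin = load_admin_user(USER_MGT_XML)
    print(build_user_filter(props, admin))
    print(ldapsearch_command(props, admin))
    for finding in audit_user_store(props):
        print("-", finding)
```

The escaping matters because the login name typed at the console ends up inside the search filter: a name such as bob* would otherwise become a wildcard match instead of an exact one.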
11. <b>Start Identity Server</b> by running the <i>"wso2server"</i> script, which can be found in the <b>&lt;IS_HOME&gt;/bin</b> directory.</is_home>Aselahttp://www.blogger.com/profile/08941025038081812446noreply@blogger.com0tag:blogger.com,1999:blog-7814469042984115284.post-77599755952573123542011-02-15T12:04:00.000-08:002011-02-15T12:38:27.683-08:00WSO2Identity Server as OpenID consumer<span style="font-size: small;">WSO2 Identity Server can act as both an OpenID provider and an OpenID consumer. My previous blog post described how to use WSO2 Identity Server as an OpenID provider. Today let's see how to sign up to WSO2 Identity Server using an external OpenID (myOpenID).</span><br />
<span style="font-size: small;"><br />
</span><br />
<div style="font-family: inherit;">
<span style="font-size: small;"><b>1.</b><b> Download</b> the latest version of WSO2 Identity Server from <b><a href="http://wso2.org/">here</a></b>.</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span> </div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>2. E</b><b>xtract</b> the WSO2 Identity Server zip file into a directory in your file system. Let's call it <b>IS_HOME</b>.</span><br />
<br />
<span style="font-size: small;"><b>3. S</b></span><span style="font-size: small;"><b>tart </b>WSO2 Identity Server by running wso2server.sh (on Unix) or wso2server.bat (on Windows), which can be found in the <b>IS_HOME/bin</b> directory.</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>4. Go to</b> the WSO2IS Management Console by pointing your browser to https://localhost:9443/carbon/</span><br />
<br />
<span style="font-size: small;"><b>5. Go to</b> the InfoCard/OpenID Sign-in page and provide your OpenID (I have given my OpenID, which is http://pathberiya.myopenid.com).</span><br />
</div>
<div style="font-family: inherit;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB1PymijeE6cGvu4ymF8l0mBKyk9NRxvz_z5jViKANwtL_lxKaamyAdzvVyW1atdtM_1_svasvI4MeQGxvxMWnsiZMJGPVN8sX5yfXkkfrVXm9cMwCzSxSh5mq68P2qCjm6rXNoHAeo9gJ/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB1PymijeE6cGvu4ymF8l0mBKyk9NRxvz_z5jViKANwtL_lxKaamyAdzvVyW1atdtM_1_svasvI4MeQGxvxMWnsiZMJGPVN8sX5yfXkkfrVXm9cMwCzSxSh5mq68P2qCjm6rXNoHAeo9gJ/s400/4.png" width="400" /></a></span> </div>
<div style="font-family: inherit;">
<br />
<span style="font-size: small;"><b>6. Provide</b> your password and select the persona to associate.</span><br />
</div>
<div style="font-family: inherit;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSEc6vBm1k-v632xoyEkHtb-3LDFdc_YhjEd2VrBNdCFkilMK1-tlY4allAz1LQr9yUoLUSw2kDmj8e0kHSejJVTdhTz_qLM-_34ix1SA5jMsdmcNHIfZ8lLBh9e93zKEiqcxppwPPQdq8/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSEc6vBm1k-v632xoyEkHtb-3LDFdc_YhjEd2VrBNdCFkilMK1-tlY4allAz1LQr9yUoLUSw2kDmj8e0kHSejJVTdhTz_qLM-_34ix1SA5jMsdmcNHIfZ8lLBh9e93zKEiqcxppwPPQdq8/s400/5.png" width="400" /></a></span> </div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlVdSfvysIwBfoTJ9mX5LfZR8dlV9t19vASqgyJ1JgyqBXGogaqGg7dz8kkBtQawMzCYx4Aps6vFrKMAa-hm0DWYzysuTRN-WHjOE6OdkICyK2ukIlpRwf0luuZH_MeeRgIfvZrmw_zWZJ/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlVdSfvysIwBfoTJ9mX5LfZR8dlV9t19vASqgyJ1JgyqBXGogaqGg7dz8kkBtQawMzCYx4Aps6vFrKMAa-hm0DWYzysuTRN-WHjOE6OdkICyK2ukIlpRwf0luuZH_MeeRgIfvZrmw_zWZJ/s400/7.png" width="400" /></a></span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>7. Sign up</b> to the WSO2Identity Server (as I am a new user).</span></div>
<span style="font-size: small;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw6QPOby_YTpHdk6uhB2bP7aC-eRUHpKl1aja_14lgOShFA_vJUF9u8ZsLhujBwV4dbgaxwWc-gPf8TF-vLU2GItOfoEzhNe3V_HHPcx7PmsqbuF10zj-awKtskCXHHT0DQ78g0RK4khwK/s1600/9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw6QPOby_YTpHdk6uhB2bP7aC-eRUHpKl1aja_14lgOShFA_vJUF9u8ZsLhujBwV4dbgaxwWc-gPf8TF-vLU2GItOfoEzhNe3V_HHPcx7PmsqbuF10zj-awKtskCXHHT0DQ78g0RK4khwK/s400/9.png" width="400" /></a></span></div>
<span style="font-size: small;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht4Ml3dwkUQ5WSiI1W2OIFQnmXHBPMVLetaVV8MiK_1L70tvZvOlkyRE08rMP88lsdC9Htd5HNIgH0zzOxdAqbDfpwHwID3oaIOYV4LcSfgkVK4_wwTEKJCm5l070hqF4uYQGO_-WH-j_r/s1600/10.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht4Ml3dwkUQ5WSiI1W2OIFQnmXHBPMVLetaVV8MiK_1L70tvZvOlkyRE08rMP88lsdC9Htd5HNIgH0zzOxdAqbDfpwHwID3oaIOYV4LcSfgkVK4_wwTEKJCm5l070hqF4uYQGO_-WH-j_r/s400/10.png" width="400" /></a></span></div>
<span style="font-size: small;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbOJQW3MvDaEQYcX9C6V-zpKn1EIzVi8Xqj_wIUIC3qIzRmyIy4F0AbqCuIf4QcoRkTpplOQt0i_hlT2ZOPInLnMqnXqy5Odr_7WX_yO5hgQEhrnfV1x63M76NDzyv8VX5YqwZ9acUklg2/s1600/11.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbOJQW3MvDaEQYcX9C6V-zpKn1EIzVi8Xqj_wIUIC3qIzRmyIy4F0AbqCuIf4QcoRkTpplOQt0i_hlT2ZOPInLnMqnXqy5Odr_7WX_yO5hgQEhrnfV1x63M76NDzyv8VX5YqwZ9acUklg2/s400/11.png" width="400" /></a></span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>8. Use</b> the associated OpenID to sign in to the WSO2Identity Server.</span><br />
<br /></div>
Asela, http://www.blogger.com/profile/08941025038081812446, noreply@blogger.com, 0<br />
tag:blogger.com,1999:blog-7814469042984115284.post-4265757198813397230, published 2011-02-15T10:51:00.000-08:00, updated 2011-02-15T12:52:24.407-08:00<br />
<h3>2-legged OAuth for securing a RESTful service</h3>
<div style="font-family: inherit;">
<span style="font-size: small;">This is a step-by-step guide to securing a RESTful service with 2-legged OAuth using WSO2Identity Server and WSO2ESB.</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>1. Download</b> the latest versions of WSO2Identity Server and WSO2ESB from <b><a href="http://wso2.org/">here</a></b>.</span></div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>2. Extract</b> the WSO2Identity and WSO2ESB zip files into a directory in your file system. Let's call them <b>IS_HOME</b> and <b>ESB_HOME</b> respectively.</span></div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>3. Start</b> WSO2Identity and WSO2ESB by running wso2server.sh (on Unix) or wso2server.bat (on Windows), which can be found in the <b>IS_HOME/bin</b> and <b>ESB_HOME/bin</b> directories respectively.</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;">If both servers run on the same host (localhost), you must change the default ports of one of them.</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;">Here I changed the WSO2ESB HTTPS port to 9445 and the HTTP port to 9765 (defaults 9443 and 9763 respectively) by editing <b>mgt-transport.xml</b>, which can be found in <b>ESB_HOME/repository/conf</b>.</span></div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>4.</b><b> Go to</b> WSO2IS Management console by pointing your browser to https://localhost:9443/carbon/</span></div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>5. Register</b> a user with WSO2Identity Server by providing a user name and password.</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiFS5WY6dCMJerGQGH3_7iJ1N65dL8-vcW_wbJIqAkZPzyxHULUeuVgWl7k0IHBoN7sNMhyphenhyphenI11KErmFXU-mUE7sWS8RbswT0N9CPYzWgi_J93aAK7EWCBTEfUEfDfWmAqcVJUcAhGk9_sZ/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiFS5WY6dCMJerGQGH3_7iJ1N65dL8-vcW_wbJIqAkZPzyxHULUeuVgWl7k0IHBoN7sNMhyphenhyphenI11KErmFXU-mUE7sWS8RbswT0N9CPYzWgi_J93aAK7EWCBTEfUEfDfWmAqcVJUcAhGk9_sZ/s400/1.png" width="400" /></a></span> </div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>6. Download</b> the sample OAuth client source code from the following SVN location:</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><a href="https://svn.wso2.org/repos/wso2/trunk/carbon/components/identity/org.wso2.carbon.identity.samples.oauth">https://svn.wso2.org/repos/wso2/trunk/carbon/components/identity/org.wso2.carbon.identity.samples.oauth </a></span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;">You can build the sample using Maven (<b>mvn clean install</b>) or add the jars in the <b>IS_HOME/repository/components/plugins</b> directory to the sample project's class path.</span></div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>7. Go to</b> the ESB Management Console by pointing your browser to https://localhost:9445/carbon/ and sign in with the admin user name and password.</span></div>
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>8. Create</b> a proxy service in WSO2ESB by adding the following configuration to the service bus configuration, which can be found under <b>Manage -> Service Bus -> Source View</b>.</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNP2C-lxj8wK66dwoNJsOejTWsWxeUaYWo20luhYFVJbe7nI3hqP9YDCnpHT5ItKe-WEa9a1icrQjXoeLB_GlF6fOtIjY2zFA7cWLREtth6i8vGMu5PaVkBRZi-srO95myXXI2eIxqpMPL/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNP2C-lxj8wK66dwoNJsOejTWsWxeUaYWo20luhYFVJbe7nI3hqP9YDCnpHT5ItKe-WEa9a1icrQjXoeLB_GlF6fOtIjY2zFA7cWLREtth6i8vGMu5PaVkBRZi-srO95myXXI2eIxqpMPL/s400/2.png" width="400" /></a></span><span style="font-size: small;"><b> </b></span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;">(Or simply update the Synapse configuration of the ESB with the content of org.wso2.carbon.identity.samples.oauth/src/main/resources/synapse.xml.)</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><proxy name="OAuthProxy" transports="https http" startOnLoad="true" trace="disable"><br />
<target><br />
<inSequence><br />
<oauthService remoteServiceUrl="https://localhost:9443/services/"/><br />
<send><br />
<endpoint><br />
<address uri="http://localhost:8280/services/echo" format="rest"/><br />
</endpoint><br />
</send><br />
</inSequence><br />
<outSequence><br />
<send/><br />
</outSequence><br />
</target><br />
</proxy></span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><span style="font-size: x-small;"><i>Please note that remoteServiceUrl contains the host name and port on which WSO2Identity Server is running.</i></span></span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><b>9. Run</b> the sample client. Make sure to update the variables IDENTITY_SERVER, ESB_SERVER, USER_NAME and PASSWORD according to your configuration.</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;">Let's briefly go through the scenario and identify what is happening here.</span></div>
<ul style="font-family: inherit;">
<li><span style="font-size: small;">Register a user with WSO2Identity Server.</span></li>
<li><span style="font-size: small;">The consumer secret is registered with WSO2Identity Server:</span></li>
</ul>
<div style="font-family: inherit;">
<span style="font-size: small;"> 1. Invoke the AuthenticationAdmin service; the user is authenticated with WSO2Identity Server.</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"> 2. Invoke the OAuthAdminService and register the consumer secret.</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZrgorNGj9X8G0QWrZTn2IrnHOiVfaflAyrZqYWho2aTWbOb3zR5aYLf_d9Q-sXU1nX9s735O0RABGQoutvD6eLY_JKtEbXRMRb7DdlwcEbAZNRYGudnQ0SWxXsHo02LFzt5Pn4F7zuY1N/s1600/OAuth2.1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZrgorNGj9X8G0QWrZTn2IrnHOiVfaflAyrZqYWho2aTWbOb3zR5aYLf_d9Q-sXU1nX9s735O0RABGQoutvD6eLY_JKtEbXRMRb7DdlwcEbAZNRYGudnQ0SWxXsHo02LFzt5Pn4F7zuY1N/s320/OAuth2.1.png" width="320" /></a></span></div>
<ul style="font-family: inherit;">
<li><span style="font-size: small;">The consumer key is the user name of the user.</span></li>
<li><span style="font-size: small;">The client generates the OAuth Authorization header and signs it with the OAuth consumer secret.</span></li>
<li><span style="font-size: small;">The client invokes the proxy service deployed in the ESB.</span></li>
<li><span style="font-size: small;">The OAuth mediator in the ESB invokes the OAuthService in WSO2Identity Server to verify that the consumer is valid.</span></li>
<li><span style="font-size: small;">The Identity Server verifies the consumer key (is it a valid user?) and verifies the oauth_signature value using the consumer secret registered by that user.</span></li>
<li><span style="font-size: small;">If signature verification succeeds, the request is authenticated and forwarded to the RESTful service.</span></li>
</ul>
<div class="separator" style="clear: both; font-family: inherit; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUm6ZRC6aClTih7QlT-itW5idX4_iJtQiTZ3du_0K6pKsMs0o3fLPZ9sMH3g0QnIvpSy4tXt4YaZ3CPT4UItDnatUgEjpeZUDksOxzjiIOIrq5d3sYjoaZCOpfReYwZunRC5b9uVbiGut1/s1600/OAuth1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUm6ZRC6aClTih7QlT-itW5idX4_iJtQiTZ3du_0K6pKsMs0o3fLPZ9sMH3g0QnIvpSy4tXt4YaZ3CPT4UItDnatUgEjpeZUDksOxzjiIOIrq5d3sYjoaZCOpfReYwZunRC5b9uVbiGut1/s400/OAuth1.png" width="400" /></a></span></div>
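The client and verifier halves of the flow just listed, as an added example that is not part of the original post and is neither the WSO2 sample client nor the Identity Server's OAuthService code: it builds the signed Authorization header and then checks it the way the Identity Server must (consumer key lookup, signature recomputation, plus timestamp and nonce checks). It assumes the proxy is reachable at http://localhost:8280/services/OAuthProxy and uses a constructed user "bob" with a constructed consumer secret.

```python
# Added example, not WSO2 code: 2-legged OAuth 1.0a with HMAC-SHA1 (RFC 5849).
# build_authorization_header() is the client half (what the sample client sends to
# the ESB proxy); OAuthVerifier stands in for the Identity Server's OAuthService that
# the ESB's oauthService mediator calls. Consumer key = registered user name,
# consumer secret = the secret registered through OAuthAdminService. All constructed.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value):
    # RFC 5849 section 3.6: encode everything except the unreserved characters.
    return quote(value, safe="-._~")


def signature_base_string(method, url, params):
    """METHOD&base-URL&normalized-parameters: the string both sides sign."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    if (scheme, host.rsplit(":", 1)[-1]) in (("http", "80"), ("https", "443")):
        host = host.rsplit(":", 1)[0]  # default ports are left out of the base URL
    base_url = f"{scheme}://{host}{parts.path}"
    # Query and oauth_* parameters are signed together; oauth_signature and realm never.
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k not in ("oauth_signature", "realm")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # 2-legged: there is no access token, so the signing key is "consumer_secret&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_authorization_header(method, url, consumer_key, consumer_secret,
                               nonce=None, timestamp=None):
    """Client side: the value of the 'Authorization: OAuth ...' request header."""
    params = {
        "oauth_consumer_key": consumer_key,  # the user name registered with the IS
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


def parse_authorization_header(header):
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    out = {}
    for item in header[len("OAuth "):].split(","):
        key, sep, value = item.strip().partition("=")
        if not sep or len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError("malformed parameter")
        out[unquote(key)] = unquote(value[1:-1])
    return out


class OAuthVerifier:
    """Verifier side: the checks the ESB delegates to the Identity Server."""

    def __init__(self, secrets_by_consumer_key, max_skew=300):
        self._secrets = secrets_by_consumer_key  # user name -> registered consumer secret
        self._seen = set()                       # (consumer key, timestamp, nonce) accepted
        self._max_skew = max_skew

    def verify(self, method, url, header, now=None):
        now = int(time.time()) if now is None else now
        try:
            p = parse_authorization_header(header)
            ts, nonce = int(p["oauth_timestamp"]), p["oauth_nonce"]
        except (ValueError, KeyError):
            return False, "malformed header"
        key = p.get("oauth_consumer_key")
        secret = self._secrets.get(key)
        if secret is None:
            return False, "unknown consumer key"  # the "valid user?" check
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        if abs(now - ts) > self._max_skew:
            return False, "timestamp outside window"
        if (key, ts, nonce) in self._seen:
            return False, "nonce replayed"
        expected = hmac_sha1_signature(method, url, p, secret)
        if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
            return False, "bad signature"
        self._seen.add((key, ts, nonce))  # remember only requests that verified
        return True, "ok"


if __name__ == "__main__":
    url = "http://localhost:8280/services/OAuthProxy"  # assumed proxy URL on the ESB
    verifier = OAuthVerifier({"bob": "bobs-consumer-secret"})  # constructed registration
    header = build_authorization_header("GET", url, "bob", "bobs-consumer-secret")
    print(header)
    print(verifier.verify("GET", url, header))  # (True, 'ok')
    print(verifier.verify("GET", url, header))  # (False, 'nonce replayed')
```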
Asela, http://www.blogger.com/profile/08941025038081812446, noreply@blogger.com, 8<br />
tag:blogger.com,1999:blog-7814469042984115284.post-9034275344509767743, published 2011-02-03T06:17:00.000-08:00, updated 2011-02-23T20:17:10.743-08:00<br />
<h3>How to get the operation list from a given WSDL Uri</h3>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span style="font-size: small;">Today I needed to list the operations of a given WSDL URI. I went through the Axis2 source code and found a suitable code block in the CodeGenerationEngine class. Following is the Java code I adapted from it. You need the Axis2 and wsdl4j jars on your class path.</span></div>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span style="font-size: small;"><br />
</span></div>
<div style="font-family: "Trebuchet MS",sans-serif;">
<span style="font-size: small;">import org.apache.axis2.AxisFault;<br />
import org.apache.axis2.description.AxisOperation;<br />
import org.apache.axis2.description.AxisService;<br />
import org.apache.axis2.description.WSDL11ToAxisServiceBuilder;<br />
import org.apache.axis2.wsdl.codegen.CodeGenConfiguration;<br />
import org.apache.axis2.wsdl.codegen.CodeGenerationEngine;<br />
import org.apache.axis2.wsdl.codegen.CodeGenerationException;<br />
<br />
import java.util.Iterator;<br />
import javax.wsdl.Definition;<br />
import javax.wsdl.WSDLException;<br />
<br />
public class WSDLToOperation {<br />
<br />
    public static void main(String args[]) throws CodeGenerationException, WSDLException, AxisFault {<br />
<br />
        // WSDL location: the first command line argument, or the sample echo service<br />
        String wsdlUri = args.length > 0 ? args[0] : "http://10.100.1.162:9764/services/echo?wsdl";<br />
<br />
        // No code is generated here, so no configuration is needed; the engine is<br />
        // only used to read and parse the WSDL document<br />
        CodeGenConfiguration codeGenConfiguration = null;<br />
        CodeGenerationEngine codeGenerationEngine = new CodeGenerationEngine(codeGenConfiguration);<br />
        Definition wsdl4jDef = codeGenerationEngine.readInTheWSDLFile(wsdlUri);<br />
<br />
        // Build an AxisService from the WSDL 1.1 definition (null service and<br />
        // port names: use the first ones found in the WSDL)<br />
        WSDL11ToAxisServiceBuilder wsdl11ToAxisServiceBuilder =<br />
                new WSDL11ToAxisServiceBuilder(wsdl4jDef, null, null, false);<br />
        AxisService axisService = wsdl11ToAxisServiceBuilder.populateService();<br />
<br />
        // Print the local name of every operation of the service<br />
        Iterator iterator = axisService.getOperations();<br />
        while (iterator.hasNext()) {<br />
            AxisOperation operation = (AxisOperation) iterator.next();<br />
            System.out.println(operation.getName().getLocalPart());<br />
        }<br />
    }<br />
}</span></div>
Asela, http://www.blogger.com/profile/08941025038081812446, noreply@blogger.com, 1<br />
tag:blogger.com,1999:blog-7814469042984115284.post-7183347538770123183, published 2010-08-12T02:27:00.000-07:00, updated 2010-08-27T10:53:50.235-07:00<br />
<h3>Sign-up for Liferay portal with OpenID provided By WSO2Identity Server</h3>
Here I am going to describe the steps to configure a Liferay 4.4.2 portal to sign up with an OpenID provided by the Identity Server.<br />
<br />
<b>1</b>. First <b>download WSO2Identity</b> Server from <b><a href="http://builder.wso2.org/%7Ecarbon/releases/carbon/3.0.1/Alpha3/">here</a></b> (Alpha3 build of the latest version) and <b>extract</b> it into a directory in your file system. Let's call it CARBON_HOME.<br />
<br />
<b>2</b>. Then configure the host name (assume we change it to "wso2is"). First configure the following parameters in <b>carbon.xml</b>, which can be found in <b>CARBON_HOME/conf</b>:<br />
<br />
<b> <ServerURL>https://wso2is:${carbon.management.port}${carbon.context}/services/</ServerURL></b><br />
<b> <HostName>wso2is</HostName></b><br />
<br />
Then configure the following parameters in <b>identity.xml</b>, which can be found in the same location:<br />
<br />
<b> <OpenIDServerUrl>https://wso2is:9443/openidserver</OpenIDServerUrl></b><br />
<b> <OpenIDUserPattern>https://wso2is:9443/openid/</OpenIDUserPattern></b><br />
<br />
If you are running on your local machine, make sure to add the new host name to the <b>hosts file</b>.<br />
<br />
<b>3. </b>You can<b> start the Identity Server</b> by running wso2server.sh (on Unix) or wso2server.bat (on Windows) in the <b>CARBON_HOME/bin</b> directory.<br />
<br />
The OpenID URL of the default admin user will look like<b> https://wso2is:9443/openid/admin</b><br />
<br />
<b>4</b>. <b>Import</b> the Identity Server's <b>public certificate into the Java cacerts file, which is the trust store for Liferay</b> (this step is needed if you use the default keystore, wso2carbon.jks, for the Identity Server, or any other keystore holding a self-signed certificate).<br />
<br />
Liferay uses the <b>Java cacerts</b> file as its trust store, but <b>wso2carbon.jks contains a self-signed certificate</b>. So the certificate must be <b>imported</b> into the cacerts file used by Liferay; only then can Liferay trust the OpenID provided by WSO2Identity Server.<br />
<br />
First export the wso2carbon certificate from wso2carbon.jks, which can be found in the <b>CARBON_HOME/resources/security</b> directory. Sample keytool command (the password of the default keystore is wso2carbon):<br />
<br />
> keytool -export -keystore wso2carbon.jks -file carbon.cert -alias localhost -storepass wso2carbon<br />
<br />
Then import it into the cacerts file in <b>JAVA_HOME/jre/lib/security</b> (the default cacerts password is changeit):<br />
<br />
> keytool -import -keystore cacerts -file carbon.cert -alias carbon -storepass changeit<br />
<br />
<b>5</b>. <b>Download</b> the latest version of <b>Liferay portal</b> <b>4.4.2</b> from <b><a href="http://sourceforge.net/projects/lportal/files/Liferay%20Portal">here</a></b> and <b>extract</b> it into a directory in your file system. Let's call it LIFERAY_HOME.<br />
<br />
<b>6</b>. <b>Set</b> CATALINA_HOME=LIFERAY_HOME/tomcat_dir<br />
<br />
<b>7. Start</b> Liferay portal by running catalina.sh run (on Unix) or catalina.bat (on Windows) in the CATALINA_HOME/bin directory.<br />
<br />
<b>8</b>. Add <b>Full Name</b> as a default attribute in the Identity Server user profile and fill in the user profile.<br />
<br />
In order to perform the registration (sign-up) in Liferay using OpenID, when a user first logs in with an OpenID, Liferay asks WSO2Identity Server (the OpenID provider) for some information about the user. The provider must be able to supply this information through OpenID protocol extensions (the Identity Server implements the Simple Registration Extension). Here the <b>Full Name and Email</b> attributes are retrieved from the Identity Server, so these two must be configured in the user profile.<br />
<br />
--Full Name is not supported by default, so first you need to update the claim mapping. Go to Claim Management -> <a href="https://localhost:9443/carbon/claim-mgt/claim-view.jsp?store=Internal&dialect=http://wso2.org/claims">http://wso2.org/claims</a> claim dialect -> Full Name claim mapping, tick "Supported by Default" and update.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgts2EoU-5iScyPXN1wsHWb4dNGrX9iWuccuNN_ABTDc-q2nj_0m8lZHtOamb__aFULAPMAETbh_qVJdlqwoFYeJPtumEWzXWgUr0qEolKu5SqNfXWJln5W3mcaji0ZTJJGMRVCKuzgztt8/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgts2EoU-5iScyPXN1wsHWb4dNGrX9iWuccuNN_ABTDc-q2nj_0m8lZHtOamb__aFULAPMAETbh_qVJdlqwoFYeJPtumEWzXWgUr0qEolKu5SqNfXWJln5W3mcaji0ZTJJGMRVCKuzgztt8/s400/3.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6SCx9hfByBRZFfGSXBFb2kA-oUFqTX4MvWbIagJajk0H2K4UOwX5yLa6GAQA5mrYhxr_8ar-VaiVW7DQMXc7iPuI3WwaKhOYZV51B_LoFgdimPjCUMiJ7Xb9MCvrZ8Bo_gdUJ6qq2Ytww/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6SCx9hfByBRZFfGSXBFb2kA-oUFqTX4MvWbIagJajk0H2K4UOwX5yLa6GAQA5mrYhxr_8ar-VaiVW7DQMXc7iPuI3WwaKhOYZV51B_LoFgdimPjCUMiJ7Xb9MCvrZ8Bo_gdUJ6qq2Ytww/s400/1.png" width="400" /></a></div>
<br />
<br />
--Then go to My Profile and fill in the default profile, or add a new profile.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdI2x4Lgc0YZpqrX1c-XAUFyHzfqDvMlu9NPxEBJ_06Mb9SkoqGYPv-2KauBXLfN6P9DrGj7citmfQHp1Vb1cGbWl6Kkaz1G4WlbIuWgKC8YKT7cVMMIvqNk5eBJ7WOiVJ4qgSbOI2pMXU/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdI2x4Lgc0YZpqrX1c-XAUFyHzfqDvMlu9NPxEBJ_06Mb9SkoqGYPv-2KauBXLfN6P9DrGj7citmfQHp1Vb1cGbWl6Kkaz1G4WlbIuWgKC8YKT7cVMMIvqNk5eBJ7WOiVJ4qgSbOI2pMXU/s400/2.png" width="400" /></a></div>
<br />
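The attribute retrieval described in step 8, as an added example that is not Liferay's or WSO2's code: the OpenID 2.0 checkid_setup request carrying the Simple Registration (SREG 1.1) extension, the signed positive assertion the provider returns with the Full Name and Email values, and the relying-party check that accepts SREG attributes only when openid.signed covers them. The association secret and handle, the return_to URL and the user profile are constructed; the provider and user URLs are the ones configured in step 2.

```python
# Added example, not Liferay's or WSO2's code: OpenID 2.0 + SREG 1.1 exchange with a
# signed assertion (HMAC-SHA256 over the Key-Value form of the signed fields) and an
# RP-side verifier. Secret, handle, return_to and profile values are constructed.
import base64
import hashlib
import hmac

OPENID_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
OP_ENDPOINT = "https://wso2is:9443/openidserver"      # OpenIDServerUrl from step 2
CLAIMED_ID = "https://wso2is:9443/openid/admin"       # the admin user's OpenID
RETURN_TO = "http://liferay.example/c/portal/openid/response"  # constructed RP URL
ASSOC_HANDLE = "constructed-assoc-handle"
ASSOC_SECRET = b"\x01" * 32  # constructed; really negotiated with openid.mode=associate
CORE_SIGNED = ("op_endpoint", "claimed_id", "identity", "return_to",
               "response_nonce", "assoc_handle")


def rp_auth_request(required=("fullname", "email")):
    """RP side: checkid_setup asking the OP for the SREG fields Liferay needs."""
    return {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": CLAIMED_ID, "openid.identity": CLAIMED_ID,
        "openid.return_to": RETURN_TO, "openid.realm": RETURN_TO,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.ns.sreg": SREG_NS, "openid.sreg.required": ",".join(required),
    }


def kv_form(msg, signed):
    # Key-Value form of the signed fields, in openid.signed order (OpenID 2.0, 4.1.1).
    return "".join(f"{k}:{msg['openid.' + k]}\n" for k in signed)


def signature(msg, signed, secret):
    mac = hmac.new(secret, kv_form(msg, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_positive_assertion(request, profile, secret, nonce, sign_sreg=True):
    """OP side: id_res carrying the requested SREG attributes from the user's profile."""
    msg = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": request["openid.claimed_id"],
        "openid.identity": request["openid.identity"],
        "openid.return_to": request["openid.return_to"],
        "openid.response_nonce": nonce,
        "openid.assoc_handle": request["openid.assoc_handle"],
        "openid.ns.sreg": SREG_NS,
    }
    wanted = request.get("openid.sreg.required", "").split(",")
    provided = [n for n in wanted if n in profile]
    for name in provided:
        msg["openid.sreg." + name] = profile[name]
    signed = list(CORE_SIGNED)
    if sign_sreg:  # a correct OP covers the extension fields with the signature too
        signed += ["ns.sreg"] + ["sreg." + n for n in provided]
    msg["openid.signed"] = ",".join(signed)
    msg["openid.sig"] = signature(msg, signed, secret)
    return msg


def rp_verify(msg, secret, seen_nonces):
    """RP side: verify the assertion; return only SREG attributes the signature covers."""
    if msg.get("openid.mode") != "id_res" or msg.get("openid.return_to") != RETURN_TO:
        return None
    if msg.get("openid.op_endpoint") != OP_ENDPOINT:
        return None
    signed = msg.get("openid.signed", "").split(",")
    if not set(CORE_SIGNED).issubset(signed):
        return None
    try:
        expected = signature(msg, signed, secret)
    except KeyError:  # a field is listed as signed but missing from the message
        return None
    if not hmac.compare_digest(expected, msg.get("openid.sig", "")):
        return None
    if msg["openid.response_nonce"] in seen_nonces:
        return None  # replayed assertion
    seen_nonces.add(msg["openid.response_nonce"])
    attrs = {}
    if "ns.sreg" in signed and msg.get("openid.ns.sreg") == SREG_NS:
        # Unsigned sreg.* values may have been altered in transit, so they are ignored.
        attrs = {k[len("sreg."):]: msg["openid." + k] for k in signed if k.startswith("sreg.")}
    return {"claimed_id": msg["openid.claimed_id"], "sreg": attrs}
```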
<b>9. </b>Now try to <b>sign up by providing your OpenID</b>, https://wso2is:9443/openid/admin<br />
Asela, http://www.blogger.com/profile/08941025038081812446, noreply@blogger.com, 6<br />
tag:blogger.com,1999:blog-7814469042984115284.post-6672988720812714977, published 2010-07-28T04:17:00.000-07:00, updated 2010-07-28T04:17:06.635-07:00<br />
<h3>WSO2 Identity Server as OpenID Provider</h3>
<br />
I am going to explain how to use an OpenID issued by WSO2Identity Server in an actual environment. Here I am using <b>Liferay portal</b> as the OpenID consumer and assume that Liferay portal and the Identity Server are set up on different hosts in a LAN.<br />
<br />
<b>1</b>. First <b>download WSO2Identity</b> Server from <b><a href="http://wso2.org/downloads/identity">here</a></b> and <b>extract</b> it into a directory in your file system. Let's call it CARBON_HOME.<br />
<br />
<b>2. </b>You can<b> start the Identity Server</b> by running wso2server.sh (on Unix) or wso2server.bat (on Windows) in the <b>CARBON_HOME/bin</b> directory.<br />
<br />
The Identity Server starts with the default configuration. If you examine the OpenID URL of a user (the default admin user name is admin) in the Identity Server, it will look like<br />
<br />
<b>https://localhost:9443/openid/admin</b><br />
<br />
But this OpenID URL cannot be accessed by other hosts in your network, so let's change the host name.<br />
<br />
<b>3</b>. Let's assume we want to configure the host name as "wso2identity" (or any IP address). First configure the following parameters in <b>carbon.xml</b>, which can be found in <b>CARBON_HOME/conf</b>:<br />
<br />
<b> <ServerURL>https://wso2identity:${carbon.management.port}${carbon.context}/services/</ServerURL></b><br />
<b> <HostName>wso2identity</HostName></b><br />
<br />
Then configure the following parameters in <b>identity.xml</b>, found in the same location:<br />
<br />
<b> <OpenIDServerUrl>https://wso2identity:9443/openidserver</OpenIDServerUrl> </b><br />
<b> <OpenIDUserPattern>https://wso2identity:9443/openid/</OpenIDUserPattern></b><br />
<br />
<b>4</b>. <b>Restart the Identity Server</b>. The OpenID URL is now<br />
<br />
<b>https://wso2identity:9443/openid/admin </b><br />
<br />
<b>5</b>. <b>Download</b> the latest version of <b>Liferay portal</b> from <b><a href="http://sourceforge.net/projects/lportal/files/Liferay%20Portal/6.0.4/liferay-portal-tomcat-6.0.4.zip/download">here</a></b> and <b>extract</b> it into a directory in your file system. Let's call that directory LIFERAY_HOME.<br />
<br />
<b>6</b>. <b>Set</b> CATALINA_HOME to the Tomcat directory bundled with Liferay: CATALINA_HOME=LIFERAY_HOME/tomcat_dir<br />
<br />
<b>7. Start</b> the Liferay portal by running catalina.sh run (on Unix) or catalina.bat (on Windows) from the CATALINA_HOME/bin directory.<br />
<br />
<b>8</b>. <b>Create a user account</b> in Liferay and <b>configure for it the OpenID</b> issued by the Identity Server (https://wso2identity:9443/openid/admin).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtbdOEcKW3j0nEvefi_0Pbv65FjmfLly4659JNcKYBEkRZHnv2ZjEgOa5VQu2P1yLzNCnjOiR3S4EPizjqsm7-lWtY-Z94-ce9oxS47ngi7IugAqXpTb6CJo74Futx4BVZLzyjkpguRzu8/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtbdOEcKW3j0nEvefi_0Pbv65FjmfLly4659JNcKYBEkRZHnv2ZjEgOa5VQu2P1yLzNCnjOiR3S4EPizjqsm7-lWtY-Z94-ce9oxS47ngi7IugAqXpTb6CJo74Futx4BVZLzyjkpguRzu8/s400/1.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWee6PdvjJz2bA6X-R0paLAQIsy1hc5X01-w-QU9s_11hCDp8lgvpdN0S7LET3cZFL8_kveYb3JOtRideryD2QjfT8IkwmqvB1OVpwb8U87bY_AvMIriPAit-jhSF6kpyKwCF_7iZIdQc6/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWee6PdvjJz2bA6X-R0paLAQIsy1hc5X01-w-QU9s_11hCDp8lgvpdN0S7LET3cZFL8_kveYb3JOtRideryD2QjfT8IkwmqvB1OVpwb8U87bY_AvMIriPAit-jhSF6kpyKwCF_7iZIdQc6/s400/2.png" width="400" /></a></div>
<br />
<b>9</b>. Now try to <b>sign in by providing your OpenID</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLd1D-Zqz_hLplfR-h2KscDC32NDAxRzJ06M7eBgT6j5R25l4-9TOl_V1ztkTF20sADYy8SxB7W_DU58wDDhq9EbdoTmXM6PIrd1H7dTHmbTILU2X6mFNp8x1k9du1f8fDgudQwR_1VUP8/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLd1D-Zqz_hLplfR-h2KscDC32NDAxRzJ06M7eBgT6j5R25l4-9TOl_V1ztkTF20sADYy8SxB7W_DU58wDDhq9EbdoTmXM6PIrd1H7dTHmbTILU2X6mFNp8x1k9du1f8fDgudQwR_1VUP8/s400/3.png" width="400" /></a></div>
<br />
<b>10</b>. You will probably get the following <b>error message</b>, because one more configuration step is needed when the Identity Server uses its default keystore, wso2carbon.jks.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR4wJ6RhhBZHIrApTqyaQ1qzMTRAyX6kK4MywVLJpw95f1QTgxdjSXUfOoxm8PfpQ30OW6aZCeih1tXuvr_3cf2JUjx3LiH-x4uM9_SFv7Vg2V1oLGnC6UpNe8dudc7QfmcLLD7u23BeVv/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR4wJ6RhhBZHIrApTqyaQ1qzMTRAyX6kK4MywVLJpw95f1QTgxdjSXUfOoxm8PfpQ30OW6aZCeih1tXuvr_3cf2JUjx3LiH-x4uM9_SFv7Vg2V1oLGnC6UpNe8dudc7QfmcLLD7u23BeVv/s400/5.png" width="400" /></a></div>
<br />
Liferay uses the <b>Java cacerts</b> file as its trust store, but <b>wso2carbon.jks contains a self-signed certificate</b> that no entry in cacerts vouches for. So the Identity Server's certificate must be <b>imported</b> into the cacerts used by Liferay; then Liferay can trust the OpenID provider at wso2identity.<br />
<br />
<b>11</b>. <b>Import</b> the Identity Server's <b>public certificate into cacerts</b><br />
<br />
First export the wso2carbon certificate from wso2carbon.jks, which can be found in the <b>CARBON_HOME/resources/security</b> directory. Sample keytool command (export needs the keystore password, given with -storepass):<br />
<br />
> keytool -export -keystore wso2carbon.jks -file carbon.cert -alias localhost -storepass wso2carbon<br />
<br />
Then import it into the cacerts file in <b>JAVA_HOME/jre/lib/security</b> (the default cacerts password is changeit):<br />
<br />
> keytool -import -keystore cacerts -file carbon.cert -alias carbon -storepass changeit<br />
<br />
<b>12</b>. Then restart the Liferay portal. Now you can sign in to Liferay using the OpenID issued by the wso2identity server.........!!!<br />
<br />
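The two keytool commands above change the JDK-wide cacerts file, which every application on that JVM then trusts. The following Java program is an added example (it is not from the original post and not WSO2 or Liferay code) that performs the same export-and-import programmatically but into a dedicated trust store, and prints the certificate's SHA-256 fingerprint so you can compare it with the one the Identity Server actually serves before trusting it. The keystore file name, the alias "localhost" and the passwords are the ones used in the steps above; the output store name liferay-truststore.jks, its password and the alias "carbon" are this example's own assumptions.<br />

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/**
 * Copies the Identity Server's self-signed certificate from wso2carbon.jks into a
 * dedicated trust store for Liferay, leaving the JDK's global cacerts untouched.
 * Added example; file names and aliases below are assumptions, not project defaults.
 */
public class TrustIdpCert {

    /** Loads a JKS store; when createIfMissing is set, an absent file yields an empty store. */
    static KeyStore load(String path, char[] password, boolean createIfMissing) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        File f = new File(path);
        if (f.isFile()) {
            try (InputStream in = new FileInputStream(f)) {
                ks.load(in, password);
            }
        } else if (createIfMissing) {
            ks.load(null, password);
        } else {
            throw new IllegalArgumentException("key store not found: " + path);
        }
        return ks;
    }

    /** Colon-separated SHA-256 fingerprint, the value to compare with the IdP's out of band. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02X:", b));
        }
        return sb.substring(0, sb.length() - 1);
    }

    /**
     * Exports the certificate under idpAlias from the IdP key store and stores it as a
     * trusted-certificate entry (no private key) under trustAlias in the trust store.
     * Returns the fingerprint so the caller can confirm it matches the running IdP.
     */
    static String trustIdpCertificate(String idpKeystore, char[] idpStorePass, String idpAlias,
                                      String trustPath, char[] trustPass, String trustAlias)
            throws Exception {
        KeyStore idp = load(idpKeystore, idpStorePass, false);
        Certificate cert = idp.getCertificate(idpAlias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + idpAlias);
        }
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            x.checkValidity(); // refuse to trust an expired or not-yet-valid certificate
            boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            System.out.println("subject: " + x.getSubjectX500Principal() + ", self-signed: " + selfSigned);
        }
        KeyStore trust = load(trustPath, trustPass, true);
        trust.setCertificateEntry(trustAlias, cert);
        try (OutputStream out = new FileOutputStream(trustPath)) {
            trust.store(out, trustPass);
        }
        return fingerprint(cert);
    }

    public static void main(String[] args) throws Exception {
        // Inputs as in the post (alias "localhost", store password "wso2carbon");
        // the output store name, its password and the alias "carbon" are this example's choices.
        String fp = trustIdpCertificate(
                "wso2carbon.jks", "wso2carbon".toCharArray(), "localhost",
                "liferay-truststore.jks", "changeit".toCharArray(), "carbon");
        System.out.println("SHA-256 fingerprint: " + fp);
        // Then start Liferay's Tomcat with:
        //   -Djavax.net.ssl.trustStore=/path/to/liferay-truststore.jks
        //   -Djavax.net.ssl.trustStorePassword=changeit
    }
}
```

Copy JAVA_HOME/jre/lib/security/cacerts to liferay-truststore.jks before running it, so the public CA roots stay trusted once -Djavax.net.ssl.trustStore replaces the default store; the program then only adds the IdP entry to that copy. Compared with editing cacerts in place, this keeps the trust decision scoped to Liferay, makes it visible in Tomcat's JAVA_OPTS, and survives a JDK upgrade.<br />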
<br />
Posted by Asela on 2010-07-25<br />
<h3>Apache Directory Studio as Your LDAP User Store</h3>
1. You can download Apache Directory Studio from <b><a href="http://directory.apache.org/studio/downloads.html">here</a></b><br />
<br />
2. Then <b>extract</b> it into a directory in your file system<br />
<br />
3. Start Apache Directory Studio by <b>running the executable called ApacheDirectoryStudio</b><br />
<br />
<span style="font-size: large;"><i>Let's <b>create an LDAP server</b>.</i></span><br />
<br />
4. If you cannot see the ApacheDS Servers view, you must <b>open it</b> first:<br />
<br />
<b>Window -> Show View -> Other -> Select ApacheDS Server</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0CQbYzf0ftZ7naCpYBat_M5KjemHo2t35OQMvTi0kRh32IZgvNJh0jkBulirFNc5E3DzlPwP-7KMT5HKRyqJ0rmEKDTnxov2h7i6h9lAMK3hieE7IuO2C-fx6nu2fEIF_NErLcwnPpUBP/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0CQbYzf0ftZ7naCpYBat_M5KjemHo2t35OQMvTi0kRh32IZgvNJh0jkBulirFNc5E3DzlPwP-7KMT5HKRyqJ0rmEKDTnxov2h7i6h9lAMK3hieE7IuO2C-fx6nu2fEIF_NErLcwnPpUBP/s400/1.png" width="400" /></a></div>
<br />
Now you can see the Server management window.<br />
<br />
5. Now let's create a new server. <b>Click the new server icon (Ctrl+E)</b>; you only need to <b>enter a name</b> for the server, and the new server is created with the default configuration.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit7jlqIvHvt5n-XNMXZuze-DqKuCGsAGaG3LkfyKbWrE7s-TZ9JWfSlyEQdux6YM9VOZTPR4Xpg2dEF9Evk9RULP_PSVhvIKeYgML70A9TObOKL4uEEh9uZOKkmKeBoyIPOsmNWIZGv391/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit7jlqIvHvt5n-XNMXZuze-DqKuCGsAGaG3LkfyKbWrE7s-TZ9JWfSlyEQdux6YM9VOZTPR4Xpg2dEF9Evk9RULP_PSVhvIKeYgML70A9TObOKL4uEEh9uZOKkmKeBoyIPOsmNWIZGv391/s400/2.png" width="400" /></a></div>
<br />
By double-clicking the server you can view its <b>configuration file (server.xml)</b>. You can adjust it to your needs, but here I continue with the default configuration.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPyJgezfaqaeTtR1CjE1vaEE-COQ1GBcUuD91dQKkvag7iFYHrc6fR3VXrZoQpA5M1N72F0eXISVrg2MVrFjldFSkwoXrIM-D-10_J03y33t0MZ49CJn-2HCMhTY03cnvx2vZJppOQ7oFr/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPyJgezfaqaeTtR1CjE1vaEE-COQ1GBcUuD91dQKkvag7iFYHrc6fR3VXrZoQpA5M1N72F0eXISVrg2MVrFjldFSkwoXrIM-D-10_J03y33t0MZ49CJn-2HCMhTY03cnvx2vZJppOQ7oFr/s400/3.png" width="400" /></a></div>
<br />
6. Now click the <b>Run icon (Ctrl+R), and your server starts.</b><br />
<br />
<span style="font-size: large;"><i>Now we are going to create a <b>connection to the running LDAP server in order to browse it.</b> (You can create connections to almost any LDAP server.)</i></span><br />
<br />
7. LDAP -> New Connection. The New LDAP Connection wizard opens.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg4rRQ3Obeu13bC7hb3H8v4NuFh4Z0yZBZhP2mcsI0eNotORF7gsQqtLuM33PF6L227-slrUzV7clmcPaP1irYlKhFiLHazqIhrbTL-JHsqWU54V3vwg6_kp8vAj6PPkGgK4RsWyrzEqPi/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg4rRQ3Obeu13bC7hb3H8v4NuFh4Z0yZBZhP2mcsI0eNotORF7gsQqtLuM33PF6L227-slrUzV7clmcPaP1irYlKhFiLHazqIhrbTL-JHsqWU54V3vwg6_kp8vAj6PPkGgK4RsWyrzEqPi/s400/11.png" width="400" /></a></div>
<br />
8. Configure the network parameters<br />
<br />
<b>Connection Name</b> - any name you like<br />
<b>Host Name</b> - the host on which your LDAP server is running. Here the LDAP server is on the same machine, so localhost<br />
<b>Port</b> - the port the LDAP server listens on. Here 10386, the default, or whatever port is configured in server.xml<br />
<b>Encryption Method</b> - if you want to secure the connection to the LDAP server, use SSL. Also make sure to change the port to match ldap or ldaps<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAK1a_C0PGnR67hLohgBdy60WR7LyePWddtjvXcGivPvOwjlAszpfyY8t92mv9J2a6cegxlx6V6e9WjxbixfNqYRoonTkEM0SjcKY6mo7LrclX4iXU7Z8cmhNtfk9nKVGUNLaiC7NCw-59/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAK1a_C0PGnR67hLohgBdy60WR7LyePWddtjvXcGivPvOwjlAszpfyY8t92mv9J2a6cegxlx6V6e9WjxbixfNqYRoonTkEM0SjcKY6mo7LrclX4iXU7Z8cmhNtfk9nKVGUNLaiC7NCw-59/s400/12.png" width="400" /></a></div>
<br />
9. Configure the authentication parameters<br />
<br />
<b>Authentication method</b> - you can select simple authentication, an advanced authentication method, or no authentication, according to what you have configured in server.xml. Here we must use simple authentication.<br />
<b>Bind DN or User</b> - uid=admin,ou=system<br />
<b>Bind password</b> - secret<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTP1eaHZTAc42pSVHgtQlsfMbNrJk4IOkoby-eSptjrl2OX43k_MxlEmDJmtUpkCGIH_i_VMXM1ArC5gAnA59ufZ9kSRT3AmXm4actnhSC_H1YlrMn3HwMi8Q8iQES2XC_KEDYMeS4cJON/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTP1eaHZTAc42pSVHgtQlsfMbNrJk4IOkoby-eSptjrl2OX43k_MxlEmDJmtUpkCGIH_i_VMXM1ArC5gAnA59ufZ9kSRT3AmXm4actnhSC_H1YlrMn3HwMi8Q8iQES2XC_KEDYMeS4cJON/s400/13.png" width="400" /></a></div>
<br />
<br />
When a new LDAP server is created, an admin user with the above DN and password is created by default. If the LDAP server <b>already contains users, you can bind with any DN you want</b>. Leave the Browser and Edit options at their defaults and finish the wizard.<br />
<br />
10. Now open your connection by clicking the <b>open connection icon</b> in the Connections view.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrQQF-QJKQYZ6-mbXNyK1VV9zE8T4dyHmxLxzKLzrhII3btopv4Z34eO_TU83kXzFtqXsO6a6tpDEfUJNYBDedRFaJEiGEBWCmkou6EV6KpilRCdzuTP3aOOxyxO3Xox4hLZqOrQWBDQYx/s1600/15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrQQF-QJKQYZ6-mbXNyK1VV9zE8T4dyHmxLxzKLzrhII3btopv4Z34eO_TU83kXzFtqXsO6a6tpDEfUJNYBDedRFaJEiGEBWCmkou6EV6KpilRCdzuTP3aOOxyxO3Xox4hLZqOrQWBDQYx/s400/15.png" width="400" /></a></div>
<br />
11. Then you can open the <b>LDAP Browser</b> by <b>double-clicking</b> your connection, which <b>displays the tree of your LDAP server</b>.<br />
<br />
Now you are able to create, delete and modify entries in your LDAP server....!!!<br />
<br />
Posted by Asela on 2010-07-01<br />
<h3>SSL profiles in WSO2 ESB</h3>
<b>"SSL profiles"</b> is a new feature introduced in <b>WSO2 ESB 3.0.0</b>. Using SSL profiles, WSO2 ESB can be configured to communicate with <b>SSL</b> and <b>mutual SSL</b> enabled target servers. Let's see how to configure it.<br />
<br />
<br />
1. First, <b>download WSO2 ESB 3.0.0</b> from <a href="http://www.wso2.org/esb"><b>here</b></a>, then extract it into a directory in your file system. Let's call that directory ESB_HOME.<br />
<br />
2. Then define the appropriate <b>SSL profiles under the HTTPS transport sender configuration</b> in the <b>axis2.xml</b> file, which can be found in <b>ESB_HOME/repository/conf</b>.<br />
<br />
The following shows the example configuration I am going to use.<br />
Here, localhost:9444 is the server used for SSL communication and localhost:9445 the one used for mutual SSL. As you can see, a profile <b>consists of a keystore-truststore pair</b>. A <b>single profile can be associated with one or more target servers</b>, so you can list several target servers under one profile. A target server is identified by its host name and port number. Once an SSL profile is defined and associated with a target server, WSO2 ESB uses the profile's <b>truststore for SSL communication</b> (to verify the target's certificate) and the <b>keystore-truststore pair for mutual SSL communication</b> (the keystore supplies the ESB's own client certificate).<br />
<br />
In this example configuration, localhost:9444 is WSO2 WSAS and localhost:9445 is WSO2 BPS. Note that the truststore must contain the target server's certificate for SSL communication, and for mutual SSL the target server must in turn trust the certificate held in the keystore.<br />
<br />
<br />
<parameter name="customSSLProfiles"><br />
<br />
    <profile><br />
        <servers>www.test.org:80, localhost:9444</servers><br />
        <TrustStore><br />
            <Location>path/to/trust/store</Location><br />
            <Type>JKS</Type><br />
            <Password>password</Password><br />
        </TrustStore><br />
    </profile><br />
<br />
    <profile><br />
        <servers>localhost:9445</servers><br />
        <KeyStore><br />
            <Location>/path/to/identity/store</Location><br />
            <Type>JKS</Type><br />
            <Password>password</Password><br />
            <KeyPassword>password</KeyPassword><br />
        </KeyStore><br />
        <TrustStore><br />
            <Location>path/to/trust/store</Location><br />
            <Type>JKS</Type><br />
            <Password>password</Password><br />
        </TrustStore><br />
    </profile><br />
<br />
</parameter><br />
<br />
<br />
3. <b>Start the WSO2 ESB server</b> by running wso2server.sh (on Unix) or wso2server.bat (on Windows) from the ESB_HOME/bin directory.<br />
Once the server starts, point your web browser to https://localhost:9443/carbon/. If the SSL profiles are configured successfully, you will see the <b>following INFO logs</b> at startup:<br />
<br />
[2010-07-01 15:22:26,300] INFO - HttpCoreNIOSSLSender Loading Trust Keystore from : path/to/trust/store<br />
[2010-07-01 15:22:26,306] INFO - HttpCoreNIOSSLSender Loading Identity Keystore from : /path/to/identity/store<br />
[2010-07-01 15:22:26,310] INFO - HttpCoreNIOSSLSender Loading Trust Keystore from : path/to/trust/store<br />
[2010-07-01 15:22:26,322] INFO - HttpCoreNIOSSLSender Custom SSL profiles initialized for 3 servers<br />
<br />
<br />
4. Let's create simple proxy services whose endpoints are hosted on localhost:9444 and localhost:9445.<br />
<br />
I created the following two proxies:<br />
<br />
<syn:proxy name="BPSProxy" transports="https http" startOnLoad="true" trace="disable"><br />
    <syn:target><br />
        <syn:inSequence><br />
            <syn:send><br />
                <syn:endpoint><br />
                    <syn:address uri="https://localhost:9444/services/TestE4XService"/><br />
                </syn:endpoint><br />
            </syn:send><br />
        </syn:inSequence><br />
        <syn:outSequence><br />
            <syn:send/><br />
        </syn:outSequence><br />
    </syn:target><br />
</syn:proxy><br />
<br />
<syn:proxy name="WSASProxy" transports="https http" startOnLoad="true" trace="disable"><br />
    <syn:target><br />
        <syn:inSequence><br />
            <syn:send><br />
                <syn:endpoint><br />
                    <syn:address uri="https://localhost:9445/services/HelloService"/><br />
                </syn:endpoint><br />
            </syn:send><br />
        </syn:inSequence><br />
        <syn:outSequence><br />
            <syn:send/><br />
        </syn:outSequence><br />
    </syn:target><br />
</syn:proxy><br />
<br />
5. Now send request messages to the two proxy services. You will see that the ESB communicates successfully with the SSL and mutual SSL enabled target servers using the SSL profiles.<br />
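To make concrete what a profile buys you, the following Java program is an added example (not the ESB's own implementation, whose HttpCoreNIOSSLSender logs you saw in step 3) that parses a customSSLProfiles block like the one in step 2 and builds, per target server, the SSLContext such a profile implies: a trust manager alone for SSL, a key manager plus trust manager for mutual SSL. It also rejects a target listed in two profiles and a KeyStore without a KeyPassword, two configuration mistakes that otherwise surface only as a handshake failure at runtime. The class name SslProfiles and the embedded sample XML (the post's two profiles with placeholder store paths) are this example's assumptions.<br />

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Parses an ESB customSSLProfiles block and derives the SSLContext each target gets (added example). */
public class SslProfiles {

    /** One profile: a trust store, plus an optional key store that makes it a mutual-SSL profile. */
    static final class Profile {
        String trustStore, trustType, trustPassword, keyStore, keyType, keyPassword, keyEntryPassword;
        boolean mutual() { return keyStore != null; }
    }

    /** Text of the first descendant element named tag, or null when absent. */
    static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    /** Maps "host:port" -> Profile, rejecting configurations that would be resolved silently. */
    static Map<String, Profile> parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Element root = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
        Map<String, Profile> byServer = new LinkedHashMap<>();
        NodeList profiles = root.getElementsByTagName("profile");
        for (int i = 0; i < profiles.getLength(); i++) {
            Element p = (Element) profiles.item(i);
            Profile prof = new Profile();
            NodeList ts = p.getElementsByTagName("TrustStore");
            if (ts.getLength() == 0) throw new IllegalStateException("profile without TrustStore");
            Element t = (Element) ts.item(0);
            prof.trustStore = text(t, "Location"); prof.trustType = text(t, "Type"); prof.trustPassword = text(t, "Password");
            NodeList ks = p.getElementsByTagName("KeyStore");
            if (ks.getLength() > 0) {
                Element k = (Element) ks.item(0);
                prof.keyStore = text(k, "Location"); prof.keyType = text(k, "Type");
                prof.keyPassword = text(k, "Password"); prof.keyEntryPassword = text(k, "KeyPassword");
                if (prof.keyEntryPassword == null) throw new IllegalStateException("KeyStore without KeyPassword");
            }
            String servers = text(p, "servers");
            if (servers == null) throw new IllegalStateException("profile without servers");
            for (String server : servers.split(",")) {
                String s = server.trim(); // "host:port", the way the ESB identifies a target
                if (byServer.put(s, prof) != null) throw new IllegalStateException("server in two profiles: " + s);
            }
        }
        return byServer;
    }

    static KeyStore loadStore(String path, String type, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type == null ? "JKS" : type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Trust manager only for SSL; a key manager as well when the target demands a client certificate. */
    static SSLContext contextFor(Profile p) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(p.trustStore, p.trustType, p.trustPassword));
        KeyManagerFactory kmf = null;
        if (p.mutual()) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadStore(p.keyStore, p.keyType, p.keyPassword), p.keyEntryPassword.toCharArray());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Sample input constructed from the post's two profiles (store paths are placeholders)
        String xml = "<parameter name=\"customSSLProfiles\">"
                + "<profile><servers>www.test.org:80, localhost:9444</servers>"
                + "<TrustStore><Location>path/to/trust/store</Location><Type>JKS</Type><Password>password</Password></TrustStore></profile>"
                + "<profile><servers>localhost:9445</servers>"
                + "<KeyStore><Location>/path/to/identity/store</Location><Type>JKS</Type><Password>password</Password><KeyPassword>password</KeyPassword></KeyStore>"
                + "<TrustStore><Location>path/to/trust/store</Location><Type>JKS</Type><Password>password</Password></TrustStore></profile></parameter>";
        for (Map.Entry<String, Profile> e : parse(xml).entrySet()) {
            Profile p = e.getValue();
            System.out.println(e.getKey() + " -> " + (p.mutual() ? "mutual SSL, client cert from " + p.keyStore : "SSL") + ", trusts " + p.trustStore);
        }
    }
}
```

Running main prints one line per target; contextFor is what you would call with real store paths before opening a connection to that target. Keeping the trust store per profile, rather than trusting every target from one global store, is the point of the feature: a mutual-SSL target only ever sees the client certificate from its own profile's keystore.<br />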
<br />
Posted by Asela on 2010-05-27<br />
<h3>Enabling JMS Transport in WSO2 BPS</h3>
As I highlighted in my previous blog post, <b>WSO2 BPS</b> is a powerful open source BPEL engine. Here I am going to <b>enable the JMS transport</b> in WSO2 BPS. You can use any JMS provider you prefer; I am going to use <b><a href="http://activemq.apache.org/activemq-500-release.html">Apache ActiveMQ-5.2.0</a></b> for this example.<br />
<br />
<br />
1. You can <b>download WSO2 BPS</b> (version 1.1.1) from <a href="http://www.wso2.org/projects/bps"><b>here</b></a>, then extract it into a directory in your file system. Let's call that directory BPS_HOME.<br />
<br />
2. <b>Start the ActiveMQ</b> message broker: go to (ActiveMQ_Install_directory)/bin and run activemq.sh (or activemq.bat on Windows).<br />
<br />
3. <b>Copy the ActiveMQ libraries to the BPS_HOME/repository/components/lib</b> directory:<br />
<br />
<b>activemq-core-5.2.0.jar and geronimo-j2ee-management_1.0_spec-1.0</b><br />
<br />
4. <b>Enable the JMS</b> transport in WSO2 BPS by uncommenting the following parameters in <b>axis2.xml</b> (BPS_HOME/conf directory). Here I have configured them for an ActiveMQ environment.<br />
<br />
For Receiver<br />
<br />
<parameter name="myTopicConnectionFactory"><br />
    <parameter name="java.naming.factory.initial">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter><br />
    <parameter name="java.naming.provider.url">tcp://localhost:61616</parameter><br />
    <parameter name="transport.jms.ConnectionFactoryJNDIName">TopicConnectionFactory</parameter><br />
</parameter><br />
<br />
<parameter name="myQueueConnectionFactory"><br />
    <parameter name="java.naming.factory.initial">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter><br />
    <parameter name="java.naming.provider.url">tcp://localhost:61616</parameter><br />
    <parameter name="transport.jms.ConnectionFactoryJNDIName">QueueConnectionFactory</parameter><br />
</parameter><br />
<br />
<parameter name="default"><br />
    <parameter name="java.naming.factory.initial">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter><br />
    <parameter name="java.naming.provider.url">tcp://localhost:61616</parameter><br />
    <parameter name="transport.jms.ConnectionFactoryJNDIName">QueueConnectionFactory</parameter><br />
</parameter><br />
<br />
For Sender<br />
<br />
<transportSender name="jms" class="org.apache.axis2.transport.jms.JMSSender"/><br />
<br />
5. <b>Start</b> the BPS server by running wso2server.sh (on Unix) or wso2server.bat (on Windows).<br />
If everything is configured correctly, you will see the following logs at startup:<br />
<br />
[2010-05-27 22:19:55,019] INFO - JMS ConnectionFactory : default initialized<br />
[2010-05-27 22:19:55,021] INFO - JMS ConnectionFactory : myTopicConnectionFactory initialized<br />
[2010-05-27 22:19:55,022] INFO - JMS ConnectionFactory : myQueueConnectionFactory initialized<br />
[2010-05-27 22:19:55,022] INFO - JMS Transport Receiver/Listener initialized...<br />
<br />
We can see that a <b>JMS endpoint</b> has been added to the BPEL service (see the WSDL as well).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipCjhI9lAcCxHuxQ2rAPEHZ1o8ViJS6CTNWz_P7tmJQTWWSeWr785GNXhMyNXYu2yVaCxlxxTi0gVDuvNNRNeiTQf7Jj7-4lIh8isn25S9-gfa5xQXgdqP9QTE7sJlLARf9KPZ7WeQNcc7/s1600/jms3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipCjhI9lAcCxHuxQ2rAPEHZ1o8ViJS6CTNWz_P7tmJQTWWSeWr785GNXhMyNXYu2yVaCxlxxTi0gVDuvNNRNeiTQf7Jj7-4lIh8isn25S9-gfa5xQXgdqP9QTE7sJlLARf9KPZ7WeQNcc7/s640/jms3.png" width="640" /></a></div>
<br />
<span style="font-size: small;"><i><b>Note:-</b></i></span><br />
<br />
As an alternative to step 4, you can enable and configure JMS from the <b>UI</b>:<br />
<br />
Home > Manage > Transports<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDdlU1zOSTBI41kLBX2R3jIybKraBrFwSzVHswtYnaMkyd4LS_jhWGdpW9SChFGMwHGQqF964YWwtUyHVPh2iWf9B5iDPgQsRgIsK7axuT9fxiArrGqhpa4bEBQZfi01Drh2LV7jxkCpWZ/s1600/jms1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDdlU1zOSTBI41kLBX2R3jIybKraBrFwSzVHswtYnaMkyd4LS_jhWGdpW9SChFGMwHGQqF964YWwtUyHVPh2iWf9B5iDPgQsRgIsK7axuT9fxiArrGqhpa4bEBQZfi01Drh2LV7jxkCpWZ/s640/jms1.png" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfajRRYus5ZC3b8pdVg_cieSlXIpNGVbPOWWrcRuEONDqQqVwKw0Dw0cDbl8uJhrkZOXtEEBi-IAHzZvltkZAiAxLaqOiEsqmVHR65j7EUrq9gZ52x5qv9bvBrM_CdFFeZwWJPVZ4Ndtu_/s1600/jms2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfajRRYus5ZC3b8pdVg_cieSlXIpNGVbPOWWrcRuEONDqQqVwKw0Dw0cDbl8uJhrkZOXtEEBi-IAHzZvltkZAiAxLaqOiEsqmVHR65j7EUrq9gZ52x5qv9bvBrM_CdFFeZwWJPVZ4Ndtu_/s640/jms2.png" width="640" /></a></div>
<br />
But there are some issues when disabling JMS from the UI, so I recommend using axis2.xml to configure JMS in WSO2 BPS version 1.1.1. This will be fixed in the <b>next WSO2 BPS release.....!!!</b><br />
<br />
<br />
Posted by Asela on 2010-05-13<br />
<h3>WSO2 BPS in Cluster</h3>
Clustering is a major requirement for web servers in a production environment, because these servers have to fulfill two basic needs: high availability and scalability.<br />
<br />
<b>WSO2 Carbon</b> based products come with clustering functionality (please refer to <b><a href="http://wso2.org/library/articles/introduction-wso2-carbon-clustering">this</a></b> article for more information on WSO2 Carbon clustering). Here I am going to show how to configure <b><a href="http://wso2.org/projects/bps">WSO2 BPS</a></b> in a clustered environment.<br />
<br />
<br />
1. You can download WSO2BPS (version 1.1.1) from <b><a href="http://wso2.org/projects/bps">here</a></b>.<br />
<br />
2. All nodes in a BPS cluster <b>share the same persistence storage (BPS datasource) and the same registry</b>, so each node must be connected to an external datasource and an external registry. <b><a href="http://pathberiya.blogspot.com/2009/11/how-to-configure-external-mysql.html">This</a></b> post describes the configuration of an external BPS datasource. Use the same configuration for all nodes, but don't forget to use a different provider port for each node if you are starting all nodes on the same machine (same URL).<br />
<br />
3. Then registry.xml and user-mgt.xml (both in the WSO2BPS/conf directory) must be configured to use one central registry. Use the same configuration for all nodes.<br />
<br />
Sample configuration of registry.xml for a MySQL database<br />
<br />
<dbConfig name="wso2registry"><br />
    <url>jdbc:mysql://10.100.1.1:3306/regdb</url><br />
    <userName>regadmin</userName><br />
    <password>regadmin</password><br />
    <driverName>com.mysql.jdbc.Driver</driverName><br />
    <maxActive>80</maxActive><br />
    <maxWait>6000</maxWait><br />
    <minIdle>5</minIdle><br />
</dbConfig><br />
<br />
Sample configuration of user-mgt.xml<br />
<br />
<Database><br />
    <URL>jdbc:mysql://10.100.1.1:3306/regdb</URL><br />
    <UserName>regadmin</UserName><br />
    <Password>regadmin</Password><br />
    <Dialect>mysql</Dialect><br />
    <Driver>com.mysql.jdbc.Driver</Driver><br />
    <maxActive>30</maxActive><br />
    <maxWait>60000</maxWait><br />
    <minIdle>5</minIdle><br />
</Database><br />
<br />
<br />
4. Then one BPS node must be started as the <b>group management node</b>. You can do this simply by configuring the following basic parameters in <b>axis2.xml</b> (WSO2BPS/conf directory)<br />
<br />
# Enable clustering for this node<br />
<br />
<clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true"><br />
<br />
# Clustering domain/group<br />
<br />
<parameter name="domain">bps</parameter><br />
<br />
# Enable the group management<br />
<br />
<groupManagement enable="true"><br />
    <applicationDomain name="bps"<br />
                       description="BPS group"<br />
                       agent="org.apache.axis2.clustering.management.DefaultGroupManagementAgent"/><br />
</groupManagement><br />
<br />
5. The other BPS nodes must also be started with clustering enabled (node management can be enabled or disabled, but it has no effect for BPS, so I did not use it here).<br />
<br />
# Enable clustering for this node<br />
<br />
<clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true"><br />
<br />
# Clustering domain/group<br />
<br />
<parameter name="domain">bps</parameter><br />
<br />
<br />
6. Start every BPS node by running wso2server.sh (on Unix) or wso2server.bat (on Windows) from the WSO2BPS/bin directory. Don't forget to use different HTTP and HTTPS ports for each node if you are starting all nodes on the same machine (same URL). The port configuration can be found in transport.xml and axis2.xml.<br />
<br />
By looking at the DEBUG and INFO messages you can understand what is happening.<br />
<br />
But WSO2 BPS (version 1.1.1) has some limitations in a clustered setup (retiring a BPEL process does not propagate to the other nodes, and managing BPEL packages and processes should be disabled on member nodes), which will be resolved in the <b>next BPS release.</b>........!!!<br />
<br />
Posted by Asela on 2010-02-07<br />
<h3>How to create a Password Callback class</h3>
Most web services are secured using various WS-Security methods, so we need to implement clients that support WS-Security in order to invoke them.<br />
<br />
If you are using Rampart or WSS4J for WS-Security processing on the client side, you may need to create a password callback class for the following:<br />
<br />
1) Get the password to build the username token<br />
<br />
2) Get the private key password for signature or decryption<br />
<br />
<br />
It is very easy to write a password callback. The following Java code is a simple password callback class:<br />
<br />
package org.wso2.samples.pwcb;<br />
<br />
import org.apache.ws.security.WSPasswordCallback;<br />
import javax.security.auth.callback.Callback;<br />
import javax.security.auth.callback.CallbackHandler;<br />
import javax.security.auth.callback.UnsupportedCallbackException;<br />
import java.io.IOException;<br />
<br />
public class PWCBHandler implements CallbackHandler {<br />
<br />
    public void handle(Callback[] callbacks) throws IOException,<br />
            UnsupportedCallbackException {<br />
<br />
        for (int i = 0; i < callbacks.length; i++) {<br />
            // WSS4J hands this handler WSPasswordCallback instances; reject anything<br />
            // else explicitly instead of failing with a ClassCastException<br />
            if (!(callbacks[i] instanceof WSPasswordCallback)) {<br />
                throw new UnsupportedCallbackException(callbacks[i]);<br />
            }<br />
            WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[i];<br />
            String id = pwcb.getIdentifer(); // WSS4J 1.5.x spelling of the accessor<br />
            int usage = pwcb.getUsage();<br />
<br />
            if (usage == WSPasswordCallback.USERNAME_TOKEN) {<br />
                // Logic to get the password to build the username token<br />
                if ("admin".equals(id)) {<br />
                    pwcb.setPassword("admin");<br />
                }<br />
            } else if (usage == WSPasswordCallback.SIGNATURE || usage == WSPasswordCallback.DECRYPT) {<br />
                // Logic to get the private key password for signature or decryption<br />
                if ("client".equals(id)) {<br />
                    pwcb.setPassword("apache");<br />
                }<br />
                if ("service".equals(id)) {<br />
                    pwcb.setPassword("apache");<br />
                }<br />
            }<br />
        }<br />
    }<br />
}<br />
<br />
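The handler above answers with passwords compiled into the class, so the secrets ship inside the jar on every node and the same string serves as both a user password and a private key password. The variant below is an added example for this post (not WSO2's or WSS4J's code) that keeps the same WSS4J 1.5.x callback contract but reads each password from an environment variable and fails closed for identifiers or usages it does not know. The class name EnvPWCBHandler and the PWCB_<USAGE>_<ID> variable naming scheme are this example's assumptions; the WSPasswordCallback constants and getIdentifer() are the 1.5.x API the post's code already uses.<br />

```java
package org.wso2.samples.pwcb;

import java.io.IOException;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Password callback for Rampart/WSS4J 1.5.x that keeps no secrets in source (added example).
 * Each (usage, identifier) pair maps to one environment variable, e.g. PWCB_UT_ADMIN for the
 * UsernameToken password of "admin" and PWCB_KEY_CLIENT for the private key password of the
 * "client" alias. The naming scheme is this example's own convention.
 */
public class EnvPWCBHandler implements CallbackHandler {

    private final Map<String, String> env;

    /** Production constructor: Rampart instantiates the class reflectively with no arguments. */
    public EnvPWCBHandler() {
        this(System.getenv());
    }

    /** Injectable variable source, so the lookup can be unit-tested without touching the OS env. */
    EnvPWCBHandler(Map<String, String> env) {
        this.env = env;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwcb = (WSPasswordCallback) cb;
            String id = pwcb.getIdentifer(); // WSS4J 1.5.x spelling of the accessor
            String kind;
            switch (pwcb.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    kind = "UT";  // password used to build the wsse:UsernameToken
                    break;
                case WSPasswordCallback.SIGNATURE:
                case WSPasswordCallback.DECRYPT:
                    kind = "KEY"; // password protecting the private key entry in the keystore
                    break;
                default:
                    // Other usages are service-side concerns; a client handler refuses them.
                    throw new UnsupportedCallbackException(cb, "unsupported usage " + pwcb.getUsage());
            }
            String password = lookup(kind, id);
            if (password == null) {
                // Fail closed rather than guess: WSS4J then aborts the outgoing message.
                throw new IOException("no password configured for " + kind + "/" + id);
            }
            pwcb.setPassword(password);
        }
    }

    /** Builds the variable name PWCB_<kind>_<ID> from the identifier and looks it up. */
    String lookup(String kind, String id) {
        if (id == null) {
            return null;
        }
        String normalized = id.toUpperCase(Locale.ROOT).replaceAll("[^A-Z0-9]", "_");
        return env.get("PWCB_" + kind + "_" + normalized);
    }
}
```

Reference it from the RampartConfig section of the policy with <ramp:passwordCallbackClass>org.wso2.samples.pwcb.EnvPWCBHandler</ramp:passwordCallbackClass> and export the variables in the environment that starts the server (before wso2server.sh runs, for the WSO2 products below). Environment variables are still readable by anyone who can inspect the process, so this removes the secrets from the artifact you ship, not from the host that runs it.<br />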
Let's see how you can use this password callback class with WSO2 products such as ESB and BPS. For ESB, we need a callback class to invoke a secured back-end service, where the ESB proxy service acts as the client of the back-end service. Likewise, when a BPEL process invokes an external partner service, the BPS acts as a client of that external web service.<br />
<br />
Therefore we need to create a jar file<b> ... </b><br />
<b><br /></b>
<b>Step1 : Creating a jar file </b><br />
<b><br /></b>
<i><b>Note :</b> If you are familiar with <a href="http://maven.apache.org/">maven</a>, you can find the Maven project of the callback class <a href="https://svn.wso2.org/repos/wso2/people/asela/ws-security/password-callback/">here</a>.</i><br />
<br />
1. Copy the sample password callback into a text file and save it as PWCBHandler.java<br />
<br />
2. Create a directory called "temp" anywhere you like.<br />
<br />
3. Inside temp, create the directory structure org/wso2/samples/pwcb<br />
<br />
4. Copy PWCBHandler.java into the pwcb directory<br />
<br />
5. Download wss4j.jar from <a href="http://ws.apache.org/wss4j/">here</a> (http://ws.apache.org/wss4j/) and copy it into the temp directory. Use a 1.5.x release such as wss4j-1.5.8.jar: the sample calls getIdentifer(), which WSS4J 1.6 renamed.<br />
<br />
6. From the pwcb directory, compile PWCBHandler.java with the classpath pointing at the wss4j jar in the temp directory<br />
<br />
Ex:-<br />
#javac -classpath /home/asela/temp/wss4j-1.5.8.jar PWCBHandler.java<br />
<br />
7. Go into the temp directory and create the jar file by issuing the following<br />
<br />
#jar cf PWCBHandler.jar org/wso2/samples/pwcb/*.class<br />
<br />
<b>Step2 : Adding jar file in to classpath</b><br />
<br />
1. Copy the PWCBHandler.jar you have just created into &lt;CARBON_HOME&gt;/repository/components/lib<br />
<b><br /></b>
2. Restart the server. Only after the jar is on this classpath can Rampart load org.wso2.samples.pwcb.PWCBHandler when the policy names it.<br />
<br />
<br />
That's all!Aselahttp://www.blogger.com/profile/08941025038081812446noreply@blogger.com5tag:blogger.com,1999:blog-7814469042984115284.post-82158942142475232332010-01-30T10:46:00.000-08:002010-01-30T10:46:00.334-08:00How to Install PostgreSQL database in Ubuntu 9.04It is very simple to install PostgreSQL in Ubuntu. Just run the following command at the command prompt<br />
<br />
<b>sudo apt-get install postgresql</b><br />
<br />
This installs the PostgreSQL version packaged for your Ubuntu release (8.3 on Ubuntu 9.04), and you are ready to use it.<br />
<br />
But let's make some important configuration changes (these are the ones I made). The PostgreSQL configuration files are stored in the /etc/postgresql/&lt;version&gt;/main directory. In my case I installed PostgreSQL 8.3, so they are in /etc/postgresql/8.3/main<br />
<br />
<b>1. Enable TCP/IP connections</b><br />
<br />
By default the server listens for TCP/IP connections on localhost only, so other machines cannot connect. PostgreSQL supports several client authentication methods; they are chosen per connection type and client address in pg_hba.conf, and on Ubuntu the default for local connections is the ident method, which maps your operating-system user to the database user of the same name (this is why sudo -u postgres below works without a password).<br />
<br />
To enable TCP/IP connections from other hosts, edit the file /etc/postgresql/8.3/main/postgresql.conf<br />
<br />
Locate the line #listen_addresses = 'localhost' and uncomment it.<br />
<br />
To allow other computers to connect to your PostgreSQL server, replace 'localhost' with the IP address of your server. Note that listen_addresses only controls which interfaces the server listens on; a remote client is still rejected until pg_hba.conf has a matching host line. Add one with the md5 method and the narrowest client network you can (for example host mydb myuser 192.168.1.0/24 md5), and avoid the trust method on network lines, since it accepts any connection without a password.<br />
<br />
<b>2. Set a password for the postgres user</b><br />
<br />
<br />
Run the following command at a terminal prompt to connect to the default PostgreSQL template database<br />
<br />
<b> sudo -u postgres psql template1</b><br />
<br />
Then run the following SQL command at the psql prompt to set the password for the user postgres.<br />
<br />
<b>ALTER USER postgres with encrypted password 'your_password';</b><br />
<br />
The password is checked only for connections that pg_hba.conf authenticates with a password method such as md5; connections that still use ident are unaffected. The password change takes effect immediately, but the listen_addresses change above needs a restart of the PostgreSQL service.<br />
<br />
Enter the following to restart<br />
<br />
<b>sudo /etc/init.d/postgresql-8.3 restart</b>Aselahttp://www.blogger.com/profile/08941025038081812446noreply@blogger.com0tag:blogger.com,1999:blog-7814469042984115284.post-14206407003142027062010-01-30T09:48:00.001-08:002010-05-13T10:45:51.408-07:00How to Deploy Axis2 services in WSO2 BPSWSO2 BPS is a powerful BPEL engine that lets you easily deploy and manage BPEL services; it can be downloaded from here. <br />
<br />
We can also deploy plain Axis2 services in WSO2 BPS, but only locally on the file system, not remotely. It is easy: just copy your *.aar file into the repository/services directory of the extracted WSO2 BPS distribution.<br />
<br />
After a few seconds the service is listed on the Deployed Services page, and you can configure QoS from its Service Dashboard.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLKoAJjEtjspp1i9aD3Xajl_rqXg9rcoHmq1CKACyL5z1uNsrT3we0ThCU-k6aRm85brl4sY1pQMdAW7_-BZJdGE29WPWhffJo7VV1TGF2CPMiXg2M4Gx6ZFtETrMu2Lg6rCucfm84YD_y/s1600-h/Screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLKoAJjEtjspp1i9aD3Xajl_rqXg9rcoHmq1CKACyL5z1uNsrT3we0ThCU-k6aRm85brl4sY1pQMdAW7_-BZJdGE29WPWhffJo7VV1TGF2CPMiXg2M4Gx6ZFtETrMu2Lg6rCucfm84YD_y/s640/Screenshot.png" width="640" /></a></div>Aselahttp://www.blogger.com/profile/08941025038081812446noreply@blogger.com2tag:blogger.com,1999:blog-7814469042984115284.post-71868344622853393982009-11-04T19:00:00.000-08:002010-05-01T06:19:05.019-07:00How to configure External Database for WSO2 Business Process Server<a href="http://wso2.org/projects/bps">WSO2BPS</a> (which allows you to easily deploy and manage complex BPEL services) can be configured to use an external database instead of the embedded Derby database as its persistence storage.<br />
<br />
Let's configure an external database for BPS<br />
<br />
<span style="font-weight: bold;">1. Set up and start your database server</span><br />
<br />
WSO2BPS (version 1.1.1) supports MySQL, Oracle and MSSQL database servers. The latest version of WSO2BPS will also support PostgreSQL.<br />
<br />
<span style="font-weight: bold;">2. Create a database</span><br />
<br />
<span style="font-weight: bold;">3. Extract wso2bps-1.1.1.zip and load the BPS schema into that database using the provided SQL scripts.</span><br />
<br />
(For example, if you are using MySQL as your database server, use the mysql.sql script located inside the 'WSO2BPS/dbscripts/bps' directory to create the BPS schema)<br />
<br />
Use the command "mysql -u root -p bps < /home/asela/BPS/wso2bps-1.1.0-SNAPSHO/dbscripts/bps/mysql.sql"<br />
<span style="font-weight: bold;"> </span><br />
<span style="font-weight: bold;">4. Create a file named 'datasources.properties' inside the WSO2BPS/conf directory</span><br />
<br />
<span style="font-weight: bold;">5. Add the following configuration to the datasources.properties file</span><br />
<br />
The following is a sample configuration for MySQL.<br />
<br />
synapse.datasources=bpsds<br />
synapse.datasources.icFactory=com.sun.jndi.rmi.registry.RegistryContextFactory<br />
synapse.datasources.providerPort=2199<br />
<br />
synapse.datasources.bpsds.registry=JNDI<br />
synapse.datasources.bpsds.type=BasicDataSource<br />
synapse.datasources.bpsds.driverClassName=com.mysql.jdbc.Driver<br />
synapse.datasources.bpsds.url=jdbc:mysql://localhost:3306/bps<br />
synapse.datasources.bpsds.username=root<br />
synapse.datasources.bpsds.password=asela<br />
synapse.datasources.bpsds.dsName=bpsds<br />
synapse.datasources.bpsds.maxActive=100<br />
synapse.datasources.bpsds.maxIdle=20<br />
synapse.datasources.bpsds.maxWait=10000<br />
<br />
The first three lines configure the list of data source names, the JNDI initial context factory and the RMI registry port the data sources are bound in. Here "bpsds" is used as the data source name, and every property of that data source is prefixed with synapse.datasources.bpsds.<br />
<br />
The remaining lines specify the properties of the database created earlier. Make sure that your database URL, username and password are correct. Because the password sits in this file in clear text, restrict the file's permissions to the account that runs the server, and prefer a dedicated database user with rights on the bps schema only over a superuser such as root.<br />
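Since every data source in this file follows the same synapse.datasources.&lt;name&gt;.&lt;key&gt; layout, a short parser can group the keys per data source and flag the mistakes that usually surface only at server start, or later as a security finding. The class below is an added example written for this post, not WSO2 code: it parses the format, checks that the global and per-data-source keys are present, and warns when the file connects as a database superuser or leaves the password empty. The class name and the set of checks are this example's own choices; the sample input is constructed inline from the MySQL fragment above.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

/**
 * Added example, not WSO2 code: parses a datasources.properties file laid out
 * as synapse.datasources.<name>.<key>=<value> and reports the problems a
 * reviewer would flag before the file reaches a server.
 */
public class DatasourcePropertiesCheck {

    static final String PREFIX = "synapse.datasources";
    static final String[] REQUIRED = {
        "registry", "type", "driverClassName", "url", "username", "password", "dsName"
    };

    /** Groups the keys of each listed data source: name -> (key -> value). */
    public static Map<String, Map<String, String>> parse(Properties p) {
        Map<String, Map<String, String>> result = new LinkedHashMap<>();
        for (String raw : p.getProperty(PREFIX, "").split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue;
            }
            String dsPrefix = PREFIX + "." + name + ".";
            Map<String, String> ds = new LinkedHashMap<>();
            for (String key : p.stringPropertyNames()) {
                if (key.startsWith(dsPrefix)) {
                    ds.put(key.substring(dsPrefix.length()), p.getProperty(key).trim());
                }
            }
            result.put(name, ds);
        }
        return result;
    }

    /** Returns findings in reading order; an empty list means nothing was flagged. */
    public static List<String> check(Properties p) {
        List<String> findings = new ArrayList<>();
        for (String global : new String[] {PREFIX + ".icFactory", PREFIX + ".providerPort"}) {
            if (p.getProperty(global) == null) {
                findings.add("missing " + global);
            }
        }
        Map<String, Map<String, String>> all = parse(p);
        if (all.isEmpty()) {
            findings.add("no data source listed under " + PREFIX);
        }
        for (Map.Entry<String, Map<String, String>> e : all.entrySet()) {
            String name = e.getKey();
            Map<String, String> ds = e.getValue();
            for (String r : REQUIRED) {
                if (ds.get(r) == null || ds.get(r).isEmpty()) {
                    findings.add(name + ": missing or empty " + r);
                }
            }
            if (ds.get("dsName") != null && !name.equals(ds.get("dsName"))) {
                findings.add(name + ": dsName '" + ds.get("dsName")
                        + "' differs from the listed name; bps.xml refers to the data source by name");
            }
            String user = ds.get("username");
            if ("root".equals(user) || "sa".equals(user) || "postgres".equals(user)) {
                findings.add(name + ": connects as the database superuser '" + user
                        + "'; use an account with rights on the bps schema only");
            }
            String url = ds.get("url");
            if (url != null && !url.startsWith("jdbc:")) {
                findings.add(name + ": url is not a JDBC URL: " + url);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the MySQL fragment above, with the password left empty
        String sample = String.join("\n",
                "synapse.datasources=bpsds",
                "synapse.datasources.icFactory=com.sun.jndi.rmi.registry.RegistryContextFactory",
                "synapse.datasources.providerPort=2199",
                "synapse.datasources.bpsds.registry=JNDI",
                "synapse.datasources.bpsds.type=BasicDataSource",
                "synapse.datasources.bpsds.driverClassName=com.mysql.jdbc.Driver",
                "synapse.datasources.bpsds.url=jdbc:mysql://localhost:3306/bps",
                "synapse.datasources.bpsds.username=root",
                "synapse.datasources.bpsds.password=",
                "synapse.datasources.bpsds.dsName=bpsds");
        Properties p = new Properties();
        p.load(new StringReader(sample));
        for (String f : check(p)) {
            System.out.println("FINDING: " + f);
        }
    }
}
```

Run against the constructed sample it reports the empty password and the root account; point it at a real WSO2BPS/conf/datasources.properties by loading that file into the Properties object instead.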
<br />
<span style="font-weight: bold;">6. Open the bps.xml file inside the WSO2BPS/conf directory and add the following parameters</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbObdjfzOawkaLPGn48GtxTQQR_3h_MMaIqp0gsu21eh08QQE7XY2jIHqSyD3vKEiHtPhegPN3mlet-HZnxzuapbZTjiVWNqtOS9hB_bsw0Jr6ViR1kFEMf_qdOZ8ICPQHcJ7_Cw8PT0l2/s1600-h/database.GIF" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5400453306094617858" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbObdjfzOawkaLPGn48GtxTQQR_3h_MMaIqp0gsu21eh08QQE7XY2jIHqSyD3vKEiHtPhegPN3mlet-HZnxzuapbZTjiVWNqtOS9hB_bsw0Jr6ViR1kFEMf_qdOZ8ICPQHcJ7_Cw8PT0l2/s400/database.GIF" style="cursor: pointer; display: block; height: 102px; margin: 0px auto 10px; text-align: center; width: 400px;" /></a><br />
&lt;dbconf mode="EXTERNAL"&gt;<br />
&nbsp;&nbsp;&lt;datasource name="bpsds"&gt;<br />
&nbsp;&nbsp;&nbsp;&nbsp;&lt;jndi contextfactory="com.sun.jndi.rmi.registry.RegistryContextFactory" providerurl="rmi://localhost:2199"&gt;&lt;/jndi&gt;<br />
&nbsp;&nbsp;&lt;/datasource&gt;<br />
&lt;/dbconf&gt;<br />
<br />
The datasource name here must match the data source name registered through datasources.properties ("bpsds" above), and the provider URL must point at the RMI registry port set by synapse.datasources.providerPort (2199 above). That registry is only needed by the server itself, so keep port 2199 closed to other hosts.<br />
<br />
<span style="font-weight: bold;">7. Copy the JDBC driver jar file into the 'WSO2BPS/repository/components/lib' directory</span><br />
<br />
<span style="font-weight: bold;">8. Then start the WSO2BPS server</span><br />
<br />
If correctly configured, you will see the following lines in the WSO2BPS startup log:<br />
<br />
[2010-05-01 17:49:56,056] INFO - DataSources will be registered in the JNDI context with provider PROP_URL : rmi://asela-laptop:2199<br />
..................................... <br />
<br />
[2010-05-01 17:49:59,490] INFO - ODE using external DataSource "bpsds".<br />
[2010-05-01 17:49:59,491] INFO - Using DAO Connection Factory class: org.apache.ode.dao.jpa.BPELDAOConnectionFactoryImpl<br />
[2010-05-01 17:49:59,491] INFO - Using DAO Connection Factory class org.apache.ode.dao.jpa.BPELDAOConnectionFactoryImpl.<br />
[2010-05-01 17:50:00,701] INFO - Registering E4X Extension...<br />
[2010-05-01 17:50:00,761] INFO - BPEL Server Started.<br />
[2010-05-01 17:50:00,806] INFO - Starting OpenJPA 1.1.0<br />
[2010-05-01 17:50:00,914] INFO - Using dictionary class "org.apache.openjpa.jdbc.sql.MySQLDictionary".<br />
<br />
Aselahttp://www.blogger.com/profile/08941025038081812446noreply@blogger.com0