pathberiya.org

How to Configure OpenDJ with WSO2 Identity Server (WSO2IS)

2012-02-02T05:03:00.000-08:00

This blog post explains how we can configure WSO2 Identity Server to connect with OpenDJ LDAP server.

First lets try to install OpenDJ server and configure it.

1. Download and Extract OpenDJ.zip file in to your file system.

2. Go to root directory and run "setup" script for configure the OpenDJ server.

3. Configure OpenDJ according your configuration.

Following are my sample configurations that i did

4. After configurations, you can manage the server using control panel. For that run "control-panel" script which can be found at bin directory

5. Add some users in to your domain. In my sample, for asela.com domain.

Now let see how we can connect to the OpenDJ user store using WSO2 Identity Server.

6. Download WSO2 Identity Server distribution from here and Extract it in to your file system. Let call root directory as IS_HOME

7. Open user-mgt.xml file which can be found at <IS_HOME>/repository/conf directory

8. Comment the default user store manager configuration



9. Uncomment LDAPUserStoreManager configuration and change it according to your OpenDJ configurations. Following is the sample configuration that is relevanted to my OpenDJ that i used above.

    
        <UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager">
            <Property name="ReadOnly">true</Property>
            <Property name="MaxUserNameListLength">100</Property>
            <Property name="ConnectionURL">ldap://localhost:1389</Property>
            <Property name="ConnectionName">cn=TestServer</Property>
            <Property name="ConnectionPassword">test123</Property>
            <Property name="UserSearchBase">dc=asela,dc=com</Property>
            <Property name="UserNameListFilter">(objectClass=person)</Property>
            <Property name="UserNameAttribute">cn</Property>
            <Property name="GroupSearchBase">ou=system</Property>
            <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
            <Property name="GroupNameAttribute">cn</Property>
            <Property name="MembershipAttribute">member</Property>
            <Property name="UserRolesCacheEnabled">true</Property>
        <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
        </UserStoreManager>

10. Configure admin user name. Then admin user of the WSO2 Identity Server must be a user in that OpenDJ search base. According to the my sample, i have configured the admin user as a user in "dc=asela,dc=com" UserSearchBase.

                <AdminUser>
                     <UserName>bob</UserName>
                     <Password></Password>
                </AdminUser>

If you are hoping to read groups from the OpenDJ, Please configure it in the LDAPUserStoreManager configurations and also configure one group as an admin role of the WSO2 Identity Server.

Please note that user who is configured as admin must be in the admin role.

11.Start Identity Server by running " wso2server" script which can be found at <IS_HOME>/bin directory.

WSO2Identity Server as OpenID consumer

2011-02-15T12:04:00.000-08:00

WSO2Identity Server can be act as both OpenId provider and OpenId consumer. My previous blog post described how we can use WSO2Identity Server as an OpenId provider. Today lets see how we can sign up to the WSO2Identity Server using external OpenId (myopenid).

1. Download latest versions of WSO2Identity from here.

2. Extract WSO2Identity zip file in to a directory in your file system. Lets call as IS_HOME

3. Start WSO2Identity by running wso2server.sh (in unix) or wso2server.bat (in windows) which can be found in IS_HOME/bin directory.

4. Go to WSO2IS Management console by pointing your browser to https://localhost:9443/carbon/

5. Go to the InfoCard/OpenID Sign-in Page and provide your OpenId (I have given my openId which is http://pathberiya.myopenid.com)

6. Provide your password and select your persona to associate

7. Sign up to the WSO2Identity server (As I am a new user)

8. Use associated openId to sign-in to the WSO2Identiry server.

2-legged OAuth for securing a RESTful service

2011-02-15T10:51:00.000-08:00

This is step by step guide to secure a RESTful service with 2-legged OAuth using WSO2Identity Server and WSO2ESB.

1. Download latest versions of WSO2Identity server and WSO2ESB from here.

2. Extract WSO2Identity and WSO2ESB zip files in to a directory in your file system. Lets call them as IS_HOME and ESB_HOME respectively

3. Start WSO2Identity and WSO2ESB by running wso2server.sh (in unix) or wso2server.bat (in windows) which can be found in IS_HOME/bin and ESB_HOME/bin directory respectively.

If Both servers are running in the localhost, You should change the default ports.

Here I changed the WSO2ESB https port to 9445 and http port to 9765 (default 9443 and 9763 respectively) by configuring mgt-transport.xml which can be found in ESB_HOME/repository/conf

4. Go to WSO2IS Management console by pointing your browser to https://localhost:9443/carbon/

5. Register a User with WSO2Identity Server by providing User name and password.

6. Download sample OAuth client source code from following svn location

https://svn.wso2.org/repos/wso2/trunk/carbon/components/identity/org.wso2.carbon.identity.samples.oauth

You can build the sample using maven (mvn clean install) or add the jars in IS_HOME/repository/components/plugins directory to sample project class path.

7. Go to ESB Management console by pointing your browser to https://localhost:9445/carbon/ and sign-in to it by providing admin user name and password.

8. Create a proxy service in WSO2ESB by adding following configuration in to the service bus configuration which can be found under Manage ->Service Bus -> Source View

(or simply update the synapse configuration of ESB with the content in org.wso2.carbon.identity.samples.oauth/src/main/resources/synapse.xml)

Please note that remoteServiceUrl contains the Host name and the port that WSO2Identity server is running.

9. Run sample Client........ Make sure to update variables IDENTITY_SERVER, ESB_SERVER, USER_NAME, PASSWORD according to your configurations

Lets briefly go through the scenario and identity what is happening here

Consumer secret is registered with WSO2Identity Server

1. Invoke AuthenticationAdmin service and user is authenticated with WSO2ISentity server

2. Invoke OAuthAdminService service and register consumer secret.

Consumer key would be the User Name of the User

Generate OAuth Authorization header and Sign it with OAuth Consumer Secret

Invoke the proxy service which is deployed in ESB

OAuth mediator in ESB invoke the OAuthService in WSO2Identity Server to verify that consumer is valid.

Verify consumer key (Valid User ?) and Verify oauth_signature value using consumer secret which has been registered by the user.

If Signature verification is done, request is Authenticated, and send it to the RESTful service

How to get the operation list from a given WSDL Uri

2011-02-03T06:17:00.000-08:00

Today i needed to list the operation of a given WSDL uri. I went through the axis2 source code.. and just found some code block in the CodeGenerationEngine class. Following is the java code that modified.. You want to have the axis2 and wsdl4j jars in your class path...

import org.apache.axis2.AxisFault;

import org.apache.axis2.description.AxisOperation;

import org.apache.axis2.description.AxisService;

import org.apache.axis2.description.WSDL11ToAxisServiceBuilder;

import org.apache.axis2.wsdl.codegen.CodeGenConfiguration;

import org.apache.axis2.wsdl.codegen.CodeGenerationEngine;

import org.apache.axis2.wsdl.codegen.CodeGenerationException;

import java.util.Iterator;

import javax.wsdl.Definition;

import javax.wsdl.WSDLException;

public class WSDLToOperation {

public static void main(String args[]) throws CodeGenerationException, WSDLException, AxisFault {

String wsdlUri = "http://10.100.1.162:9764/services/echo?wsdl";

CodeGenConfiguration codeGenConfiguration = null;

CodeGenerationEngine codeGenerationEngine = new CodeGenerationEngine(codeGenConfiguration);

Definition wsdl4jDef = codeGenerationEngine.readInTheWSDLFile(wsdlUri);

WSDL11ToAxisServiceBuilder wsdl11ToAxisServiceBuilder = new

WSDL11ToAxisServiceBuilder(wsdl4jDef, null, null, false);

AxisService axisService = wsdl11ToAxisServiceBuilder.populateService();

Iterator iterator = axisService.getOperations();

while (iterator.hasNext()) {

AxisOperation operation = (AxisOperation) iterator.next();

System.out.println(operation.getName().getLocalPart());

}

Sign-up for Liferay portal with OpenID provided By WSO2Identity Server

2010-08-12T02:27:00.000-07:00

Here i am going to describe the steps how we can configure to use openidprovided by identity server to sign-up with Liferay 4.4.2 portal

1. First download WSO2Identity server from here (Alpha3 Build of latest version) and you can extract in to a directory in your file system. Lets call as CARBON_HOME

2. Then configure host name (assume change it to "wso2is") First configure following parameters in carbon.xml which can be found in CARBON_HOME/conf

<ServerURL>https://wso2is:${carbon.management.port}${carbon.context}/services/</ServerURL>
<HostName>wso2is</HostName>

configure following parameters in identity.xml which can be found in same location

<OpenIDServerUrl>https://wso2is:9443/openidserver</OpenIDServerUrl>
<OpenIDUserPattern>https://wso2is:9443/openid/</OpenIDUserPattern>

if you are running in local machine, make sure to add your new host name in to the hosts file

3. You can start Identity server by running wso2server.sh (in unix) or wso2server.bat (in windows) file in the CARBON_HOME/bin directory

openid url of default admin will look like https://wso2is:9443/openid/admin

4. Import Identity server public certificate to the java cacerts which is the trust-store for Liferay (This step, if you use default keystore, wso2carbon.jks for identity server or any self sign key store)

Liferay use java cacerts as its trust-store. But wso2carbon.jks contains self signed certificate. So public key should be imported to the cacerts that is used by Liferay. Then Liferay can trust the Openid provided by wso2identity server.

first export wso2carbon cert from wso2carbon.jks which can be found in CARBON_HOME/resources/security directory. sample keytool command

> keytool -export -keystore wso2carbon.jks -file carbon.cert -alias localhost -keypass wso2carbon

Then import it to cacerts in JAVA_HOME/jre/lib/security

> keytool -import -keystore cacerts -file carbon.cert -alias carbon -keypass changeit

5. Download latest version of Liferay portal 4.4.2 from here and you can extract in to a directory in your file system. Lets call as LIFERAY_HOME

6. Set CATALINA_HOME =LIFERAY_HOME/tomcat_dir

7. Start Liferay portal by running catalina.sh run (in unix) or catalina.bat file in CATALINA_HOME/bin directory.

8. Add Full Name as a default attribute in identity user profiles and Fill the user profile

In order to perform the registration (sign-up)in Liferay using OpenID, when userfirst logins with an OpenID, Liferay asks some information fromWSO2Identity Server (Openidprovider) about the user. The provider must be able to provide thisinformation through OpenID protocol extensions (Identity Server haveimplemented the Simple Registration Extension protocol). Here FullName and Email attributes are retrieved from identity server. So thesetwo should be configure in user profiles.

--Full name is not supported by default. so first you need to update the claim mapping. Goto Claim management -> http://wso2.org/claims claim dialect -> full name claim mapping and tick on "Supported by Default" and update.

--Then Goto My profile and fill default or you can add a new profile.

9. Now try to sign-up by providing your openid , https://wso2is:9443/openid/admin

WSO2 Identity Server as OpenID Provider

2010-07-28T04:17:00.000-07:00

I am going to explain how we can use Openid issued by WSO2Identity server in an actual environment. Here I am using Liferay portal as Openid consumer and assume that Liferay portal and Identity server have been setup in different hosts in a LAN.

1. First download WSO2Identity server from here and you can extract in to a directory in your file system. Lets call as CARBON_HOME

2. You can start Identity server by running wso2server.sh (in unix) or wso2server.bat (in windows) file in the CARBON_HOME/bin directory

Identityserver will be started with default configuration. if you examineopenid url of a user(default admin username is admin) in identityserver. It will look like

https://localhost:9443/openid/admin

But this openid url can not be accessed by other hosts in your network. So Lets change our host name.

3. Lets assume we want to configure host name as "wso2identity" (or any ip address). First configure following parameters in carbon.xml which can be found in CARBON_HOME/conf

<ServerURL>https://wso2identity:${carbon.management.port}${carbon.context}/services/</ServerURL>
<HostName>wso2identity</HostName>

configure following parameters in identity.xml which can be found in same location

<OpenIDServerUrl>https://wso2identity:9443/openidserver</OpenIDServerUrl>
<OpenIDUserPattern>https://wso2identity:9443/openid/</OpenIDUserPattern>

4. Restart identity server. Now openid url

https://wso2identity:9443/openid/admin

5. Download latest version of Liferay portal from here and you can extract in to a directory in your file system. Lets call as LIFERAY_HOME

6. Set CATALINA_HOME =LIFERAY_HOME/tomcat_dir

7. Start Liferay portal by running catalina.sh run (in unix) or calalina.bat file in CATALINA_HOME/bin directory.

8. Create a user account in Liferay and configure an openid that is issued by identity server (https://wso2identity:9443/openid/admin)

9. Now try to sign in by providing your openid

10. You will probably get following error message. Because there are one configuration to do, if we use default keystore, wso2carbon.jks for identity server.

Liferay use java cacerts as its trust-store. But wso2carbon.jks contains self signed certificate. So public key should be imported to the cacerts that is used by Liferay. Then Liferay can trust the Openid provided by wso2identity server.

11. Import Identity server public certificate to the cacerts

first export wso2carbon cert from wso2carbon.jks which can be found in CARBON_HOME/resources/security directory. sample keytool command

> keytool -export -keystore wso2carbon.jks -file carbon.cert -alias localhost -keypass wso2carbon

Then import it to cacerts in JAVA_HOME/jre/lib/security

> keytool -import -keystore cacerts -file carbon.cert -alias carbon -keypass changeit

12. Then restart Liferay portal. Now you can sign in to Liferay portal using wso2identity server's Openid.........!!!

Apache Dircetory Studio as Your LDAP User Store

2010-07-25T11:40:00.000-07:00

1. You can downlaod Apache Dirctory Stido from here

2. Then you can extract in to a directory in your file system

3. Start Apache Directory Studio by running executable file called ApacheDirectoryStudio

Lets create a LDAP Server.

4. If you can not see the ApacheDS server window, First you must view it.

Window -> Show View -> Other -> Select ApacheDS Server

Now you can see the Server management window.

5. Then Lets create a new server. Click on new server icon (ctrl+E) and you must only enter a name for the server and New server will be created with default configurations

By double-clicking you can view the configuration file (server.xml) of created server. Your can configure it as your options. But Here i am continuing with default configuration

6. Now just click on Run icon (ctr+R), Your server will be started.

Now we are going to create a connection to the running LDAP server to browse it. (You can create connections with almost any LDAP server)

7. LDAP -> New Connection , New LDAP connection wizard will be promoted.

8. Configure Network parameters

Connection Name - Any name you like
Host Name - Host name of your LDAP server is running. Here LDAP server is also in within same machine. So localhost
Port - LDAP server running port. Here 10386, default port or which has configured in server.xml file
Encryption Method - if you want to secure the connection to LDAP server, use SSL. Also make sure to change user Port according ldap and ldaps

9. Configure Authentication parameters

Authentication method - You can select simple authentication , advance authentication method or no authentication, according what you have already configured in server.xml Here we must use the simple authentication.
Bind DN or User - uid=admin ,ou =system
Bind password - secret

when new LDAP server is created, by default, admin user is created with above DN and password. If LDAP server already contain any users, you can use any DN that you want. Browser option and edit option are kept as defaults and lets finished it.

10. Now open your connection by clicking open connection icon in your connection browser.

11. Then you can view your LDAP Browser by double clicking on your connection and display the tree of your LDAP Server.

Now you are able to create, delete and modify your entities in LDAP server....!!!

SSL profiles in WSO2 ESB

2010-07-01T04:26:00.000-07:00

"SSL profiles" is new feature which was introduced in WSO2 ESB 3.0.0. Using SSL profiles WSO2 ESB can be configured to communicate with SSL and Mutual SSL enabled target servers. Lets see how to configure it.

1. First, You can download WSO2 ESB 3.0.0 for here. then you can extract in to a directory in your file system. Lets call as ESB_HOME

2. Then define the appropriate SSL profiles under the HTTPS transport sender configuration, in the axis2.xml file which can be found in ESB_HOME/repository/conf .

Following shows the example configuration i am going to use.
Here, I have used localhost:9444 server for SSL communication and localhost:9445 for Mutual SSL. As you can see, it consists of a keystore-truststore pair. A single profile can be associated with one or more target servers. So you can define more than one target servers under one profile. A target server is identified by its hostname and port number. Once SSL profile is defined and associated with a target server, WSO2 ESB will use the truststore for SSL communicating and keystore-truststore pair for Mutual SSL communicating.

In this example configuration, localhost:9444 is WSO2 WSAS and localhost:9445 is WSO2 BPS server. Also It should be noted that trust-store must contains target server's certificate for SSL communication and target server must contains the key-store certificate for Mutual SSL communication

<parameter name="customSSLProfiles">

    <profile>
        <servers>www.test.org:80, localhost:9444</servers>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>

    <profile>
        <servers>localhost:9445</servers>
        <KeyStore>
            <Location>/path/to/identity/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
            <KeyPassword>password</KeyPassword>
        </KeyStore>
        <TrustStore>
            <Location>path/to/trust/store</Location>
            <Type>JKS</Type>
            <Password>password</Password>
        </TrustStore>
    </profile>

</parameter>

3. Start WSO2 ESB server, Run the wso2server.sh (in unix) or wso2server.bat (in windows) file in the ESB_HOME/bin directory
Once the server starts, point your Web browser to https://localhost:9443/carbon/   You can see following info logs when starting, If you have configured SSL Profile successfully.

[2010-07-01 15:22:26,300] INFO - HttpCoreNIOSSLSender Loading Trust Keystore from : path/to/trust/store
[2010-07-01 15:22:26,306] INFO - HttpCoreNIOSSLSender Loading Identity Keystore from : /path/to/identity/store
[2010-07-01 15:22:26,310] INFO - HttpCoreNIOSSLSender Loading Trust Keystore from : path/to/trust/store
[2010-07-01 15:22:26,322] INFO - HttpCoreNIOSSLSender Custom SSL profiles initialized for 3 servers

4. Lets create simple proxy services which endpoints are hosted in localhost:9444 and localhost:9445.

I created following two proxies..

<syn:proxy name="BPSProxy" transports="https http" startOnLoad="true" trace="disable">
        <syn:target>
            <syn:inSequence>
                <syn:send>
                    <syn:endpoint>
                        <syn:address uri="https://localhost:9444/services/TestE4XService"/>
                    </syn:endpoint>
                </syn:send>
            </syn:inSequence>
            <syn:outSequence>
                <syn:send/>
            </syn:outSequence>
        </syn:target>
    </syn:proxy>

    <syn:proxy name="WSASProxy" transports="https http" startOnLoad="true" trace="disable">
        <syn:target>
            <syn:inSequence>
                <syn:send>
                    <syn:endpoint>
                        <syn:address uri="https://localhost:9445/services/HelloService"/>
                    </syn:endpoint>
                </syn:send>
            </syn:inSequence>
            <syn:outSequence>
                <syn:send/>
            </syn:outSequence>
        </syn:target>
    </syn:proxy>

5. Now send your request messages to two proxy services, You can see ESB will successfully communicate with SSL and Mutual SSL enabled target servers using SSL Profiles.

Enabling JMS Transport in WSO2 BPS

2010-05-27T10:00:00.000-07:00

As I highlighted in my previous blog post, WSO2 BPS is a powerful open source BPEL engine.Here i am going to enable JMS Transport in WSO2 BPS. You can use any JMS provider as you preferred. I'm going to use Apache ActiveMQ-5.2.0 for this example.

1. You can download WSO2BPS (version 1.1.1) from here. then you can extract in to a directory in your file system. Lets call as BPS_HOME

2. Start ActiveMQ message broker. Go to (ActiveMQ_Install_directory)/bin and run activemq.sh (or activemq.bin in DOS)

3. Copy ActiveMQ libraries to BPS_HOME/repository/components/lib directory

activemq-core-5.2.0.jar and geronimo-j2ee-management_1.0_spec-1.0

4. Enable JMS Transport in WSO2 BPS. Uncomment following parameters in axis2.xml (BPS_HOME/conf directory) Here I have configured it for ActiveMQ environment.

For Receiver

<parameter name="myTopicConnectionFactory">
            <parameter name="java.naming.factory.initial">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
            <parameter name="java.naming.provider.url">tcp://localhost:61616</parameter>
            <parameter name="transport.jms.ConnectionFactoryJNDIName">TopicConnectionFactory</parameter>
        </parameter>

        <parameter name="myQueueConnectionFactory">
            <parameter name="java.naming.factory.initial">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
            <parameter name="java.naming.provider.url">tcp://localhost:61616</parameter>
            <parameter name="transport.jms.ConnectionFactoryJNDIName">QueueConnectionFactory</parameter>
        </parameter>

        <parameter name="default">
            <parameter name="java.naming.factory.initial">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
            <parameter name="java.naming.provider.url">tcp://localhost:61616</parameter>
            <parameter name="transport.jms.ConnectionFactoryJNDIName">QueueConnectionFactory</parameter>
        </parameter>

For Sender
    <transportSender name="jms"
                     class="org.apache.axis2.transport.jms.JMSSender"/>

5. Start BPS server running the wso2server.sh (in unix) or wso2server.bat (in windows)
You can see following Logs when starting if you have correctly configured

[2010-05-27 22:19:55,019] INFO - JMS ConnectionFactory : default initialized
[2010-05-27 22:19:55,021] INFO - JMS ConnectionFactory : myTopicConnectionFactory initialized
[2010-05-27 22:19:55,022] INFO - JMS ConnectionFactory : myQueueConnectionFactory initialized
[2010-05-27 22:19:55,022] INFO - JMS Transport Receiver/Listener initialized...

We can see JMS endpoint has been added to BPEL service (See the wsdl also)

Note:-

Step 4, You can enable JMS and configure it using UI.

But there are some issues when disabling JMS from UI. So i recommended to use axis2.xml configure JMS in WSO2BPS version 1.1.1. This will be fixed in next WSO2BPS release.....!!!

WSO2 BPS in Cluster

2010-05-13T06:12:00.001-07:00

Clustering is one of a major requirement for web servers which are inproduction environment. because these servers have tofulfill two basic needs, high availability and scalability.

WSO2carbon based web products comes with theclustering functionality (Please refer this article for moreinformation on WSO2 carbon clustering) Here I am going to introduce toconfigure the WSO2BPS in a clustering environment.

1. You can download WSO2BPS (version 1.1.1) from here.

2. Allnodes in BPS cluster would share the same persistence storage (BPSdatasource) and same registry. So Each node must be connected to external datasource and external registry. This Post is described configurationof external BPS datasource. Use same configuration for all nodes, Butdon't forget to use different provider port for each node, if you are starting all nodes in same machine (same url).

3. Then registry.xml and user-mgt.xml (Both are in WSO2BPS/conf directory)must be configured to use a one central registry. Use same configuration for all nodes.

Sample configuration of registry.xml for Mysql database

        <dbConfig name="wso2registry">
            <url>jdbc:mysql://10.100.1.1:3306/regdb</url>
            <userName>regadmin</userName>
            <password>regadmin</password>
            <driverName>com.mysql.jdbc.Driver</driverName>
            <maxActive>80</maxActive>
            <maxWait>6000</maxWait>
            <minIdle>5</minIdle>
       </dbConfig>

Sample configuration of user-mgt.xml

<Database>
         <URL>jdbc:mysql://10.100.1.1:3306/regdb</URL>
         <UserName>regadmin</UserName>
         <Password>regadmin</Password>
         <Dialect>mysql</Dialect>
         <Driver>com.mysql.jdbc.Driver</Driver>
          <maxActive>30</maxActive>
          <maxWait>60000</maxWait>
          <minIdle>5</minIdle>
    </Database>

4. Then One BPS node must be started as the group management node. you can simply do this by configuring following basic parameters in axis2.xml (WSO2BPS/conf directory)

# Enable clustering for this node

<clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true">

# Clustering domain/group

<parameter name="domain">bps</parameter>

# Enable the group Management

<groupManagement enable="true">
            <applicationDomain name="bps"description="BPS group"agent="org.apache.axis2.clustering.management.DefaultGroupManagementAgent"/>
</groupManagement>

5. Other BPS nodes also should be started with enabling the clustering (Can enable or disable node management, but there is no effect for BPS. So here i did not use it)

# Enable clustering for this node

<clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true">

# Clustering domain/group

<parameter name="domain">bps</parameter>

6. Start every BPS node running the wso2server.sh (in unix) or wso2server.bat (in windows) file in the WSO2BPS/bin directory. Don't forget to use different http and https port for each node, if you are starting all nodes in same machine (same url). Configuration can be found in transport.xml and axis2.xml

By looking at Debug and INFO message you can understand what is happening there.

But WSO2BPS (version 1.1.1) have some limitations when setting on clustering ( Retiring of BPEL process not propagate to other node, Managing BPEL packages and processes should be disable for member nodes) which would be resolved in next BPS release.........!!!

How to create a Password Callback class for External partner BPEL service

2010-02-07T11:08:00.001-08:00

Most of web services have been secured using various WS security methods.

So client needed a Password callback class to invoke those secured web services, because to

1) Get the password to build the username token

2) Get the private key password for signture or decryption

It is very easy to write a Password callback. Following Java code is for simple Password callback class

package org.wso2.bps.samples.pwcb;

import org.apache.ws.security.WSPasswordCallback;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import java.io.IOException;

public class PWCBHandler implements CallbackHandler {

        public void handle(Callback[] callbacks) throws IOException,
        UnsupportedCallbackException {

            for (int i = 0; i < callbacks.length; i++) {
                WSPasswordCallback pwcb = (WSPasswordCallback)callbacks[i];
                String id = pwcb.getIdentifer();
                int usage = pwcb.getUsage();

                   if (usage == WSPasswordCallback.USERNAME_TOKEN) {
                   // Logic to get the password to build the username token
                        if ("admin".equals(id)) {pwcb.setPassword("admin");}
                } else if (usage == WSPasswordCallback.SIGNATURE || usage == WSPasswordCallback.DECRYPT) {
                // Logic to get the private key password for signture or decryption
                        if ("client".equals(id)) {pwcb.setPassword("apache");}
                        if ("service".equals(id)) {pwcb.setPassword("apache");}
                }

            }
        }

}

But when external partner service is invoked by a BPEL is act as a client to the external web service. Here I have used WSO2BPS (which allows you to easily deploy and manage complex BPEL services) to deploy BPEL services.

So How can we use Password callback class in BPEL engine,WSO2BPS ???

It is easy..... First create a jar file from above sample Password callback

1. Copy sample Password callback in to text file and save it as PWCBHandler.java

2. Create a directory called "temp" ...any where you like,

3. Go in to temp directory and create following directory structure org/wso2/bps/samples/pwcb

4. Copy PWCBHandler.java in to pwcb directory

5. Download wss4j.jar from here (http://ws.apache.org/wss4j/) and copy it to temp directory

6. Compile PWCBHandler.java pointing classpath to wss4j.jar from pwcb directory

Ex:-
#javac PWCBHandler.java -classpath /home/asela/temp/PWC/org/wso2/bps/samples/pwcb/wss4j-1.5.8.jar

7. Go in to temp directory and create a jar file issuing following

#jar cf PWCBHandler.jar org/wso2/bps/samples/pwcb/*.class

Now you have created your PWCBHandler.jar and Copy jar in to /repository/components/lib (Remember to restart the Wso2bps server to apply the jar)

Also Remember to point your policy file of the External partner service to the password Callback jar (Here - org.wso2.bps.samples.pwcb.PWCBHandler).

That All........!!!

How Install PostgreSQL database in Ubuntu 9.04

2010-01-30T10:46:00.000-08:00

It is very simple to install postgreSQL in Ubuntu. Just run the following command in the command prompt

sudo apt-get install postgresql

This will install the latest postgreSQL and Now your are ready to use it.

But lets do some important configurations (that I did). The PostgreSQL configuration files are stored in the /etc/postgresql//main directory. In my case, I install PostgreSQL 8.3. So there are in /etc/postgresql/8.3/main

1. Enable TCP/IP connections

By default, connection via TCP/IP is disabled. PostgreSQL supports multiple client authentication methods. By default, IDENT authentication method is used for postgres and local users

To enable TCP/IP connections, edit the file /etc/postgresql/8.3/main/postgresql.conf

Locate the line #listen_addresses = 'localhost' and uncomment it.

To allow other computers to connect to your PostgreSQL server replace 'localhost' with the IP Address of your server.

2. Set a password for the postgres user

Run the following command at a terminal prompt to connect to the default PostgreSQL template database

sudo -u postgres psql template1

Then run following SQL command at the psql prompt to configure the password for the user postgres.

ALTER USER postgres with encrypted password 'your_password';

Remember to restart the PostgreSQL service to initialize the new configuration

Enter the following to restart

sudo /etc/init.d/postgresql-8.3 restart

How to Deploy Axis2 services in WSO2 BPS

2010-01-30T09:48:00.001-08:00

Wso2bps is powerful bpel engine which allows you to easily deploy and manage bpel services, can be download from here.

Also we can deploy Axis2 services in Wso2bps (But not from remotely). It is easy , Just copy your *.aar file in to repository/services directory in the extracted Wso2bps

After few second, your service will be list in the Deployed service page. You can configure QoS accessing Service Dashboard.

How to configure External Database for WSO2 Business Process Server

2009-11-04T19:00:00.000-08:00

WSO2BPS (which allows you to easily deploy and manage complex BPEL services) can be configured to use external database other than the embedded Derby database as it's persistence storage.

Lets configure External database for BPS

1. Set up and start your database server

WSO2BPS (version - 1.1.1) supports for Mysql ,Oracle and MSSQL Database server. Latest Vesion of WSO2BPS would support for PostgreSQL.

2. Create a database

3. Extract wso2wbps-1.1.1.zip and Load the BPS schema into that database using provided SQL scripts.

(For example if you are using mysql as your database server, use mysql.sql script located inside 'WSO2BPS/dbscripts/bps' directory to create the BPS schema)

use command "mysql -u root -p bps < /home/asela/BPS/wso2bps-1.1.0-SNAPSHO/dbscripts/bps/mysql.sql"

4. Create file named 'datasources.properties' inside WSO2BPS/conf directory

5. Add following configuration in datasources.properties file

Following is sample configuration for Mysql.

synapse.datasources=bpsds
synapse.datasources.icFactory=com.sun.jndi.rmi.registry.RegistryContextFactory
synapse.datasources.providerPort=2199

synapse.datasources.bpsds.registry=JNDI
synapse.datasources.bpsds.type=BasicDataSource
synapse.datasources.bpsds.driverClassName=com.mysql.jdbc.Driver
synapse.datasources.bpsds.url=jdbc:mysql://localhost:3306/bps
synapse.datasources.bpsds.username=root
synapse.datasources.bpsds.password=asela
synapse.datasources.bpsds.dsName=bpsds
synapse.datasources.bpsds.maxActive=100
synapse.datasources.bpsds.maxIdle=20
synapse.datasources.bpsds.maxWait=10000

in first three lines, data source names, initial context factory and provider port have been configured. Here "bpsds"is used as data source name.

other lines are specified the properties for previously created database. Make sure that your database url, username and password are correctly specified.

6.Open bps.xml file inside WSO2BPS/conf directory and add following parameters

7.Copy the JDBC driver jar file into the 'WSO2BPS/repository/components/lib' directory

8.Then start the WSO2BPS server

if correctly configured You will see following log in WSO2BPS startup..

[2010-05-01 17:49:56,056] INFO - DataSources will be registered in the JNDI context with provider PROP_URL : rmi://asela-laptop:2199
.....................................

[2010-05-01 17:49:59,490] INFO - ODE using external DataSource "bpsds".
[2010-05-01 17:49:59,491] INFO - Using DAO Connection Factory class: org.apache.ode.dao.jpa.BPELDAOConnectionFactoryImpl
[2010-05-01 17:49:59,491] INFO - Using DAO Connection Factory class org.apache.ode.dao.jpa.BPELDAOConnectionFactoryImpl.
[2010-05-01 17:50:00,701] INFO - Registering E4X Extension...
[2010-05-01 17:50:00,761] INFO - BPEL Server Started.
[2010-05-01 17:50:00,806] INFO - Starting OpenJPA 1.1.0
[2010-05-01 17:50:00,914] INFO - Using dictionary class "org.apache.openjpa.jdbc.sql.MySQLDictionary".

Sample BPEL to ensure the security in External partner service

2009-11-03T08:58:00.000-08:00

Resources you need

1.WSO2BPS (which allows you to easily deploy and manage bpel services)
2.WSO2WSAS
3.SecurePartnerBPEL.zip
4.SecurePartnerService.aar
5.sample_keys.zip
6.PWCBHandler.zip

First deploy External partner service in WSO2WSAS and secure it.

1. Extract wso2wsas-3.1.1.zip and run WSAS server.

wso2wsas-3.1.1/bin/wso2server.sh - in unix
wso2wsas-3.1.1/bin/wso2server.bat - in windows

Please refer README file and More details about WSO2WSAS is available at here

2. Upload SecurePartnerService.aar Axis2 service

3. Add new keystore to WSAS

Extract sample_keys.zip and browse to the service.jks

provide following passwords, Key store Password= apache Private Key Password=apache

4. Add new role and user

Add new role called bpsusers

Then add new user

provide username = client, password=apache (these username and password must be in PWCBHandler.jar)

select bpsusers role for client user

5.Go to Service Dashboard of SecurePartnerService and enable security

6. Select any security Scenarios (select service.jks as Trusted Key Stores, Private key store and bpsusers as User Groups)

Then deploy BPEL service in WSO2BPS

1. Extract wso2wbps-1.1.0.zip and copy PWCBHandler.jar to WSO2BPS/repository/components/lib and Extract sample_keys.zip in to WSO2BPS/samples. Then run BPS server.

wso2wsas-3.1.1/bin/wso2server.sh - in unix
wso2wsas-3.1.1/bin/wso2server.bat - in windows

Please refer README file and More details about WSO2BPS is available at here

2.Deploy bpel service in BPS (just click Add BPEL and browse the SecurePartnerBPEL.zip)

3.Under Deployed Services, you can see SecurePartnerBPELServiceService service.

4.Open tcpmon( WSO2BPS/bin/tcpmon.sh) and configure it to monitor the SOAP messages

Listen port=9765 Target port= port of your SecurePartnerService

5.Now try this service using Try it

Enter the security scenario number that is used to secure your External partner service.

Service returns the detail about security scenario that your External partner service is used.

Note = tcpmon can not use for UsernameToken security scenario. According to SecurePartnerBPEL.zip, you must start your External partner service in port=9444. To change http and https port, configure "port" parameter(9763) in your axis2.xml and transport.xml

Secured BPEL services

2009-10-18T03:34:00.000-07:00

Securityis one of the essential requirement for BPEL services as today BPELservices are mostly used for banking, paying and creditingapplications. So BPEL services must be able to secure very reliable andflexible manner. WSO2BPS is the Best solution for it. Also it provides to configure security for your BPEL service in a user friendly manner.

First Lets deploy a simple BPEL in WSO2BPS.

1. Download latest release of WSO2BPS from Here

2. Extract wso2bps-1.1.X.zip Lets define extracted location as BPS_HOME

3. Start BPS server Run the wso2server.sh (in unix) or wso2server.bat (in windows) file in the BPS_HOME/bin directory
Once the server starts, point your Web browser to https://localhost:9443/carbon/

4. Deploy BPEL package just click on Add BPEL button and browse the Location of Your BPEL Package. You can download sample BPEL Package (HelloWorld.zip) from here. Lets used it for further discussions.

In service list you will see our BPEL services (HelloService) and you can invoke this service. (by clicking on "Try this service" in WSO2BPS or Using Soapui).

So above BPEL service has not secured. Any one could be able to invoke it.

Now it is time to secure the our BPEL service

5.Go to Service Dashboard of BPEL service and enable security

You can see there are several QoS configurations for our BPEL service. Lets select the security

6. Select any security Scenarios

As you can see, 15 security configuration scenarios are pre-defined for our BPEL service. You can use any one out of this Because I am going to write a client that works for all...

Here i am used default key store (wso2carbon.jks) as the Trusted Key Stores and Private key Store. Or you can simply upload a New key store using BPS UI.

Now lets invoke secured service from security client

7. Create a Java project with SecurityClient.java and client.properties
files

8. Add Following configuration parameters to client.properties file

clientRepo = Path for Client repository location. Sample repo can be found in BPS_HOME/samples/axis2Server/repository location. or can download from here (must contains addressing.mar and rampart.mar in module directory)
clientKey =Path for Client's Key Store. Here I am using same key Store (wso2carbon.jks) which is used to secure BPEL service. you can find it from BPS_HOME/resources/security. You can use any key Store but remember to import BPS cert to client key store and client cert to BPS key store. Because to fulfill the requirement for signing and encryption
securityPolicyLocation=Path for the client side security policy files. You can download 15 policy files from here.
trustStore= This is trusted store that is used for ssl communication on https. It should contains the BPS cert.you can use same key store for this. (wso2carbon.jks)
securityScenarioNo=Security scenario number that used to secure the BPEL service.
SoapAction =You can find it from wsdl
endpointHttp =Http endpont of BPEL service
endpointHttpS=Https endpont of BPEL service
body = Body part of your Soap message

Sample configurations

clientRepo=/home/asela/Wso2/BPS/BPS_Client/Client_Repo
clientKey =/home/asela/Wso2/BPS/BPS_Client/sample_keys/client.jks
clientKey =/home/asela/Wso2/BPS/BPS_Client/sample_keys/wso2carbon.jks
securityPolicyLocation=/home/asela/Wso2/BPS/BPS_Client/security_scenarios
trustStore=/home/asela/Wso2/BPS/BPS_Client/sample_keys/wso2carbon.jks
securityScenarioNo=7
SoapAction =urn:hello
endpointHttp =http://localhost:9763/services/HelloService/
endpointHttpS =https://10.100.1.152:9443/services/HelloService/
body =<p:hello xmlns:p=\"http://ode/bpel/unit-test.wsdl\"> <TestPart>Wso2</TestPart> </p:hello>

9. Copy Following Java code

it is simple... Nothing to change...

import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axiom.om.impl.llom.util.AXIOMUtil;
import org.apache.axiom.om.OMElement;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.rampart.policy.model.CryptoConfig;
import org.apache.rampart.RampartMessageData;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.client.Options;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.ws.security.WSPasswordCallback;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.callback.CallbackHandler;
import java.io.File;
import java.io.IOException;
import java.io.FileInputStream;
import java.util.Properties;

public class SecurityClient implements CallbackHandler {

public static void main(String srgs[]) {

        SecurityClient securityCl = new SecurityClient();
        OMElement result = null;
          try {
                result = securityCl.runSecurityClient();
            } catch (Exception e) {
                e.printStackTrace();
            }
            System.out.println(result.toString());

        }

    public OMElement runSecurityClient( ) throws Exception {

        Properties properties = new Properties();
        FileInputStream freader=new FileInputStream("."+File.separator+"src"+File.separator+"client.properties");
        properties.load(freader);
        String clientRepo = properties.getProperty("clientRepo");
        String endpointHttpS   = properties.getProperty("endpointHttpS");
        String endpointHttp   = properties.getProperty("endpointHttp");
        int securityScenario =Integer.parseInt(properties.getProperty("securityScenarioNo"));
        String clientKey = properties.getProperty("clientKey");
        String SoapAction = properties.getProperty("SoapAction");
        String body = properties.getProperty("body");
        String trustStore=properties.getProperty("trustStore");
        String securityPolicy =properties.getProperty("securityPolicyLocation");

        OMElement result = null;

        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");

//        System.setProperty("javax.net.ssl.keyStore", keyStore + File.separator + "wso2carbon.jks");
//        System.setProperty("javax.net.ssl.keyStorePassword", "wso2carbon");

        ConfigurationContext ctx = ConfigurationContextFactory.createConfigurationContextFromFileSystem(clientRepo, null);
        ServiceClient sc = new ServiceClient(ctx, null);
        sc.engageModule("rampart");
        sc.engageModule("addressing");

        Options opts = new Options();

            if(securityScenario==1){
                opts.setTo(new EndpointReference(endpointHttpS));
            }else{
                opts.setTo(new EndpointReference(endpointHttp));
            }

        opts.setAction(SoapAction);

            if(securityScenario!=0){
                try {
                    String securityPolicyPath=securityPolicy+File.separator +"scenario"+securityScenario+"-policy.xml";
                    opts.setProperty(RampartMessageData.KEY_RAMPART_POLICY, loadPolicy(securityPolicyPath,clientKey));
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        sc.setOptions(opts);
        result = sc.sendReceive(AXIOMUtil.stringToOM(body));
        System.out.println(result.getFirstElement().getText());
        return result;
    }

    public Policy loadPolicy(String xmlPath , String clientKey) throws Exception {

        StAXOMBuilder builder = new StAXOMBuilder(xmlPath);
        Policy policy = PolicyEngine.getPolicy(builder.getDocumentElement());

        RampartConfig rc = new RampartConfig();

        rc.setUser("admin");
        rc.setUserCertAlias("wso2carbon");
        rc.setEncryptionUser("wso2carbon");
        rc.setPwCbClass(SecurityClient.class.getName());

        CryptoConfig sigCryptoConfig = new CryptoConfig();
        sigCryptoConfig.setProvider("org.apache.ws.security.components.crypto.Merlin");

        Properties prop1 = new Properties();
        prop1.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        prop1.put("org.apache.ws.security.crypto.merlin.file", clientKey);
        prop1.put("org.apache.ws.security.crypto.merlin.keystore.password", "wso2carbon");
        sigCryptoConfig.setProp(prop1);

        CryptoConfig encrCryptoConfig = new CryptoConfig();
        encrCryptoConfig.setProvider("org.apache.ws.security.components.crypto.Merlin");

        Properties prop2 = new Properties();
        prop2.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
        prop2.put("org.apache.ws.security.crypto.merlin.file", clientKey);
        prop2.put("org.apache.ws.security.crypto.merlin.keystore.password", "wso2carbon");
        encrCryptoConfig.setProp(prop2);

        rc.setSigCryptoConfig(sigCryptoConfig);
        rc.setEncrCryptoConfig(encrCryptoConfig);

        policy.addAssertion(rc);
        return policy;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

        WSPasswordCallback pwcb = (WSPasswordCallback) callbacks[0];
        String id = pwcb.getIdentifer();
        int usage = pwcb.getUsage();

        if (usage == WSPasswordCallback.USERNAME_TOKEN) {

           if ("admin".equals(id)) {
               pwcb.setPassword("admin");
           }

        } else if (usage == WSPasswordCallback.SIGNATURE || usage == WSPasswordCallback.DECRYPT) {

            if ("wso2carbon".equals(id)) {
                pwcb.setPassword("wso2carbon");
            }
        }
    }
}

10. Add relevant libraries to your class path

How do we find those libraries.. there are many. It is easy Go to BPS_HOME/bin and run ant command. You will see created jar file in BPS_HOME/repository/lib directory. Do not forget to add xalan jar that is in BPS_HOME/lib/endorsed directory.

11.Then run your secured client
Now you are able to secure your BPEL service using all 15 security scenarios..........!!!

Note1 :- if You want to invoke a secured BPEL service(not HelloWorld).You can get the body part of soap message using soapui and SoapAction using WSDL
    1. Create a project in soapui using your service's WSDL
    2. Copy the body part from your soap request message.( make sure to copy the correct namespace)
    3. Find value of Action attribute from your service's WSDL

Note2 :- if you want to trace the secured soap messages , Open tcpmon( WSO2BPS/bin/tcpmon.sh) and configure it and change http end point of your client.properties file
     Listen port   = Port that you configure in client.properties file
     Target port = Actual port of your BPEL service