Thursday, February 18, 2016

WSO2 Identity Server 5.1.0 behind Proxy(Load Balancer)

WSO2 Identity Server behind Proxy or Load Balancer.

In this blog, I am going to explain step by step guide to how to configure WSO2 Identity Server 5.1.0 with a proxy port and proxy host.

Configuring Proxy Port


By default WSO2 Identity Server is running on 9443 port. Here I am going to explain the way of configuring a proxy port of 443.

  • Open <wso2is-5.1.0>/repository/conf/tomcat/catalina-server.xml file and add the proxy port 443 in https connector as follows.
        
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"

           port="9443"

           proxyPort="443"

Note: It is not possible to configure proxy port from load balancer itself since there is a post request while authenticating to IS Dashboard. So, If you are planning to use Identity server Dashboard, this configuration is a must.




Configuring Proxy Host


1. Use the same hostname in both Identity Server and Loadbalancer
  • Open <wso2is-5.1.0>/repository/conf/carbon.xml file and configure the hostname and management hostname as follows


    <HostName>wso2.is.com</HostName>

    <MgtHostName>wso2.is.com</MgtHostName>


  • Create a new Keystore with the new hostname. Following is the keytool command to create new

keytool -genkey -alias wso2carbon -keyalg RSA -keysize 1024 -dname "CN=wso2.is.com,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon


Create new two keystores for client-trustore.jks and wso2carbon.jks. 

You can follow [1] for more information on how to configure keystores in WSO2 servers. 

  • Configure Nginx configuration as follows


upstream ssl.wso2.as.com {
    server wso2.is.com:9443;
}

server {
listen 443;
    server_name wso2.is.com;
    client_max_body_size 100M;

    ssl on;
    ssl_certificate /etc/ssl/nginx/nginx-repo.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;

    location / {
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


                proxy_redirect https://ssl.wso2.as.com https://wso2.is.com;

                proxy_pass https://ssl.wso2.as.com;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
    }

}


You need to change the path of certificate and certificate_key. 


  • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/jaggeryapps/dashboard/conf/site.json file as follows


{
    "proxy" : {
        "proxyHost" : "wso2.is.com",
        "proxyHTTPSPort" : "443",
        "proxyContextPath" : "",
        "servicePath" : "/services"
    }
}

  • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/jaggeryapps/portal/conf/site.json file as follows
{

{
    "proxy" : {
        "proxyHost" : "wso2.is.com",
        "proxyHTTPSPort" : "443",
        "proxyContextPath" : ""
    },
    "fido" : {
        "appId" : ""
    }
}

  • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/webapps/shindig/WEB-INF/web.xml

<context-param>
        <param-name>system.properties</param-name>
        <param-value>
            <![CDATA[
        shindig.host=wso2.is.com
        shindig.port=443
        aKey=/shindig/gadgets/proxy?container=default&url=
     ]]>

  • Import the load balancer certificate into client-trustore.jks file.


Note: Load balancer certificate should be IS hostname. 



2. Configure a proxyName in catalina-server.xml file. 




If you want to use a proxyname which is diffrent from the Identity Server hostname, you can do it configuring catalina-server.xml file.

If your load balancer hostname is is.wso2.com and Identity Server hostname a-s00001572, following configurations need to be done inorder to work Identity Server behind that proxy name and port.


  • Open <wso2is-5.1.0>/repository/conf/carbon.xml file and configure the hostname and management hostname as follows


    <HostName>a-s00001572</HostName>

    <MgtHostName>a-s00001572</MgtHostName>



    • Create a new Keystore with the new hostname. Following is the keytool command to create new

    keytool -genkey -alias wso2carbon -keyalg RSA -keysize 1024 -dname "a-s00001572,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
    


    Create new two keystores for client-trustore.jks and wso2carbon.jks. 

    You can follow [1] for more information on how to configure keystores in WSO2 servers. 


    • Configure Nginx configuration as follows

    upstream ssl.wso2.as.com {
        server A-S00001572:9443;
    }
    
    server {
    listen 443;
        server_name is.wso2.com;
    
        client_max_body_size 100M;
    
        ssl on;
        ssl_certificate /etc/ssl/nginx/nginx-repo.crt;
        ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;
    
        location / {
                    proxy_set_header X-Forwarded-Host $host;
                    proxy_set_header X-Forwarded-Server $host;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
                    proxy_redirect https://A-S00001572:9443 https://A-S00001572;
    
    
                    proxy_pass https://ssl.wso2.as.com;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
        }
    
    }


    You need to change the path of certificate and certificate_key.

    • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/jaggeryapps/dashboard/conf/site.json file as follows


    {
        "proxy" : {
            "proxyHost" : "wso2.is.com",
            "proxyHTTPSPort" : "443",
            "proxyContextPath" : "",
            "servicePath" : "/services"
        }
    }
    

    • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/jaggeryapps/portal/conf/site.json file as follows
    {

    {
        "proxy" : {
            "proxyHost" : "wso2.is.com",
            "proxyHTTPSPort" : "443",
            "proxyContextPath" : ""
        },
        "fido" : {
            "appId" : ""
        }
    }
    

    • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/webapps/shindig/WEB-INF/web.xml

    <context-param>
            <param-name>system.properties</param-name>
            <param-value>
                <![CDATA[
            shindig.host=wso2.is.com
            shindig.port=443
            aKey=/shindig/gadgets/proxy?container=default&url=
         ]]>
    

    • Import the load balancer certificate into client-trustore.jks file.


    Note : Load balancer certificate should be IS hostname. 


    Running the Server. 



    Now you are done. You will be able to log into Identity Server Management Console and Dashboard web app from following URLs. 


    Management Console : https://wso2.is.com/carbon/
    Dashboard :https://wso2.is.com/dashboard



    [1] https://docs.wso2.com/display/Carbon440/Configuring+Keystores+in+WSO2+Products

    1 comment:

    1. Thank you very much, especially the nginx http upgrade for the shindig websocket was needed

      ReplyDelete