Thursday, February 18, 2016

WSO2 Identity Server 5.1.0 behind Proxy(Load Balancer)

WSO2 Identity Server behind Proxy or Load Balancer.

In this blog, I am going to explain step by step guide to how to configure WSO2 Identity Server 5.1.0 with a proxy port and proxy host.

Configuring Proxy Port


By default WSO2 Identity Server is running on 9443 port. Here I am going to explain the way of configuring a proxy port of 443.

  • Open <wso2is-5.1.0>/repository/conf/tomcat/catalina-server.xml file and add the proxy port 443 in https connector as follows.
        
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"

           port="9443"

           proxyPort="443"

Note: It is not possible to configure proxy port from load balancer itself since there is a post request while authenticating to IS Dashboard. So, If you are planning to use Identity server Dashboard, this configuration is a must.




Configuring Proxy Host


1. Use the same hostname in both Identity Server and Loadbalancer
  • Open <wso2is-5.1.0>/repository/conf/carbon.xml file and configure the hostname and management hostname as follows


    <HostName>wso2.is.com</HostName>

    <MgtHostName>wso2.is.com</MgtHostName>


  • Create a new Keystore with the new hostname. Following is the keytool command to create new

keytool -genkey -alias wso2carbon -keyalg RSA -keysize 1024 -dname "CN=wso2.is.com,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon


Create new two keystores for client-trustore.jks and wso2carbon.jks. 

You can follow [1] for more information on how to configure keystores in WSO2 servers. 

  • Configure Nginx configuration as follows


upstream ssl.wso2.as.com {
    server wso2.is.com:9443;
}

server {
listen 443;
    server_name wso2.is.com;
    client_max_body_size 100M;

    ssl on;
    ssl_certificate /etc/ssl/nginx/nginx-repo.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;

    location / {
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


                proxy_redirect https://ssl.wso2.as.com https://wso2.is.com;

                proxy_pass https://ssl.wso2.as.com;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
    }

}


You need to change the path of certificate and certificate_key. 


  • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/jaggeryapps/dashboard/conf/site.json file as follows


{
    "proxy" : {
        "proxyHost" : "wso2.is.com",
        "proxyHTTPSPort" : "443",
        "proxyContextPath" : "",
        "servicePath" : "/services"
    }
}

  • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/jaggeryapps/portal/conf/site.json file as follows
{

{
    "proxy" : {
        "proxyHost" : "wso2.is.com",
        "proxyHTTPSPort" : "443",
        "proxyContextPath" : ""
    },
    "fido" : {
        "appId" : ""
    }
}

  • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/webapps/shindig/WEB-INF/web.xml

<context-param>
        <param-name>system.properties</param-name>
        <param-value>
            <![CDATA[
        shindig.host=wso2.is.com
        shindig.port=443
        aKey=/shindig/gadgets/proxy?container=default&url=
     ]]>

  • Import the load balancer certificate into client-trustore.jks file.


Note: Load balancer certificate should be IS hostname. 



2. Configure a proxyName in catalina-server.xml file. 




If you want to use a proxyname which is diffrent from the Identity Server hostname, you can do it configuring catalina-server.xml file.

If your load balancer hostname is is.wso2.com and Identity Server hostname a-s00001572, following configurations need to be done inorder to work Identity Server behind that proxy name and port.


  • Open <wso2is-5.1.0>/repository/conf/carbon.xml file and configure the hostname and management hostname as follows


    <HostName>a-s00001572</HostName>

    <MgtHostName>a-s00001572</MgtHostName>



    • Create a new Keystore with the new hostname. Following is the keytool command to create new

    keytool -genkey -alias wso2carbon -keyalg RSA -keysize 1024 -dname "a-s00001572,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
    


    Create new two keystores for client-trustore.jks and wso2carbon.jks. 

    You can follow [1] for more information on how to configure keystores in WSO2 servers. 


    • Configure Nginx configuration as follows

    upstream ssl.wso2.as.com {
        server A-S00001572:9443;
    }
    
    server {
    listen 443;
        server_name is.wso2.com;
    
        client_max_body_size 100M;
    
        ssl on;
        ssl_certificate /etc/ssl/nginx/nginx-repo.crt;
        ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;
    
        location / {
                    proxy_set_header X-Forwarded-Host $host;
                    proxy_set_header X-Forwarded-Server $host;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
                    proxy_redirect https://A-S00001572:9443 https://A-S00001572;
    
    
                    proxy_pass https://ssl.wso2.as.com;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
        }
    
    }


    You need to change the path of certificate and certificate_key.

    • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/jaggeryapps/dashboard/conf/site.json file as follows


    {
        "proxy" : {
            "proxyHost" : "wso2.is.com",
            "proxyHTTPSPort" : "443",
            "proxyContextPath" : "",
            "servicePath" : "/services"
        }
    }
    

    • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/jaggeryapps/portal/conf/site.json file as follows
    {

    {
        "proxy" : {
            "proxyHost" : "wso2.is.com",
            "proxyHTTPSPort" : "443",
            "proxyContextPath" : ""
        },
        "fido" : {
            "appId" : ""
        }
    }
    

    • Configure proxy port and host in <wso2is-5.1.0> /repository/deployment/server/webapps/shindig/WEB-INF/web.xml

    <context-param>
            <param-name>system.properties</param-name>
            <param-value>
                <![CDATA[
            shindig.host=wso2.is.com
            shindig.port=443
            aKey=/shindig/gadgets/proxy?container=default&url=
         ]]>
    

    • Import the load balancer certificate into client-trustore.jks file.


    Note : Load balancer certificate should be IS hostname. 


    Running the Server. 



    Now you are done. You will be able to log into Identity Server Management Console and Dashboard web app from following URLs. 


    Management Console : https://wso2.is.com/carbon/
    Dashboard :https://wso2.is.com/dashboard



    [1] https://docs.wso2.com/display/Carbon440/Configuring+Keystores+in+WSO2+Products

    6 comments:

    1. Thank you very much, especially the nginx http upgrade for the shindig websocket was needed

      ReplyDelete
    2. So when having more than one nodes behind a nginx RP , only the second approach will work or am i wrong?

      ReplyDelete
    3. Hi Isura, helpful info! I am still having an issue. Maybe my situation is different from your example? I just want to proxy from nginx to wso2-is. My wso2-is is already doing SSL on 9443, I have one server block in nginx for the proxy resembling the first proxy example above (but not exactly the same). I have edited the 3 files in repository/deployment/... as well as catalina-server.xml (https connector proxy port/name), set EnableThriftService false in identity.xml (may have been that way by default), and set host and mgthost in carbon.xml. Everything seems to work, nginx proxies to wso2-is on 9443, I can login to the console without :9443. So I closed 9443 on the firewall thinking it's no longer required with my local proxy, but trying to make a comment here, I am redirected to :9443/authenticationendpoint/login.do?... - note the 9443 :(, I still need to keep 9443 open (on the firewall) for this comment to work, ideally, I'd like everything to go through https/443 on nginx. Maybe this is an issue with nginx following redirects from wso2-is? Thanks for any help.

      ReplyDelete
    4. Here are 2 unrelated questions I also asked here:

      http://manulachathurika.blogspot.com/2014/01/import-ssl-certificate-to-wso2-identity.html

      - Is is possible to configure wso2-is so Blogger displays not my uid but rather my preferred/friendly name?
      - Is it possible to set an avatar on my /openid/ page (right now a broken image), and one that blogger might display?

      Thanks again!

      ReplyDelete