You can follow [1] for enabling SSO for WSO2 Servers.
When you configure SSO between WSO2 servers, you have to share either the user stores or the internal roles between them; otherwise you will end up with an authorization failure.
In this blog post I am going to post the steps to share the internal roles between WSO2IS and WSO2ESB.
i) Download WSO2IS 5.0.0 and WSO2ESB 4.8.1
ii) Set WSO2ESB's port offset to 1 in the <ESB_HOME>/repository/conf/carbon.xml file, so that both servers can run on the same host.
iii) Open the <IS_HOME>/repository/conf/datasources/master-datasources.xml file and add the following datasource configuration (note that & must be written as &amp; inside the XML):
<datasource>
    <name>WSO2UM_DB</name>
    <description>The datasource used for user management</description>
    <jndiConfig>
        <name>jdbc/WSO2UM_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:mysql://localhost:3306/userstore?autoReconnect=true&amp;relaxAutoCommit=true</url>
            <username>db_username</username>
            <password>db_password</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>
iv) Open the <ESB_HOME>/repository/conf/datasources/master-datasources.xml file and add the same datasource configuration, pointing at the same database:
<datasource>
    <name>WSO2UM_DB</name>
    <description>The datasource used for user management</description>
    <jndiConfig>
        <name>jdbc/WSO2UM_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:mysql://localhost:3306/userstore?autoReconnect=true&amp;relaxAutoCommit=true</url>
            <username>db_username</username>
            <password>db_password</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>
v) Open the <IS_HOME>/repository/conf/user-mgt.xml file and point the user store at the new datasource by changing the dataSource property to the JNDI name defined above:
<Configuration>
    <AddAdmin>true</AddAdmin>
    <AdminRole>admin</AdminRole>
    <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
    </AdminUser>
    <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
    <Property name="dataSource">jdbc/WSO2UM_DB</Property>
</Configuration>
vi) Open the <ESB_HOME>/repository/conf/user-mgt.xml file and change the dataSource property in the same way:
<Configuration>
    <AddAdmin>true</AddAdmin>
    <AdminRole>admin</AdminRole>
    <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
    </AdminUser>
    <EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
    <Property name="dataSource">jdbc/WSO2UM_DB</Property>
</Configuration>
vii) Add the MySQL Connector/J jar [2] to the <IS_HOME>/repository/components/lib folder.
viii) Add the MySQL Connector/J jar [2] to the <ESB_HOME>/repository/components/lib folder.
ix) Create a database named WSO2UM_DB (make sure the database name in the JDBC <url> of both datasources above points to it) and run the following script on it:
<IS_HOME>/dbscripts/mysql.sql
x) Now start both WSO2IS and WSO2ESB. Because both servers now read roles from the same database, an internal role added in WSO2IS shows up in WSO2ESB as well.
xi) Now you can create a user in WSO2IS and assign that user an internal role which has the login permission. Then try to log into the ESB; you will be able to log in successfully.
[1] https://docs.wso2.com/display/IS500/Enabling+SSO+for+WSO2+Servers
[2] http://dev.mysql.com/downloads/connector/j/
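As an added check (example script, not part of the original post or of the WSO2 products): after steps iii) to vi) both products must resolve the dataSource property in user-mgt.xml to a datasource that points at the same database, otherwise roles are not actually shared. The script parses each product's XML and reports mismatches; the sample XML it builds is constructed for the example.

```python
import xml.etree.ElementTree as ET

def jndi_to_url(master_datasources_xml):
    """Map JNDI name -> JDBC URL for every datasource in a master-datasources.xml document."""
    root = ET.fromstring(master_datasources_xml)
    mapping = {}
    for ds in root.iter("datasource"):
        jndi = ds.findtext("jndiConfig/name")
        url = ds.findtext("definition/configuration/url")
        if jndi and url:
            mapping[jndi.strip()] = url.strip()
    return mapping

def user_mgt_datasource(user_mgt_xml):
    """Return the dataSource property value from user-mgt.xml, or None when it is not set."""
    root = ET.fromstring(user_mgt_xml)
    for prop in root.iter("Property"):
        if prop.get("name") == "dataSource":
            return (prop.text or "").strip()
    return None

def check_shared_user_store(products):
    """products: {product name: (master-datasources.xml text, user-mgt.xml text)}.
    Returns a list of problems; empty means all products share one user/role database."""
    problems, urls = [], {}
    for name, (ds_xml, um_xml) in products.items():
        jndi = user_mgt_datasource(um_xml)
        mapping = jndi_to_url(ds_xml)
        if jndi not in mapping:
            problems.append(f"{name}: user-mgt.xml dataSource {jndi!r} is not declared in master-datasources.xml")
            continue
        urls[name] = mapping[jndi]
    # Compare only scheme/host/port/database; pool options after '?' may differ per product.
    bases = {n: u.split("?", 1)[0] for n, u in urls.items()}
    if len(set(bases.values())) > 1:
        problems.append("products point at different databases: " + ", ".join(f"{n}={u}" for n, u in sorted(bases.items())))
    return problems

def datasource_xml(url):
    """Constructed minimal master-datasources.xml (sample input, not a real product file)."""
    return (f"<datasources-configuration><datasources><datasource><name>WSO2UM_DB</name>"
            "<jndiConfig><name>jdbc/WSO2UM_DB</name></jndiConfig><definition type=\"RDBMS\">"
            f"<configuration><url>{url}</url></configuration></definition>"
            "</datasource></datasources></datasources-configuration>")

# Constructed user-mgt.xml fragment carrying the dataSource property from step v).
USER_MGT = ('<UserManager><Realm><Configuration><Property name="dataSource">'
            'jdbc/WSO2UM_DB</Property></Configuration></Realm></UserManager>')
```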
Friday, February 27, 2015
Saturday, September 13, 2014
How to lock a user account in WSO2 Identity Server 5.0.0
WSO2 Identity Server can be configured to lock a user account when the maximum number of failed login attempts is exceeded. This is done through the Identity Management feature, and you can use [1] to configure it.
There can be scenarios where an admin wants to lock and unlock a user account manually, and Identity Server supports this through the Management Console. The following steps can be used to lock a user account through the admin console.
Step1
Download and install WSO2 Identity Server 5.0.0 from here.
Step2
Open a web browser and go to https://localhost:9443/carbon/admin
Login with following credentials
Username : admin
Password : admin
Step3
Assign the login permission to the internal/everyone role.
Step4
Follow the steps in here to add a new user and assign the internal/everyone role to the created user.
Step5
Sign out from the admin user and try to log in to the Identity Server with the newly added user's credentials.
You should be able to log in, since the account is not locked by default.
Step6
Log in as admin, go to the Configure tab and select Claim Management. Then select the 'http://wso2.org/claims' link and click Edit on the Account Lock claim. Tick the Supported by Default checkbox and save the changes.
Step7
Then go to the User Account Edit page and type true in the Account Locked field. The user is now locked and can no longer log in.
[1] https://docs.wso2.com/pages/viewpage.action?pageId=34612027
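For scripted locking, the same claim that the Account Locked field writes can be set through the RemoteUserStoreManagerService admin service; the Python below is an added example, not code from the post or from WSO2. It assumes the claim URI http://wso2.org/claims/identity/accountLocked, the service namespace http://service.ws.um.carbon.wso2.org and the default endpoint path, all of which you should verify against the service WSDL on your server.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Claim URI behind the "Account Locked" field; namespace and endpoint are assumptions, check the WSDL.
ACCOUNT_LOCKED_CLAIM = "http://wso2.org/claims/identity/accountLocked"
UM_NS = "http://service.ws.um.carbon.wso2.org"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DEFAULT_URL = "https://localhost:9443/services/RemoteUserStoreManagerService"

def set_claim_envelope(user_name, claim_uri, claim_value, profile="default"):
    """Build a setUserClaimValue request; all values are XML-escaped so the envelope stays well-formed."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ser="{UM_NS}">'
            "<soapenv:Header/><soapenv:Body><ser:setUserClaimValue>"
            f"<ser:userName>{escape(user_name)}</ser:userName>"
            f"<ser:claimURI>{escape(claim_uri)}</ser:claimURI>"
            f"<ser:claimValue>{escape(claim_value)}</ser:claimValue>"
            f"<ser:profileName>{escape(profile)}</ser:profileName>"
            "</ser:setUserClaimValue></soapenv:Body></soapenv:Envelope>")

def lock_envelope(user_name, locked=True):
    """Lock or unlock user_name: the claim stores the strings 'true' / 'false', as typed in the console."""
    return set_claim_envelope(user_name, ACCOUNT_LOCKED_CLAIM, "true" if locked else "false")

def claim_value_from_response(body):
    """Read the <ns:return> value from a getUserClaimValueResponse (None when absent)."""
    node = ET.fromstring(body).find(f".//{{{UM_NS}}}return")
    return node.text if node is not None else None

def call_admin_service(envelope, action, admin_user, admin_pass, cafile, url=DEFAULT_URL):
    """POST the envelope with HTTP Basic auth over TLS; cafile is the CA that issued the server certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # keep certificate verification on for admin calls
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(url, data=envelope.encode("utf-8"), method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": f"urn:{action}",
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")

# Usage against a running server (hypothetical CA file name):
# call_admin_service(lock_envelope("user1"), "setUserClaimValue", "admin", "admin", "ca.pem")
```

Admin service WSDLs are hidden by default in carbon.xml (HideAdminServiceWSDLs), so you may need to expose them temporarily to check the operation names.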
Tuesday, June 17, 2014
Secure passwords in Password Callback Handler using WSO2 Carbon Secure Vault
In WSO2 Carbon products, a password callback handler class can be used to provide the passwords the Rampart engine needs to build username tokens and create signatures when sending messages. Apache Rampart is the Axis2 module which provides the WS-Security feature to Axis2 web services. You can find a detailed explanation of password callbacks from here.
Following is a sample callback handler class (the passwords are hard coded here on purpose; the rest of the post shows how to avoid that):
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PWCBHandler implements CallbackHandler {

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            WSPasswordCallback pwcb = (WSPasswordCallback) callback;
            // Spelling as in the WSS4J 1.5 API used by Rampart
            String id = pwcb.getIdentifer();
            int usage = pwcb.getUsage();
            if (usage == WSPasswordCallback.USERNAME_TOKEN) {
                // Logic to get the password to build the username token
                if ("admin".equals(id)) {
                    pwcb.setPassword("admin");
                }
            } else if (usage == WSPasswordCallback.SIGNATURE || usage == WSPasswordCallback.DECRYPT) {
                // Logic to get the private key password for signature or decryption
                if ("client".equals(id)) {
                    pwcb.setPassword("apache");
                }
                if ("service".equals(id)) {
                    pwcb.setPassword("apache");
                }
            }
        }
    }
}
WSO2 Carbon ships with a Secure Vault implementation, which is a modified version of the Synapse Secure Vault. It can be used to avoid hard coding the password as in the example above and instead retrieve it from a configuration file in which the value is stored encrypted.
The following example shows how to configure WSO2 Secure Vault for a password callback handler with WSO2 Identity Server 5.0.0.
Step1 : Download the WSO2 Identity Server 5.0.0 from here
Step2 : Create a config file named test_conf1.xml in <carbon_home>/repository/conf directory and add following text
<testconf>
    <module serverURL="local://services/" remote="false">
        <password>admin</password>
    </module>
</testconf>
Step3 : Add following line to <carbon_home>/repository/conf/security/cipher-tool.properties file
testconf.module.password=test_conf1.xml//testconf/module/password,true
Step4 : Add following line to <carbon_home>/repository/conf/security/cipher-text.properties file
testconf.module.password=[admin]
Step5 : Go to the <carbon_home>/bin directory and execute the "sh ciphertool.sh -Dconfigure" command. It will ask you to enter the primary key store password; type "wso2carbon" as the password.
Step6 : The test_conf1.xml file will then be updated as follows (the plain text password is replaced by a placeholder and the element is tagged with the secret alias):
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<testconf xmlns:svns="http://org.wso2.securevault/configuration">
    <module remote="false" serverURL="local://services/">
        <password svns:secretAlias="testconf.module.password">password</password>
    </module>
</testconf>
If you look at the cipher-text.properties file, the password should now be encrypted, as follows:
testconf.module.password=PFQC+qjKxmDePuiR5kSSTOx6suR48UKbDpcEEZ57TcXsHIlnP+I6E2ZXOBtZ91Fk+z3b8vWV84GB\nzn9q+ZQZ0XmdTUzNTMFMV/rpkT3OVhN9MUCjlHIORhcNMt9oWiVKaQ5tO2AmFg5IIqvG/FO51q3o\nx+L8a2sF3JH9G1m203s\=
Step7 : Following class can be used to resolve the password
/*
 * Copyright (c) 2006, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sample.securevault;

import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.utils.CarbonUtils;
import org.wso2.securevault.SecretResolver;
import org.wso2.securevault.SecretResolverFactory;

import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

public class TestConf {

    private static final Log log = LogFactory.getLog(TestConf.class);

    // The file created in Step2 (the original read "conf-test1.xml", which does not exist)
    private static final String CONFIG_FILE = "test_conf1.xml";
    // Same alias used in cipher-text.properties and cipher-tool.properties
    private static final String SECRET_ALIAS = "testconf.module.password";

    private String password;
    private String serverURL;
    private String remote;

    public TestConf() {
        InputStream fileInputStream = null;
        String configPath = CarbonUtils.getCarbonHome() + File.separator + "repository"
                + File.separator + "conf" + File.separator + CONFIG_FILE;
        File configXML = new File(configPath);
        if (configXML.exists()) {
            try {
                fileInputStream = new FileInputStream(configXML);
                StAXOMBuilder builder = new StAXOMBuilder(fileInputStream);
                builder.setNamespaceURIInterning(true);
                OMElement configElement = builder.getDocumentElement();
                // Initialize the SecretResolver with the configuration element; it picks up the
                // svns:secretAlias attributes added by the cipher tool.
                SecretResolver secretResolver = SecretResolverFactory.create(configElement, false);
                OMElement module = configElement.getFirstChildWithName(new QName("module"));
                if (module != null) {
                    // Resolve the secret through Secure Vault when the element is protected,
                    // otherwise fall back to the plain text value in the file.
                    if (secretResolver != null && secretResolver.isInitialized()
                            && secretResolver.isTokenProtected(SECRET_ALIAS)) {
                        password = secretResolver.resolve(SECRET_ALIAS);
                    } else {
                        password = module.getFirstChildWithName(new QName("password")).getText();
                    }
                    serverURL = module.getAttributeValue(new QName("serverURL"));
                    remote = module.getAttributeValue(new QName("remote"));
                }
            } catch (XMLStreamException e) {
                log.error("Unable to parse " + CONFIG_FILE, e);
            } catch (IOException e) {
                log.error("Unable to read " + CONFIG_FILE, e);
            } finally {
                if (fileInputStream != null) {
                    try {
                        fileInputStream.close();
                    } catch (IOException e) {
                        log.error("Failed to close the FileInputStream, file : " + configPath);
                    }
                }
            }
        } else {
            log.warn("Configuration file not found: " + configPath);
        }
    }

    public String getPassword() {
        return password;
    }

    public String getServerURL() {
        return serverURL;
    }

    public boolean isRemote() {
        return Boolean.valueOf(remote);
    }
}
You can check out the complete code from here.
Step8 : Use Maven to build the project (mvn clean install).
Go to the target directory, copy the org.wso2.samples.pwcb-1.0.0.jar file to the <carbon_home>/repository/lib directory and start the server. You will then be asked to enter the key store password, which is "wso2carbon"; Secure Vault needs it to decrypt the value at startup.
Now you are done.
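An added example (not part of the original post or of WSO2): an offline audit of the three artefacts that Secure Vault ties together, cipher-tool.properties, cipher-text.properties and the target XML file. It reports aliases whose value is still in the plaintext [...] form (the cipher tool has not been run) and elements that never received the svns:secretAlias attribute; the sample inputs it embeds are constructed to mirror steps 2 to 6 above.

```python
import xml.etree.ElementTree as ET

# Attribute the cipher tool adds to the protected element (namespace from the updated XML in Step6).
SECRET_ALIAS_ATTR = "{http://org.wso2.securevault/configuration}secretAlias"

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comment lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_secure_vault(cipher_tool, cipher_text, xml_files):
    """cipher_tool / cipher_text: file contents; xml_files: {file name: XML text}.
    Returns a list of problems; empty means every alias is encrypted and wired up."""
    problems, secrets = [], parse_properties(cipher_text)
    for alias, target in parse_properties(cipher_tool).items():
        # cipher-tool.properties value format: <file>//<xpath>,<true|false>
        location, _, _flag = target.partition(",")
        file_name, _, xpath = location.partition("//")
        value = secrets.get(alias)
        if value is None:
            problems.append(f"{alias}: no entry in cipher-text.properties")
        elif value.startswith("[") and value.endswith("]"):
            problems.append(f"{alias}: still plaintext in cipher-text.properties (run ciphertool.sh -Dconfigure)")
        xml = xml_files.get(file_name)
        if xml is None:
            problems.append(f"{alias}: {file_name} not found")
            continue
        root, parts = ET.fromstring(xml), xpath.strip("/").split("/")
        element = root if root.tag == parts[0] else None
        if element is not None and len(parts) > 1:
            element = root.find("/".join(parts[1:]))
        if element is None:
            problems.append(f"{alias}: {xpath} not found in {file_name}")
        elif element.get(SECRET_ALIAS_ATTR) != alias:
            problems.append(f"{alias}: element {xpath} in {file_name} has no svns:secretAlias, value is read in clear")
    return problems

# Constructed sample inputs mirroring steps 2-6 (before and after running the cipher tool).
CIPHER_TOOL = "testconf.module.password=test_conf1.xml//testconf/module/password,true\n"
TEXT_BEFORE = "testconf.module.password=[admin]\n"
TEXT_AFTER = "testconf.module.password=Q09OU1RSVUNURUQ=\n"  # placeholder, not a real ciphertext
XML_BEFORE = '<testconf><module serverURL="local://services/" remote="false"><password>admin</password></module></testconf>'
XML_AFTER = ('<testconf xmlns:svns="http://org.wso2.securevault/configuration"><module remote="false" '
             'serverURL="local://services/"><password svns:secretAlias="testconf.module.password">password</password></module></testconf>')
```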
Tuesday, April 22, 2014
SPML Provisioning Capability for WSO2 Identity Server
SPML (Service Provisioning Markup Language) is an OASIS specification for exchanging user and resource provisioning information between organizations.
With the WSO2 Identity Server 5.0, you can manage users with SPML compliant providers.
Step1
Install and configure an SPML compliant provider. Sun Identity Manager, Oracle Waveset and ActiveRoles Server SPML provider are some examples of SPML compliant providers.
Step2
Download and install WSO2 Identity Server 5.0. This release will be available within a couple of weeks.
Step3
Open a web browser and go to https://localhost:9443/carbon/admin
Login with following credentials
Username : admin
Password : admin
Step4
Click "Add" button under Main/Identity/Identity providers.
Step5
You will be redirected to the following page.
Type "spml Identity provider" as the Identity Provider name.
Go to "Outbound Provisioning Connectors" / "SPML Provisioning Connector":
- Enable the connector
- Enter the username for your SPML compliant provider
- Enter the password for the SPML compliant provider
- Enter the SPML endpoint URL as SPML Endpoint
- Enter the SPML object class supported by the server as objectClass
- Add the attribute claim mapping according to your SPML provider
- Click Update to save the changes
Step6
Click the Service Provider List link and then click the Resident Service Provider link.
Then select "Outbound Provisioning Configuration", add the created IdP and select spml as in the following screenshot.
Step7
- Go to the Configure tab / "Users and Roles" / Roles / "Add new Role"
- Add a new role named "spml"
Step8
- Go to the Configure tab / "Users and Roles" / Users / Add User
- Click the Add new User button, fill in the data and click Next to assign the role spml
Once you click the Finish button, the user will be provisioned to the SPML provider server. You are done. When you delete the user from IS, the user will be deleted from the server too.