In this blog post, I am going to give a step-by-step guide to configuring WSO2 Identity Server 5.1.0 behind a proxy host and proxy port.
Configuring Proxy Port
By default, WSO2 Identity Server listens on port 9443. Here I am going to explain how to put it behind a proxy port of 443, so that users never see port 9443 in a URL.
- Open the <wso2is-5.1.0>/repository/conf/tomcat/catalina-server.xml file and add proxyPort="443" to the HTTPS connector as follows.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" proxyPort="443"
Note: It is not enough to rewrite the port on the load balancer alone, because the authentication flow of the IS Dashboard makes a POST request back to the server using the port the server believes it is running on. So, if you are planning to use the Identity Server Dashboard, this configuration is a must.
Configuring Proxy Host
1. Use the same hostname in both the Identity Server and the load balancer
- Open <wso2is-5.1.0>/repository/conf/carbon.xml file and configure the hostname and management hostname as follows
<HostName>wso2.is.com</HostName> <MgtHostName>wso2.is.com</MgtHostName>
- Create a new keystore with the new hostname. Following is the keytool command to create it. The CN must be the hostname configured above. The original post used a 1024-bit key; 2048 bits is the current minimum, and the wso2carbon passwords are the well-known defaults, so change them in anything other than a test setup.
keytool -genkey -alias wso2carbon -keyalg RSA -keysize 2048 -dname "CN=wso2.is.com,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
Create two new keystores, wso2carbon.jks and client-truststore.jks, and make sure the public certificate of the new wso2carbon key is present in client-truststore.jks so the server trusts its own certificate.
You can follow [1] for more information on how to configure keystores in WSO2 servers.
- Configure Nginx as follows
upstream ssl.wso2.as.com {
    server wso2.is.com:9443;
}

server {
    listen 443 ssl;
    server_name wso2.is.com;
    client_max_body_size 100M;

    ssl_certificate /etc/ssl/nginx/nginx-repo.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect https://ssl.wso2.as.com https://wso2.is.com;
        proxy_pass https://ssl.wso2.as.com;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
You need to change the path of the certificate and certificate key to your own files. Two caveats: "listen 443 ssl;" replaces the older "ssl on;" directive, which recent Nginx releases no longer accept; and Nginx does not verify the upstream certificate by default, so if the hop from Nginx to the Identity Server crosses a network you do not control, export the wso2carbon certificate in PEM form and enable proxy_ssl_verify on with proxy_ssl_trusted_certificate pointing at it.
- Configure the proxy port and host in the <wso2is-5.1.0>/repository/deployment/server/jaggeryapps/dashboard/conf/site.json file as follows
{
    "proxy" : {
        "proxyHost" : "wso2.is.com",
        "proxyHTTPSPort" : "443",
        "proxyContextPath" : "",
        "servicePath" : "/services"
    }
}
- Configure the proxy port and host in the <wso2is-5.1.0>/repository/deployment/server/jaggeryapps/portal/conf/site.json file as follows
{
    "proxy" : {
        "proxyHost" : "wso2.is.com",
        "proxyHTTPSPort" : "443",
        "proxyContextPath" : ""
    },
    "fido" : {
        "appId" : ""
    }
}
- Configure the proxy port and host in <wso2is-5.1.0>/repository/deployment/server/webapps/shindig/WEB-INF/web.xml
<context-param>
    <param-name>system.properties</param-name>
    <param-value>
        <![CDATA[
        shindig.host=wso2.is.com
        shindig.port=443
        aKey=/shindig/gadgets/proxy?container=default&url=
        ]]>
    </param-value>
</context-param>
- Import the load balancer certificate into the client-truststore.jks file.
Note: The load balancer certificate should be issued for the Identity Server hostname (wso2.is.com here), because that is the name the server's own web apps use when they call back through the load balancer.
2. Configure a proxyName in the catalina-server.xml file
If you want to use a proxy name that is different from the Identity Server hostname, you can do it by configuring catalina-server.xml. If your load balancer hostname is is.wso2.com and the Identity Server hostname is a-s00001572, the following configuration is needed for the Identity Server to work behind that proxy name and port.
- Open the <wso2is-5.1.0>/repository/conf/tomcat/catalina-server.xml file and add proxyName="is.wso2.com" next to the proxyPort="443" attribute on the HTTPS connector, so that Tomcat builds redirects and absolute URLs with the load balancer name instead of its own hostname.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" proxyPort="443" proxyName="is.wso2.com"
- Open <wso2is-5.1.0>/repository/conf/carbon.xml file and configure the hostname and management hostname as follows
<HostName>a-s00001572</HostName> <MgtHostName>a-s00001572</MgtHostName>
- Create a new keystore with the new hostname. Following is the keytool command to create it (the original post's -dname was missing the CN= prefix, and 2048 bits replaces the 1024-bit key; change the default wso2carbon passwords outside a test setup).
keytool -genkey -alias wso2carbon -keyalg RSA -keysize 2048 -dname "CN=a-s00001572,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
Create two new keystores, wso2carbon.jks and client-truststore.jks, and make sure the public certificate of the new wso2carbon key is present in client-truststore.jks.
You can follow [1] for more information on how to configure keystores in WSO2 servers.
- Configure Nginx as follows
upstream ssl.wso2.as.com {
    server A-S00001572:9443;
}

server {
    listen 443 ssl;
    server_name is.wso2.com;
    client_max_body_size 100M;

    ssl_certificate /etc/ssl/nginx/nginx-repo.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect https://A-S00001572:9443 https://is.wso2.com;
        proxy_pass https://ssl.wso2.as.com;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
You need to change the path of the certificate and certificate key to your own files. The proxy_redirect line rewrites any Location header that still names the internal host to the proxy name (the original post pointed it back at https://A-S00001572, which would send the browser to the internal hostname); with proxyName set, Tomcat already generates is.wso2.com redirects, so this is only a safety net. As in option 1, use "listen 443 ssl;" rather than "ssl on;", and enable proxy_ssl_verify if the Nginx-to-IS hop is not on a trusted network.
- Configure the proxy port and host in the <wso2is-5.1.0>/repository/deployment/server/jaggeryapps/dashboard/conf/site.json file as follows. The proxy host here is the load balancer name, not the Identity Server hostname.
{
    "proxy" : {
        "proxyHost" : "is.wso2.com",
        "proxyHTTPSPort" : "443",
        "proxyContextPath" : "",
        "servicePath" : "/services"
    }
}
- Configure the proxy port and host in the <wso2is-5.1.0>/repository/deployment/server/jaggeryapps/portal/conf/site.json file as follows
{
    "proxy" : {
        "proxyHost" : "is.wso2.com",
        "proxyHTTPSPort" : "443",
        "proxyContextPath" : ""
    },
    "fido" : {
        "appId" : ""
    }
}
- Configure the proxy port and host in <wso2is-5.1.0>/repository/deployment/server/webapps/shindig/WEB-INF/web.xml, again using the load balancer name
<context-param>
    <param-name>system.properties</param-name>
    <param-value>
        <![CDATA[
        shindig.host=is.wso2.com
        shindig.port=443
        aKey=/shindig/gadgets/proxy?container=default&url=
        ]]>
    </param-value>
</context-param>
- Import the load balancer certificate into the client-truststore.jks file.
Note: The load balancer certificate should be issued for the proxy name configured above (is.wso2.com), because that is the name the Identity Server's own web apps use when they call back through the load balancer.
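Because the proxy host and port end up in five different files, a mismatch (for example a site.json that still names the old hostname) is easy to miss and only shows up as a failed Dashboard login. The following Python script, added here as an example and not part of WSO2 or of the original post, parses the files the steps in options 1 and 2 touch and reports any that disagree with the intended proxy host and port. The sample file contents, the constant names and the install path in load_files() are constructed for illustration.

```python
"""Pre-flight check that every file edited in the steps above agrees on one proxy host/port.
Added example (not WSO2 code). The sample contents are constructed, not copied from a real
install, and the install path shown for load_files() is illustrative."""
import json
import xml.etree.ElementTree as ET

TOMCAT = "repository/conf/tomcat/catalina-server.xml"
CARBON = "repository/conf/carbon.xml"
SHINDIG = "repository/deployment/server/webapps/shindig/WEB-INF/web.xml"
SITE_JSON = "repository/deployment/server/jaggeryapps/{}/conf/site.json"

# Constructed sample contents keyed by path relative to <wso2is-5.1.0>; the Connector is
# trimmed to the attributes that matter here. This is the option 2 layout from the post.
SAMPLE_FILES = {
    TOMCAT: ('<Server><Service name="Catalina"><Connector '
             'protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" '
             'proxyPort="443" proxyName="is.wso2.com" scheme="https" secure="true"/>'
             '</Service></Server>'),
    CARBON: ('<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">'
             '<HostName>a-s00001572</HostName><MgtHostName>a-s00001572</MgtHostName>'
             '</Server>'),
    SITE_JSON.format("dashboard"): json.dumps(
        {"proxy": {"proxyHost": "is.wso2.com", "proxyHTTPSPort": "443",
                   "proxyContextPath": "", "servicePath": "/services"}}),
    SITE_JSON.format("portal"): json.dumps(
        {"proxy": {"proxyHost": "is.wso2.com", "proxyHTTPSPort": "443",
                   "proxyContextPath": ""}, "fido": {"appId": ""}}),
    SHINDIG: ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><context-param>'
              '<param-name>system.properties</param-name><param-value><![CDATA[\n'
              'shindig.host=is.wso2.com\nshindig.port=443\n'
              'aKey=/shindig/gadgets/proxy?container=default&url=\n]]></param-value>'
              '</context-param></web-app>'),
}

def load_files(install_dir):
    """Read the real files from an install directory, e.g. /opt/wso2is-5.1.0 (illustrative)."""
    files = {}
    for p in [TOMCAT, CARBON, SHINDIG, SITE_JSON.format("dashboard"), SITE_JSON.format("portal")]:
        with open(f"{install_dir}/{p}", encoding="utf-8") as fh:
            files[p] = fh.read()
    return files

def _local(tag):
    """Drop an XML namespace: '{ns}HostName' -> 'HostName' (carbon.xml and web.xml use one)."""
    return tag.rsplit("}", 1)[-1]

def tomcat_proxy(xml_text):
    """(proxyName, proxyPort) of the 9443 connector; None for an attribute that is not set."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "Connector" and el.get("port") == "9443":
            return el.get("proxyName"), el.get("proxyPort")
    return None, None

def carbon_hosts(xml_text):
    """(HostName, MgtHostName) from carbon.xml."""
    found = {_local(el.tag): (el.text or "").strip() for el in ET.fromstring(xml_text).iter()
             if _local(el.tag) in ("HostName", "MgtHostName")}
    return found.get("HostName"), found.get("MgtHostName")

def site_json_proxy(text):
    """(proxyHost, proxyHTTPSPort) from a jaggery app site.json."""
    proxy = json.loads(text).get("proxy", {})
    return proxy.get("proxyHost"), proxy.get("proxyHTTPSPort")

def shindig_props(xml_text):
    """Parse the system.properties context-param (key=value lines inside CDATA) into a dict."""
    for cp in ET.fromstring(xml_text).iter():
        if _local(cp.tag) != "context-param":
            continue
        kv = {_local(c.tag): (c.text or "") for c in cp}
        if kv.get("param-name", "").strip() == "system.properties":
            lines = (ln.strip() for ln in kv.get("param-value", "").splitlines())
            return dict(ln.split("=", 1) for ln in lines if "=" in ln)
    return {}

def check_proxy_config(files, proxy_host, proxy_port):
    """Return a list of mismatches; an empty list means every file agrees on proxy_host:proxy_port."""
    findings = []
    proxy_name, tomcat_port = tomcat_proxy(files[TOMCAT])
    host, mgt_host = carbon_hosts(files[CARBON])
    if tomcat_port != proxy_port:
        findings.append(f"catalina-server.xml: proxyPort={tomcat_port!r}, expected {proxy_port!r}")
    if proxy_name is None:
        # Option 1 from the post: no proxyName, so the IS hostname itself must be the proxy host.
        if host != proxy_host:
            findings.append(f"carbon.xml: HostName={host!r} is not the proxy host and no proxyName is set")
    elif proxy_name != proxy_host:
        findings.append(f"catalina-server.xml: proxyName={proxy_name!r}, expected {proxy_host!r}")
    if host != mgt_host:
        findings.append(f"carbon.xml: HostName={host!r} and MgtHostName={mgt_host!r} differ")
    for app in ("dashboard", "portal"):
        h, p = site_json_proxy(files[SITE_JSON.format(app)])
        if (h, p) != (proxy_host, proxy_port):
            findings.append(f"{app}/conf/site.json: proxy {h}:{p}, expected {proxy_host}:{proxy_port}")
    props = shindig_props(files[SHINDIG])
    if (props.get("shindig.host"), props.get("shindig.port")) != (proxy_host, proxy_port):
        findings.append(f"shindig web.xml: {props.get('shindig.host')}:{props.get('shindig.port')}, "
                        f"expected {proxy_host}:{proxy_port}")
    return findings

if __name__ == "__main__":
    # Against a real install: check_proxy_config(load_files("/opt/wso2is-5.1.0"), "is.wso2.com", "443")
    for line in check_proxy_config(SAMPLE_FILES, "is.wso2.com", "443") or ["all proxy settings agree"]:
        print(line)
```

Run it before starting the server; with option 1, where no proxyName is set, the check falls back to requiring that carbon.xml's HostName equals the proxy host, which is exactly the constraint that option describes.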
Running the Server
Now you are done. You will be able to log into the Identity Server Management Console and the Dashboard web app from the following URLs (with option 2, replace wso2.is.com with the proxy name is.wso2.com). If the Dashboard login redirects you to port 9443 or to the internal hostname, one of the proxy settings above still points at the wrong host or port.
Management Console: https://wso2.is.com/carbon/
Dashboard: https://wso2.is.com/dashboard
[1] https://docs.wso2.com/display/Carbon440/Configuring+Keystores+in+WSO2+Products