Thursday, December 20, 2012

Creating a custom User Store with WSO2 IS 4.0.0


Generally, we can  configure an external LDAP with a WSO2 IS using <UserStoreManager> tag , and with the class attribute like this : 
<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager"> 
Apart from this, there are other default UserStoreManagers that are available with WSO2 IS, such as ActiveDirectoryUserStoreManager, JDBCUserStoreManager etc. You can find more from user-mgt.xml inside a WSO2 IS distribution's repository/conf directory

Similarly there we can define custom user stores as well.

Use Case

In the sample, CustomUserStoreManager reads a user credentials from an xml file (user.xml) and authenticates the user. This can be taken analogous to a CustomUserStoreManager that connects to a custom user store and authenticates users against the credentials stored there. The same CustomUserStoreManager has been extended to provide the functionality required by the STS configuration and issuing a SAML token with requested claim values.



0.  Download WSO2 IS 4.0.0 and extract it to a preferred location. We will refer to that as [IS_HOME]

1. Download the sample from here and extract.

2. Place the jar file in the sample: org.wso2.carbon.userstoremanager.sample-1.0.jar in [IS_HOME]/repository/components/lib.
    eg: /home/manisha/WSO2/wso2is-4.0.0/repository/components/lib
3. Replace the user-mgt.xml in [IS_HOME]/repository/conf with the user-mgt.xml comes with this.
4. Make the enable EmbeddedLDAP propety "false" in embedded-ldap.xml file in [IS_HOME]/repository/components/conf.
            <Property name="enable">false</Property>

5. Comment out the default CommonHybridLDAPTenantManager in tenant-mgt.xml in [IS_HOME]/repository/components/conf.

6. Uncomment the JDBCTenantManager property in tenant-mgt.xml

7. Delete the database folder in [IS_HOME]/repository if you are not using a newly extracted IS distribution.

8. Start the server with the command 'sh -Dsetup' if you followed the step 3.
   Or else, if you are using a newly extracted IS distribution, start the server with '' as usual.
   (Start up file changes according to the OS you are in, above commands listed for Linux environment.)

9. Login to the management console with the credentials mentioned in the user.xml that comes with this.

10. Configure the STS to use that with the related STS client.

11. Run STS client to obtain the SAML token.

PS: Courtesy goes to Hasini Gunasinghe

Wednesday, December 5, 2012

Getting NoSuchAlgorithmException when running Secure clients with WSO2 products?


Secured client   _____\    Secured Proxy  ______\   Unsecured Svc
   (external)                /         (ESB)                    /        (AS)

Apply security policy 5(Sign and Encrypt) on both the client and ESB proxy. 


You may encounter the error below. 
org.apache.axis2.AxisFault: Error in encryption
at org.apache.rampart.handler.RampartSender.invoke(
at org.apache.axis2.engine.Phase.invokeHandler(
at org.apache.axis2.engine.Phase.invoke(
at org.apache.axis2.engine.AxisEngine.invoke(
at org.apache.axis2.engine.AxisEngine.send(
at org.apache.axis2.description.OutInAxisOperationClient.send(
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(
at org.apache.axis2.client.OperationClient.execute(
at org.apache.axis2.client.ServiceClient.sendReceive(
at org.apache.axis2.client.ServiceClient.sendReceive(
at SecurityClient.runSecurityClient(
at SecurityClient.main(
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
at java.lang.reflect.Method.invoke(
at com.intellij.rt.execution.application.AppMain.main(
Caused by: org.apache.rampart.RampartException: Error in encryption
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(
at org.apache.rampart.handler.RampartSender.invoke(
... 16 more
Caused by: An unsupported signature or encryption algorithm was used (unsupported key transport encryption algorithm: No such algorithm:; nested exception is: Cannot find any provider supporting RSA/ECB/OAEPPadding
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(
... 19 more
Caused by: Cannot find any provider supporting RSA/ECB/OAEPPadding
at javax.crypto.Cipher.getInstance(DashoA13*..)
... 22 more

Import the bcprov-jdk15.jar jar which can be found in wso2esb-4.5.0/repository/axis2/client/lib to the class path of the secured client's project. 

Friday, November 30, 2012

How to Enable Secure Vault in a WSO2 Carbon Product

1. Extract the carbon product to a preferred location

2. Make sure that file is available in CARBON_HOME/repository/conf

3. Make sure that file is available in CARBON_HOME/bin

4. From a command line, navigate to CARBON_HOME/bin. From there, run the following command; In Linux, sh -Dconfigure 
In Windows,   ciphertool.bat -Dconfigure
This would prompt the following in the command line
[Please Enter Primary KeyStore Password of Carbon Server : ]There, you can give ‘wso2carbon’

5. After finishing the execution of, check the values in the file. It would contain an encrypted value as below.

6. Then start up the server normally with In Linux, sh In Windows,   wso2server.batDuring the server start up, it would prompt the following twice.
[Enter KeyStore and Private Key Password :] There also you  need to provide ‘wso2carbon’ in both the instances.

7. Now your server system is protected with the secure vault configuration, and all the passwords are encrypted and exposed to outside via aliases.


When configuring Secure Vault with WSO2 products : Error initializing Cipher

You can configure Secure Vault with WSO2 ESB (or any other Carbon product) to secure the data in the configuration files such as
 - User Store passwords
 - Database passwords           etc.
You may get this work completely if you follow this blog on How to configure Secure Vault in WSO2 Products.
If you try with a custom keystore, you might encounter the following error for certain instances.
Exception in thread "main" org.wso2.ciphertool.CipherToolException: Error initializing Cipher
at org.wso2.ciphertool.CipherTool.handleException(
at org.wso2.ciphertool.CipherTool.initCipher(
at org.wso2.ciphertool.CipherTool.main(
Caused by: Wrong key usage
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at org.wso2.ciphertool.CipherTool.initCipher(
... 1 more
Then you can analyze the public certificates of the two jks's  - In default wso2carbon.jks, the KeyUsage is
KeyUsage [
 - In the custom .jks, the KeyUsage is
KeyUsage [
Since the custom key store's certificate does not have 'Data_Encipherment' it can't use the Ciphertool and encrypt data for secure vault. So they may have to generate a new key store with at least a Self signed certificate. 

Thursday, August 30, 2012

Monitor Stats of Carbon 3.2.x products with WSO2 BAM2

Configuring WSO2 ESB Server with Data Publishers
  1. Download WSO2 Enterprise Service Bus 4.0.2. Unzip the distribution to your preferred location. This directory will be referred as ESB_HOME.
  2. Remove the following jar from ESB_HOME/repository/components/plugins directory.

  1. Place the following set of jars into ESB_HOME/repository/components/dropins directory. These jars will act as data publishers of WSO2 ESB.
    1. gson-2.1.jar
    3. libthrift-0.7.wso2v1.jar   
    6. org.wso2.carbon.eventbridge.agent.thrift-3.2.3.jar
    8. org.wso2.carbon.eventbridge.commons-3.2.3.jar
    10. org.wso2.carbon.eventbridge.commons.thrift-3.2.3.jar
    12. org.wso2.carbon.statistics-3.2.4.jar
    14. org.wso2.carbon.utils-3.2.3.jar
The above jars can be downloaded from the FTP Location

  1. Start up the WSO2 AS with the following command from the ESB_HOME/bin directory.
  1. Log into the management console with the credentials. Go to “Configure” tab. You will see a new feature has been listed in the menu named “Service Data Publishing”. When you clicked on the the feature, the UI will be as follows.

  1. Check the “Enable Service stats” check box under “Service Configuration”.
  2. Specify the Stream Definition Configuration parameters as preferred.
  3. Specify the “BAM URL” under “BAM Credential” in the following format.
tcp://<ip_address>:7611 (eg:  tcp://

  1. Click on “Update”.

PS: Similarly, you can configure the other carbon server nodes as well (eg: WSO2 BPS, WSO2 DSS and WSO2 AS)

Configure Standalone WSO2 BAM and Monitor Data

  1. Change the port offset of WSO2 BAM server, so that it will not get port clashes with earlier configured WSO2 ESB.
Change the <Offset> parameter in carbon.xml file that resides in BAM_HOME/repository/conf directory.
  1. Start up the server with the following command from the BAM_HOME/bin directory.
  1. Invoke the service/s deployed in WSO2 ESB.
  2. Login to the WSO2 BAM Management Console. Go to “Main” tab --> “Manage” menu --> “Cassandra Explorer” --> “Connect to Cluster”.
Provide the following inputs
Connection URL: localhost:9160
Username: admin
Password: admin
Click on “Connect”.
  1. This will list the “Keyspaces”. Analyze the details of the respective Stream Name  under  “EVENT_KS” keyspace. A sample record will be as follows.
With these details, create a BAM Archive package and deploy as a “BAM Toolbox”.

  1. Create a Toolbox that contains the following components.
    1. Database script
    2. Gadget XMLs
    3. Jaggery scripts
The Toolbox should be packaged to a “.bar” package. The sample Toolbox can be found from the FTP location

  1. Deploy the Toolbox from “Main” tab --> “Manage” menu --> “BAM Toolbox” --> “Add” from the WSO2 BAM management console.

  1. From the Custom Toolbox table, browse for the created .bar package and hit on “Deploy”.
  2. Until the complete deployment, the status of the package will be shown as “Awaiting to Deploy”.

  1. Refresh the page until the status changes to “Deployed”.

  1. Go to “Main” tab --> “Manage” menu --> “Analytics” --> “List Scripts”.
  2. Click on “Edit”.

  1. This will open up the Script Editor and it will show the Database script that we have included in the deployed .bar package. Click on “Run”.

  1. With the successful execution of the script, it will show up the Results in the “Script Results” section below the “Script” editor section.
  2. Go to “Main” tab --> “Dashboard” menu --> “BAM Dashboard”. The deployed gadgets on the dashboard will be shown as follows.

Tuesday, August 28, 2012

Authentication on a deployed Web App??

Enterprises use Java Web Applications for various requirements. Often these applications may require to be implemented with access control and authentication as an organization policy. 
In the provided article, I have showed how WSO2 Application Server acts as a deployment container for a web application and authenticate the hosted application against a preferred User Store. Furthermore, the write-up focuses on enforcing secure connections via HTTPS enablement on the Web Application.