Thursday, December 20, 2012

Creating a custom User Store with WSO2 IS 4.0.0


Introduction

Generally, we configure an external LDAP with WSO2 IS through the <UserStoreManager> tag in user-mgt.xml, with the class attribute set like this:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager"> 
Apart from this, there are other default UserStoreManagers available with WSO2 IS, such as ActiveDirectoryUserStoreManager, JDBCUserStoreManager, etc. You can find more of them in user-mgt.xml inside a WSO2 IS distribution's repository/conf directory.

Similarly, we can define custom user stores as well, by pointing the class attribute at our own UserStoreManager implementation.

Use Case

In the sample, CustomUserStoreManager reads user credentials from an XML file (user.xml) and authenticates the user. This is analogous to a CustomUserStoreManager that connects to a custom user store and authenticates users against the credentials stored there. The same CustomUserStoreManager has been extended to provide the functionality required by the STS configuration, i.e. issuing a SAML token carrying the requested claim values.
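The two things the use case asks of the custom store, authenticating a user from a file and answering claim lookups for the STS, as an added illustration that is not the code in the downloadable sample: a plain Java class that a custom UserStoreManager's authentication and claim-lookup methods could delegate to. The user.xml layout, its attribute names, the claim-URI-to-attribute mapping and the sample users are all assumptions made here. Unlike a file of clear-text credentials, it keeps a per-user salt and SHA-256(salt || password), compares in constant time, and parses the file with DTDs disabled.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Illustrative file-backed user store (added example, not the blog sample's code).
 * Passwords are held as salt + SHA-256(salt || password), never in clear text.
 */
public class XmlUserStore {
    private static final SecureRandom RNG = new SecureRandom();

    // Assumed mapping from WSO2 claim URIs to attributes of the <user> element.
    private static final Map<String, String> CLAIM_TO_ATTR = new HashMap<String, String>();
    static {
        CLAIM_TO_ATTR.put("http://wso2.org/claims/emailaddress", "email");
        CLAIM_TO_ATTR.put("http://wso2.org/claims/role", "role");
    }

    private final Map<String, Element> users = new HashMap<String, Element>();

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] unhex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static byte[] digest(byte[] salt, String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    /** Builds one <user> element with a fresh random salt (used to construct the sample file in main). */
    static String userElement(String name, String password, String email, String role) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        // Inputs here contain no XML-special characters; escape them if they could.
        return String.format("  <user name=\"%s\" salt=\"%s\" hash=\"%s\" email=\"%s\" role=\"%s\"/>%n",
                name, hex(salt), hex(digest(salt, password)), email, role);
    }

    /** Parses user.xml content. DOCTYPEs are refused so a hostile file cannot trigger XXE. */
    static XmlUserStore load(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        XmlUserStore store = new XmlUserStore();
        NodeList nodes = doc.getElementsByTagName("user");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            store.users.put(e.getAttribute("name"), e);
        }
        return store;
    }

    /** The authentication step: constant-time compare, and the same hashing work for unknown users. */
    public boolean authenticate(String userName, String password) throws Exception {
        Element e = users.get(userName);
        byte[] salt = e == null ? new byte[16] : unhex(e.getAttribute("salt"));
        byte[] expected = e == null ? new byte[32] : unhex(e.getAttribute("hash"));
        boolean match = MessageDigest.isEqual(expected, digest(salt, password));
        return match && e != null;
    }

    /** Claim value the STS would place in the issued SAML token; null if the user or claim is unknown. */
    public String getUserClaimValue(String userName, String claimUri) {
        Element e = users.get(userName);
        String attr = CLAIM_TO_ATTR.get(claimUri);
        if (e == null || attr == null || !e.hasAttribute(attr)) return null;
        return e.getAttribute(attr);
    }

    public static void main(String[] args) throws Exception {
        // Constructed user.xml; the sample's real file layout is not shown on the page.
        String xml = "<users>\n"
                + userElement("admin", "admin123", "admin@example.com", "admin")
                + userElement("alice", "s3cret", "alice@example.com", "user")
                + "</users>\n";
        XmlUserStore store = load(xml);
        System.out.println(store.authenticate("alice", "s3cret"));
        System.out.println(store.authenticate("alice", "wrong"));
        System.out.println(store.authenticate("mallory", "s3cret"));
        System.out.println(store.getUserClaimValue("alice", "http://wso2.org/claims/emailaddress"));
    }
}
```

A single salted SHA-256 is used to keep the example short; a store that will face offline guessing should use a deliberately slow KDF (PBKDF2, bcrypt or scrypt) in place of digest(). The unknown-user branch hashes against dummy values on purpose, so that response time does not reveal whether a user name exists.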

 

Configurations

0.  Download WSO2 IS 4.0.0 and extract it to a preferred location. We will refer to that location as [IS_HOME].

1. Download the sample from here and extract.

2. Place the jar file from the sample, org.wso2.carbon.userstoremanager.sample-1.0.jar, in [IS_HOME]/repository/components/lib.
    eg: /home/manisha/WSO2/wso2is-4.0.0/repository/components/lib
3. Replace the user-mgt.xml in [IS_HOME]/repository/conf with the user-mgt.xml that comes with the sample.
 
4. Set the EmbeddedLDAP "enable" property to "false" in embedded-ldap.xml in [IS_HOME]/repository/conf.
    <EmbeddedLDAP>
        <Property name="enable">false</Property>
        ...................

5. Comment out the default CommonHybridLDAPTenantManager in tenant-mgt.xml in [IS_HOME]/repository/conf.

6. Uncomment the JDBCTenantManager entry in the same tenant-mgt.xml.

7. Delete the database folder in [IS_HOME]/repository if you are not using a newly extracted IS distribution.

8. Start the server from [IS_HOME]/bin with 'sh wso2server.sh -Dsetup' if you deleted the database folder in step 7; -Dsetup recreates the database schema.
   Otherwise, if you are using a newly extracted IS distribution, start the server with 'sh wso2server.sh' as usual.
   (The startup script differs by OS; the commands above are for a Linux environment.)

9. Log in to the management console with the credentials given in the user.xml that comes with the sample.

10. Configure the STS to use this user store, and configure the matching STS client.

11. Run STS client to obtain the SAML token.



PS: Courtesy goes to Hasini Gunasinghe

Wednesday, December 5, 2012

Getting NoSuchAlgorithmException when running Secure clients with WSO2 products?


Scenario: 

Secured client  ------>  Secured Proxy  ------>  Unsecured Svc
  (external)                 (ESB)                    (AS)

Apply security policy 5 (Sign and Encrypt) on both the client and the ESB proxy.

Problem:

You may encounter the error below. 
org.apache.axis2.AxisFault: Error in encryption
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:117)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:427)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:555)
at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:531)
at SecurityClient.runSecurityClient(SecurityClient.java:103)
at SecurityClient.main(SecurityClient.java:41)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:115)
Caused by: org.apache.rampart.RampartException: Error in encryption
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:568)
at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:90)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:106)
... 16 more
Caused by: org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used (unsupported key transport encryption algorithm: No such algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p); nested exception is: 
java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityUtil.java:785)
at org.apache.ws.security.message.WSSecEncryptedKey.prepareInternal(WSSecEncryptedKey.java:205)
at org.apache.ws.security.message.WSSecEncrypt.prepare(WSSecEncrypt.java:259)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:534)
... 19 more
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at javax.crypto.Cipher.getInstance(DashoA13*..)
at org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityUtil.java:777)
... 22 more

Solution:
The key transport algorithm named in the trace, http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, is requested by WSS4J as the JCE transformation RSA/ECB/OAEPPadding, and no JCE provider in the client's JVM supplies it. Import the bcprov-jdk15.jar found in wso2esb-4.5.0/repository/axis2/client/lib into the class path of the secured client's project. Bouncy Castle provides that cipher, and WSS4J registers the Bouncy Castle provider itself when it finds the class on the classpath, so no further code change is needed. Keep only one bcprov version on the classpath; a second, conflicting copy brings its own set of errors.
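A quick way to confirm the diagnosis and the fix from the client side, as an added example that is not from the original post: it asks the JCE for the same transformation WSS4J asks for in the trace, and if no provider answers, registers Bouncy Castle reflectively (so it compiles without the jar and reports plainly when bcprov is missing). The reflective registration stands in for what WSS4J does on its own; the ESB path in the message is the one quoted above.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

/** Checks which JCE provider can serve the OAEP key-transport cipher Rampart needs. */
public class OaepProviderCheck {
    // JCE transformation WSS4J requests for the rsa-oaep-mgf1p key transport algorithm.
    static final String OAEP = "RSA/ECB/OAEPPadding";

    /** Returns the name of the provider that can supply the cipher, or null if none can. */
    static String providerFor(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (GeneralSecurityException e) { // NoSuchAlgorithmException or NoSuchPaddingException
            return null;
        }
    }

    /** Registers Bouncy Castle if bcprov is on the classpath; true if the "BC" provider is installed. */
    static boolean ensureBouncyCastle() {
        if (Security.getProvider("BC") != null) return true;
        try {
            Class<?> c = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            Security.addProvider((Provider) c.newInstance());
            return true;
        } catch (Exception e) {
            return false; // bcprov-jdk15.jar is not on the classpath
        }
    }

    public static void main(String[] args) {
        String before = providerFor(OAEP);
        System.out.println("before: " + (before == null ? "no provider for " + OAEP : before));
        if (before != null) return;
        if (!ensureBouncyCastle()) {
            System.out.println("bcprov-jdk15.jar missing; add it from wso2esb-4.5.0/repository/axis2/client/lib");
            return;
        }
        System.out.println("after registering BC: " + providerFor(OAEP));
    }
}
```

Run it once with the client's classpath before adding the jar and once after: the first run reproduces the NoSuchAlgorithmException condition as a null provider, the second should name BC (or the JDK's own provider, on a JDK that already ships OAEP support).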