Thursday, December 20, 2012

Creating a custom User Store with WSO2 IS 4.0.0


Introduction

Generally, an external LDAP is wired into WSO2 IS through the <UserStoreManager> element in user-mgt.xml, with the class attribute selecting the implementation:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.LDAPUserStoreManager"> 
Apart from this, WSO2 IS ships other UserStoreManager implementations such as ActiveDirectoryUserStoreManager and JDBCUserStoreManager; the alternatives are listed in user-mgt.xml inside the distribution's repository/conf directory.

In the same way, a custom user store can be plugged in by pointing the class attribute at your own UserStoreManager implementation.

Use Case

In the sample, CustomUserStoreManager reads user credentials from an XML file (user.xml) and authenticates users against them. It stands in for any CustomUserStoreManager that connects to a custom user store and authenticates users against the credentials held there; a file-backed store is for demonstration only, and a production implementation should compare against salted password hashes rather than recoverable credentials and keep access to the backing store restricted. The same CustomUserStoreManager has also been extended to provide what the STS configuration needs for issuing a SAML token carrying the requested claim values.

 

Configurations

0.  Download WSO2 IS 4.0.0 and extract it to a preferred location. We will refer to that as [IS_HOME].

1. Download the sample from here and extract it.

2. Place the jar file from the sample, org.wso2.carbon.userstoremanager.sample-1.0.jar, in [IS_HOME]/repository/components/lib.
    eg: /home/manisha/WSO2/wso2is-4.0.0/repository/components/lib
3. Replace the user-mgt.xml in [IS_HOME]/repository/conf with the user-mgt.xml that comes with the sample.
 
4. Set the enable property of EmbeddedLDAP to "false" in embedded-ldap.xml in [IS_HOME]/repository/conf, so the server no longer starts the embedded LDAP that the custom store replaces.
    <EmbeddedLDAP>
            <Property name="enable">false</Property>
        ...................

5. Comment out the default CommonHybridLDAPTenantManager in tenant-mgt.xml in [IS_HOME]/repository/conf; it expects the LDAP store that is now disabled.

6. Uncomment the JDBCTenantManager entry in the same tenant-mgt.xml.

7. Delete the database folder in [IS_HOME]/repository if you are not using a freshly extracted IS distribution, so the schema is recreated on the next start.

8. Start the server with the command 'sh wso2server.sh -Dsetup' if you followed step 3.
   Otherwise, if you are using a freshly extracted IS distribution, start the server with 'sh wso2server.sh' as usual.
   (The start-up script differs by OS; the commands above are for Linux.)

9. Log in to the management console with the credentials listed in the user.xml that comes with the sample.

10. Configure the STS to use the custom store, together with the related STS client.

11. Run the STS client to obtain the SAML token.



PS: Courtesy goes to Hasini Gunasinghe

Wednesday, December 5, 2012

Getting NoSuchAlgorithmException when running Secure clients with WSO2 products?


Scenario:

Secured client  ------>  Secured proxy  ------>  Unsecured service
  (external)               (ESB)                     (AS)

Apply security scenario 5 (Sign and Encrypt) to both the client and the ESB proxy.

Problem:

You may encounter the error below on the client side when it sends its first request.
org.apache.axis2.AxisFault: Error in encryption
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:117)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:262)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:427)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:406)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:555)
at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:531)
at SecurityClient.runSecurityClient(SecurityClient.java:103)
at SecurityClient.main(SecurityClient.java:41)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:115)
Caused by: org.apache.rampart.RampartException: Error in encryption
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:568)
at org.apache.rampart.builder.AsymmetricBindingBuilder.build(AsymmetricBindingBuilder.java:90)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:147)
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:106)
... 16 more
Caused by: org.apache.ws.security.WSSecurityException: An unsupported signature or encryption algorithm was used (unsupported key transport encryption algorithm: No such algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p); nested exception is: 
java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityUtil.java:785)
at org.apache.ws.security.message.WSSecEncryptedKey.prepareInternal(WSSecEncryptedKey.java:205)
at org.apache.ws.security.message.WSSecEncrypt.prepare(WSSecEncrypt.java:259)
at org.apache.rampart.builder.AsymmetricBindingBuilder.doSignBeforeEncrypt(AsymmetricBindingBuilder.java:534)
... 19 more
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/OAEPPadding
at javax.crypto.Cipher.getInstance(DashoA13*..)
at org.apache.ws.security.util.WSSecurityUtil.getCipherInstance(WSSecurityUtil.java:777)
... 22 more

Solution:
Add bcprov-jdk15.jar, found in wso2esb-4.5.0/repository/axis2/client/lib, to the classpath of the secured client's project.

Why this works: the Sign and Encrypt policy transports the symmetric content-encryption key with RSA-OAEP (xmlenc#rsa-oaep-mgf1p), which WSS4J turns into the JCE transformation RSA/ECB/OAEPPadding, as the exception message shows. The client's JRE has no provider registered for that transformation, so Cipher.getInstance fails and Rampart reports "Error in encryption". BouncyCastle supplies it, and WSS4J registers the BouncyCastle provider on its own when it finds the class on the classpath, which is why simply adding the jar is enough. Keep the OAEP algorithm: relaxing the policy to RSA PKCS#1 v1.5 key transport (rsa-1_5) would also make the error go away, but it exposes the key exchange to padding-oracle attacks.
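As an added diagnostic that is not part of the original post, the Java program below asks the JCE for the exact transformation named in the exception, reports which provider serves it, registers BouncyCastle if none does (it assumes bcprov is on the classpath, as the fix above requires), and then performs the operation Rampart was attempting when it failed: wrapping a freshly generated AES content key under an RSA public key with OAEP and unwrapping it again. The class and method names are my own.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added diagnostic (not from the post): checks whether the running JRE can serve
 * the key-transport cipher WSS4J needs for the xmlenc rsa-oaep-mgf1p URI.
 */
public class OaepProviderCheck {

    // WSS4J's JCE mapping for http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p,
    // quoted verbatim from the exception message in the post.
    static final String KEY_TRANSPORT = "RSA/ECB/OAEPPadding";

    /** Name of the first provider that can build the transformation, or null if none can. */
    static String providerFor(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (GeneralSecurityException e) { // NoSuchAlgorithmException / NoSuchPaddingException
            return null;
        }
    }

    /**
     * Registers BouncyCastle (bcprov-jdk15.jar on the classpath, as the post recommends)
     * when no installed provider serves the transformation, then re-checks.
     * Appending rather than inserting at position 1 keeps the JDK's own providers first.
     */
    static String ensureProvider(String transformation) {
        String name = providerFor(transformation);
        if (name == null && Security.getProvider("BC") == null) {
            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
            name = providerFor(transformation);
        }
        return name;
    }

    /**
     * The step WSSecEncryptedKey.prepare() performs: wrap a random AES-128 content key
     * under the recipient's RSA public key with OAEP, then unwrap it with the private key.
     * Returns true if the key survives the round trip.
     */
    static boolean oaepKeyTransportRoundTrip() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey contentKey = kg.generateKey();

        Cipher wrap = Cipher.getInstance(KEY_TRANSPORT);
        wrap.init(Cipher.WRAP_MODE, recipient.getPublic());
        byte[] encryptedKey = wrap.wrap(contentKey);

        Cipher unwrap = Cipher.getInstance(KEY_TRANSPORT);
        unwrap.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        SecretKey recovered = (SecretKey) unwrap.unwrap(encryptedKey, "AES", Cipher.SECRET_KEY);

        return Arrays.equals(contentKey.getEncoded(), recovered.getEncoded());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("installed providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersion());
        }
        System.out.println(KEY_TRANSPORT + " served by: " + providerFor(KEY_TRANSPORT));
        String provider = ensureProvider(KEY_TRANSPORT);
        if (provider == null) {
            System.out.println("still no provider for " + KEY_TRANSPORT
                    + "; Rampart will fail with 'Error in encryption' on this JRE");
            return;
        }
        System.out.println("after registering BC, served by: " + provider);
        System.out.println("OAEP key transport round trip OK: " + oaepKeyTransportRoundTrip());
    }
}
```

Run it with the client's own JRE and classpath (java -cp bcprov-jdk15.jar:. OaepProviderCheck). If the first "served by" line prints null and the second prints BC, the client was failing only because the provider was missing, and the jar is the complete fix.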

Friday, November 30, 2012

How to Enable Secure Vault in a WSO2 Carbon Product



1. Extract the Carbon product to a preferred location.

2. Make sure that the cipher-text.properties file is available in CARBON_HOME/repository/conf.

3. Make sure that ciphertool.sh is available in CARBON_HOME/bin.

4. From a command line, navigate to CARBON_HOME/bin and run the Cipher Tool:
   Linux:   sh ciphertool.sh -Dconfigure
   Windows: ciphertool.bat -Dconfigure
This prompts for the keystore password:
[Please Enter Primary KeyStore Password of Carbon Server : ]
For the default wso2carbon.jks, enter 'wso2carbon'.

5. After ciphertool.sh finishes, check the values in cipher-text.properties. Each entry now carries a Base64-encoded ciphertext instead of the plaintext password, for example:
bUJNAEp+hrzC97bxZfdehpi78SoQVCdy0Nnv/5KUvyi14BEc3b4d9Z7fD5TRyWgRyE8rZqZSVg7jFSBxcWnHRmdldTkPBT4x8wZhRDIFtvnI7KzCj9kUdPwol849EDno6ogsG3K+jlm7wEPvE1dGsw46dimb3JiNFJiw1HxQi+g\=

6. Then start the server normally:
   Linux:   sh wso2server.sh
   Windows: wso2server.bat
During start-up it prompts twice:
[Enter KeyStore and Private Key Password :]
Provide 'wso2carbon' at both prompts.

7. The configuration files now hold only the encrypted values, referenced by alias, and the server decrypts them at start-up with the keystore's private key. The protection is therefore only as strong as the keystore file and the password you typed: change the default 'wso2carbon' password on any real deployment, and keep the keystore readable only by the account the server runs as.




When configuring Secure Vault with WSO2 products : Error initializing Cipher

You can configure Secure Vault with WSO2 ESB (or any other Carbon product) to protect sensitive values in the configuration files, such as
 - user store passwords
 - database passwords, etc.
Following the earlier post on how to configure Secure Vault in WSO2 products should get this working completely.
If you use a custom keystore, however, you may encounter the following error:
Exception in thread "main" org.wso2.ciphertool.CipherToolException: Error initializing Cipher
at org.wso2.ciphertool.CipherTool.handleException(CipherTool.java:861)
at org.wso2.ciphertool.CipherTool.initCipher(CipherTool.java:202)
at org.wso2.ciphertool.CipherTool.main(CipherTool.java:80)
Caused by: java.security.InvalidKeyException: Wrong key usage
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at org.wso2.ciphertool.CipherTool.initCipher(CipherTool.java:200)
... 1 more
Now compare the certificates in the two keystores (keytool -list -v prints the KeyUsage extension of each entry). In the default wso2carbon.jks, the KeyUsage is
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]
 - In the custom .jks, the KeyUsage is
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
The JCE enforces this: when a Cipher is initialised for encryption with a certificate (rather than a bare public key) and the certificate's KeyUsage extension is marked critical, Cipher.init refuses a certificate whose dataEncipherment bit is clear and throws InvalidKeyException: Wrong key usage. Because the custom keystore's certificate lacks Data_Encipherment, the Cipher Tool cannot use it to encrypt data for Secure Vault. Generate a new keystore whose certificate includes dataEncipherment in its KeyUsage (keytool's -ext KeyUsage=... option on JDK 7 and later), or, as the minimal fix, a plain keytool self-signed certificate, which carries no KeyUsage extension at all and therefore passes the check.
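To check a keystore before running the Cipher Tool, here is an added Java program that is not the Cipher Tool's own code. It loads a JKS, prints the KeyUsage bits of the chosen entry the way keytool does, applies the same rule javax.crypto.Cipher applies to a certificate passed to init(ENCRYPT_MODE, ...), and then attempts an RSA encryption initialised with the certificate, which is what the two Cipher.init frames in the stack trace point to. The "RSA" transformation, the class and method names, and the sample secret are my assumptions; it needs Java 8 or later for java.util.Base64.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Cipher;

/**
 * Added check (not the WSO2 Cipher Tool's code): explains the
 * "InvalidKeyException: Wrong key usage" from the post by reproducing the rule
 * javax.crypto.Cipher applies when initialised with a certificate.
 * Usage: java KeyUsageCheck <keystore.jks> <keystore-password> <alias>
 */
public class KeyUsageCheck {

    static final String KEY_USAGE_OID = "2.5.29.15";
    // Bit order of X509Certificate.getKeyUsage(), per RFC 5280 section 4.2.1.3.
    static final String[] KEY_USAGE_NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"};

    /**
     * The JDK rule in Cipher.init(int, Certificate): the certificate is refused for
     * ENCRYPT_MODE only when a *critical* KeyUsage extension is present and its
     * dataEncipherment bit (index 3) is false. A certificate without the extension,
     * or with a non-critical one, is accepted whatever its bits say.
     */
    static boolean acceptedForEncryptMode(X509Certificate cert) {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        boolean[] ku = cert.getKeyUsage();
        if (critical == null || !critical.contains(KEY_USAGE_OID) || ku == null) {
            return true;
        }
        return ku.length <= 3 || ku[3];
    }

    /** Lists the KeyUsage bits that are set, in the style keytool -list -v prints them. */
    static String describeKeyUsage(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();
        if (ku == null) {
            return "(no KeyUsage extension)";
        }
        StringBuilder sb = new StringBuilder("KeyUsage [");
        for (int i = 0; i < ku.length && i < KEY_USAGE_NAMES.length; i++) {
            if (ku[i]) {
                sb.append(' ').append(KEY_USAGE_NAMES[i]);
            }
        }
        Set<String> critical = cert.getCriticalExtensionOIDs();
        boolean isCritical = critical != null && critical.contains(KEY_USAGE_OID);
        return sb.append(" ] critical=").append(isCritical).toString();
    }

    /**
     * Encrypts a secret the way the stack trace shows the tool doing it: the Cipher is
     * initialised with the certificate, not the bare public key, which is what triggers
     * the KeyUsage check. "RSA" is an assumed transformation. The Base64 string is the
     * form of value that ends up in cipher-text.properties.
     */
    static String encryptWithCertificate(Certificate cert, String secret)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("RSA");
        cipher.init(Cipher.ENCRYPT_MODE, cert); // throws "Wrong key usage" on an unsuitable cert
        byte[] ct = cipher.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeyUsageCheck <keystore.jks> <password> <alias>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        if (cert == null) {
            System.err.println("no certificate under alias " + args[2]);
            System.exit(1);
        }
        System.out.println("subject : " + cert.getSubjectX500Principal());
        System.out.println("usage   : " + describeKeyUsage(cert));
        System.out.println("accepted for ENCRYPT_MODE: " + acceptedForEncryptMode(cert));
        try {
            // Constructed sample secret; the real tool reads the password from its prompt.
            System.out.println("sample ciphertext: " + encryptWithCertificate(cert, "wso2carbon"));
        } catch (InvalidKeyException e) {
            System.out.println("Cipher.init rejected the certificate: " + e.getMessage());
        }
    }
}
```

Run it against wso2carbon.jks and against the custom keystore (java KeyUsageCheck custom.jks <password> <alias>). A certificate that prints accepted for ENCRYPT_MODE: false will fail inside the Cipher Tool with exactly the exception above, and the critical=true in the usage line shows why a non-critical or absent KeyUsage extension would have passed.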

Thursday, August 30, 2012

Monitor Stats of Carbon 3.2.x products with WSO2 BAM2

Configuring WSO2 ESB Server with Data Publishers
  1. Download WSO2 Enterprise Service Bus 4.0.2 and unzip the distribution to your preferred location. This directory will be referred to as ESB_HOME.
  2. Remove the following jar from the ESB_HOME/repository/components/plugins directory.
org.wso2.carbon.statistics-3.2.2.jar

  3. Place the following set of jars into the ESB_HOME/repository/components/dropins directory. These jars act as the data publishers of WSO2 ESB.
    1. gson-2.1.jar
    2. org.wso2.carbon.bam.service.data.publisher.ui-3.2.3.jar
    3. libthrift-0.7.wso2v1.jar   
    4. org.wso2.carbon.bam.services.stub-3.2.3.jar
    5. org.wso2.carbon.bam.activity.mediation.data.publisher.stub-3.2.3.jar
    6. org.wso2.carbon.eventbridge.agent.thrift-3.2.3.jar
    7. org.wso2.carbon.bam.data.publisher.util-3.2.3.jar
    8. org.wso2.carbon.eventbridge.commons-3.2.3.jar
    9. org.wso2.carbon.bam.mediationstats.data.publisher.stub-3.2.3.jar
    10. org.wso2.carbon.eventbridge.commons.thrift-3.2.3.jar
    11. org.wso2.carbon.bam.service.data.publisher-3.2.3.jar
    12. org.wso2.carbon.statistics-3.2.4.jar
    13. org.wso2.carbon.bam.service.data.publisher.stub-3.2.3.jar
    14. org.wso2.carbon.utils-3.2.3.jar
The above jars can be downloaded from the FTP Location

  4. Start WSO2 ESB with the following command from the ESB_HOME/bin directory.
sh wso2server.sh
  5. Log in to the management console with your credentials and go to the "Configure" tab. A new feature named "Service Data Publishing" is listed in the menu; click it to open its configuration page.

  6. Check the "Enable Service stats" check box under "Service Configuration".
  7. Specify the Stream Definition Configuration parameters as preferred.
  8. Specify the "BAM URL" under "BAM Credential" in the following format.
tcp://<ip_address>:7611 (eg:  tcp://10.10.12.79:7611)

  9. Click on "Update".

PS: Similarly, you can configure the other carbon server nodes as well (eg: WSO2 BPS, WSO2 DSS and WSO2 AS)




Configure Standalone WSO2 BAM and Monitor Data

  1. Change the port offset of the WSO2 BAM server so that it does not clash with the ports of the WSO2 ESB configured earlier.
Change the <Offset> parameter in the carbon.xml file that resides in the BAM_HOME/repository/conf directory.
  2. Start the server with the following command from the BAM_HOME/bin directory.
sh wso2server.sh
  3. Invoke the service(s) deployed in WSO2 ESB.
  4. Log in to the WSO2 BAM Management Console. Go to "Main" tab --> "Manage" menu --> "Cassandra Explorer" --> "Connect to Cluster".
Provide the following inputs (admin/admin are the defaults; change them on anything but a test setup)
Connection URL: localhost:9160
Username: admin
Password: admin
Click on "Connect".
  5. This lists the "Keyspaces". Inspect the records stored under the respective Stream Name in the "EVENT_KS" keyspace; their columns are the fields your toolbox will query.
With these details, create a BAM Archive package and deploy it as a "BAM Toolbox".

  6. Create a Toolbox that contains the following components.
    1. Database script
    2. Gadget XMLs
    3. Jaggery scripts
The Toolbox should be packaged as a ".bar" package. The sample Toolbox can be found at the FTP location

  7. Deploy the Toolbox from "Main" tab --> "Manage" menu --> "BAM Toolbox" --> "Add" in the WSO2 BAM management console.

  8. From the Custom Toolbox table, browse for the created .bar package and click "Deploy".
  9. Until deployment completes, the status of the package is shown as "Awaiting to Deploy".

  10. Refresh the page until the status changes to "Deployed".

  11. Go to "Main" tab --> "Manage" menu --> "Analytics" --> "List Scripts".
  12. Click on "Edit".

  13. This opens the Script Editor showing the database script included in the deployed .bar package. Click on "Run".

  14. On successful execution, the results appear in the "Script Results" section below the "Script" editor.
  15. Go to "Main" tab --> "Dashboard" menu --> "BAM Dashboard" to see the deployed gadgets on the dashboard.

Tuesday, August 28, 2012

Authentication on a deployed Web App??

Enterprises use Java web applications for a wide range of requirements, and organisational policy often requires these applications to enforce authentication and access control.
In the article referenced here, I show how WSO2 Application Server acts as the deployment container for a web application and authenticates the hosted application against a chosen user store. The write-up also covers enforcing secure connections by enabling HTTPS for the web application.

Saturday, October 1, 2011

Process Automation Facet in WSO2 BPS, Mechanizes Human Interaction


Every heterogeneous business revolves around tasks that need human interaction. Computerised procedures execute much of this bulk work, but they still have to be combined with human communication. In a business process flow there are multiple tasks performed by multiple human roles and human users; some must be synchronised, while others need a pipeline implementation.

For instance, consider Tasks A and B and Human Roles X and Y, to be completed in sequence. Task A is accomplished by Human Role X. Invoking the next task in line, Task B, which is handled by Human Role Y, needs a trigger after the completion of Task A. This trigger should be directed at the particular Role Y, not at Task B.
The WS-BPEL standards facilitate the integration of human interaction into the process flow. This has been demonstrated by a sample implemented for the WSO2 product pack release process automation flow.

Existing Work Flow of Product Release Process

The Build Manager is the person who triggers this process in the first place. A build manager can play any role within any product team and is solely responsible for building products for testing. At the milestones that development teams reach routinely, the build manager builds the products and releases the built pack to QA for testing.
Issues found in the product are reported and assigned to a developer to resolve. Once the assignees have fixed the issues and thorough testing sessions have been completed, the products are released as Release Candidates (RC). These RCs too are built by the Build Manager, and notifications are sent by mail to Carbon-Dev. If further issues or bugs are found, they are fixed and the packs are built again, so there can be several RC versions such as RC1, RC2 and so on. The package builds are uploaded to a location accessible via the web. This is followed by checking the published packs, which includes ensuring that the binaries function correctly and completing the documentation and release notes. A notification is then sent to the relevant groups informing them that the particular RC is ready for release.
The product managers then download the packs, sign them with their private keys, and upload the signatures to a location separate from the RC hosting site. When that task is complete, the infrastructure team uploads the RCs to the server where all finalised releases are maintained.
Subsequently the Oxygen Tank (OT) staff take up the task of creating a page for the new RC, publishing it on OT and hosting the pack there, as shown in [1].
Ultimately the product release process ends when the release notes are sent to the relevant mailing lists and the forums and blogs are updated.
 
Automated Product Release Process

Currently no automation is involved in this product release process. The synchronisation and tracking problems inherent in the manual release process will be resolved by this automation initiative, making the process flow less complicated.
The process is triggered when an RC is finalised for release by the Build Manager. The normal workflow is then followed and tasks are assigned to the various members. Each party involved in the process has a "TASK" list displaying the tasks assigned to its 'User Role'. This is a convenient and efficient way of tracking the tasks that take place during the process; bottlenecks, current progress and so on can also be identified without much difficulty through the system.
Once a member finishes a task, the system generates a notification saying that the task is 'COMPLETED', and the next task in line is triggered for the relevant User Role with the 'READY' tag. All the synchronisation then takes place and the relevant places are updated with the proper notices.

The detailed configuration for Human Task related process automation will be posted soon...

References