Thursday, October 23, 2014

Reverse proxy and Active/Passive load balancing with HAProxy


Consider a requirement where you want to implement both high availability and URL mapping.



Here you want your service to be exposed as yourserver.com/yourservice, while the actual service runs in your DMZ at yourserver:8280/yourservice (i.e. with a port). You also want to implement high availability by maintaining a standby node (yourserver-standby:8280/yourservice). The following text describes how to achieve this using HAProxy.

HAproxy is a lightweight open source proxy/load balancer which you can easily configure for your needs. Described below are the minimal steps required to implement a scenario like above.


Install HAproxy.
sudo apt-get install haproxy

Enable HAproxy.
Open /etc/default/haproxy file and set the ENABLED value to 1.
ENABLED=1

Configure HAproxy.
Open /etc/haproxy/haproxy.cfg file and add the following configuration at the bottom.

frontend haproxyfrontend
   # replace XXX.XXX.XXX.XXX with the ip address of haproxy
   bind XXX.XXX.XXX.XXX:80
   option http-server-close
   acl url_esbapi path_beg /myapi
   use_backend esb-backend if url_esbapi

backend esb-backend
   reqrep ^([^\ :]*)\ /myapi/(.*) \1\ /\2
   # replace xxx.xxx.xxx.xxx with your actual backend server ip addresses.
   server esb-1 xxx.xxx.xxx.xx1:8280 check
   server esb-2 xxx.xxx.xxx.xx2:8280 backup check

listen stats :1936
   stats enable
   stats scope esb-backend
   stats uri /
   stats realm Haproxy\ Statistics
   stats auth admin:admin

Start the HAproxy
sudo service haproxy start (or stop, restart, status)

Definitions of the configs
The frontend named "haproxyfrontend" handles incoming traffic and listens on port 80.

acl url_esbapi path_beg /myapi
use_backend esb-backend if url_esbapi

Any request whose path begins with "/myapi" is routed to esb-backend; the settings of esb-backend are defined under backend esb-backend.

server esb-2 xxx.xxx.xxx.xx2:8280 backup check
This declares esb-2 as a member of the backend, and 'backup' marks it as the passive node, which only receives traffic when no active server is available.


The config under listen stats :1936 defines the HAProxy statistics page. This is optional, but by enabling it you will be able to see the status of the nodes at localhost (or the IP of HAProxy):1936 as follows
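To make the routing decision in the configuration above checkable offline, here is a small Python model of the three directives it relies on ('acl ... path_beg', 'reqrep' and the 'backup' server flag). This is an added example, not code from the original post and not HAProxy itself; the server names and placeholder addresses are copied from the config, and the health state is passed in as a dict standing in for the result of 'check'.

```python
import re

# Added example, not from the original post and not HAProxy code: a small
# model of the three directives used in the config above ('acl ... path_beg',
# 'reqrep' and the 'backup' server flag), so the routing decision can be
# checked offline against sample request lines.

MYAPI_PREFIX = "/myapi"

def path_beg(path, prefix=MYAPI_PREFIX):
    """'acl url_esbapi path_beg /myapi': a plain prefix match on the path."""
    return path.startswith(prefix)

# 'reqrep ^([^\ :]*)\ /myapi/(.*) \1\ /\2' operates on the whole request line,
# e.g. "GET /myapi/foo HTTP/1.1"; HAProxy's '\ ' is a literal space.
REQREP = re.compile(r"^([^ :]*) /myapi/(.*)")

def reqrep(request_line):
    """Strip the '/myapi/' segment from the request line before forwarding."""
    return REQREP.sub(r"\1 /\2", request_line, count=1)

# 'server esb-1 ... check' and 'server esb-2 ... backup check' (placeholder
# addresses copied from the config above).
SERVERS = [
    {"name": "esb-1", "addr": "xxx.xxx.xxx.xx1:8280", "backup": False},
    {"name": "esb-2", "addr": "xxx.xxx.xxx.xx2:8280", "backup": True},
]

def choose_server(servers, up):
    """Pick like HAProxy: an active server while any is healthy (the 'check'
    result is passed in as the 'up' dict), a 'backup' server only when none is."""
    active = [s["name"] for s in servers if not s["backup"] and up.get(s["name"])]
    if active:
        return active[0]
    backups = [s["name"] for s in servers if s["backup"] and up.get(s["name"])]
    return backups[0] if backups else None

def route(request_line, up):
    """Frontend decision for one request: None when no 'use_backend' rule
    matches (the config above has no default_backend), otherwise the backend
    name, the request line the backend will see and the chosen server."""
    _method, path, _version = request_line.split(" ", 2)
    if not path_beg(path):
        return None
    return {
        "backend": "esb-backend",
        "request": reqrep(request_line),
        "server": choose_server(SERVERS, up),
    }
```

Two things the model makes visible that the config does not say: path_beg /myapi is a prefix match, so /myapiv2/... also reaches esb-backend, but the reqrep regex only strips /myapi/ with its trailing slash, so such requests (and a bare /myapi) are forwarded unrewritten. reqrep is HAProxy 1.x syntax and was removed in HAProxy 2.1 in favour of the http-request replace-* actions. The stats listener is outside the model; note that listen stats :1936 as written binds on every interface with fixed credentials, so in a real deployment bind it to a management address and change stats auth.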









Monday, October 13, 2014

Reverse Proxy with Apache2

Suppose that you already have a service running at 127.0.0.1:8080/docs and you want to make it available via 127.0.0.1/docs; then we have to employ some URL mappings. The following steps describe how to do this with the Apache2 server.

Install Apache2
apt-get install apache2

Get the module and dependencies.
apt-get install libapache2-mod-proxy-html libxml2-dev

Activate the modules
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp
a2enmod rewrite
a2enmod deflate
a2enmod headers
a2enmod proxy_balancer
a2enmod proxy_connect
a2enmod proxy_html

Modify the default configuration file
nano /etc/apache2/sites-enabled/000-default.conf

Add following as appropriate

   ProxyPreserveHost On
   ProxyPass / http://127.0.0.1:8080/
   ProxyPassReverse / http://127.0.0.1:8080/
   ServerName localhost



Restart Apache2
sudo service apache2 restart or sudo apache2ctl restart

Test
Once restarted, open localhost/docs in a browser. If you get the same site as when you type localhost:8080/docs, then you have configured the reverse proxy properly.


For https

Activate the module
a2enmod ssl

Add following to the default configuration file (/etc/apache2/sites-enabled/000-default.conf)





SSLEngine on
SSLCertificateFile /home/path/to/ca.crt
SSLCertificateKeyFile /home/path/to/ca.key

ProxyPreserveHost On
SSLProxyEngine on

# Proxy path which user wants to map with actual backend
ProxyPass /myapp https://localhost:9443/app/
ProxyPassReverse /myapp https://localhost:9443/app/
ProxyPassReverseCookiePath /app /myapp


Restart Apache2 and test similarly to the setup above.
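The HTTPS configuration above uses ProxyPass, ProxyPassReverse and ProxyPassReverseCookiePath without saying what each rewrite does. The following is an added Python model of those three rewrites (example code, not from the original post and not Apache's own code); it uses the /myapp and https://localhost:9443/app/ values from the config, with matching trailing slashes on both ProxyPass arguments as mod_proxy recommends, and the header values fed in are constructed.

```python
# Added example, not from the original post and not Apache code: a minimal
# model of what ProxyPass, ProxyPassReverse and ProxyPassReverseCookiePath
# do to a request path and to response headers, using the public prefix and
# backend URL from the HTTPS configuration above (with matching trailing
# slashes on both sides, as mod_proxy recommends).

PUBLIC_PREFIX = "/myapp/"                   # ProxyPass first argument
BACKEND = "https://localhost:9443/app/"     # ProxyPass second argument
COOKIE_PATH_BACKEND = "/app"                # ProxyPassReverseCookiePath internal path
COOKIE_PATH_PUBLIC = "/myapp"               # ProxyPassReverseCookiePath public path

def proxy_pass(request_path):
    """ProxyPass: map a client path under the public prefix to the backend URL.
    Returns None when the prefix does not match (Apache serves it itself)."""
    if not request_path.startswith(PUBLIC_PREFIX):
        return None
    # mod_proxy appends the remainder of the path literally, which is why the
    # two arguments should agree on the trailing slash.
    return BACKEND + request_path[len(PUBLIC_PREFIX):]

def proxy_pass_reverse(headers):
    """ProxyPassReverse: rewrite Location, Content-Location and URI headers
    that point at the backend so the client keeps talking to the proxy."""
    rewritten = dict(headers)
    for name in ("Location", "Content-Location", "URI"):
        value = rewritten.get(name)
        if value and value.startswith(BACKEND):
            rewritten[name] = PUBLIC_PREFIX + value[len(BACKEND):]
    return rewritten

def proxy_pass_reverse_cookie_path(set_cookie):
    """ProxyPassReverseCookiePath: rewrite the Path attribute of a Set-Cookie
    header from the backend path to the public path (prefix comparison, as
    mod_proxy does it)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    for i, part in enumerate(parts):
        if part.lower().startswith("path="):
            path = part[len("path="):]
            if path.startswith(COOKIE_PATH_BACKEND):
                parts[i] = "Path=" + COOKIE_PATH_PUBLIC + path[len(COOKIE_PATH_BACKEND):]
    return "; ".join(parts)

def proxy_response(headers):
    """Apply both reverse rewrites to one backend response's headers."""
    out = proxy_pass_reverse(headers)
    if "Set-Cookie" in out:
        out["Set-Cookie"] = proxy_pass_reverse_cookie_path(out["Set-Cookie"])
    return out
```

The cookie rewrite is the one most often forgotten: without it the backend's session cookie is scoped to Path=/app, a path the browser never requests through the proxy, so the cookie is never sent back and logins silently fail. ProxyPassReverse only rewrites absolute URLs that name the backend exactly as given in the directive; a backend that builds redirects from its own hostname needs ProxyPreserveHost On (as in the config above) or a matching ProxyPassReverse line.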


Reference
[1] - https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension



Wednesday, October 01, 2014

WSO2-IS - How to add an AD LDAP as a secondary userstore

It's very simple: only 5 steps

1. Create a file (let's say MyLdapUserStore.xml) in IS_HOME/repository/conf/deployment/server/userstores

2. Copy and paste the following lines [1] into the file, and make the relevant changes according to your LDAP server, e.g. server IP, port, UserSearchBase, GroupSearchBase etc.

3. Save the file, making sure the file name is the same as the DomainName property (i.e. Property name="DomainName" with value MyLdapUserStore) in the UserStoreManager config [1]

4. Import the LDAP server's certificate into the client truststore at IS_HOME/repository/resources/security/client-truststore.jks

5. Start the server and check 'User Store Management' in the management console; you will see the user store you created. Also, if you look at the 'Users' section you will see your user store's domain listed in the 'Select Domain' combo box


[1]

            org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager
            WSO2.TEST
     MyLdapUserStore
            false                                   
            false
            ldaps://: 
            CN=Administrator,CN=Users,DC=wso2,DC=test
            xxxxxx
     PLAIN_TEXT
            CN=Users,DC=wso2,DC=test
            user
            cn
            false
     512
            (objectClass=user)
     (&(objectClass=user)(cn=?))
            [a-zA-Z0-9._-|//]{3,30}$
            ^[\S]{3,30}$
            ^[\S]{5,30}$
     ^[\S]{3,30}$
            [a-zA-Z0-9._-|//]{3,30}$
     true
     true
     true
            CN=Users,DC=wso2,DC=test
     group
            cn
            cn
            CN=Users,DC=wso2,DC=test
            groups
            (object=organizationalUnit)
            ou
            organizationalUnit
            member
            (objectcategory=group)
     (&(objectClass=group)(cn=?))
            true
            follow
     true
            100
            100

Monday, September 29, 2014

Creating a WSO2 IS cluster



Do the registry mounting as described in the previous blog (http://susinda.blogspot.com/2014/09/is-moving-user-db-registry-and-local.html).

Create another IS node (B) by copying the node we created in the previous blog.

Configure the shared registry database and mounting details in the other node (let's say Node2), and create another database called REGISTRY_LOCAL2 and configure that as the local registry for Node2.

In Node2 do the following configuration in is_home/repository/conf/registry.xml of the worker node, as shown below:

Set ReadOnly true for the shared registry


    instanceid

    sharedregistry

    true


Set embedded false for EmbeddedLDAP
In embedded-ldap.xml set embedded to false, since this node will use node A's LDAP
  
    true

Point node 2 to the default user store of node1. 
You need to configure the connection URL in user-mgt.xml of node2 as given below (default port is 10389). By default, the connection URL given in the file is ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}.

    <------------>
    ldap://[IP_of_node1]:10389




On the manager node, do the following configurations

1.In axis2.xml

Enable clustering






Set membership scheme


wka


set domain


wso2.is.domain


set sub domain as "mgt"



   
   
   



Set localmemberHost


127.0.0.1


set localmember port


4000


Add the ELB as a member in the members section, using the ELB's group_mgt_port as the port



        127.0.0.1
        4500




2. In carbon.xml do the following

Set host name
 wso2.is.com

Set management host name
 wso2.is.com

3. In catalina-server.xml set proxyports in http and https respectively
proxyPort="80"
proxyPort="443"


Configure ELB
1. Edit loadbalancer.conf as follows
services {
    identity {
    domains {
         wso2.is.domain {
            tenant_range *;
            group_mgt_port 4500;
            mgt{
                hosts wso2.is.com;
            }
        }
    }
}
}


2.In axis2.xml configure following

Enable clustering


Set membership scheme
wka

set domain
wso2.lb.domain

set localmember port
4200




Running the cluster
  1. Start the ELB (you need to be the superuser of that computer to start ELB since we are running ELB on default ports) and the IS nodes.
  2. Now you can access the management console using the following URL: https://wso2.is.com/carbon/

Friday, September 26, 2014

WSO2-IS Mounting User_Db and Registry in MySql



1. Create Mysql databases

Use following commands

mysql -u root -p
-- Note that my username and password for mysql are root / root

create database WSO2_USER_DB;
use WSO2_USER_DB;
source /dbscripts/mysql.sql;
source /dbscripts/identity/mysql.sql;
source /dbscripts/identity/application-mgt/mysql.sql;
grant all on WSO2_USER_DB.* TO root@"carbondb.mysql-wso2.com" identified by "root";

create database REGISTRY_DB;
use REGISTRY_DB;
source /dbscripts/mysql.sql;
grant all on REGISTRY_DB.* TO root@"carbondb.mysql-wso2.com" identified by "root";

create database REGISTRY_LOCAL1;
use REGISTRY_LOCAL1;
source /dbscripts/mysql.sql;
grant all on REGISTRY_LOCAL1.* TO root@"carbondb.mysql-wso2.com" identified by "root";

2. Define the host name
To configure permissions for the new database, add the following line to the /etc/hosts file
MYSQL-DB-SERVER-IP carbondb.mysql-wso2.com

3. Add MySQL JDBC driver 
Download MySQL driver  and copy the MySQL JDBC driver JAR (mysql-connector-java-x.x.xx-bin.jar) into the /repository/components/lib directory .

4. Configure master-datasources

        org.wso2.carbon.ndatasource.rdbms.RDBMSDataSourceReader 
     
     
         
            REGISTRY_LOCAL1 
            The datasource used for registry- local 
             
                jdbc/WSO2CarbonDB 
             
             
                 
                    jdbc:mysql://carbondb.mysql-wso2.com:3306/REGISTRY_LOCAL1?autoReconnect=true 
                    root 
                    root 
                    com.mysql.jdbc.Driver 
                    50 
                    60000 
                    true 
                    SELECT 1 
                    30000 
                 
             
         
         
            REGISTRY_DB 
            The datasource used for registry- config/governance 
             
                jdbc/WSO2RegistryDB 
             
             
                 
                    jdbc:mysql://carbondb.mysql-wso2.com:3306/REGISTRY_DB?autoReconnect=true 
                    root 
                    root 
                    com.mysql.jdbc.Driver 
                    50 
                    60000 
                    true 
                    SELECT 1 
                    30000 
                 
             
         
          
            WSO2_USER_DB 
            The datasource used for registry and user manager 
             
                jdbc/WSO2UMDB 
             
             
                 
                    jdbc:mysql://carbondb.mysql-wso2.com:3306/WSO2_USER_DB 
                    root 
                    root 
                    com.mysql.jdbc.Driver 
                    50 
                    60000 
                    true 
                    SELECT 1 
                    30000 
                 



5. Configure user-mgt.xml
 
jdbc/WSO2UMDB

6. Configure registry xml
 Add following config
        
    
     jdbc/WSO2RegistryDB
    
  
 
     instanceid
     sharedregistry
     false
     true
     /
     root@jdbc:mysql://carbondb.mysql-wso2.com:3306/REGISTRY_DB?autoReconnect=true
 
  
 
     instanceid
     /_system/asNodes
 
  
 
     instanceid
     /_system/governance
 


7. Configure identity.xml 
Change dataSource name as follows
jdbc/WSO2UMDB


8. Configure application-authentication.xml
Change dataSource name as follows
jdbc/WSO2UMDB


References
[1] - https://docs.wso2.com/display/CLUSTER420/Setting+up+the+Database

Encrypted content in registry.


Just thought I'd post this info, in case someone might need it in future.


Server   Data                                      Registry location
Common   KeyStore info                             governance/repository/security/key-stores/
Common   Logger config info                        config/repository/components/org.wso2.carbon.logging/loggers/
GREG     "Report Schedule" configuration info      config/repository/components/org.wso2.carbon.registry.reporting/configurations/
BAM      JMX profiles                              governance/repository/components/org.wso2.carbon.publish.jmx.agent/
ESB      BAM server profiles                       config/bamServerProfiles
APIM     BAM server profiles                       config/bamServerProfiles
APIM     Secure endpoints                          config/repository/components/secure-vault
IS       Policies                                  governance/repository/identity/entitlement/
DSS      Passwords of ndatasource configuration    config/repository/components/org.wso2.carbon.ndatasource

Monday, September 22, 2014

Expose a secured backend service as an insecure service


Suppose we have a secured backend service that we want to access from the ESB. For this we may need to create the authentication headers. This can be done using the Header mediator, Script mediator or Class mediator (refer to [1] http://sajithblogs.blogspot.com/2013/08/wso2-esb-adding-complex-soap-headers-to.html). This blog (soasecurity [2] http://soasecurity.org/2014/03/25/how-to-esb-invoking-username-token-secured-backend-service/) describes how to do this via a class mediator. Another way is to use a security policy in the ESB; this is described in Sagara's blog ([3] - http://ssagara.blogspot.com/2013/07/wso2-esb-set-ws-security-ut-user-names.html).



Here I'm going to describe a test setup for [3]

Implement a Secured backend using WSO2AS

Start wso2 AS

Create a role called aliceRole
Create a user called alice and password is "alicePW"
Assign alice to aliceRole

Secure the "Version" (service which comes by default in AS) by using management console.
Select yes in EnableSecurity dropdown
Select UsernameToken from Basic Scenarios and click next
Check on aliceRole (that we have created in previous step) and click finish.


ESB Configurations

Start ESB

Create an endpoint for the secured Version service in the AS

Create a proxy service that uses this endpoint


 
   
      
      
         
            
            
               
            
         
      
      
   

   
      
Create PasswordCallback handler
Refer to the soasecurity blog ([4] http://soasecurity.org/2010/02/07/how-to-create-a-password-callback-class/)
SVN checkout https://svn.wso2.org/repos/wso2/people/asela/ws-security/password-callback/
Modify the logic as follows (since we need to add password lookup for alice)

// Logic to get the password to build the username token.
// 'id' is the identifier taken from the password callback and 'pwcb' is the
// callback object; the handler supplies the password for the user being authenticated.
if ("alice".equals(id)) {
    pwcb.setPassword("alicePW");
}
if ("bob".equals(id)) {
    pwcb.setPassword("bobPW");
}

Build using mvn clean install
Copy the output jar in to ESB/repository/components/lib

Add following policy to ESB registry (to gov:/repository/policy_1.xml)


 

    
        
            
                
                    
                        
                            
                        
                    
                    
                        
                            
                        
                    
                    
                        
                            
                        
                    
                    
                
            
            
                
                    
                
            

            
                alice
                org.wso2.samples.pwcb.PWCBHandler
            
        
    

Make the asEndpoint a secured endpoint
Go to the endpoint view, select asEndpoint and click on edit.
Then under Advanced Options check WS-Security and, in Policy Key, specify the path gov:/repository/policy_1.xml (the path where we saved the policy in the registry).
Click on 'Save & Close'

Restart the ESB server (since we have put our jar in components/lib)

Try the versionProxy using the ESB's TryIt tool. If everything is configured properly you should get the following response in the TryIt tool:
 

   Application Server-5.2.1


References
[1] - http://sajithblogs.blogspot.com/2013/08/wso2-esb-adding-complex-soap-headers-to.html
[2] - http://soasecurity.org/2014/03/25/how-to-esb-invoking-username-token-secured-backend-service/
[3] - http://ssagara.blogspot.com/2013/07/wso2-esb-set-ws-security-ut-user-names.html
[4] - http://soasecurity.org/2010/02/07/how-to-create-a-password-callback-class/

Thursday, September 18, 2014

Configuring WSO2 ESB with MB for Guaranteed Delivery


In this post I'm going to discuss how to configure WSO2 ESB and MB for guaranteed delivery. In my previous post I discussed a similar implementation using ActiveMQ. I recommend reading that for detailed instructions, since I'm going to keep this very brief.

ESB Configurations

Add required jars
Copy the following jars from the WSO2MB/client-lib folder to the ESB/repository/components/lib folder.
andes-client-0.13.wso2v4
geronimo-jms_1.1_spec-1.1.0.wso2v1

Enable the jms transports in axis2.xml for MB
Open the /repository/conf/axis2/axis2.xml with a text editor. 

  • Uncomment the xml config below the '!--Uncomment this and configure as appropriate for JMS transport support with WSO2 MB 2.x.x --'
  • Uncomment the line below '!-- uncomment this and configure to use connection pools for sending messages'


Edit jndi.properties
Open /repository/conf/jndi.properties with a text editor and edit it so that it has the following config

# register some connection factories
# connectionfactory.[jndiname] = [ConnectionURL]
connectionfactory.QueueConnectionFactory = amqp://admin:admin@clientID/carbon?brokerlist='tcp://localhost:5673'
connectionfactory.TopicConnectionFactory = amqp://admin:admin@clientID/carbon?brokerlist='tcp://localhost:5673'

# register some queues in JNDI using the form
# queue.[jndiName] = [physicalName]
queue.JMSMS_MB=JMSMS_MB

# register some topics in JNDI using the form
# topic.[jndiName] = [physicalName]
topic.MyTopic = myTopic


Create a proxy service, message-store and message-processor in ESB.
You can use the following code


 
   
      
org.wso2.andes.jndi.PropertiesFileInitialContextFactory repository/conf/jndi.properties JMSMSMB 1000 1000 true


Start backend service (refer the previous blog)

Start WSO2 MB
go to WSO2MB/bin and use the command ./wso2server.sh

Start ESB and copy paste the above configuration in source view.


Test

Invoke the sampleProxy using the TryIt tool and observe the backend service's terminal; you should see something like the following
samples.services.SimpleStockQuoteService :: Generating quote for : APPLE
Observe the web console of MB, 
Goto the management console of MB and click on the Browse button under Queue you would see something like follows


You will see that a queue named JSMMSMB has been created there, and that its message count is zero.


Shutdown the backend service and test again, 

You will see errors in ESB terminal like follows

ERROR - BlockingMsgSender Error sending Message to url : http://localhost:9000/services/SimpleStockQuoteService
org.apache.axis2.AxisFault: Connection refused

Observe the WSO2 MBs queue.
Go to the management console of MB and click on the Browse button under Queue; you will see the queue named JSMMSMB there, and that its message count is now one.

Then start the backend service again
You will see on the backend service's console that it received the message.
Also look at the MB's web console and refresh the page; you will see that the message count is now equal to zero again, that is, there are no messages that it did not deliver.

This concludes the guaranteed delivery demonstration.







Tuesday, September 16, 2014

Implementing Guaranteed delivery in WSO2 ESB

Start ActiveMQ
~/activeMQ/apache-activemq-5.9.1/bin
./activemq start

Check the web console and make sure it is running
http://localhost:8161/admin

Copy following jars from apacheMq/lib to ESB_HOME/repository/components/lib
activemq-broker-5.9.1.jar  
activemq-client-5.9.1.jar 
geronimo-j2ee-management_1.1_spec-1.0.1.jar  
geronimo-jms_1.1_spec-1.1.1.jar

Build the SimpleStockQuoteService in ESB samples
~/ESB/wso2esb-4.8.1/samples/axis2Server/src/SimpleStockQuoteService$
ant

Start the axis2Server in ESB samples
~/products/ESB/wso2esb-4.8.1/samples/axis2Server$
./axis2server.sh

Make sure SimpleStockQuoteService is running by pointing the browser to
http://localhost:9000/services/SimpleStockQuoteService?wsdl


Start ESB
~/ESB/wso2esb-4.8.1/bin$
 ./wso2server.sh

Log into management console
https://10.100.0.115:9443/carbon/admin/index.jsp

Go to source view and paste this code
   


      org.apache.activemq.jndi.ActiveMQInitialContextFactory
      tcp://localhost:61616
      1.1




   
1000 1000 true

Log in to the management console and invoke the SampleProxy via the TryIt tool. You will not see a response there (due to our proxy implementation here), but if you check the terminal of axis2Server you will see something like the following.
samples.services.SimpleStockQuoteService :: Generating quote for : APPLE
That means the message store and processor have worked successfully and your message has hit the backend (i.e. SimpleStockQuoteService). Also, if you look at the ActiveMQ web console for queues at
http://localhost:8161/admin/queues.jsp you will see that enqueued and dequeued messages are both equal to one.




Test On guaranteed Delivery

Stop the SimpleStockQuoteService and invoke the SampleProxy again from the TryIt tool (this time for symbol IBM). If you then check the ActiveMQ web console you will see that enqueued messages are 2 but the dequeued message count is 1.

Also notice the error in ESB terminal.
ERROR - ForwardingService BlockingMessageSender of message processor [Forwarder] failed to send message to the endpoint NFO - ForwardingService Pausing the service of message processor [Forwarder] INFO - HTTPSender Unable to sendViaPost to url[http://localhost:9000/services/SimpleStockQuoteService] java.net.ConnectException: Connection refused

Then again start the SimpleStockQuoteService 
View the activeMQ web console you would see that both enqueued and dequeued messages count is 2.

Also in the axis2Server terminal you would see that it has received the request for symbol IBM
samples.services.SimpleStockQuoteService :: Generating quote for : IBM

Conclusion

Once the server is restarted enqueued messages have been delivered to the backend. This concludes the guaranteed delivery.
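Both this post and the WSO2 MB post above demonstrate the same store-and-forward pattern: the proxy persists each request in a message store, a forwarding message processor delivers it to the backend and removes it only after a successful send, and a backend outage pauses the processor rather than losing the message. The following Python model replays that test sequence (APPLE delivered, IBM held while the backend is down, then delivered after restart). It is an added example, not Synapse configuration or code from the original posts; the Backend, MessageStore and ForwardingProcessor classes are constructed stand-ins, and the enqueued/dequeued counters mimic the figures read off the broker's web console.

```python
from collections import deque

# Added example, not from the original posts and not WSO2 Synapse code: a
# Python model of the store-and-forward pattern the two posts demonstrate
# (proxy -> message store -> forwarding message processor -> backend). The
# backend, store and processor are constructed stand-ins; the counters mimic
# the "enqueued"/"dequeued" figures read off the broker's web console.

class Backend:
    """Stand-in for SimpleStockQuoteService; toggle .running to simulate a restart."""
    def __init__(self):
        self.running = True
        self.received = []

    def send(self, message):
        if not self.running:
            raise ConnectionError("Connection refused")
        self.received.append(message)

class MessageStore:
    """Durable FIFO queue. A message leaves the queue only after the
    processor acknowledges a successful send, which is what makes delivery
    survive a backend outage."""
    def __init__(self):
        self._queue = deque()
        self.enqueued = 0
        self.dequeued = 0

    def put(self, message):
        self._queue.append(message)
        self.enqueued += 1

    def peek(self):
        return self._queue[0] if self._queue else None

    def ack(self):
        self._queue.popleft()
        self.dequeued += 1

    def pending(self):
        return len(self._queue)

class ForwardingProcessor:
    """Forwards stored messages in order. After max_attempts consecutive
    failures it pauses (like "Pausing the service of message processor" in
    the ESB log) and leaves the message in the store; resume() retries."""
    def __init__(self, store, backend, max_attempts=3):
        self.store = store
        self.backend = backend
        self.max_attempts = max_attempts
        self.paused = False

    def run(self):
        """Drain the store; returns the number of messages delivered."""
        delivered = 0
        while not self.paused and self.store.pending():
            message = self.store.peek()
            for _attempt in range(self.max_attempts):
                try:
                    self.backend.send(message)
                except ConnectionError:
                    continue
                self.store.ack()        # only now is the message gone
                delivered += 1
                break
            else:
                self.paused = True      # all attempts failed: keep the message, stop
        return delivered

    def resume(self):
        self.paused = False
        return self.run()

def sample_proxy(store, symbol):
    """The proxy service: persist the request and return (no reply to the caller)."""
    store.put({"symbol": symbol})

def demo():
    """Replays the test sequence from the posts; returns the three console snapshots."""
    backend, store = Backend(), MessageStore()
    processor = ForwardingProcessor(store, backend)

    sample_proxy(store, "APPLE")
    processor.run()
    backend_up = (store.enqueued, store.dequeued)            # (1, 1)

    backend.running = False                                   # backend stopped
    sample_proxy(store, "IBM")
    processor.run()
    backend_down = (store.enqueued, store.dequeued, processor.paused)  # (2, 1, True)

    backend.running = True                                    # backend restarted
    processor.resume()
    after_restart = (store.enqueued, store.dequeued,
                     [m["symbol"] for m in backend.received])  # (2, 2, ['APPLE', 'IBM'])
    return backend_up, backend_down, after_restart
```

The guarantee rests on one ordering decision: ack() runs after send() returns, never before. A processor that removed the message first and then sent it would give the same console figures while the backend is up and lose IBM the moment it is down.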


Tuesday, July 15, 2014

Add your own keystore in WSO2 Server

In this post I'll explain how you can add your own keystore to a WSO2 server.

All WSO2 servers come with a default keystore named wso2carbon.jks. This keystore is used to hold the certificates/keys used for SSL communication and for encrypting passwords. There are situations where you need to replace wso2carbon.jks with your own keystore.

Here I'll explain the minimum modifications you need to make to add your keystore.

You can find wso2carbon.jks under WSO2Server/repository/resources/security. The configuration details for it are listed in WSO2Server/repository/conf/carbon.xml as follows


           

            ${carbon.home}/repository/resources/security/wso2carbon.jks

            

            JKS

            

            wso2carbon

            

            wso2carbon

            

            wso2carbon

        

Also in  WSO2Server/repository/conf/security/secret-conf.properties you can see following configurations

##KeyStores configurations
#
#keystore.identity.location=repository/resources/security/wso2carbon.jks
#keystore.identity.type=JKS
#keystore.identity.alias=wso2carbon
#keystore.identity.store.password=wso2carbon
##keystore.identity.store.secretProvider=
#keystore.identity.key.password=wso2carbon


As you have seen above, when you change the keystore you have to change the configs in the following files accordingly. (Note that this is the minimal configuration; you may have to change other places as well if you have used this keystore elsewhere.)

  • WSO2Server/repository/conf/carbon.xml
  • WSO2Server/repository/conf/security/secret-conf.properties
  • WSO2Server/repository/conf/sec.policy
  • WSO2Server/repository/conf/security/cipher-text.properties

Additionally you may need to change the entries of the following files depending on the product (e.g. ESB) and version you use.

  • WSO2Server/repository/conf/tomcat/catalina-server.xml
  • WSO2Server/repository/conf/axis2/axis2.xml


Initial content of the WSO2Server/repository/conf/security/cipher-text.properties file

# This is the default file based secret repository, used by Secret Manager of synapse secure vault
# By default, This file contains the secret alias names Vs the plain text passwords enclosed with '[]' brackets
# In Production environments, It is recommend to replace those plain text password by the encrypted values. CipherTool can be used for it.

Carbon.Security.KeyStore.Password=[wso2carbon]
Carbon.Security.KeyStore.KeyPassword=[wso2carbon]
Carbon.Security.TrustStore.Password=[wso2carbon]
UserManager.AdminUser.Password=[admin]
Datasources.WSO2_CARBON_DB.Configuration.Password=[wso2carbon]


Create a KeyStore with keytool

To work with the WSO2 server you can create your key with the following command.

keytool -genkey -keystore susinda.jks -keyalg RSA -alias susinda -ext ku=dataEncipherment,digitalSignature,nonRepudiation,keyEncipherment
Note: here (while you create the keystore) you have to provide the key password the same as the keystore password


keytool -list -v -keystore  susinda.jks 
Enter keystore password:  
Give your keystore password here, then you can see the command output as follows.


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry


Alias name: susinda

Creation date: Jul 15, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Susinda, OU=susiOU, O=susiORG, L=Colombo, ST=Srilanka, C=SL
Issuer: CN=Susinda, OU=susiOU, O=susiORG, L=Colombo, ST=Srilanka, C=SL
Serial number: 50eed9f5
Valid from: Tue Jul 15 10:33:49 IST 2014 until: Mon Oct 13 10:33:49 IST 2014
Certificate fingerprints:
MD5:  54:9E:71:11:F5:81:2D:4E:58:E1:72:4D:B0:E8:19:1D
SHA1: D5:86:16:42:3D:18:88:79:E9:D8:34:17:C6:A9:39:33:5A:62:24:95
SHA256: 44:2B:48:F2:1F:66:10:B9:37:95:EB:11:59:FF:AA:A1:A4:1A:6D:E0:19:C9:0A:6F:72:57:5D:F0:1D:CC:19:72
Signature algorithm name: SHA256withRSA
Version: 3

Extensions: 


#1: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [
KeyIdentifier [
0000: 5F 70 2F AD DB DC 5A 1B   A2 A6 AE 72 04 B1 80 29  _p/...Z....r...)
0010: 5B E1 4A 8E                                        [.J.
]

*******************************************



Encrypt sensitive data with ciphertool

WSO2 servers ship with a tool called cipher-tool for encryption and decryption purposes. This tool uses the keystore defined in carbon.xml to encrypt. You can find it under WSO2Server/bin/


To run this tool use the command ./ciphertool.sh -Dconfigure. It will then prompt the following

[Please Enter Primary KeyStore Password of Carbon Server : ]

Here give the password that you have provided for your keystore, then you see the command output as follows.


Primary KeyStore of Carbon Server is initialized Successfully

Protected Token [Carbon.Security.TrustStore.Password] is updated in carbon.xml successfully

Protected Token [Carbon.Security.KeyStore.KeyPassword] is updated in carbon.xml successfully

Protected Token [UserManager.AdminUser.Password] is updated in user-mgt.xml successfully

Protected Token [Datasources.WSO2_CARBON_DB.Configuration.Password] is updated in master-datasources.xml successfully

Protected Token [Carbon.Security.KeyStore.Password] is updated in carbon.xml successfully


Encryption is done Successfully


Encryption is done Successfully


Encryption is done Successfully


Encryption is done Successfully


Encryption is done Successfully


Secret Configurations are written to the property file successfully


Now if you look at carbon.xml you will see that the password has been changed to Password svns:secretAlias="Carbon.Security.KeyStore.KeyPassword".

            

            ${carbon.home}/repository/resources/security/susinda.jks

            

            JKS

            

            password

            

            susinda

            

            password

        


In the secret-conf.properties file it has changed as follows

keystore.identity.location=/home/susinda/wso2as-5.2.1/repository/resources/security/susinda.jks
keystore.identity.type=JKS
keystore.identity.store.password=identity.store.password
keystore.identity.store.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
secretRepositories.file.provider=org.wso2.securevault.secret.repository.FileBaseSecretRepositoryProvider
secretRepositories.file.location=repository/conf/security/cipher-text.properties
secretRepositories=file
keystore.identity.key.password=identity.key.password


If you look at the /security/cipher-text.properties file you can see the encrypted values.

Carbon.Security.KeyStore.Password=D8GH2NqKEQyW8BKB51PluBmTDTaILUWlS6aTTz6sQJgIj4ExgZ4SZxiFsuJJhFFiVDzj4xqAun09\n6+X7Q4zerCHlJhvdh4E6GEJXtWsuoqz/66JpJ4Jtp/nEpKDs1j49T0KrxERAQ9frPRwpXJNqeLQr\nyKU1mngasfbdfo88xwM8dRgsP5fV//3gbSOiEKu1e5jFdXvIkGT8BKAx0rKsVzzwCyUassggmd4V\nlc/TxlVoz3s69ZOg85T9n1wVkP6N40Kn4U8EqX++oeeIWX404pUR9uqekuTDY+JHfZ22DMm6+HlT\nhfedxc1Q23IyWTcN728IBe2l9R3DqOagB8RuAQ\=\=
Carbon.Security.KeyStore.KeyPassword=FxfyvDztx4e4NgLUh7Zzhbv+dOPBbsLUI9fwJx6N0eitsaNq6+cijD2mht8S8AXWDRkFu89Fdnrb\nf5/8IHx4rKQ1zsAShj/UYwvT9nShHlLYc4qjyvY/IkbKkjY+Fhs03nzJMKM1Kza242EWcrGshCpu\nLiy60pqdIOt1ipsFXY232qdVWSYCuDTxWq6JAkfQtScheGbPaRRNQZFXD7bPl8g4r7DB3s9W+X8w\nWCyDUatdOHmVEc4sVYnbN1aXs8pyHOjeEUITkskTCRQHJwCaAaADkwTGg+iCJuRXd8WdmvBOLyda\ng4QdU8cYwNy0kbf7cy8MRPtC+jdRl47zi3jddA\=\=


Once you start the server it will ask for your keystore password.

[Enter KeyStore and Private Key Password :]
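After ciphertool has run, every alias in cipher-text.properties should hold ciphertext, and the '[plain text]' form shown earlier in this post should be gone. The following is an added Python audit script (not part of the original post or of WSO2's tooling) that parses a cipher-text.properties body, lists the aliases still in bracketed plain text, and flags those that still carry one of the stock values from the initial file shown above. The SAMPLE_CIPHER_TEXT content is constructed; its ciphertext values are made-up base64, not real ciphertool output.

```python
import re

# Added example, not from the original post and not part of WSO2's ciphertool:
# a small audit script for repository/conf/security/cipher-text.properties.
# After ciphertool runs, every alias should hold ciphertext; any value still
# written as '[plain text]' (the pre-encryption form shown above) is a secret
# that did not get encrypted, and a bracketed stock value is worse still.

# Constructed sample resembling a file part-way through that migration; the
# ciphertext values are made-up base64, not real ciphertool output.
SAMPLE_CIPHER_TEXT = r"""# This is the default file based secret repository, used by Secret Manager of synapse secure vault
Carbon.Security.KeyStore.Password=QUJDREVGR0hJ\nSktMTU5PUA\=\=
Carbon.Security.KeyStore.KeyPassword=QUJDREVGR0hJSktMTU5PUA\=\=
Carbon.Security.TrustStore.Password=[wso2carbon]
UserManager.AdminUser.Password=[admin]
Datasources.WSO2_CARBON_DB.Configuration.Password=[S3cret-Custom]
"""

PLAINTEXT = re.compile(r"^\[(.*)\]$")

# Stock values the WSO2 distributions ship with (taken from the initial
# cipher-text.properties content shown above).
STOCK_VALUES = ("wso2carbon", "admin")

def _unescape(value):
    """Minimal Java .properties unescaping for what ciphertool writes: '\\='
    and '\\:' are literal characters, and '\\n' just wraps a long base64
    value, so it can be dropped (base64 decoders ignore line breaks)."""
    return value.replace("\\n", "").replace("\\=", "=").replace("\\:", ":")

def parse_cipher_text(text):
    """Return {alias: value}, skipping comments and blank lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        alias, sep, value = line.partition("=")
        if sep:
            entries[alias.strip()] = _unescape(value.strip())
    return entries

def plaintext_aliases(entries):
    """Aliases whose value is still bracketed plain text."""
    return sorted(alias for alias, value in entries.items() if PLAINTEXT.match(value))

def stock_value_aliases(entries, stock=STOCK_VALUES):
    """Plain-text aliases that still carry a stock default value."""
    found = []
    for alias, value in entries.items():
        match = PLAINTEXT.match(value)
        if match and match.group(1) in stock:
            found.append(alias)
    return sorted(found)

if __name__ == "__main__":
    entries = parse_cipher_text(SAMPLE_CIPHER_TEXT)
    for alias in plaintext_aliases(entries):
        print("still plain text:", alias)
    for alias in stock_value_aliases(entries):
        print("stock default value:", alias)
```

Run it against the real file by reading repository/conf/security/cipher-text.properties into parse_cipher_text instead of the sample. Any alias it reports after ciphertool has run means that alias was either not listed in cipher-tool.properties (as the registry keystore aliases below must be) or was edited back to plain text afterwards.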


Special note on Keystore and Registrykeystore
The primary keystore mainly stores the keys certifying SSL connections to Carbon servers and the keys for encrypting administrator passwords as well as other confidential information.

RegistryKeyStore is a separate keystore element configurable in the carbon.xml file. This configuration applies for the keystore which stores the keys that certify encrypting/decrypting meta data to the registry. Therefore, using the registry keystore in addition to the primary keystore in the carbon.xml file allows you to maintain a separate keystore for the purpose of encrypting/decrypting meta data to the registry.
http://docs.wso2.com/pages/viewpage.action?pageId=31884668

Adding a Registrykeystore
Add following properties in cipher-tool.properties file
Carbon.Security.RegistryKeyStore.Password=carbon.xml//Server/Security/RegistryKeyStore/KeyPassword,true

Carbon.Security.RegistryKeyStore.KeyPassword=carbon.xml//Server/Security/RegistryKeyStore/Password,true

Also add following in cipher-text.properties file
Carbon.Security.RegistryKeyStore.KeyPassword=[regkeypassword]

Carbon.Security.RegistryKeyStore.Password=[regkeypassword]

Note: for additional information you can refer to "Secure plain text passwords in WSO2 Carbon configuration files" @ http://soasecurity.org/2012/08/12/secure-plain-text-passwords-in-wso2-carbon-configuration-files/

Run cipher tool

Run the server 
Give the regkeypassword, when it is asked for primary password




Wednesday, June 18, 2014

Developer Studio - How to create a BPEL Process to invoke a Partner Service

In this post I will discuss how you can use Developer Studio to create a BPEL process which invokes another service (partner service).

Suppose you have an already deployed service. Let's call this service 'WeatherService'; it has a web method called getTemperature which returns the temperature when you provide the city as an argument. Make sure you have the WSDL of this service, since we need it to create a Partner Link. Here is the WSDL of the service that I used, and here you can download the aar of the web service.

Create The BPEL Project
Click on BPEL Workflow in the Developer Studio Dashboard.



Select the Create New BPEL Workflow radio button and click Next.


Set the project name to WeatherServiceWorkflow and the Template to Synchronous BPEL process.


Click Finish. You will then see a page like the following.


Double-click to open the WeatherServiceWorkflowArtifacts.wsdl file and hover the mouse over the blue arrow next to WeatherServiceWorkFlowResponse; you will see something like the following.


Then click on that arrow and it will open the above window in another editor. In that editor, change the type of the result parameter of WeatherServiceWorkFlowResponseType to double (since the backend service returns the temperature as a double value).
Save and close this editor. Now let's define the workflow for the invoke operation. Open WeatherServiceWorkFlow.bpel and delete the FIX_ME-Add_Business_Logic_Here component from the flow. Then add an Invoke operation from the palette to the workflow and rename it InvokeWeatherService.



Then add an Assign action just before InvokeWeatherService and rename it AssignInputs. Similarly, add another Assign action just after the InvokeWeatherService action and rename it AssignOutputs.


Now we are done with the BPEL flow layout, but we still have to configure each element in the flow. We have added three elements: AssignInputs, InvokeWeatherService and AssignOutputs. The objective of AssignInputs is to map the inputs received by the BPEL flow to the invoked service, and AssignOutputs does the reverse.

First we will configure InvokeWeatherService to invoke the backend service; for this we need the WSDL of that service. Download it from here and import it into the bpelContent folder of the project. To invoke a partner service we need to create a Partner Link. Click on the InvokeWeatherService element in the flow and select the Details tab in the Properties view. From the dropdown list select GlobalPartnerLink.



It will then prompt with a dialog box asking for a name for the Partner Link; give the name WeatherServicePL and click OK. It will then open another dialog to select the Partner Link Type.


Click on the Add WSDL button, browse for WeatherService.wsdl (which we imported into the bpelContent folder in the earlier step) and add it. You will then see that a new field called WeatherServicePortType appears in the dialog. Select it and click OK.



It will again prompt with a dialog asking for a Partner Link Type name; give the name WeatherServicePLType and click Next. The next page asks for a Role Name; give the name TestRole and click Finish.

Then go back to the Properties view and, in the Quick Pick section, select getTemperature by double-clicking on it. That fills in the other fields automatically.


Now we are done with creating the Partner Link for the invoke action. Next, let's map the inputs and outputs with the Assign actions. Click on AssignInputs and, in the Properties view, click on the Details tab, then click the New button at the bottom left. On the 'From' side expand input : WeatherServiceWorkflowRequestMessage and select 'payload : WeatherServiceWorkflowRequest'; on the 'To' side expand WeatherServicePLRequest : getTemperatureRequest and select 'parameters : getTemperature'.


Once you have selected both the From side and the To side for the first time, a message will ask you whether it should initialize the variables for you.

Click Yes. Once you do that, you will see that another entry (Variable to Variable) has been added automatically to the list on the left-hand side. Click on that 'Variable to Variable' entry; on the 'From' side expand 'payload : WeatherServiceWorkflowRequest' and select 'input : string', and similarly select 'city : string' on the 'To' side.

Repeat the same steps on the AssignOutputs action to map 'WeatherServicePLResponse : getTemperatureResponse' to 'output : WeatherServiceWorkflowResponseMessage'.

Now we are done with configuring the invoke and variable assignment actions; let's move on to configuring the deploy options.

Double-click to open deploy.xml. In the Inbound Interfaces list you will notice that Partner Link is set to client but the other fields are not set. From the dropdown menu there select WeatherServiceWorkflowPort and it will fill out the other fields for you.

In the Outbound Interfaces list you will see that the Partner Link is already set to WeatherServicePL; select WeatherServiceHttpSoap11Endpoint as the Associated Port from the dropdown menu and it will fill in the other fields.
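A partner link left unbound in deploy.xml (the "other fields are not set" state above) is only reported once the archive is deployed, so a quick check of the project files before exporting saves a round trip. The script below is an added example, not the post's or WSO2's own code; the .bpel and deploy.xml documents are constructed skeletons of the generated files, and the target namespaces and prefixes are assumptions.

```python
"""Pre-deployment check for a BPEL project's deploy.xml (added example, not the post's
or WSO2's own code): every partner link the process receives on or invokes needs a
<provide>/<invoke> entry whose <service> has both name and port, the state the post's
dropdown selections produce. Both documents are constructed skeletons; namespaces are assumed."""
import xml.etree.ElementTree as ET

BPEL_NS = "{http://docs.oasis-open.org/wsbpel/2.0/process/executable}"
DD_NS = "{http://www.apache.org/ode/schemas/dd/2007/03}"

# Constructed skeleton of WeatherServiceWorkflow.bpel (assign steps omitted).
BPEL = """<process name="WeatherServiceWorkflow"
  xmlns="http://docs.oasis-open.org/wsbpel/2.0/process/executable">
 <sequence>
  <receive partnerLink="client" operation="process" createInstance="yes"/>
  <invoke name="InvokeWeatherService" partnerLink="WeatherServicePL" operation="getTemperature"/>
  <reply partnerLink="client" operation="process"/>
 </sequence></process>"""

# Constructed deploy.xml in which the inbound port was never selected.
DEPLOY = """<deploy xmlns="http://www.apache.org/ode/schemas/dd/2007/03"
  xmlns:pns="urn:example:workflow" xmlns:wns="urn:example:weather">
 <process name="pns:WeatherServiceWorkflow">
  <provide partnerLink="client"/>
  <invoke partnerLink="WeatherServicePL">
   <service name="wns:WeatherService" port="WeatherServiceHttpSoap11Endpoint"/>
  </invoke></process></deploy>"""

def partner_links(bpel_xml):
    """Return (inbound, outbound) sets of partner-link names used by the process."""
    root = ET.fromstring(bpel_xml)
    inbound = {e.get("partnerLink") for t in ("receive", "reply") for e in root.iter(BPEL_NS + t)}
    outbound = {e.get("partnerLink") for e in root.iter(BPEL_NS + "invoke")}
    return inbound, outbound

def bindings(deploy_xml, kind):
    """Map partnerLink -> (service name, port) for each <provide> or <invoke>; None if unbound."""
    out = {}
    for e in ET.fromstring(deploy_xml).iter(DD_NS + kind):
        svc = e.find(DD_NS + "service")
        out[e.get("partnerLink")] = None if svc is None else (svc.get("name"), svc.get("port"))
    return out

def check_deploy(bpel_xml, deploy_xml):
    """Return problems for partner links lacking a fully bound descriptor entry."""
    inbound, outbound = partner_links(bpel_xml)
    problems = []
    for kind, links in (("provide", inbound), ("invoke", outbound)):
        bound = bindings(deploy_xml, kind)
        for pl in sorted(links):
            if bound.get(pl) is None or None in bound[pl]:
                problems.append(f"partner link '{pl}' has no service/port in <{kind}>")
    return problems
```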



Now we are done with all the configuration and are ready to deploy and test. Right-click on the WeatherServiceWorkflow project and click 'Export Project as Deployable Archive' in the context menu. Give an export destination and click Finish. Here I'm attaching the exported project.

Start WSO2 AS and deploy WeatherService.aar. Go to the management console -> Services -> Add -> AAR service. Then test it from the Try It tool.



Start a WSO2 BPS server (with port offset 1 to avoid port conflicts with WSO2 AS). Deploy the exported WeatherServiceWorkflow_1.0.0 in the BPS server (go to the management console of the server -> Process -> Add). Then we will test this using the server's built-in Try It tool. In the management console go to Services and click on List under it; you will see that WeatherServiceWorkflow is in the deployed list. Click on Try this service on the right-hand side, giving the city name colombo as the test parameter.


You will see that you get the same output. In summary, what we did was invoke the WeatherService hosted in WSO2 AS via a BPEL process. This is a very simple example to demonstrate the invoke function, but there is much more you can do with it; it is up to you to try. You can refer to the BPS docs [1] and Developer Studio docs [2] for more information.

[1] https://docs.wso2.org/display/BPS320/WSO2+Business+Process+Server+Documentation
[2] https://docs.wso2.org/display/DVS360/WSO2+Developer+Studio+Documentation