Monday, February 23, 2015

Identity Server 5.0 User Account Recovery / User Account lock and unlocking


This article I'm gonna discuss about account registration methods, for the demo purpose I am going to use WSO2 IS 5.0.0 , InfomationRecovery sample (shared here with) which is hosted in Tomcat

Setting up IS 5.0.0
  • Update below parameters  wso2is-5.0.0\repository\conf\security\identity-mgt.properties
Identity.Listener.Enable=true
Notification.Sending.Enable=true
Notification.Expire.Time=7200
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=2

  • You need to configure the email sender and here we use the axis transport Sender. Following configureation needs to be done in the axis2.xml file located in the Identity Server installation under <is_home>/repository/conf/axis2 directory. Uncomment the following and give your email details.

<transportsender class="org.apache.axis2.transport.mail.MailTransportSender" name="mailto">
<parameter name="mail.smtp.from">wso2demomail@gmail.com</parameter> 
        <parameter name="mail.smtp.user">wso2demomail@gmail.com</parameter> 
        <parameter name="mail.smtp.password">mailpassword</parameter> 
        <parameter name="mail.smtp.host">smtp.gmail.com</parameter> 
        <parameter name="mail.smtp.port">587</parameter> 
        <parameter name="mail.smtp.starttls.enable">true</parameter> 
        <parameter name="mail.smtp.auth">true</parameter> 
</transportsender>
  • You also can configure the email format and confirmation code urls in the email-admin-config.xml under <is_home>/repository/conf/email directory. For password recovery sending email you need to have a email template type as “passwordReset”. Following shows a sample configuration.

  • Start IS server
  • Map Account Recovery Clam as given below



  • Start Tomcat or any Application server, deploy war file (project can be found from here)
  • Click user registration




















  • Configure IS for SP please see image






















  • Once click from Registration will be direct to SSO page








































  • Recover password if forgot..
































Tuesday, February 17, 2015

SAML2 bearer tokens with OAuth2 tokens in WSO2 API Manager


   Most of enterprise applications use SAML2 to engage a third-party identity provider to grant access to systems that are only authenticated against the enterprise application. These enterprise applications might need to consume OAuth-protected resources through APIs, after validating them against an OAuth2.0 authentication server. However, an enterprise application that already has a working SAML2.0 based Single Sign On infrastructure between itself and the IDP prefers to use the existing trust relationship, even if the OAuth authorization server is entirely different from the IDP. The SAML2 Bearer Assertion Profile for OAuth2.0 helps leverage this existing trust relationship by presenting the SAML2.0 token to the authorization server and exchanging it to an OAuth2.0 access token and then use that OAuth token to get access to APIs.



Ground work Understanding how this process can be implemented


  • Setup IDP in WSO2 Identity server (Uses IS 5.0.0)








  • Register a subscriber (user) in API-M


  • Now need to request SAML token for the user, for that have created a script as follows, make sure the SAML request being signed using the public certificate.

#!/bin/bash

#saml assertion issuer
ISSUER="SAML_ASSERTION_TEST_ISSUER"
#ISSUER="localhost"
#saml2_assertion_subject
SUBJECT="saman123"
#saml2_assertion_recipient
RECIPIENT="https://localhost:9444/oauth2/token/"
#saml2_asseertion_audience_restriction
AUDIENCE="https://localhost:9444/oauth2/token/"
#path to JKS store file
JKS_PATH="/Users/dushan/workspace/poc/apikeym/apim17/wso2is-5.0.0/repository/resources/security/wso2carbon.jks"

java -jar SAML2AssertionCreator/SAML2AssertionCreator.jar $ISSUER $SUBJECT $RECIPIENT $AUDIENCE $JKS_PATH wso2carbon wso2carbon wso2carbon



  • You can download SAML2AssertionCreator project from here
  • Exchange SAML token to Access Token
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<SAML_ASSERTION obtained from above step >&scope=PRODUCTION" -H "Authorization: Basic <base 64[consumer_key:consumer_secret] of desired API, Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token





Setting Proxy with mod_proxy with Basic Authorization

Install mod_proxy and setup reverse proxy in Apache Webserver

Follow the given below steps.
Note: In all given below example replace the value of ServerAdmin,ServerName & ServerAlias as per your server information

Step 1: Install the module

sudo apt-get install libapache2-mod-proxy-html

Step 2: Installing the dependency libxml2-dev

apt-get install libxml2-devStep 3: Load the module

a2enmod proxy proxy_http

Step 4: Create the Virtual Host in apache configuration file . If your configuration is located in conf.d you have to do changes in that file. I am giving example with default setting in Apache Webserver in Ubuntu

vi /etc/apache2/sites-enabled/000-default

Step 5: Following configuration allows user to access http service but it requires user to provide credentials, which is stored at /var/www/.htpasswd


<VirtualHost *:80>
ServerName 192.168.56.102
SSLEngine off
ProxyPass /foo/ http://192.168.56.1:8280/
<Proxy *>
Order Allow,Deny
Allow from all
AuthType Basic
AuthName "Authenticated proxy"
AuthUserFile /var/www/.htpasswd
Require valid-user
</Proxy>
</VirtualHost>







Step 6: Accessing https services, which requires to generate key pair of wso2carbon server and store as SSLCertificateFile/SSLCertificateKeyFile

generate key pair from wso2carbon.jks

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias <jkskeyalias> -deststorepass <password> -destkeypass <password>
Export certificate.


openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem
Export unencrypted private key.


openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem


Optional disabling CN check.

SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off<VirtualHost *:443>
SSLProxyEngine On
SSLCertificateFile /home/dushan/cert.pem
SSLCertificateKeyFile /home/dushan/key.pem


SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
# CacheDisable *


SSLEngine on
ProxyPass /foo/ https://192.168.56.1:8243/


<Proxy *>
Order Allow,Deny
Allow from all
AuthType Basic
AuthName "Authenticated proxy"
AuthUserFile /var/www/.htpasswd
Require valid-user
</Proxy>


</VirtualHost>

Sunday, February 8, 2015

Secure File Transfer with VFS (ESB FTP+SSL certificates)



Hello, everyone this post I would discuss a new feature that enables us to share files between ESB and FTP server where FTP server establish connection through SSL certificates. will go step by step discussing how you could prepare FTP server to enable SSL and then share files between ESB
  • Generating KeyPair
    • openssl genrsa -des3 -out dushan.key 1024
    • openssl req -new -x509 -days 365 -key dushan.key -out dushan.crt
    • Import certificate to ESB client-trust store 
      • keytool -import -alias stan  -keystore client-truststore.jks -file dushan.crt

  • Used Filezilla client and server to demonstrate this scenario, 




  • You can configure VFS transport with https://docs.wso2.com/pages/viewpage.action?pageId=26838852
  • Proxy Configuration looks as below
    • Please notice the configuration (special notations) 'vfs.ssl.keystore' ,'vfs.ssl.truststore' ,'vfs.ssl.tspassword','vfs.ssl.kspassword'
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="VFSProxy"
       transports="vfs"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
   <target>
      <inSequence>
         <property name="OUT_ONLY" value="true"/>
         <property name="transport.vfs.ReplyFileName"
                   expression="fn:concat(fn:substring-after(get-property('MessageID'), 'urn:uuid:'), '.csv')"
                   scope="transport"/>
         <property name="messageType" value="text/plain" scope="axis2"/>
         <property name="ClientApiNonBlocking" scope="axis2" action="remove"/>
         <send>
            <endpoint>
               <address uri="vfs:ftps://dushan:12345@192.168.56.102/test?vfs.ssl.keystore=/Users/dushan/workspace/onlinesupport/ESB/wso2esb-4.8.1/repository/resources/security/wso2carbon.jks&amp;vfs.ssl.truststore=/Users/dushan/workspace/onlinesupport/ESB/wso2esb-4.8.1/repository/resources/security/client-truststore.jks&amp;vfs.ssl.kspassword=wso2carbon&amp;vfs.ssl.tspassword=wso2carbon&amp;vfs.ssl.keypassword=wso2carbon"/>
            </endpoint>
         </send>
         <drop/>
      </inSequence>
   </target>
   <parameter name="transport.PollInterval">10</parameter>
   <parameter name="transport.vfs.ActionAfterProcess">MOVE</parameter>
   <parameter name="transport.vfs.FileURI">file:///Users/xx/in</parameter>
   <parameter name="transport.vfs.MoveAfterProcess">file:///Users/xx/processed</parameter>
   <parameter name="transport.vfs.MoveAfterFailure">file:///Users/xx/fail</parameter>
   <parameter name="transport.vfs.FileNamePattern">.*.csv</parameter>
   <parameter name="transport.vfs.ContentType">text/plain</parameter>
   <parameter name="transport.vfs.ActionAfterFailure">MOVE</parameter>
   <description>Custom file reader proxy for CAP mainframe file. This will perform transformation to DP v2 structure and store data into Vertica</description>
</proxy>

  • Fail to add public certificates would result errors as follows
... 16 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1421) ... 27 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target