Re: [Architecture] WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

2017-12-15 Thread Farasath Ahamed
On Friday, December 15, 2017, Youcef HILEM  wrote:

> Hi Hasanthi,
>
> Yes, I know that the password grant is supported.
>
> My question is: can I use the password grant with our third party IDP OAuth
> 2.0 [3] just integrated with [2]?


No. We do not support password grant type in our OAuth/OIDC federated
authenticator.

However, if you have a strong requirement to federate using password grant
type you can do so by extending the oauth/oidc authenticator. One thing to
keep in mind is that you might have to introduce an intermediate page to
prompt for credentials to be used in the password grant request.

As a user this means I am exposing my credentials at an intermediate
page (not at the trusted federated idp), which could be a security concern.
Personally I would prefer the authorization code flow over password grant
flow to login using a third party idp.



>
>
> [1] Federated Authentication -
> https://docs.wso2.com/display/IS530/Federated+Authentication
> [2] Configuring OAuth2-OpenID Connect -
> https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect
> [3] IBM Security Access Manager 9.0.3.1 - OAuth 2.0 endpoints -
> https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.3.1/com.ibm.isam.doc/config/concept/OAuthEndpoints.html#oauthendpoints
>
> Thanks
> Youcef HILEM
>
>
>
>
> --
> Sent from: http://wso2-oxygen-tank.10903.n7.nabble.com/WSO2-Architecture-f62919.html
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>


-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Gateway cache in APIM all in one active/active deployment without clustering

2017-12-15 Thread Sanjeewa Malalgoda
Yes, we have to handle this case by case. If reaction time is important we
have to bear the cost of having a smaller cache duration.
If performance is important we have to bear a large reaction time.

Thanks.
sanjeewa.

On Fri, Dec 15, 2017 at 4:33 PM, Susankha Nirmala  wrote:

>
>
> On Fri, Dec 15, 2017 at 3:56 PM, Pubudu Gunatilaka 
> wrote:
>
>> Hi Susankha,
>>
>> On Fri, Dec 15, 2017 at 3:26 PM, Susankha Nirmala 
>> wrote:
>>
>>>
>>>
>>> On Fri, Dec 15, 2017 at 3:14 PM, Pubudu Gunatilaka 
>>> wrote:
>>>
>>>> Hi Susankha,
>>>>
>>>> We have a guide which explains when to use hazelcast clustering in [1].
>>>>
>>>> If you don't have clustering enabled, the following are expected.
>>>>
>>>> 1. Immediate revocation of tokens among the gateways
>>>>
>>>
>>> How does this happen when clustering is disabled?
>>>
>>>
>>
>> Sorry about the wording. I meant those will not work without clustering.
>> Let me rephrase this again.
>>
>> 1. Token revoke - You need to have clustering enabled. Otherwise, from
>> the other gateway node you can access the API until the cache timeout
>> happens.
>>
>
> Yes, this is a known behavior and for that reason I have initiated this
> mail thread.
>
>
>> 2. Backend service throttling - As we are not sharing throttling limits
>> within the gateway nodes, backend service throttling will not work.
>>
>> Thank you!
>> --
>> *Pubudu Gunatilaka*
>> Committer and PMC Member - Apache Stratos
>> Senior Software Engineer
>> WSO2, Inc.: http://wso2.com
>> mobile : +94774078049 <%2B94772207163>
>>
>>
>
>
> --
> Susankha Nirmala
> Senior Software Engineer
> WSO2, Inc.: http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 77 593 2146 <077%20593%202146>
> blog : https://susankhanirmala.wordpress.com/
>
>
>


-- 

*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/



Re: [Architecture] Gateway cache in APIM all in one active/active deployment without clustering

2017-12-15 Thread Susankha Nirmala
On Fri, Dec 15, 2017 at 3:56 PM, Pubudu Gunatilaka  wrote:

> Hi Susankha,
>
> On Fri, Dec 15, 2017 at 3:26 PM, Susankha Nirmala 
> wrote:
>
>>
>>
>> On Fri, Dec 15, 2017 at 3:14 PM, Pubudu Gunatilaka 
>> wrote:
>>
>>> Hi Susankha,
>>>
>>> We have a guide which explains when to use hazelcast clustering in [1].
>>>
>>> If you don't have clustering enabled, the following are expected.
>>>
>>> 1. Immediate revocation of tokens among the gateways
>>>
>>
>> How does this happen when clustering is disabled?
>>
>>
>
> Sorry about the wording. I meant those will not work without clustering.
> Let me rephrase this again.
>
> 1. Token revoke - You need to have clustering enabled. Otherwise, from
> the other gateway node you can access the API until the cache timeout
> happens.
>

Yes, this is a known behavior and for that reason I have initiated this
mail thread.


> 2. Backend service throttling - As we are not sharing throttling limits
> within the gateway nodes, backend service throttling will not work.
>
> Thank you!
> --
> *Pubudu Gunatilaka*
> Committer and PMC Member - Apache Stratos
> Senior Software Engineer
> WSO2, Inc.: http://wso2.com
> mobile : +94774078049 <%2B94772207163>
>
>


-- 
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : +94 77 593 2146
blog : https://susankhanirmala.wordpress.com/


Re: [Architecture] WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

2017-12-15 Thread Youcef HILEM
Hi Hasanthi,

Yes, I know that the password grant is supported.

My question is: can I use the password grant with our third party IDP OAuth
2.0 [3] just integrated with [2]?


[1] Federated Authentication - 
https://docs.wso2.com/display/IS530/Federated+Authentication
[2] Configuring OAuth2-OpenID Connect - 
https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect  
[3] IBM Security Access Manager 9.0.3.1 - OAuth 2.0 endpoints - 
https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.3.1/com.ibm.isam.doc/config/concept/OAuthEndpoints.html#oauthendpoints

Thanks
Youcef HILEM




--
Sent from: 
http://wso2-oxygen-tank.10903.n7.nabble.com/WSO2-Architecture-f62919.html


Re: [Architecture] Gateway cache in APIM all in one active/active deployment without clustering

2017-12-15 Thread Pubudu Gunatilaka
Hi Susankha,

On Fri, Dec 15, 2017 at 3:26 PM, Susankha Nirmala  wrote:

>
>
> On Fri, Dec 15, 2017 at 3:14 PM, Pubudu Gunatilaka 
> wrote:
>
>> Hi Susankha,
>>
>> We have a guide which explains when to use hazelcast clustering in [1].
>>
>> If you don't have clustering enabled, the following are expected.
>>
>> 1. Immediate revocation of tokens among the gateways
>>
>
> How does this happen when clustering is disabled?
>
>

Sorry about the wording. I meant those will not work without clustering.
Let me rephrase this again.

1. Token revoke - You need to have clustering enabled. Otherwise, from the
other gateway node you can access the API until the cache timeout happens.
2. Backend service throttling - As we are not sharing throttling limits
within the gateway nodes, backend service throttling will not work.

Thank you!
-- 
*Pubudu Gunatilaka*
Committer and PMC Member - Apache Stratos
Senior Software Engineer
WSO2, Inc.: http://wso2.com
mobile : +94774078049 <%2B94772207163>


Re: [Architecture] Gateway cache in APIM all in one active/active deployment without clustering

2017-12-15 Thread Lakmal Warusawithana
On Fri, Dec 15, 2017 at 10:05 AM, Susankha Nirmala 
wrote:

>
>
> On Fri, Dec 15, 2017 at 3:04 PM, Lakmal Warusawithana 
> wrote:
>
>> Hi Susanka,
>>
>> On Fri, Dec 15, 2017 at 9:18 AM, Susankha Nirmala 
>> wrote:
>>
>>> Hi All,
>>>
>>> When we use the APIM all in one active/active deployment pattern, by
>>> default gateway caching is enabled and clustering is disabled according
>>> to the document [1]. Due to that, distributed caching is not used with
>>> this deployment pattern. With this deployment pattern, if we revoke a
>>> token, it will not be updated in both APIM nodes, and in one APIM node
>>> the same token will be available as a valid token. Due to that, can we
>>> recommend this deployment architecture pattern in production
>>> environments?
>>>
>>
>> It depends on the customer's requirement. In many cases, a token does
>> not need to be revoked immediately (real time). It will automatically be
>> revoked when the cache expires (e.g. 15 min).
>>
>
> With the default cache expiry time (15 minutes) we can also access the API
> using the revoked token until the cache expires in the other node. AFAIU
> once we revoke a token, that token should be invalidated from the cache in
> all nodes.
>
>

That's why I said it depends on the customer's requirement :). In our
experience very few customers wanted this kind of behavior. They have to
use clustering to achieve this. The majority is OK with expiring after 15 min.



>
>>
>>>
>>> [1] - https://docs.wso2.com/display/AM210/Configuring+an+Active-Active+Deployment
>>>
>>> Thanks,
>>> /Susankha.
>>>
>>>
>>>
>>> --
>>> Susankha Nirmala
>>> Senior Software Engineer
>>> WSO2, Inc.: http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> Mobile : +94 77 593 2146 <+94%2077%20593%202146>
>>> blog : https://susankhanirmala.wordpress.com/
>>>
>>
>>
>>
>> --
>> Lakmal Warusawithana
>> Senior Director - Cloud Architecture; WSO2 Inc.
>> Mobile : +94714289692 <+94%2071%20428%209692>
>> Blogs : https://medium.com/@lakwarus/
>> http://lakmalsview.blogspot.com/
>>
>>
>>
>
>
> --
> Susankha Nirmala
> Senior Software Engineer
> WSO2, Inc.: http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 77 593 2146 <+94%2077%20593%202146>
> blog : https://susankhanirmala.wordpress.com/
>



-- 
Lakmal Warusawithana
Senior Director - Cloud Architecture; WSO2 Inc.
Mobile : +94714289692
Blogs : https://medium.com/@lakwarus/
http://lakmalsview.blogspot.com/
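
The revocation window this thread describes (each gateway node keeping its own validation cache, no clustering, 15-minute expiry) and the cache-duration trade-off raised in the replies can be reproduced with a small model. This is an added example, not WSO2 code: the `KeyManager`, `Gateway` and `simulate` names, the two-node alternating traffic and the rule that the node handling the revoke call clears its own entry are assumptions of the model.

```python
"""Model of per-node gateway token caches (added example, not WSO2 code)."""

CACHE_TTL_S = 15 * 60  # the 15-minute cache expiry quoted in the thread


class KeyManager:
    """Authoritative token store; each validate() call is a gateway cache miss."""

    def __init__(self):
        self.active = set()
        self.lookups = 0

    def issue(self, token):
        self.active.add(token)

    def revoke(self, token):
        self.active.discard(token)

    def validate(self, token):
        self.lookups += 1
        return token in self.active


class Gateway:
    """Gateway node with a local cache: token -> (valid, expires_at)."""

    def __init__(self, name, key_manager, ttl_s):
        self.name = name
        self.km = key_manager
        self.ttl_s = ttl_s
        self.cache = {}

    def allow(self, token, now):
        entry = self.cache.get(token)
        if entry is not None and now < entry[1]:
            return entry[0]  # answered from the local cache, key manager not asked
        valid = self.km.validate(token)
        self.cache[token] = (valid, now + self.ttl_s)
        return valid

    def evict(self, token):
        self.cache.pop(token, None)


def simulate(ttl_s=CACHE_TTL_S, clustered=False, revoke_at=60, duration=3600, step=30):
    """Alternate requests over nodes A and B and revoke through node A.

    Returns (seconds after revocation at which the token was last accepted,
    number of key manager lookups). Time is simulated, nothing sleeps.
    """
    km = KeyManager()
    nodes = [Gateway("A", km, ttl_s), Gateway("B", km, ttl_s)]
    token = "constructed-token-1"  # constructed sample value
    km.issue(token)

    revoked = False
    last_accept = None
    for i, now in enumerate(range(0, duration, step)):
        if not revoked and now >= revoke_at:
            km.revoke(token)
            nodes[0].evict(token)  # assumption: the revoking node clears its own entry
            if clustered:
                for node in nodes[1:]:
                    node.evict(token)  # shared invalidation reaches every node
            revoked = True
        node = nodes[i % 2]  # A takes even requests, B takes odd ones
        if node.allow(token, now) and revoked:
            last_accept = now

    window = 0 if last_accept is None else last_accept - revoke_at
    return window, km.lookups


if __name__ == "__main__":
    for ttl, clustered in [(900, False), (900, True), (300, False)]:
        window, lookups = simulate(ttl, clustered)
        print(f"ttl={ttl}s clustered={clustered}: "
              f"accepted for {window}s after revoke, {lookups} key manager lookups")
```

With the constructed traffic above, `simulate(900, False)` reports the revoked token still accepted on the second node 810 seconds after revocation, `simulate(900, True)` reports 0, and shortening the expiry to 300 seconds cuts the window to 210 seconds while key manager lookups rise from 9 to 25.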


Re: [Architecture] Gateway cache in APIM all in one active/active deployment without clustering

2017-12-15 Thread Susankha Nirmala
On Fri, Dec 15, 2017 at 3:04 PM, Lakmal Warusawithana 
wrote:

> Hi Susanka,
>
> On Fri, Dec 15, 2017 at 9:18 AM, Susankha Nirmala 
> wrote:
>
>> Hi All,
>>
>> When we use the APIM all in one active/active deployment pattern, by
>> default gateway caching is enabled and clustering is disabled according
>> to the document [1]. Due to that, distributed caching is not used with
>> this deployment pattern. With this deployment pattern, if we revoke a
>> token, it will not be updated in both APIM nodes, and in one APIM node
>> the same token will be available as a valid token. Due to that, can we
>> recommend this deployment architecture pattern in production
>> environments?
>>
>
> It depends on the customer's requirement. In many cases, a token does
> not need to be revoked immediately (real time). It will automatically be
> revoked when the cache expires (e.g. 15 min).
>

With the default cache expiry time (15 minutes) we can also access the API
using the revoked token until the cache expires in the other node. AFAIU
once we revoke a token, that token should be invalidated from the cache in
all nodes.


>
>
>>
>> [1] - https://docs.wso2.com/display/AM210/Configuring+an+Active-Active+Deployment
>>
>> Thanks,
>> /Susankha.
>>
>>
>>
>> --
>> Susankha Nirmala
>> Senior Software Engineer
>> WSO2, Inc.: http://wso2.com
>> lean.enterprise.middleware
>>
>> Mobile : +94 77 593 2146 <+94%2077%20593%202146>
>> blog : https://susankhanirmala.wordpress.com/
>>
>
>
>
> --
> Lakmal Warusawithana
> Senior Director - Cloud Architecture; WSO2 Inc.
> Mobile : +94714289692 <+94%2071%20428%209692>
> Blogs : https://medium.com/@lakwarus/
> http://lakmalsview.blogspot.com/
>
>
>


-- 
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : +94 77 593 2146
blog : https://susankhanirmala.wordpress.com/


Re: [Architecture] Gateway cache in APIM all in one active/active deployment without clustering

2017-12-15 Thread Susankha Nirmala
On Fri, Dec 15, 2017 at 3:14 PM, Pubudu Gunatilaka  wrote:

> Hi Susankha,
>
> We have a guide which explains when to use hazelcast clustering in [1].
>
> If you don't have clustering enabled, the following are expected.
>
> 1. Immediate revocation of tokens among the gateways
>

How does this happen when clustering is disabled?


> 2. Backend service throttling - The endpoint throttling limits and the
> spike arrest throttling limits will not be shared
>
> The customer can decide based on their use case.
>
> [1] - https://docs.wso2.com/display/AM210/Working+with+Hazelcast+Clustering
>
> Thank you!
>
> On Fri, Dec 15, 2017 at 3:04 PM, Lakmal Warusawithana 
> wrote:
>
>> Hi Susanka,
>>
>> On Fri, Dec 15, 2017 at 9:18 AM, Susankha Nirmala 
>> wrote:
>>
>>> Hi All,
>>>
>>> When we use the APIM all in one active/active deployment pattern, by
>>> default gateway caching is enabled and clustering is disabled according
>>> to the document [1]. Due to that, distributed caching is not used with
>>> this deployment pattern. With this deployment pattern, if we revoke a
>>> token, it will not be updated in both APIM nodes, and in one APIM node
>>> the same token will be available as a valid token. Due to that, can we
>>> recommend this deployment architecture pattern in production
>>> environments?
>>>
>>
>> It depends on the customer's requirement. In many cases, a token does
>> not need to be revoked immediately (real time). It will automatically be
>> revoked when the cache expires (e.g. 15 min).
>>
>>
>>>
>>> [1] - https://docs.wso2.com/display/AM210/Configuring+an+Active-Active+Deployment
>>>
>>> Thanks,
>>> /Susankha.
>>>
>>>
>>>
>>> --
>>> Susankha Nirmala
>>> Senior Software Engineer
>>> WSO2, Inc.: http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> Mobile : +94 77 593 2146 <+94%2077%20593%202146>
>>> blog : https://susankhanirmala.wordpress.com/
>>>
>>
>>
>>
>> --
>> Lakmal Warusawithana
>> Senior Director - Cloud Architecture; WSO2 Inc.
>> Mobile : +94714289692 <+94%2071%20428%209692>
>> Blogs : https://medium.com/@lakwarus/
>> http://lakmalsview.blogspot.com/
>>
>>
>>
>>
>>
>
>
> --
> *Pubudu Gunatilaka*
> Committer and PMC Member - Apache Stratos
> Senior Software Engineer
> WSO2, Inc.: http://wso2.com
> mobile : +94774078049 <%2B94772207163>
>
>


-- 
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : +94 77 593 2146
blog : https://susankhanirmala.wordpress.com/


Re: [Architecture] Gateway cache in APIM all in one active/active deployment without clustering

2017-12-15 Thread Pubudu Gunatilaka
Hi Susankha,

We have a guide which explains when to use hazelcast clustering in [1].

If you don't have clustering enabled, the following are expected.

1. Immediate revocation of tokens among the gateways
2. Backend service throttling - The endpoint throttling limits and the
spike arrest throttling limits will not be shared

The customer can decide based on their use case.

[1] - https://docs.wso2.com/display/AM210/Working+with+Hazelcast+Clustering

Thank you!

On Fri, Dec 15, 2017 at 3:04 PM, Lakmal Warusawithana 
wrote:

> Hi Susanka,
>
> On Fri, Dec 15, 2017 at 9:18 AM, Susankha Nirmala 
> wrote:
>
>> Hi All,
>>
>> When we use the APIM all in one active/active deployment pattern, by
>> default gateway caching is enabled and clustering is disabled according
>> to the document [1]. Due to that, distributed caching is not used with
>> this deployment pattern. With this deployment pattern, if we revoke a
>> token, it will not be updated in both APIM nodes, and in one APIM node
>> the same token will be available as a valid token. Due to that, can we
>> recommend this deployment architecture pattern in production
>> environments?
>>
>
> It depends on the customer's requirement. In many cases, a token does
> not need to be revoked immediately (real time). It will automatically be
> revoked when the cache expires (e.g. 15 min).
>
>
>>
>> [1] - https://docs.wso2.com/display/AM210/Configuring+an+Active-Active+Deployment
>>
>> Thanks,
>> /Susankha.
>>
>>
>>
>> --
>> Susankha Nirmala
>> Senior Software Engineer
>> WSO2, Inc.: http://wso2.com
>> lean.enterprise.middleware
>>
>> Mobile : +94 77 593 2146 <+94%2077%20593%202146>
>> blog : https://susankhanirmala.wordpress.com/
>>
>
>
>
> --
> Lakmal Warusawithana
> Senior Director - Cloud Architecture; WSO2 Inc.
> Mobile : +94714289692 <+94%2071%20428%209692>
> Blogs : https://medium.com/@lakwarus/
> http://lakmalsview.blogspot.com/
>
>
>
>
>


-- 
*Pubudu Gunatilaka*
Committer and PMC Member - Apache Stratos
Senior Software Engineer
WSO2, Inc.: http://wso2.com
mobile : +94774078049 <%2B94772207163>


Re: [Architecture] Gateway cache in APIM all in one active/active deployment without clustering

2017-12-15 Thread Lakmal Warusawithana
Hi Susanka,

On Fri, Dec 15, 2017 at 9:18 AM, Susankha Nirmala  wrote:

> Hi All,
>
> When we use the APIM all in one active/active deployment pattern, by
> default gateway caching is enabled and clustering is disabled according
> to the document [1]. Due to that, distributed caching is not used with
> this deployment pattern. With this deployment pattern, if we revoke a
> token, it will not be updated in both APIM nodes, and in one APIM node
> the same token will be available as a valid token. Due to that, can we
> recommend this deployment architecture pattern in production
> environments?
>

It depends on the customer's requirement. In many cases, a token does not
need to be revoked immediately (real time). It will automatically be revoked
when the cache expires (e.g. 15 min).


>
> [1] - https://docs.wso2.com/display/AM210/Configuring+an+Active-Active+Deployment
>
> Thanks,
> /Susankha.
>
>
>
> --
> Susankha Nirmala
> Senior Software Engineer
> WSO2, Inc.: http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 77 593 2146 <+94%2077%20593%202146>
> blog : https://susankhanirmala.wordpress.com/
>



-- 
Lakmal Warusawithana
Senior Director - Cloud Architecture; WSO2 Inc.
Mobile : +94714289692
Blogs : https://medium.com/@lakwarus/
http://lakmalsview.blogspot.com/


Re: [Architecture] Secure MQTT Receiver for DAS

2017-12-15 Thread Sumedha Rubasinghe
There is an OAuth2 token based topic protector done for IoT scenarios.

On Thu, Dec 14, 2017 at 5:25 PM, Kalaiyarasi Ganeshalingam <
kalaiyar...@wso2.com> wrote:

> Hi all,
>
> DAS already has an MQTT Receiver, but it is not enabled for secure MQTT
> communication. So, now I am going to work on this feature to enable secure
> MQTT. In the secure connection, the broker and the client talk over
> SSL. Here, SSL provides a secure communication channel between a client and
> a server. For this implementation, I am going to get the following optional
> parameters from the user:
> tlsTruststoreLocation : the trustStore file path.
> tlsTruststorePassword : the password of truststore.
> tlsTruststoreType : the trustStore type.
> tlsVersion : the standard name of the requested protocol.
>
> Please let me know if you have any suggestions on this.
>
> Regards,
> Kalaiyarasi Ganeshalingam
> Associate Software Engineer| WSO2
> WSO2 Inc : http://wso2.org
> 
> Tel:+94 076 6792895 <076%20679%202895>
> LinkedIn :www.linkedin.com/in/kalaiyarasiganeshalingam
> Blogs : https://kalaiyarasig.blogspot.com/ 
>



-- 
/sumedha
m: +94 773017743
b :  bit.ly/sumedha


Re: [Architecture] Secure MQTT Receiver for DAS

2017-12-15 Thread Dimuthu Leelarathne
Hi Kalai,

I cannot think of a valid user story that would require a separate trust
store. Others, WDYT?

thanks,
Dimuthu

On Fri, Dec 15, 2017 at 2:59 PM, Kalaiyarasi Ganeshalingam <
kalaiyar...@wso2.com> wrote:

> Hi Dimuthu,
>
> Yes, I'm going to use the existing trust store from the DAS's carbon.xml as
> the default value.
>
> Regards,
>
> Kalaiyarasi Ganeshalingam
> Associate Software Engineer| WSO2
> WSO2 Inc : http://wso2.org
> 
> Tel:+94 076 6792895 <076%20679%202895>
> LinkedIn :www.linkedin.com/in/kalaiyarasiganeshalingam
> Blogs : https://kalaiyarasig.blogspot.com/ 
>
> On Fri, Dec 15, 2017 at 12:06 PM, Dimuthu Leelarathne 
> wrote:
>
>> Hi Kalai,
>>
>> Why can't we reuse the existing trust store from the DAS's carbon.xml,
>> without introducing a new one?
>>
>> thanks,
>> Dimuthu
>>
>> On Fri, Dec 15, 2017 at 11:59 AM, Kalaiyarasi Ganeshalingam <
>> kalaiyar...@wso2.com> wrote:
>>
>>> Hi Dimuthu,
>>>
>>> All are optional parameters. Yes, the user can simply proceed with a valid CA.
>>>
>>> Regards,
>>>
>>> Kalaiyarasi Ganeshalingam
>>> Associate Software Engineer| WSO2
>>> WSO2 Inc : http://wso2.org
>>> 
>>> Tel:+94 076 6792895 <076%20679%202895>
>>> LinkedIn :www.linkedin.com/in/kalaiyarasiganeshalingam
>>> Blogs : https://kalaiyarasig.blogspot.com/ 
>>>
>>> On Fri, Dec 15, 2017 at 11:24 AM, Dimuthu Leelarathne wrote:
>>>
>>>> Hi Kalai,
>>>>
>>>> Are these optional parameters or mandatory parameters? In other words,
>>>> if the MQTT client has a certificate signed by a valid CA, he/she can
>>>> simply proceed, isn't it?
>>>>
>>>> thanks,
>>>> Dimuthu
>>>>
>>>> On Thu, Dec 14, 2017 at 5:25 PM, Kalaiyarasi Ganeshalingam <
>>>> kalaiyar...@wso2.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> DAS already has an MQTT Receiver, but it is not enabled for secure MQTT
>>>>> communication. So, now I am going to work on this feature to enable secure
>>>>> MQTT. In the secure connection, the broker and the client talk over
>>>>> SSL. Here, SSL provides a secure communication channel between a client and
>>>>> a server. For this implementation, I am going to get the following
>>>>> optional parameters from the user:
>>>>> tlsTruststoreLocation : the trustStore file path.
>>>>> tlsTruststorePassword : the password of truststore.
>>>>> tlsTruststoreType : the trustStore type.
>>>>> tlsVersion : the standard name of the requested protocol.
>>>>>
>>>>> Please let me know if you have any suggestions on this.
>>>>>
>>>>> Regards,
>>>>> Kalaiyarasi Ganeshalingam
>>>>> Associate Software Engineer| WSO2
>>>>> WSO2 Inc : http://wso2.org
>>>>>
>>>>> Tel:+94 076 6792895
>>>>> LinkedIn :www.linkedin.com/in/kalaiyarasiganeshalingam
>>>>> Blogs : https://kalaiyarasig.blogspot.com/
>>>>>
>>>>
>>>>
>>>> --
>>>> Dimuthu Leelarathne
>>>> Director, Solutions Architecture
>>>>
>>>> WSO2, Inc. (http://wso2.com)
>>>> email: dimut...@wso2.com
>>>> Mobile: +94773661935
>>>> Blog: http://muthulee.blogspot.com
>>>>
>>>> Lean . Enterprise . Middleware
>>>>
>>>
>>>
>>
>>
>> --
>> Dimuthu Leelarathne
>> Director, Solutions Architecture
>>
>> WSO2, Inc. (http://wso2.com)
>> email: dimut...@wso2.com
>> Mobile: +94773661935 <+94%2077%20366%201935>
>> Blog: http://muthulee.blogspot.com
>>
>> Lean . Enterprise . Middleware
>>
>
>


-- 
Dimuthu Leelarathne
Director, Solutions Architecture

WSO2, Inc. (http://wso2.com)
email: dimut...@wso2.com
Mobile: +94773661935
Blog: http://muthulee.blogspot.com

Lean . Enterprise . Middleware


Re: [Architecture] Secure MQTT Receiver for DAS

2017-12-15 Thread Kalaiyarasi Ganeshalingam
Hi Dimuthu,

Yes, I'm going to use the existing trust store from the DAS's carbon.xml as
the default value.

Regards,

Kalaiyarasi Ganeshalingam
Associate Software Engineer| WSO2
WSO2 Inc : http://wso2.org

Tel:+94 076 6792895
LinkedIn :www.linkedin.com/in/kalaiyarasiganeshalingam
Blogs : https://kalaiyarasig.blogspot.com/ 

On Fri, Dec 15, 2017 at 12:06 PM, Dimuthu Leelarathne 
wrote:

> Hi Kalai,
>
> Why can't we reuse the existing trust store from the DAS's carbon.xml,
> without introducing a new one?
>
> thanks,
> Dimuthu
>
> On Fri, Dec 15, 2017 at 11:59 AM, Kalaiyarasi Ganeshalingam <
> kalaiyar...@wso2.com> wrote:
>
>> Hi Dimuthu,
>>
>> All are optional parameters. Yes, the user can simply proceed with a valid CA.
>>
>> Regards,
>>
>> Kalaiyarasi Ganeshalingam
>> Associate Software Engineer| WSO2
>> WSO2 Inc : http://wso2.org
>> 
>> Tel:+94 076 6792895 <076%20679%202895>
>> LinkedIn :www.linkedin.com/in/kalaiyarasiganeshalingam
>> Blogs : https://kalaiyarasig.blogspot.com/ 
>>
>> On Fri, Dec 15, 2017 at 11:24 AM, Dimuthu Leelarathne 
>> wrote:
>>
>>> Hi Kalai,
>>>
>>> Are these optional parameters or mandatory parameters? In other words,
>>> if the MQTT client has a certificate signed by a valid CA, he/she can
>>> simply proceed, isn't it?
>>>
>>> thanks,
>>> Dimuthu
>>>
>>> On Thu, Dec 14, 2017 at 5:25 PM, Kalaiyarasi Ganeshalingam <
>>> kalaiyar...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> DAS already has an MQTT Receiver, but it is not enabled for secure MQTT
>>>> communication. So, now I am going to work on this feature to enable secure
>>>> MQTT. In the secure connection, the broker and the client talk over
>>>> SSL. Here, SSL provides a secure communication channel between a client and
>>>> a server. For this implementation, I am going to get the following optional
>>>> parameters from the user:
>>>> tlsTruststoreLocation : the trustStore file path.
>>>> tlsTruststorePassword : the password of truststore.
>>>> tlsTruststoreType : the trustStore type.
>>>> tlsVersion : the standard name of the requested protocol.
>>>>
>>>> Please let me know if you have any suggestions on this.
>>>>
>>>> Regards,
>>>> Kalaiyarasi Ganeshalingam
>>>> Associate Software Engineer| WSO2
>>>> WSO2 Inc : http://wso2.org
>>>>
>>>> Tel:+94 076 6792895
>>>> LinkedIn :www.linkedin.com/in/kalaiyarasiganeshalingam
>>>> Blogs : https://kalaiyarasig.blogspot.com/
>>>>

>>>
>>>
>>>
>>> --
>>> Dimuthu Leelarathne
>>> Director, Solutions Architecture
>>>
>>> WSO2, Inc. (http://wso2.com)
>>> email: dimut...@wso2.com
>>> Mobile: +94773661935 <+94%2077%20366%201935>
>>> Blog: http://muthulee.blogspot.com
>>>
>>> Lean . Enterprise . Middleware
>>>
>>
>>
>
>
> --
> Dimuthu Leelarathne
> Director, Solutions Architecture
>
> WSO2, Inc. (http://wso2.com)
> email: dimut...@wso2.com
> Mobile: +94773661935 <+94%2077%20366%201935>
> Blog: http://muthulee.blogspot.com
>
> Lean . Enterprise . Middleware
>
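
The four optional parameters proposed in this thread, with the fall-back to the product-wide trust store that the reply describes, could be consumed as below. This is an added example, not code from DAS or from the thread's authors: the `MqttTlsConfig` class, the `serverDefaults` map standing in for the carbon.xml trust store settings, and the protocol allow-list are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Added example: TLS socket factory for an MQTT client built from the four optional parameters. */
public final class MqttTlsConfig {

    // Assumption: only these protocol names are accepted; SSLv3, TLSv1 and TLSv1.1 are refused.
    private static final Set<String> ALLOWED_VERSIONS =
            new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.3"));

    private MqttTlsConfig() { }

    /**
     * @param userParams     values set on the receiver; any of the four keys may be absent
     * @param serverDefaults hypothetical map holding the product-wide trust store settings
     */
    public static SSLSocketFactory socketFactory(Map<String, String> userParams,
                                                 Map<String, String> serverDefaults)
            throws IOException, GeneralSecurityException {
        String location = pick("tlsTruststoreLocation", userParams, serverDefaults);
        String password = pick("tlsTruststorePassword", userParams, serverDefaults);
        String type = pick("tlsTruststoreType", userParams, serverDefaults);
        String version = pick("tlsVersion", userParams, serverDefaults);

        // Fail closed on a weak or misspelled protocol name instead of negotiating it.
        if (!ALLOWED_VERSIONS.contains(version)) {
            throw new IllegalArgumentException("Refusing tlsVersion " + version);
        }

        // Load the trust store that holds the CA certificates the broker must chain to.
        KeyStore trustStore = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(location))) {
            trustStore.load(in, password.toCharArray());
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // No key managers: the client presents no certificate, it only verifies the broker's.
        SSLContext context = SSLContext.getInstance(version);
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }

    /** A user-supplied value wins; otherwise the server default is used; a missing key is an error. */
    private static String pick(String key, Map<String, String> user, Map<String, String> defaults) {
        String value = user.get(key);
        if (value == null || value.isEmpty()) {
            value = defaults.get(key);
        }
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException("Missing " + key);
        }
        return value;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the product trust store: the JDK's own cacerts file.
        Map<String, String> defaults = new HashMap<>();
        defaults.put("tlsTruststoreLocation",
                System.getProperty("java.home") + "/lib/security/cacerts");
        defaults.put("tlsTruststorePassword", "changeit");
        defaults.put("tlsTruststoreType", "JKS");
        defaults.put("tlsVersion", "TLSv1.2");

        Map<String, String> user = new HashMap<>();  // receiver sets nothing, defaults apply
        System.out.println("factory built: " + (socketFactory(user, defaults) != null));

        user.put("tlsVersion", "SSLv3");             // user override that the allow-list rejects
        try {
            socketFactory(user, defaults);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

A factory built this way validates the broker's certificate chain against the trust store but does not by itself check the broker's host name; that check has to be enabled in the MQTT client library that receives the factory.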


[Architecture] Gateway cache in APIM all in one active/active deployment without clustering

2017-12-15 Thread Susankha Nirmala
Hi All,

When we use the APIM all in one active/active deployment pattern, by default
gateway caching is enabled and clustering is disabled according to the
document [1]. Due to that, distributed caching is not used with this
deployment pattern. With this deployment pattern, if we revoke a token, it
will not be updated in both APIM nodes, and in one APIM node the same token
will be available as a valid token. Due to that, can we recommend this
deployment architecture pattern in production environments?

[1] -
https://docs.wso2.com/display/AM210/Configuring+an+Active-Active+Deployment

Thanks,
/Susankha.



-- 
Susankha Nirmala
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware

Mobile : +94 77 593 2146
blog : https://susankhanirmala.wordpress.com/


Re: [Architecture] WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

2017-12-15 Thread Hasanthi Purnima Dissanayake
Hi Youcef,

From WSO2 IS server and APIM we support the password grant as well. If you
can elaborate more on your use case, maybe I will be able to help you with
more details.

[1] https://docs.wso2.com/display/IS530/Try+Password+Grant
[2] https://docs.wso2.com/display/AM210/Password+Grant

Thanks,

On Thu, Dec 14, 2017 at 6:19 PM, Youcef HILEM 
wrote:

> Hi Hasanthi,
>
> Our third party OAuth2 server supports Authorization Code Grant and
> Password Grant.
>
> Authorization Code is very well explained (ex:
> http://nuwanzone.blogspot.fr/2015/10/getting-access-tokens-for-wso2-api.html).
>
> My question: Can we also use Password Grant?
>
> Thanks
> Youcef HILEM
>
>
>
> --
> Sent from: http://wso2-oxygen-tank.10903.n7.nabble.com/WSO2-Architecture-f62919.html
>



-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Architecture] [Dev] WSO2 Identity Server 5.4.0 Update1 Released !!!

2017-12-15 Thread Cyril Rognon
Hello

Thank you for the good work!
Is there any prepackaged version of this release to use it as km for apim
2.1.0?

Thanks
Cyril


On 14 Dec 2017 at 6:03 PM, "Maduranga Siriwardena" wrote:

The WSO2 Identity and Access Management team is pleased to announce the
release of WSO2 Identity Server 5.4.0 Update1.

You can build the distribution from the source tag,

Runtime: https://github.com/wso2/product-is/releases/tag/v5.4.0-update1
Analytics: https://github.com/wso2/analytics-is/releases/tag/v5.4.0-update1

following the steps given below.

*Building from the source*

   1. Install Java8 or above
   2. Install Apache Maven 3.x.x (https://maven.apache.org/download.cgi#)
   3. Get the source,
      - For the Runtime: Get a clone from
      https://github.com/wso2/product-is.git and checkout to v5.4.0-update1
      tag or you can directly download the source for the tag from
      https://github.com/wso2/product-is/releases/tag/v5.4.0-update1
      - For the Analytics: Get a clone from
      https://github.com/wso2/analytics-is.git and checkout to v5.4.0-update1
      tag or you can directly download the source for the tag from
      https://github.com/wso2/analytics-is/releases/tag/v5.4.0-update1
   4. Run one of the below maven commands from product-is directory,
      - *mvn clean install* (To build the binary and source distributions
      with the tests)
      - *mvn clean install -Dmaven.test.skip=true* (To build the binary
      and source distributions, without running any of the
      unit/integration tests)
   5. You can find the,
      - wso2is-5.4.0-update1.zip binary distribution in
      product-is/modules/distribution/target directory.
      - wso2is-analytics-5.4.0-update1.zip binary distribution in
      analytics-is/modules/distribution/target directory.

The following list contains all the features, improvements, and bug fixes
available with the WSO2 Identity Server 5.4.0 Update1 release.

Bug

   - [IDENTITY-7034] - Update the links to Docs to 5.4.0 and content in the
   pack
   - [IDENTITY-7149] - Cannot configure multiple URLs for callback URI

Improvement

   - [IDENTITY-7131] - Update/Remove inbuilt user guides in IS distribution


*Contribute to WSO2 Identity Server*

*Mailing Lists*

Join our mailing lists and correspond with the developers directly. We also
encourage you to take part in discussions related to the product in the
architecture mailing list. If you have any questions regarding the product
you can use our StackOverflow forum to raise them as well.

   - Developer List: d...@wso2.org
   - Architecture List: architecture@wso2.org
   - User Forum: StackOverflow
   

Reporting Issues
We encourage you to report issues, improvements, and feature requests
regarding WSO2 Identity Server through our public WSO2 IS GIT Issues.

~ The WSO2 Identity and Access Management Team ~

-- 
Maduranga Siriwardena
Senior Software Engineer
WSO2 Inc; http://wso2.com/

Email: madura...@wso2.com
Mobile: +94718990591 <+94%2071%20899%200591>
Blog: https://madurangasiriwardena.wordpress.com/


___
Dev mailing list
d...@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev