Re: [Dev] API 2.1.0 + Identity Server 5.3.0

2017-05-26 Thread Isura Karunaratne
Hi Javier,

We need additional information to analyze the issue. Attach the
wso2carbon.log file after enabling debug logs for the
org.wso2.carbon.user.core package as follows.

Add the following entry to the /repository/conf/log4j.properties file:

log4j.logger.org.wso2.carbon.user.core=DEBUG


Thanks
Isura.

On Fri, May 26, 2017 at 12:50 AM, Vazquez-Hidalgo, Javier <
javier.vazquez-hida...@tdsecurities.com> wrote:

> Hello,
>
> I’m trying to set up APIM 2.1.0 + Identity Server 5.3.0 on separate boxes.
> At this point I have all configurations in place with shared databases and
> I added a secondary User Store (Read-Only LDAP) on the Identity Server and
> I’m able to assign permissions, etc.
>
> The problem I’m having is that when I try to log in to the API Store using
> a user from the secondary user store I get the following error in the login
> screen:
>
> “Error! Login failed. Insufficient Privileges.”
>
> APIM Logs:
> ---
> [2017-05-25 14:49:52,812] ERROR - JDBCAuthorizationManager Error occurred while accessing Java Security Manager Privilege Block
> [2017-05-25 14:49:52,812] ERROR - APIStoreHostObject Login failed. Insufficient Privileges.
>
> IS Log:
> ---
> [2017-05-25 14:49:52,498]  INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  'DOMAIN/xxx@carbon.super [-1234]' logged in at [2017-05-25 14:49:52,497-0400]
>
> So, it seems that the user is authenticated but something is happening.
>
> Just to be clear, the user from the secondary user store has
> “Internal/subscriber” role which should be sufficient to log in.
>
> I also created a test user in the IS primary store and assigned
> “Internal/subscriber” role and that worked fine.
>
> Any help or pointers are appreciated.
>
> Thanks,
>
> Javier Vazquez
>
> ___
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 

*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/


Re: [Dev] SSO Configuration

2017-05-26 Thread Vazquez-Hidalgo, Javier
Hi Abimaran,

I am using the default keystore on both servers.

I don’t think I have enabled signature verification on IDP and SP. Do I have 
to? If so, how do I do it? Docs don’t seem to have that step.


Javier

From: Abimaran Kugathasan [mailto:abima...@wso2.com]
Sent: Friday, May 26, 2017 12:21 AM
To: Vazquez-Hidalgo, Javier
Cc: dev@wso2.org
Subject: Re: [Dev] SSO Configuration

Hi Javier,

Have you enabled signature verification in both IDP and SP? Also, are you using 
the default keystore in both servers?

On Fri, May 26, 2017 at 5:28 AM, Vazquez-Hidalgo, Javier 
<javier.vazquez-hida...@tdsecurities.com> wrote:
Hello,

I’m trying to configure APIM store/publisher/carbon sites to use SSO by 
following the steps provided at

https://docs.wso2.com/display/AM210/Configuring+API+Manager+for+SSO
https://docs.wso2.com/display/AM210/Configuring+Identity+Server+as+IDP+for+SSO

Identity Server is acting as the SSO IDP.

The problem is that I’m getting signature verification failed on all sites. I 
see the redirection happening and in the carbon site I get the login screen but 
it fails to authenticate the user.

Logs when trying to login to “carbon” site:
[2017-05-25 19:48:58,727] ERROR - SAML2SSOAuthenticator Authentication Request is rejected. Signature validation failed.
[2017-05-25 19:48:58,730]  WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'admin[-1234]' at [2017-05-25 19:48:58,730-0400]
[2017-05-25 19:48:58,734] ERROR - SAML2SSOUIAuthenticator Authentication failed.

Logs when trying to login to “publisher” site:
[2017-05-25 19:49:43,724] ERROR - jaggery_acs:jag SAML response signature is verification failed.



Any ideas?


Thanks,
Javier






--
Thanks
Abimaran Kugathasan
Senior Software Engineer - API Technologies

Email : abima...@wso2.com
Mobile : +94 773922820



Re: [Dev] SSO Configuration

2017-05-26 Thread Vazquez-Hidalgo, Javier
Hi Abimaran,

I was able to get SSO working. It turns out I didn’t have the default keystore; 
once I replaced it with the original one, things worked.

Thanks for your help.

Regards,
Javier



Re: [Dev] [IOTS] MQTTAdapterListener Failed to create an https connection after change the SSL certificate in wso2carbon.jks in IOTS alpha version

2017-05-26 Thread Ayyoob Hamza
Hi Jason,

It seems like there is a configuration issue. Could you please make sure to
follow the steps below to ensure the configs are in order.

Once you create the new keys you can follow [1] to configure it. If you
have created a new hostname in the process of generating the new keys then
you might need to follow [2] as well.

In addition to the above, if you have changed the IP and the keys then you
might need to check the below configs as well.

1) If you have changed the alias of the default cert from wso2carbon then
make sure to enter the new values to the files listed in [1]. In addition,
make sure to change the "wso2carbon" alias to the new alias in the below
files.

core/repository/deployment/server/jaggeryapps/portal/configs/designer.json (identityAlias)
core/repository/deployment/server/jaggeryapps/devicemgt/app/conf/app-conf.json (identityAlias)
core/repository/conf/etc/webapp-authenticator-config.xml (there would be 3 entries)

2) WSO2 IoT Server uses JWT tokens for server-to-server communication.
If you have changed the cert then would it be possible to update the
identity provider (IDP) with the new cert? Please follow the steps below to
update the IDP.

2.1) export the public cert to pem format (if it is not already in the pem
format)

openssl x509 -inform DER -outform PEM -in mycert.cert -out server.crt.pem

2.2) Open server.crt.pem and copy the content between BEGIN CERTIFICATE and
END CERTIFICATE and replace the  element in the file based
IDP, which can be found in
"core/repository/conf/identity/identity-providers/iot_default.xml"

3) Replace localhost in the below entries in core/bin/wso2server.sh

-Diot.keymanager.host="wso2.exterminator.com" \

-Diot.gateway.host="wso2.exterminator.com" \

-Diot.core.host="wso2.exterminator.com" \

4) Set "true" to "EnabledUpdateApi"  in the file -
"core/repository/conf/etc/webapp-publisher-config.xml". This will republish
all the APIs with the new host.

5) In "core/repository/deployment/server/jaggeryapps/portal/configs/designer.json",
replace localhost with wso2.prokino.nl in the below JSON entry.

"host": {
    "hostname": "wso2.prokino.nl",
    "port": "",
    "protocol": ""
}

[1] https://docs.wso2.com/display/IoTS300/Configuring+Keystores+in+WSO2+Products

[2] https://docs.wso2.com/display/IoTS300/Configuring+WSO2+IoT+Server+with+the+IP

*Ayyoob Hamza*
*Senior Software Engineer*
WSO2 Inc.; http://wso2.com
email: ayy...@wso2.com cell: +94 77 1681010
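
Steps 2.1 and 2.2 above, like the keystore mismatch behind the earlier "Signature validation failed" errors, come down to whether both sides hold the same certificate. The following is an added example, not part of the original thread or WSO2 code: it extracts the Base64 body that step 2.2 copies out of the PEM file and compares SHA-256 fingerprints against a configured value. The function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_body(pem_text):
    """Return the Base64 between the BEGIN/END CERTIFICATE markers as one line."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found (is the file still DER?)")
    body = "".join(match.group(1).split())  # drops line wraps, CRLF, indentation
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid Base64") from exc
    return body


def fingerprint(body):
    """SHA-256 of the DER bytes as colon-separated upper-case hex,
    the layout used by keytool -list -v and openssl x509 -fingerprint."""
    der = base64.b64decode("".join(body.split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(pem_text, configured_body):
    """True when the value pasted into the IDP config is the exported cert."""
    return fingerprint(pem_body(pem_text)) == fingerprint(configured_body)


def make_pem(der):
    """Wrap DER bytes as PEM, 64 columns per line, CRLF line endings."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


# Constructed stand-ins for DER bytes; these are not real certificates.
NEW_CERT = make_pem(bytes(range(200)))
OLD_CERT = make_pem(bytes(range(1, 201)))

if __name__ == "__main__":
    pasted = "  " + pem_body(NEW_CERT) + "\n"  # as copied into the IDP file
    print("new cert configured:  ", same_certificate(NEW_CERT, pasted))
    print("stale cert configured:", same_certificate(OLD_CERT, pasted))
    print("fingerprint:", fingerprint(pasted))
```

With real files, pass the text of server.crt.pem and the value currently in the IDP file; a False result means signature checks will fail until the IDP entry is updated.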


[Dev] [MQTT][IOT] MQTT over web sockets for browser device communication

2017-05-26 Thread Waruna Jayaweera
Hi team,
I am working on implementing a simple chat app for device and browser over MQTT.
JavaScript MQTT clients require support for MQTT over WebSockets to
directly access the MQTT broker, e.g. ws://broker.host:8000/mqtt. I could find
a similar JIRA at [1].
Is this supported in the latest andes component?

[1] https://wso2.org/jira/browse/MB-1688

Thanks,
Waruna


-- 
Regards,

Waruna Lakshitha Jayaweera
Senior Software Engineer
WSO2 Inc; http://wso2.com
phone: +94713255198
http://waruapz.blogspot.com/