Tuesday, April 25, 2017

Enabling SSL Tunneling through a Squid Proxy Server

This post describes how we can proxy outgoing requests from WSO2 ESB through a Squid Proxy Server. For more information on the scenario, you can refer to the WSO2 ESB documentation.

Step 1 - Setting up Squid Proxy Server

To set up a Squid Proxy Server locally, you can follow the instructions available here.

Step 2 - Configuring Squid Proxy Server - updating the squid.conf file

Add the following line under the acl section

acl squid.proxy.server src appserver.wso2.com


The following should be added before the http_access TAG

http_access allow squid.proxy.server


Note: We will be referring to this proxy server instance by the name squid.proxy.server. Hence, you need to add this entry to the /etc/hosts file which resides in your local instance as well as to the instance where the Squid server is running.

Add the following port information before the https_port TAG section

http_port 8888


Once the above is added to the squid.conf file, restart the Squid server

sudo service squid3 restart
 
Step 3 - Enabling the proxy configuration in WSO2 ESB

To do this, add the below configuration to the axis2.xml file under the PassThroughHttpSender and PassThroughHttpSSLSender configurations.

<parameter name="http.proxyHost" locked="false">squid.proxy.server</parameter>
<parameter name="http.proxyPort" locked="false">8888</parameter>
 
Step 4 - Creating a Proxy Service

Once the above configurations are done and the WSO2 ESB server is restarted, you can create a simple Passthrough Proxy service to test the scenario.
Note that the endpoint is a backend that I refer to by the hostname appserver.wso2.com. This is the hostname which we added to the squid.conf file above under the acl section.

<proxy name="SSLTunnelingProxy"
       transports="https http"
       startOnLoad="true"
       trace="disable">
   <description/>
   <target>
      <inSequence>
         <send>
            <endpoint>
               <address uri="https://appserver.wso2.com/services/SimpleStockQuoteService"/>
            </endpoint>
         </send>
      </inSequence>
      <outSequence>
         <send/>
      </outSequence>
   </target>
</proxy>


Step 5 - Invoking the Proxy Service

Use any client you prefer to test the scenario. If the message is sent through the proxy server, you should see log entries like the ones below in the /var/logs/squid/access.log file.

1493112155.126  49234 127.0.0.1 TCP_MISS/200 2335 CONNECT appserver.wso2.com:443 - HIER_DIRECT/192.168.53.176 -
1493112888.241      0 10.100.7.144 TCP_DENIED_REPLY/403 3429 CONNECT appserver.wso2.com:443 - HIER_NONE/- text/html
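
A small parser for the access.log entries above, added here as an example (it is not part of the original post): it separates the CONNECT tunnels Squid opened from the ones it refused and shows which client address was blocked. The function names are assumptions, and the sample input is the two log lines quoted above.

```python
from collections import namedtuple

# Constructed input: the two access.log lines quoted in the post (Squid native format).
SAMPLE_LOG = """\
1493112155.126  49234 127.0.0.1 TCP_MISS/200 2335 CONNECT appserver.wso2.com:443 - HIER_DIRECT/192.168.53.176 -
1493112888.241      0 10.100.7.144 TCP_DENIED_REPLY/403 3429 CONNECT appserver.wso2.com:443 - HIER_NONE/- text/html
"""

Entry = namedtuple("Entry", "ts elapsed_ms client result status method target peer")


def parse_line(line):
    """Parse one native-format access.log line; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 10:
        return None
    ts, elapsed, client, code, _size, method, target, _user, hier, _ctype = parts
    result, _, status = code.partition("/")
    try:
        return Entry(float(ts), int(elapsed), client, result, int(status),
                     method, target, hier.partition("/")[2])
    except ValueError:
        return None


def tunnel_report(log_text):
    """Split CONNECT requests into tunnels Squid opened and tunnels it refused."""
    report = {"established": [], "denied": [], "skipped": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            report["skipped"] += 1
            continue
        if entry.method != "CONNECT":
            continue  # plain HTTP request, not an SSL tunnel
        if entry.result.startswith("TCP_DENIED"):
            # Squid refused the request; the client address shows who was blocked.
            report["denied"].append((entry.client, entry.target, entry.status))
        elif entry.status == 200:
            # 200 on CONNECT means the tunnel to the origin (peer) was opened.
            report["established"].append((entry.client, entry.target, entry.peer))
    return report


if __name__ == "__main__":
    for kind, rows in tunnel_report(SAMPLE_LOG).items():
        print(kind, rows)
```

A denied entry for the ESB host's address means the request did not pass the http_access rules in squid.conf.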


Reason for "PasswordInvalidAsk Password Feature is disabled" error when adding through RemoteUserStoreManager

When trying to add users from RemoteUserStoreManager it returned the following SOAP fault.


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <soapenv:Fault>
            <faultcode>soapenv:Server</faultcode>
            <faultstring>PasswordInvalidAsk Password Feature is disabled</faultstring>
            <detail/>
        </soapenv:Fault>
    </soapenv:Body>
</soapenv:Envelope>


The reason for this issue is that I have forgotten to add the element in the SOAP message.  Once this element was added, I was able to successfully create the user.

Wednesday, March 29, 2017

Why doesn't my WSO2 server restart as expected when the Windows instance restarts when WSO2 server is installed as a service

When the Startup Type of a Carbon server that is configured as a Windows service is set to Manual and when the instance that the WSO2 server is running on restarts, the WSO2 Server will not get restarted along with it.

For the WSO2 server to be restarted when the Windows instance restarts, you need to set Startup Type to Automatic instead as shown below. See attachment below.






To change this setting, go to Control Panel\All Control Panel Items\Administrative Tools\Services and change the type from Manual to Automatic.

Saturday, December 10, 2016

How to configure Elasticsearch, Filebeat and Kibana to view WSO2 Carbon logs

This blog will explain the most basic steps one should follow to configure Elasticsearch, Filebeat and Kibana to view WSO2 product logs.

Pre-requisites

I have written this document assuming that we are using the below product versions.

Download the below versions of Elasticsearch, filebeat and Kibana.
Elasticsearch - 5.1.1
Filebeat - 5.1.1
Kibana - 5.1.1

How to configure Filebeat

1. Download Filebeat to the server where your Carbon product is running.
2. You can install it using any of the methods mentioned at [1].
3. Then, open up the filebeat.yml file and change the file path mentioned under filebeat.prospectors.

filebeat.prospectors:
- input_type: log
  paths:
    - /home/ubuntu/wso2esb-4.9.0/repository/logs/wso2carbon.log


4. Configure the output.elasticsearch and point to the server where you are running Elasticsearch.

output.elasticsearch:
  hosts: ["192.168.52.99:9200"]
 
5. If you are using a template other than the one used by default, you can change the configuration as below.

output.elasticsearch:
  hosts: ["192.168.52.99:9200"]
  template.name: "filebeat"
  template.path: "filebeat.template-es2x.json"
  template.overwrite: false 



6. Once the above configurations are done, start your Filebeat server using the options given at [2].



Configuring ElasticSearch

1. For better performance, it is recommended to run Elasticsearch on JDK 1.8. Hence, as the first step, make sure you install JDK 1.8.0 on your machine before continuing with the rest of the steps mentioned here.

2. Install Elasticsearch using the below command

sudo dpkg -i elasticsearch-5.1.1.deb


3. For the most basic scenario, you only need to configure the host by specifying the IP of the node that Elasticsearch is running on.

network.host: 192.168.52.99

4. Now start the ElasticSearch server.

sudo service elasticsearch start

Viewing the logs from Kibana

1. Extract Kibana to a preferred location.

2. Open the kibana.yml file and point to your Elasticsearch server.

elasticsearch.url: "http://192.168.52.99:9200"

3. Access the Kibana server from the URL http://localhost:5601 and you can view the WSO2 carbon logs.



[1] - https://www.elastic.co/guide/en/beats/filebeat/5.x/filebeat-installation.html
[2] - https://www.elastic.co/guide/en/beats/filebeat/5.x/filebeat-starting.html

Tuesday, December 6, 2016

How to access an ActiveMQ queue from WSO2 ESB which is secured with a username/password

By default, a queue in ActiveMQ can be accessed without providing any credentials. However, in real world scenarios, you will have to deal with secured queues. So in this blog, I will explain how we can enable security for ActiveMQ and what configurations are required to be done in WSO2 ESB.

Prerequisites - Enable the JMS transport for WSO2 ESB as explained in [1].

Step 1 - Secure the ActiveMQ instance with credentials.

To do this, add the below configuration to the activemq.xml under the <broker> tag and start the server.

<plugins>
    <simpleAuthenticationPlugin anonymousAccessAllowed="true">
        <users>
            <authenticationUser username="system" password="system" groups="users,admins"/>
            <authenticationUser username="admin" password="admin" groups="users,admins"/>
            <authenticationUser username="user" password="user" groups="users"/>
            <authenticationUser username="guest" password="guest" groups="guests"/>
        </users>
    </simpleAuthenticationPlugin>
</plugins>
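
A check of the plugin block above, as an added example (not from the original post or from ActiveMQ itself): with anonymousAccessAllowed="true" the broker still accepts connections that present no credentials, and every sample account uses its username as its password. The TIGHTENED variant, its account names and its placeholder passwords are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: AS_POSTED is the block from Step 1; TIGHTENED is a hypothetical
# variant with anonymous access off and placeholder secrets (not values from the post).
AS_POSTED = """<plugins>
  <simpleAuthenticationPlugin anonymousAccessAllowed="true">
    <users>
      <authenticationUser username="system" password="system" groups="users,admins"/>
      <authenticationUser username="admin" password="admin" groups="users,admins"/>
      <authenticationUser username="user" password="user" groups="users"/>
      <authenticationUser username="guest" password="guest" groups="guests"/>
    </users>
  </simpleAuthenticationPlugin>
</plugins>"""

TIGHTENED = """<plugins>
  <simpleAuthenticationPlugin anonymousAccessAllowed="false">
    <users>
      <authenticationUser username="esb" password="REPLACE_WITH_GENERATED_SECRET_1" groups="users"/>
      <authenticationUser username="ops" password="REPLACE_WITH_GENERATED_SECRET_2" groups="users,admins"/>
    </users>
  </simpleAuthenticationPlugin>
</plugins>"""


def audit_simple_auth(xml_text):
    """Return findings for simpleAuthenticationPlugin settings in an XML fragment or file."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the namespace used in a full activemq.xml
        if tag == "simpleAuthenticationPlugin":
            # The attribute defaults to false when it is absent.
            if el.get("anonymousAccessAllowed", "false").lower() == "true":
                findings.append("anonymousAccessAllowed=true: connections without credentials are accepted")
        elif tag == "authenticationUser":
            name, password = el.get("username", ""), el.get("password", "")
            if not password:
                findings.append(f"user '{name}': empty password")
            elif password.lower() == name.lower():
                findings.append(f"user '{name}': password equals username")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("tightened", TIGHTENED)):
        print(label, audit_simple_auth(cfg) or "no findings")
```

If the broker credentials are changed, the transport.jms.UserName and transport.jms.Password values in the JMS listener configuration of Step 2 have to be changed to match.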


Step 2 - Enable the JMS Listener configuration and configure it as shown below.

    <!--Uncomment this and configure as appropriate for JMS transport support, after setting up your JMS environment (e.g. ActiveMQ)-->
    <transportReceiver name="jms" class="org.apache.axis2.transport.jms.JMSListener">
        <parameter name="myTopicConnectionFactory" locked="false">
                <parameter name="java.naming.factory.initial" locked="false">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
                <parameter name="java.naming.provider.url" locked="false">tcp://localhost:61616</parameter>
                <parameter name="java.naming.security.principal" locked="false">admin</parameter>
                <parameter name="java.naming.security.credentials" locked="false">admin</parameter>
                <parameter locked="false" name="transport.jms.UserName">admin</parameter>
                <parameter locked="false" name="transport.jms.Password">admin</parameter>
                <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">TopicConnectionFactory</parameter>
                <parameter name="transport.jms.ConnectionFactoryType" locked="false">topic</parameter>
        </parameter>

        <parameter name="myQueueConnectionFactory" locked="false">
                <parameter name="java.naming.factory.initial" locked="false">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
                <parameter name="java.naming.provider.url" locked="false">tcp://localhost:61616</parameter>
                <parameter name="java.naming.security.principal" locked="false">admin</parameter>
                <parameter name="java.naming.security.credentials" locked="false">admin</parameter>
                <parameter locked="false" name="transport.jms.UserName">admin</parameter>
                <parameter locked="false" name="transport.jms.Password">admin</parameter>
                <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">QueueConnectionFactory</parameter>
                <parameter name="transport.jms.ConnectionFactoryType" locked="false">queue</parameter>
        </parameter>

        <parameter name="default" locked="false">
                <parameter name="java.naming.factory.initial" locked="false">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
                <parameter name="java.naming.provider.url" locked="false">tcp://localhost:61616</parameter>
                <parameter name="java.naming.security.principal" locked="false">admin</parameter>
                <parameter name="java.naming.security.credentials" locked="false">admin</parameter>
                <parameter locked="false" name="transport.jms.UserName">admin</parameter>
                <parameter locked="false" name="transport.jms.Password">admin</parameter>
                <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">QueueConnectionFactory</parameter>
                <parameter name="transport.jms.ConnectionFactoryType" locked="false">queue</parameter>
        </parameter>
    </transportReceiver>


Step 3 - Create a Proxy service to listen to a JMS queue in ActiveMQ.

Once the ESB server is started, create the below Proxy service and let it listen to the queue generated in ActiveMQ.


   <proxy name="StockQuoteProxy1" transports="jms" startOnLoad="true">
      <target>
         <endpoint>
            <address uri="http://localhost:9000/services/SimpleStockQuoteService"/>
         </endpoint>
         <inSequence>
            <property name="OUT_ONLY" value="true"/>
         </inSequence>
         <outSequence>
            <send/>
         </outSequence>
      </target>
      <publishWSDL uri="file:repository/samples/resources/proxy/sample_proxy_1.wsdl"/>
      <parameter name="transport.jms.ContentType">
         <rules>
            <jmsProperty>contentType</jmsProperty>
            <default>application/xml</default>
         </rules>
      </parameter>
   </proxy>

Once the above proxy service is deployed, send a request to the queue and observe how the message is processed and sent to the backend. You can use the sample available in [2] to test this scenario out.

[1] - https://docs.wso2.com/display/ESB490/Configure+with+ActiveMQ
[2] - https://docs.wso2.com/display/ESB490/Sample+250%3A+Introduction+to+Switching+Transports

Friday, November 25, 2016

Disabling API Console/Swagger tools menu available from store console for anonymous/logged in users

If you need to disable the API Console/Swagger from the Store UI for anonymous users/logged in users, you can try out the below methods.

There is no straightforward configuration readily available with API Manager to do this. However, by doing a minor config change, this is possible. What you actually need to do is change the code of the block.jag which resides under wso2am-1.8.0/repository/deployment/server/jaggeryapps/store/site/blocks/api/api-info folder.

Method 1

Assuming you want the API Console (RESTClient) to be disabled for anonymous users only, this can be done by changing/adding the below lines of code in block.jag.

Step 1
Change the below line of code from

var showConsole=true;
to

var showConsole=false;

Step 2
Then add the below lines of code right after the line var showConsole=false;

// Show the console again only when a user is logged in
if (user) {
    showConsole = true;
}

Method 2

If you need this feature to be completely invisible for anonymous and logged in users, all you have to do is change the below code.
Change the parameter from

var showConsole=true;
to

var showConsole=false;

Once the above changes are done, restart the API Manager server and you will notice that the RESTClient tool is visible only to logged in users (Method 1) or not visible to anyone at all (Method 2).

Wednesday, November 9, 2016

How to create custom references(usedBy, ownedBy, etc) that can be used to associate artifacts in WSO2 Governance Registry 5.3.0 onward

This support is available from G-Reg 5.3.0 onward. For more information, refer to [1].

1. Added a new rxt with the below config.

<artifactType hasNamespace="true" iconSet="10" pluralLabel="Tests" shortName="tests"
singularLabel="Test" type="application/vnd.wso2-tests+xml">
        <storagePath>/tests/@{details_name}</storagePath>
        <nameAttribute>details_name</nameAttribute>
        <namespaceAttribute>details_address</namespaceAttribute>
        <ui>
            <list>
                <column name="Name">
                    <data href="@{storagePath}" type="path" value="details_name"/>
                </column>
            </list>
        </ui>
        <content>
            <table name="Details">
                <field required="true" type="text">
                    <name>Name</name>
                </field>
                <field required="true" type="text">
                    <name>Address</name>
                </field>
                <field required="true" type="text">
                    <name>ContactNumber1</name>
                </field>
                <field required="true" type="text">
                    <name>ContactNumber2</name>
                </field>
            </table>
        </content>
    </artifactType>
    
2. From the publisher, added a new artifact of type tests (I've added a test artifact by the name Test3)
3. Added the below config to the <G-REG_HOME>/repository/conf/governance.xml file:
<tests reverseAssociation ="tests" iconClass="fw-globe">tests</tests>
so that the <Association type="soapservice"> looks like what's given below.

        <Association type="soapservice">
            <security reverseAssociation ="secures" iconClass="fw-security">policy</security>
            <ownedBy reverseAssociation ="owns" iconClass="fw-user">soapservice,restservice,wsdl</ownedBy>
            <usedBy reverseAssociation ="depends" iconClass="fw-globe">soapservice,restservice,wsdl</usedBy>
            <depends reverseAssociation ="usedBy" iconClass="fw-store">soapservice,restservice,wsdl,endpoint</depends>
            <contacts reverseAssociation ="refers" iconClass="fw-globe">contacts</contacts>
            <tests reverseAssociation ="tests" iconClass="fw-globe">tests</tests>
        </Association>


4. From the publisher, try to select the added test type artifact for your SOAP service. I typed in the name Test3 and it was listed, so that it could be selected and added as an association for the SOAP service.


Note that, as mentioned in our documentation, when doing the above you need to add the values you defined as the short name in the RXT file of the artifact within the <Association type> element, to define the association types enabled for that particular asset type.

[1] - https://docs.wso2.com/display/Governance520/Adding+Associations+for+an+Asset