WSO2 IS and WSO2 AM in Practice


Installation

WSO2 IS installation

Change in 5.10.0: SCIM is already enabled by default, i.e. scim_enabled = true in the [user_store] configuration.

dpkg -i wso2is-linux-installer-x64-5.10.0.deb
After installation, change to /usr/lib/wso2/wso2is/5.10.0
Certificate configuration

cd repository/resources/security
mv wso2carbon.jks wso2carbon.jks.original
keytool -genkey -alias wso2carbon -keyalg RSA -keysize 2048 -keystore wso2carbon.jks -dname "CN=192.168.1.132, OU=Is,O=Wso2,L=SL,S=WS,C=LK" -storepass wso2carbon -keypass wso2carbon -ext SAN=dns:192.168.1.132,ip:192.168.1.132
keytool -export -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -rfc -file pubkey.pem
keytool -import -alias wso2 -file pubkey.pem -keystore client-truststore.jks -storepass wso2carbon -noprompt

Add component libraries

cd /usr/lib/wso2/wso2is/5.10.0
cp mysql-connector-java-8.0.18.jar repository/components/lib/

Create the database regdb and load the following scripts into it:

  • IS-HOME/dbscripts/identity/mysql.sql
  • IS-HOME/dbscripts/identity/uma/mysql.sql
  • IS-HOME/dbscripts/consent/mysql.sql
  • IS-HOME/dbscripts/mysql.sql

Back up repository/conf/deployment.toml
Configure repository/conf/deployment.toml

[server]
hostname = "192.168.1.132"

 

[user_store]
type = "database_unique_id"

[database.identity_db]
type = "mysql"
hostname = "localhost"
name = "regdb"
username = "root"
password = "root"
port = "3306"

[database.shared_db]
type = "mysql"
hostname = "localhost"
name = "regdb"
username = "root"
password = "root"
port = "3306"
 
[keystore.primary]
file_name = "wso2carbon.jks" 
password = "wso2carbon"
 
[oauth.token.validation]
include_validation_context_as_jwt_in_reponse = "true"
validation_response_signing_algorithm = "SHA256withRSA"
validation_response_jwt_validity = "15m"
  
[oauth.extensions]
token_context_generator = "org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator"
token_context_claim_retriever = "org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever"
token_context_dialect_uri = "http://wso2.org/claims"

[oauth.token_generation]
access_token_type = "self_contained"

#[[apim.gateway.environment]]
#name = "Production and Sandbox"
#type = "hybrid"
#description = "This is a hybrid gateway that handles both production and sandbox #token traffic."
#service_url = "https://192.168.1.132:9543/services/"
#username= "${admin.username}"
#password= "${admin.password}"

#[[apim.throttling.url_group]]
#traffic_manager_urls=["tcp://192.168.1.132:9611"]
#traffic_manager_auth_urls=["ssl://192.168.1.132:9711"]


WSO2 AM installation

Download the deb package from https://wso2.com/api-management/#
dpkg -i wso2am-linux-installer-x64-3.1.0.deb
After installation, change to /usr/lib/wso2/wso2am/3.1.0
Certificate configuration

cd repository/resources/security
mv wso2carbon.jks  wso2carbon.jks.original
cp /usr/lib/wso2/wso2is/5.10.0/repository/resources/security/wso2carbon.jks .
cp /usr/lib/wso2/wso2is/5.10.0/repository/resources/security/pubkey.pem .
keytool -import -alias wso2 -file pubkey.pem -keystore client-truststore.jks -storepass wso2carbon -noprompt

Add component libraries

cp mysql-connector-java-8.0.18.jar repository/components/lib/
cp entitlement-1.0-SNAPSHOT.jar repository/components/lib/

Create the database apim_db and load the following script into it:

  • API-M_HOME/dbscripts/apimgt/mysql.sql

Back up repository/conf/deployment.toml
Configure repository/conf/deployment.toml

[server]
hostname = "192.168.1.132"
offset = 10

[user_store]
type = "database_unique_id"

[database.apim_db]
type = "mysql"
url = "jdbc:mysql://localhost:3306/apim_db"
username = "root"
password = "root"
 
[database.shared_db]
type = "mysql"
url = "jdbc:mysql://localhost:3306/regdb"
username = "root"
password = "root"

 
[keystore.primary]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"

[keystore.tls]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"

[[apim.gateway.environment]]
name = "Production and Sandbox"
type = "hybrid"
display_in_api_console = true
description = "This is a hybrid gateway that handles both production and sandbox token traffic."
show_as_token_endpoint_url = true
service_url = "https://192.168.1.132:${mgt.transport.https.port}/services/"
username= "${admin.username}"
password= "${admin.password}"
ws_endpoint = "ws://192.168.1.132:9099"
wss_endpoint = "wss://192.168.1.132:8099"
http_endpoint = "http://192.168.1.132:${http.nio.port}"
https_endpoint = "https://192.168.1.132:${https.nio.port}"

[apim.devportal]
url = "https://192.168.1.132:${mgt.transport.https.port}/devportal"

#[apim.key_manager]
#service_url = "https://192.168.1.132:9443/services/"
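As an added pre-deployment check (not part of this walkthrough's or WSO2's own configuration), the following Python script reads the flat layout of the deployment.toml fragments above for both IS and AM and flags the stock credentials, MySQL root login and IP-literal hostname that appear in them; the minimal TOML reader and the sample config are constructed for this example.

```python
import re
# Added pre-deployment check (not WSO2 code): reads the flat [section] / key = value
# layout of the deployment.toml fragments above and flags risky settings.

def parse_deployment_toml(text):
    """Minimal reader for [table] and [[array]] headers plus key = value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        header = re.match(r"^\[\[?([^\]]+)\]\]?$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

# Stock WSO2 credentials and the MySQL root login; any of these is a finding.
STOCK_SECRETS = {"wso2carbon", "admin", "root"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
def audit_config(text):
    """Return human-readable findings for one deployment.toml text."""
    findings = []
    for section, kv in parse_deployment_toml(text).items():
        for key, value in kv.items():
            if "password" in key and value in STOCK_SECRETS:
                findings.append(f"{section}.{key}: stock password '{value}' still set")
            if key == "username" and value == "root" and section.startswith("database."):
                findings.append(f"{section}: connects as the MySQL root account")
            if key == "hostname" and IPV4.fullmatch(value):
                findings.append(f"{section}.hostname: IP literal, TLS cert needs an ip: SAN")
    return findings

# Constructed sample mirroring the IS fragment above; ${...} references are not secrets.
SAMPLE = """[server]
hostname = "192.168.1.132"
[database.identity_db]
username = "root"
password = "root"
[keystore.primary]
password = "wso2carbon"
[[apim.gateway.environment]]
password= "${admin.password}"
"""
```

Run it against the real repository/conf/deployment.toml of each product before starting the services; the ${admin.password} style references in the gateway table are resolved at runtime and are deliberately not reported.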

After starting the wso2am service, import EntitlementMediator.xml:
Open https://192.168.1.132:9443/carbon/resources/resource.jsp
Navigate to /_system/governance/apimgt/customsequences/in/
Choose Add Resource and select EntitlementMediator.xml, whose contents are:

<sequence xmlns="http://ws.apache.org/ns/synapse" name="EntitlementMediator">
   <entitlementService xmlns="http://ws.apache.org/ns/synapse" remoteServiceUrl="https://192.168.1.132:9443/services" remoteServiceUserName="admin" remoteServicePassword="admin" callbackClass="org.wso2.sample.handlers.entitlement.APIEntitlementCallbackHandler"/>
</sequence>

Start the services

systemctl start wso2is-5.10.0
systemctl start wso2am-3.1.0
View the log
tail -f repository/logs/wso2carbon.log

Debugging

Add the following to repository/conf/log4j2.properties

logger.apiEntitlementCallbackHandler.name = org.wso2.sample.handlers.entitlement.APIEntitlementCallbackHandler
logger.apiEntitlementCallbackHandler.level = ERROR
logger.apiEntitlementCallbackHandler.appenderRef.CARBON_LOGFILE.ref = CARBON_LOGFILE

logger.apiEntitlement.name = org.wso2.carbon.identity.entitlement.mediator.EntitlementMediator
logger.apiEntitlement.level = DEBUG
logger.apiEntitlement.appenderRef.CARBON_LOGFILE.ref = CARBON_LOGFILE
# Append these two names to the existing "loggers = ..." entry of log4j2.properties;
# a second loggers key would override the list and silence every other logger.
loggers = apiEntitlementCallbackHandler,apiEntitlement

Authentication of application access credentials

Because both IS and APIM issue OAuth2 tokens, a token issued by IS does not seem to be parsed correctly by APIM.
The initial idea was for APIM to call the IS authentication service, but there seems to be no example of APIM delegating every authentication request to such a call. After some research, the following options emerged:
Option 1: do not use IS as the Service Provider manager and authentication server; instead make APIM the SP manager and authentication server, with IS used only for PBAC authorization decisions and role management. In other words, APIM performs authentication itself.
Option 2: use IS for authentication and a JWT-format token as the access credential; see medium.com/wso2-learni… for details. This approach seems to require configuring a corresponding Identity Provider for each Application, and after obtaining the JWT you still have to exchange it with APIM for an access_token. That is, APIM does no authentication; authentication is completed by calling the IS service, and once it succeeds the client obtains an access token from APIM.
Option 3: use IS as the key manager, with APIM calling the services/APIKeyValidationService service on IS. This is the official configuration, but my setup did not work. Option 1 was adopted in the end.

Adding a Service Provider

  1. Enter the SP name
  2. Claim Configuration - Requested Claims: Add Claim URI, adding the required claims
  3. Inbound Authentication Configuration - select OAuth/OpenID Connect Configuration and fill in the Callback Url
  4. Local & Outbound Authentication Configuration - enable Skip Login Consent and Skip Logout Consent

Open https://192.168.1.132:9453/devportal/applications and add an application as prompted
Note

Example

Before running the example, copy wso2carbon.jks to PROJECT_HOME/sso-samples/pickup-dispatch/src/main/resources
