This section describes how to install and configure WSO2 Identity Server.
http://wso2.com/products/identity-server
The WSO2 Identity Server binary is packaged as a .zip file (wso2is-4.1.0.zip).
Note: By default, WSO2 Identity Server uses port 9999 for the JMXServerManager. This conflicts with the default console port used by the iSM base configuration. As a quick workaround, start iSM before WSO2 Identity Server; WSO2 Identity Server then starts without JMX. For a permanent solution, either change the console port of the iSM base configuration or change the RMIRegistryPort setting in the carbon.xml file, which is located in the <WSO2_Home>\repository\conf directory. For example:
<RMIRegistryPort>9999</RMIRegistryPort>
The WSO2 Identity Server management console is available at the following URL:
https://localhost:9443/carbon/
Note: The browser will display a warning that the certificate is not valid. You can ignore this message and continue. In addition, the menu might not render correctly in Microsoft Internet Explorer Version 10; it displays better in Google Chrome.
The Secure Sockets Layer (SSL) certificate of WSO2 Identity Server is stored in the KeyStore defined by the <KeyStore> entry in the carbon.xml file, which is located in the <WSO2_Home>\repository\conf directory. For example:
<KeyStore>
    <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
    <Type>JKS</Type>
    <Password>wso2carbon</Password>
    <KeyAlias>wso2carbon</KeyAlias>
    <KeyPassword>wso2carbon</KeyPassword>
</KeyStore>
The default WSO2 SSL certificate is self-signed. Since it is not issued by a Certificate Authority (CA), the certificate itself must be present in your TrustStore for it to validate. This is why the browser warns when you access the console: the self-signed certificate is not in the browser's trust store.
For a quick test, you can use the wso2carbon.jks KeyStore itself as a TrustStore. However, a better approach would be to extract the certificate by using the following command:
keytool -exportcert -alias wso2carbon -file wso2carbon.cert -keystore wso2carbon.jks -storetype JKS -storepass wso2carbon
Then import the certificate into a new KeyStore or an existing TrustStore by using the following command:
keytool -importcert -trustcacerts -alias wso2carbon -file wso2carbon.cert -keystore wso2ts.jks -storetype JKS -storepass wso2password
This is the technique that was used to produce the wso2ts.jks KeyStore. For example:
iwcore/test/data/providers/keystores/wso2ts.jks
The best solution is to create a real SSL server certificate for WSO2 Identity Server and configure it in the carbon.xml file. Then you would put the CA of that certificate in your TrustStore. This is only required for production environments.
To view the WSDL files of web services implemented in WSO2 Identity Server, you must first instruct the server to unhide these files by setting the following entry in the carbon.xml file:
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
The description of the web services called by iSM can be viewed using the following URLs:
https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
https://localhost:9443/services/EntitlementService?wsdl
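The following Python script is an added example (it is not part of the original page and not iWay or WSO2 code) that ties the TrustStore procedure above to the WSDL URLs just listed: it loads the wso2carbon.cert file exported by the keytool command earlier and fetches the RemoteUserStoreManagerService WSDL with certificate and host-name verification left on, rather than disabling verification to get past the self-signed certificate. It assumes the certificate file is DER-encoded (keytool's default without -rfc), that the server listens on https://localhost:9443 with the default certificate whose subject is localhost, and that the WSDLs have been unhidden. The fingerprint helper is there so the value can be compared against keytool -list -v or the browser's certificate viewer before trusting the file.

```python
import hashlib
import ssl
import urllib.request
from pathlib import Path

# Assumptions (not taken from the original page beyond the defaults it quotes):
#  - wso2carbon.cert was produced by the keytool -exportcert command shown
#    earlier; without -rfc, keytool writes DER, not PEM.
#  - the server listens on https://localhost:9443 with the default certificate,
#    whose subject is "localhost", so the URL host must be "localhost".
CERT_FILE = "wso2carbon.cert"
WSDL_URL = "https://localhost:9443/services/RemoteUserStoreManagerService?wsdl"


def der_to_pem(der_bytes: bytes) -> str:
    """Wrap DER certificate bytes in the PEM armour Python's ssl module expects."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint in keytool's AA:BB:... style, for comparing with
    'keytool -list -v -keystore wso2carbon.jks' or the browser's certificate view."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def trust_context(cert_file: str = CERT_FILE) -> ssl.SSLContext:
    """Client context that trusts only the exported WSO2 certificate.

    PROTOCOL_TLS_CLIENT keeps verify_mode=CERT_REQUIRED and check_hostname=True,
    so a swapped certificate or a wrong host name fails the handshake instead of
    being silently accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=der_to_pem(Path(cert_file).read_bytes()))
    return ctx


def fetch_wsdl(url: str = WSDL_URL, cert_file: str = CERT_FILE) -> str:
    """GET the WSDL over TLS; raises ssl.SSLCertVerificationError on a mismatch."""
    with urllib.request.urlopen(url, context=trust_context(cert_file), timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    der = Path(CERT_FILE).read_bytes()
    print("trusting certificate with SHA-256 fingerprint", fingerprint(der))
    try:
        wsdl = fetch_wsdl()
        print(f"fetched {len(wsdl)} bytes of WSDL from {WSDL_URL}")
    except ssl.SSLCertVerificationError as exc:
        # The server presented a certificate other than the one exported: either
        # the <KeyStore> entry in carbon.xml now points at a different KeyStore,
        # or the URL host name does not match the certificate subject.
        print("certificate verification failed:", exc)
```

Run it from the directory containing wso2carbon.cert. If you later replace the self-signed certificate with a CA-issued one, as the production recommendation above suggests, swap the cadata for the CA's certificate; the rest of the script stays the same.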
To debug WSO2 Identity Server, you must enable log4j debugging by using one of the following options:
Note: Modifying these logging settings using the WSO2 Identity Server console saves the settings in the repository, but not in the log4j.properties file. The repository overrides what is defined in the log4j.properties file.
If you use WSO2 Identity Server only to authorize access with XACML, then there is no need to create users and roles. You can proceed directly to Configuring XACML Policies.
If you use WSO2 Identity Server only to authenticate users, then there is no need to create XACML policies.
To create an XACML policy from scratch, use the simple editor or the advanced editor.
There are two policy files that can be imported for testing:
components\iwcore\test\data\providers\xacml\policy1.txt
components\iwcore\test\data\providers\xacml\policy2.txt
WSO2 Identity Server Version 4.1.0 accepts the XACML Version 3 schema. You will receive an error if you try to import a policy written for the XACML Version 2 schema. Ensure that you have the correct version if you experiment with a sample policy you found on the web.
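Because the importer rejects XACML 2.0 policies, it is worth checking a policy file's schema version before uploading it. The following script is an added example (not part of the original page and not the project's own code) that identifies the schema generation from the root element's namespace and lists each rule's effect so a downloaded sample can be reviewed before it goes live. The two embedded policies are constructed for illustration; they are not policy1.txt or policy2.txt, and check_policy_file is the helper you would point at those paths.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespaces that identify the two schema generations. Balana in Identity
# Server 4.1.0 accepts the 3.0 schema only.
XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XACML2_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"


def _split_tag(tag: str):
    """ElementTree spells namespaced tags as '{namespace}local'."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def xacml_version(policy_xml: str) -> str:
    """Return '3.0' or '2.0' based on the root element's namespace."""
    ns, local = _split_tag(ET.fromstring(policy_xml).tag)
    if local not in ("Policy", "PolicySet"):
        raise ValueError(f"root element is {local!r}, expected Policy or PolicySet")
    if ns == XACML3_NS:
        return "3.0"
    if ns == XACML2_NS:
        return "2.0"
    raise ValueError(f"unrecognised XACML namespace {ns!r}")


def summarize_rules(policy_xml: str) -> list:
    """List (RuleId, Effect) pairs so the policy's permits and denies can be
    reviewed before import."""
    root = ET.fromstring(policy_xml)
    ns, _ = _split_tag(root.tag)
    return [(r.get("RuleId", ""), r.get("Effect", ""))
            for r in root.iter(f"{{{ns}}}Rule")]


def check_policy_file(path: str):
    """Validate a policy file (for example policy1.txt) before importing it."""
    xml_text = Path(path).read_text(encoding="utf-8")
    version = xacml_version(xml_text)
    if version != "3.0":
        raise ValueError(f"{path}: XACML {version} policy; Identity Server 4.1.0 needs 3.0")
    return version, summarize_rules(xml_text)


# Constructed samples for illustration only; they are not policy1.txt/policy2.txt.
POLICY_V3 = """<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="sample-v3" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="permit-admins" Effect="Permit"><Target/></Rule>
  <Rule RuleId="deny-everyone-else" Effect="Deny"/>
</Policy>"""

POLICY_V2 = """<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="sample-v2"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="permit-all" Effect="Permit"/>
</Policy>"""

if __name__ == "__main__":
    for name, text in (("v3", POLICY_V3), ("v2", POLICY_V2)):
        print(name, xacml_version(text), summarize_rules(text))
```

The namespace check is deliberately strict: a policy whose root is neither Policy nor PolicySet, or whose namespace is neither generation, is rejected rather than guessed at, which is the same fail-closed behaviour you want from the importer itself.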
The XACML engine inside WSO2 Identity Server is called Balana.
To debug an XACML policy, you must enable log4j debugging by using one of the following options:
Turn on the TRACE level for loggers whose names contain the word entitlement and/or the word balana.
iWay Software