Setting up PolicySets for Username token Authentication in WMB - ws-security

As per http://www.ibm.com/developerworks/websphere/library/techarticles/1008_fan/1008_fan.html I am trying to set up a Policy Set and Policy Binding in IBM WebSphere Message Broker.
My query is: we set up a Policy Set and Policy Binding and use those in Message flow SOAP nodes in order to apply the policies to the incoming or outgoing messages.
I have also read that the WSDL should contain "WS-Policy" headers, and only then can the Policy Sets be applied. But the PI in this link does not contain a WSDL with "WS-Policy" security headers. So, what is the actual procedure? Doesn't the WSDL need to be amended with these policy-related headers? Or is defining the Policy and Binding in WMB Explorer and using the names of the policies in the SOAP nodes fine without having any policy information in the WSDL? Kindly let me know.

Using managed identities for HTTP linked service

I am working on creating a flow where I get JSON data from a rest api authenticating with the managed identity of my ADF instance and copy the data to a Kusto cluster. To do this, I am following the instructions here: https://learn.microsoft.com/en-us/azure/data-factory/connector-http?tabs=data-factory
However, when I go to create a linked service I do not see any way to authenticate against the API using my managed identity: [screenshot: HTTP linked service auth options]
I was expecting something like the options given in the Web task in ADF, where I am allowed to select managed identities: [screenshot: Web task auth options]
The HTTP connector supports only Anonymous, Basic, Digest, Windows, and ClientCertificate as authentication types. To use the Managed Identity authentication type, you can use the REST linked service.
Search for REST in the available list of linked services and select the REST connector.
You can then select Managed Identity as the auth type.
Reference: MS doc on Data Factory - REST connector.

Metaflow: "Missing authentication token" when accessing the metadata/metaflow service URL in the browser

I'm currently experimenting with Metaflow. I followed the documentation and was able to deploy an AWS setup with the given CloudFormation template.
My question is: why am I always getting
message: "Missing Authentication Token"
when I access METAFLOW_SERVICE_URL in the browser, even though I made sure that APIBasicAuth was set to false during the creation of the CloudFormation stack?
Shouldn’t this setting make the metadata/metaflow service accessible without the authentication/api key?
How can I resolve this? Or is this expected? That is, I cannot really view the metadata/metaflow service url via browser?
Thanks in advance
This was resolved under this github issue.
You still need to set the x-api-key header if you are trying to access the service URL via the browser. To get the API key you can go to the AWS console:
API Gateway -> API Keys -> show API key
Alternatively you can use the Metaflow client in the SageMaker notebook, which should be automatically set up for you via the template.
Also worth mentioning that there are two sets of endpoints: the one provided by the API Gateway (which you seem to be hitting) and the one provided by the service itself. The API Gateway forwards the requests to the service endpoints but needs the x-api-key to be set in the header. You can probably try hitting the service endpoints directly since you disabled auth.
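The header requirement the answer describes, as an added example that is not part of the question, the answer, or the Metaflow project: a local stand-in for the API Gateway that refuses requests without x-api-key (answering with the message the question reports) and a client that sends the header. The key value, the /flows path and the JSON bodies are constructed for this example.

```python
"""Added example: a mock of the API Gateway in front of the Metaflow metadata
service, plus a client that sets the x-api-key header. Everything here is
constructed; it is not the Metaflow service or the real gateway."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed key; a real deployment reads it from
# API Gateway -> API Keys -> show API key.
EXPECTED_API_KEY = "example-api-key-not-real"
METADATA_PATH = "/flows"  # constructed path


class MockGatewayHandler(BaseHTTPRequestHandler):
    """Rejects any request whose x-api-key header does not match."""

    def do_GET(self):
        if self.headers.get("x-api-key") != EXPECTED_API_KEY:
            # Same message the question reports seeing in the browser.
            self._send(403, {"message": "Missing Authentication Token"})
            return
        self._send(200, {"path": self.path, "flows": ["HelloFlow"]})

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_gateway():
    """Start the mock on an ephemeral port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockGatewayHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def get_metadata(service_url, api_key=None):
    """GET the metadata service through the gateway.

    Returns (status_code, parsed_json). The x-api-key header is sent only
    when api_key is given, so a call without it shows the gateway's refusal.
    """
    headers = {"x-api-key": api_key} if api_key else {}
    req = Request(service_url + METADATA_PATH, headers=headers)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    server, base = start_mock_gateway()
    print(get_metadata(base))                    # no key: 403
    print(get_metadata(base, EXPECTED_API_KEY))  # with key: 200
    server.shutdown()
```

A browser address bar cannot add the x-api-key header, which is why the raw gateway URL fails in the browser while a client that sets the header (here `get_metadata`) succeeds.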

WSO2 ESB-4.8.1 connecting to WSO2-5.0.0 IS and UserInformationRecoveryService?wsdl

I am trying to connect WSO2 Identity Server to the WSO2 ESB. I have installed both products on my local computer and have configured them to run simultaneously. WSO2-IS has an offset of 1 and I set hostnameverifier to AllowAll. Given that both are on my local machine, I did not see the need to adjust or set anything in the keystore. In WSO2-IS I have exposed the admin WSDLs.
What I am trying to do is create an endpoint wsdl that points to
https://localhost:9444/services/UserInformationRecoveryService?wsdl (which is in the WSO2-IS).
In the admin console, I add the endpoint with the variables
1. The Name is UserInformationRecoveryService
2. The URI is https://localhost:9444/services/UserInformationRecoveryService?wsdl
3. The Service is UserInformationRecoveryService
4. The port is 9444 (which is the offset from 9443)
When I test this service, it says it is valid. When I add it, it disappears and I get the errors:
[2015-01-16 17:59:20,923] ERROR - WSDL11EndpointBuilder Couldn't retrieve endpoint information from the WSDL.
[2015-01-16 17:59:20,924] ERROR - WSDLEndpointFactory Couldn't create endpoint from the given WSDL URI : Couldn't retrieve endpoint information from the WSDL.
org.apache.synapse.SynapseException: Couldn't retrieve endpoint information from the WSDL.
at org.apache.synapse.config.xml.endpoints.utils.WSDL11EndpointBuilder.handleException(WSDL11EndpointBuilder.java:199)
... (I removed many of the other at's)
I also tried adding it as a wsdl proxy, but receive the error
Couldn't create endpoint from the given WSDL URI : Couldn't retrieve endpoint information from the WSDL.
and the errors:
[2015-01-16 18:06:49,890] ERROR - ProxyServiceAdminClient Couldn't create endpoint from the given WSDL URI : Couldn't retrieve endpoint information from the WSDL.
org.wso2.carbon.proxyadmin.stub.ProxyServiceAdminProxyAdminException: Couldn't create endpoint from the given WSDL URI : Couldn't retrieve endpoint information from the WSDL.
at org.wso2.carbon.proxyadmin.ui.client.ProxyServiceAdminClient.addProxy(ProxyServiceAdminClient.java:105)
at org.apache.jsp.proxyservices.template_005fwsdl_002dbased_jsp._jspService(org.apache.jsp.proxyservices.template_005fwsdl_002dbased_jsp:343)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:111)
I am relatively new to the WSO2 suite, and have been unable to find many discussions on these two products working together.
From what I have read, WSO2-IS uses SOAP. The client that we are developing will be using REST. The ESB is to connect the client to WSO2-IS and convert SOAP-TO-REST.
My question is
1. Why do I receive these errors?
2. What is the best practice to connect the two services?
Thank you.
Enable the option in carbon.xml and try your WSDL link in a browser to see whether you can access it or not. (All admin services' WSDLs are hidden.) Later, try to create the proxy.
After more reading, I found that I was using the wrong port name. I was assuming the port was 9444, but having reread the WSDL, I found that the ports were called
wsdl:port name="UserInformationRecoveryServiceHttpsSoap11Endpoint"
wsdl:port name="UserInformationRecoveryServiceHttpsSoap12Endpoint"
wsdl:port name="UserInformationRecoveryServiceHttpsEndpoint"
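How to pull those port names (and the addresses behind them) out of a WSDL, as an added example that is not from the question or from WSO2: the ESB endpoint form wants a wsdl:port name, not a TCP port number, and this script shows the difference. The WSDL below is a constructed skeleton that reuses the three port names the poster found; the namespace prefixes are the standard WSDL 1.1 ones, while the target namespace, bindings and address URLs are made up.

```python
"""Added example: list wsdl:port names and their addresses from a WSDL,
and check a (service, port) pair the way an endpoint builder would.
The SAMPLE_WSDL is constructed, not a real WSO2 admin service WSDL."""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
    "http": "http://schemas.xmlsoap.org/wsdl/http/",
}

# Constructed WSDL fragment: only the service/port section that matters here.
SAMPLE_WSDL = """<wsdl:definitions
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
    xmlns:tns="http://example.invalid/recovery"
    targetNamespace="http://example.invalid/recovery">
  <wsdl:service name="UserInformationRecoveryService">
    <wsdl:port name="UserInformationRecoveryServiceHttpsSoap11Endpoint"
               binding="tns:Soap11Binding">
      <soap:address location="https://localhost:9444/services/Recovery.Soap11/"/>
    </wsdl:port>
    <wsdl:port name="UserInformationRecoveryServiceHttpsSoap12Endpoint"
               binding="tns:Soap12Binding">
      <soap12:address location="https://localhost:9444/services/Recovery.Soap12/"/>
    </wsdl:port>
    <wsdl:port name="UserInformationRecoveryServiceHttpsEndpoint"
               binding="tns:HttpBinding">
      <http:address location="https://localhost:9444/services/Recovery.Http/"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def list_ports(wsdl_text):
    """Return [(service_name, port_name, address)] for every wsdl:port."""
    root = ET.fromstring(wsdl_text)
    ports = []
    for service in root.findall("wsdl:service", NS):
        for port in service.findall("wsdl:port", NS):
            address = None
            for child in port:  # soap:address, soap12:address or http:address
                if child.tag.endswith("}address"):
                    address = child.get("location")
            ports.append((service.get("name"), port.get("name"), address))
    return ports


def find_port(wsdl_text, service_name, port_name):
    """Resolve a (service, port) pair to its address, or None if absent.

    Passing a TCP port number such as "9444" as port_name returns None,
    which is the mistake the poster made.
    """
    for svc, name, address in list_ports(wsdl_text):
        if svc == service_name and name == port_name:
            return address
    return None


if __name__ == "__main__":
    for entry in list_ports(SAMPLE_WSDL):
        print(entry)
    print(find_port(SAMPLE_WSDL, "UserInformationRecoveryService", "9444"))
```

Run it against a real WSDL by reading the file into `list_ports`; the port name column is what belongs in the ESB's "Port" field, and the address column is where the ESB will actually send traffic, which is also worth checking before trusting an endpoint definition.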

Not recognized CAS ticket

I have a REST API in my web application where I get a CAS ticket generated by another webapp.
That webapp internally uses Cas20ProxyTicketValidator to validate the ticket. Therefore, I also use Cas20ProxyTicketValidator in my custom filter to validate the ticket.
But it always gives me the following error:
ticket = ST-148008-jWXKeEdHkxmuktvYqXF6-cas
org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-148008-jWXKeEdHkxmuktvYqXF6-cas' not recognized
at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217)
Why is my ticket not recognized?
The way that CAS validates tickets is:
1. Your client (or the other web app) requests a ticket from the relay server for a particular service, for example http%3A%2F%2Fwww.mywebapp.com
2. The CAS server generates a row that stores the user's ssoguid, the service and the ticket. It returns the ticket to the client (or other web app).
3. The client (or other webapp) sends the ticket to your server.
4. Your server then sends a request to the serviceValidate endpoint of the CAS server with the ticket and the service, http%3A%2F%2Fmywebapp.com
5. The CAS server uses the ticket and service pair to find the row it generated. If it finds the row it: a) checks to see if the service is real by sending a request to that URL, b) deletes the row to invalidate the ticket after this validation check, c) returns the user attached to the ticket to your server. Now the ticket cannot be validated again.
The problem you are experiencing could arise for several reasons:
1. The ticket has already been validated (I don't think that is the case for you).
2. The service you send when generating the ticket is different to the service you send to the serviceValidate endpoint (they have to be identical). (I would guess that this is the problem you are experiencing, especially if another webapp generated the ticket. The CAS server would have http%3A%2F%2Fotherwebapp.com on file but would be trying to find a row with http%3A%2F%2Fmywebapp.com, which doesn't exist because you didn't create it.)
3. The service sent cannot be contacted by the relay server (I'm not exactly sure of the details about how this works or exactly when the check is done, but it is recommended that you use a service that can be contacted).
Check the generated serviceUrl by changing the log level for the package org.jasig.
With Spring Boot, in application.properties add
logging.level.org.jasig=DEBUG
In the console:
org.jasig.cas.client.util.CommonUtils : serviceUrl generated: https://xxx
Verify and adapt your cas.client-host-url in application.properties:
## CAS[2.0]
cas.server-url-prefix=https://cashost.com/cas
cas.server-login-url=https://cashost.com/cas/login
cas.client-host-url=xxx
cas.validation-type=CAS
Be careful with cas.client-host-url: no slash at the end of the URL.
Don't forget to run mvn clean package after modifying .properties.
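The ticket lifecycle from the first answer and the serviceUrl mismatch from the second, as one added example that is not from either answer, the Apereo CAS project, or Spring: an in-memory model of the CAS ticket registry where a row is (ticket, service, user), serviceValidate succeeds exactly once and only when the service string matches the one the ticket was issued for, and a client-host-url with a trailing slash produces a different service string. User names, host names, the ticket suffix and the /login/cas path are constructed; the real server's step of contacting the service URL is deliberately left out.

```python
"""Added example: a mock CAS ticket registry that reproduces the
'not recognized' outcomes the answers describe. Not the real CAS server."""
import secrets


class TicketValidationException(Exception):
    """Mirrors the exception name in the question's stack trace."""


class MockCasServer:
    def __init__(self):
        # ticket -> (service, user): one row per issued ticket
        self._registry = {}

    def issue_ticket(self, user, service):
        """Step 1-2: create the row and hand the ticket back.
        The ST-<n>-<random>-<suffix> shape is constructed to resemble the
        ticket in the question; the suffix is not real."""
        ticket = f"ST-{len(self._registry) + 1}-{secrets.token_urlsafe(18)}-mockcas"
        self._registry[ticket] = (service, user)
        return ticket

    def service_validate(self, ticket, service):
        """Step 4-5: look the row up by (ticket, service), consume it, return the user.
        A missing row, an already consumed row and a row filed under another
        service all produce the same 'not recognized' error."""
        row = self._registry.get(ticket)
        if row is None or row[0] != service:
            raise TicketValidationException(f"ticket '{ticket}' not recognized")
        del self._registry[ticket]  # one-shot: the ticket cannot be validated again
        return row[1]


def client_service_url(client_host_url, path="/login/cas"):
    """The 'serviceUrl generated' value the second answer suggests logging,
    built from the configured client-host-url (constructed path)."""
    return client_host_url + path


def _outcome(cas, ticket, service):
    try:
        return cas.service_validate(ticket, service)
    except TicketValidationException:
        return "not recognized"


def run_scenarios():
    """Walk the outcomes the answers describe; returns {scenario: result}."""
    cas = MockCasServer()
    my_service = client_service_url("https://mywebapp.example")
    results = {}

    # Matching service: the user comes back.
    t1 = cas.issue_ticket("alice", my_service)
    results["match"] = cas.service_validate(t1, my_service)

    # Replay: the row was deleted by the first validation.
    results["replay"] = _outcome(cas, t1, my_service)

    # Ticket issued by another webapp for its own service.
    t2 = cas.issue_ticket("alice", client_service_url("https://otherwebapp.example"))
    results["other_service"] = _outcome(cas, t2, my_service)

    # Trailing slash in client-host-url: the service string no longer matches.
    t3 = cas.issue_ticket("alice", my_service)
    results["trailing_slash"] = _outcome(cas, t3, client_service_url("https://mywebapp.example/"))
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The "match" scenario is the only one that returns a user; the other three all surface as the same "not recognized" error, which is why logging the generated serviceUrl on the validating side and comparing it byte-for-byte with what the issuing webapp used is the quickest way to tell them apart.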

WSO2 Identity Server PAP and PDP separation

I am trying to figure out how to deploy/configure the WSO2 IS PAP and PDP separately so that the servers have specific roles. WSO2 comes as one full package. Once I separate them, I would like to know how to publish policies from the PAP to the PDP.
Thanks
Raj
Currently, you cannot remove the PDP or PAP functions from a WSO2 Identity Server instance completely. But you can disable the PDP function using the entitlement.properties file. This would not remove the management UI from the instance, though. However, you can do the logical separation. Say you run one instance as PAP and several other instances as PDP... Then your PAP instance can be used to create policies. And you can register the PDP instances as policy subscribers using the policy publisher management UI. Here you need to provide the PDP server URL, user name (admin) and password (admin). So you can register one subscriber for each PDP instance. Using the policy administration UI of the PAP, you can use the publish option to publish policies to the selected subscribers. More details on policy publishing can be found here.