Configuring WSO2 Identity Server as a Key Manager
Index
1. Introduction
2. Install MySQL Server 5.7
3. Install WSO2 IS as the Key Manager
4. Install WSO2 API Manager 2.5
5. Create and configure the databases
- MySQL JDBC driver
- Create the user
- Create DBs
- Create tables per Database
6. Configure the data sources (master-datasources.xml)
7. Configure the user management (user-mgt.xml)
8. Configure the registry (registry.xml)
9. Configure the Key Manager (WSO2 IS) with WSO2 API-M (api-manager.xml)
10. Configure WSO2 API-M with the Key Manager (WSO2 IS) (identity.xml)
11. Startup IS server & APIM
12. Conclusion
1. Introduction
In this post I am going to configure API Manager and Identity Server so that the API Manager uses the Key Manager of the Identity Server. That way the API Manager sends its authorisation requests to that component, for instance to get OAuth or JWT tokens. This PoC does not use WUM updates, and all the servers are going to be installed on the same machine, on localhost.
I am going to build a PoC with these components:
Windows 7, MySQL 5.7, WSO2 Identity Server KM 5.6.0, WSO2 API Manager 2.5.0.
This is what I am going to achieve:

As you can see, both components, Identity Server and API Manager, have their own Key Manager, but I want to use only the Key Manager of the Identity Server; that is, API Manager will use the Key Manager of the Identity Server.
2. Install MySQL Server 5.7
I have to use this version because it is the one tested by WSO2. First, download the server for Windows from:
https://dev.mysql.com/downloads/windows/installer/5.7.html

After the installation, a notifier icon is placed on the taskbar.

I am going to use it to start and stop the server and to get access to the SQL Editor. To do so, select the icon and click the left or right mouse button. The first option displays how to manage the server:

The last option displays the set of actions available, such as Launch the installer, Updates, Shell, etc.

3. Install WSO2 IS as the Key Manager
Now download the prepackaged IS that works as the Key Manager. I have unzipped the file in: C:\Program Files\WSO2\wso2is-km-5.6.0
Note:
Do not forget to configure the port Offset for IS in the carbon.xml file. It needs offset 1 because offset 0 is used by API Manager.
<IS>\repository\conf\carbon.xml
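The offset setting this note refers to, as an added illustration (it is not a file from the post). The `<Ports>` block and its `<Offset>` element are part of carbon.xml in both products; 1 is the value this setup needs for the IS-KM:

```xml
<!-- <IS_HOME>\repository\conf\carbon.xml (added illustration, not the post's own file) -->
<Ports>
    <!-- Added to every listener port of this server: 9443 becomes 9444 and
         9763 becomes 9764. The API Manager keeps Offset 0, so both products
         can run side by side on one host without port clashes. -->
    <Offset>1</Offset>
</Ports>
```

Every URL that points at the IS-KM later in this post (AuthManager, APIKeyValidator) must use the shifted port, so decide the offset before touching api-manager.xml.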

4. Install WSO2 API Manager 2.5
Download API Manager version 2.5 from:
https://wso2.com/api-management/previous-releases/

I have decompressed the file in:
C:\Program Files\WSO2\API Manager\2.5.0_IS_KM
5. Create and configure the databases
There are four DBs that are shared between API Manager and IS: WSO2REG_DB, WSO2UM_DB, WSO2AM_DB, LDAP.
WSO2REG_DB - This database (DB) stores the registry information. The registry database is shared between WSO2 IS (as the Key Manager) and WSO2 API-M to share artifacts such as: metadata configurations, policies, and API details.
WSO2UM_DB - This DB stores the permissions (i.e., permission store) and the internal roles of the users.
WSO2AM_DB - This DB stores the identity data and the API-related data, including OAuth tokens and keys. When serving key-validation requests, the Key Manager accesses WSO2AM_DB and validates whether there are subscriptions made by the particular key.
LDAP - This DB stores the users and their role mapping. You do not need to configure the data source configuration in the master-datasources.xml file for the LDAP.
- MySQL JDBC driver.
Copy the JDBC driver mysql-connector-java-5.1.48-bin.jar into:
<API-M_HOME>\repository\components\lib
<wso2is-km-5.6.0>\repository\components\lib
- Create the user
First, start the MySQL server if it is not running:

After that, open the SQL Editor and create the user wso2carbon with password wso2carbon.
Those credentials are going to be used by WSO2 API Manager and WSO2 Identity Server to access the DB through the data sources. To create the user, go to SQL Editor (MySQL Workbench), Users and Privileges, and Add Account:

Now type the user name wso2carbon and the password wso2carbon:

Select Administrative Roles, DBA, and Apply:

The new user wso2carbon has been created:

- Create DBs
Five databases must be created: apimgtdb, userdb, regdb, statdb, mbstoredb.
Select Create Schema in the connected server, Charset latin1, Collation: Default Collation, and Apply.

Repeat the same with the rest of the databases.
- Create tables per Database
| DataBase | Script |
|---|---|
| apimgtdb | <API-M_HOME>/dbscripts/apimgt/mysql5.7.sql |
| userdb | <API-M_HOME>/dbscripts/mysql5.7.sql |
| regdb | <API-M_HOME>/dbscripts/mysql5.7.sql |
| statdb | It does not have a script. |
| mbstoredb | <API-M_HOME>/dbscripts/mb-store/mysql-mb.sql |
Select the Open SQL Script icon and go to the folder listed in the table above for each database to select its script:

After the script has been loaded, add at the beginning of the script: use apimgtdb;
This way the tables of that script are created in that database.
Select Execute Script.

Repeat the same for the rest of the scripts. Do not forget to include 'use <database_name>;' at the beginning of every script for every database.
6. Configure the data sources.
The data sources must be configured for the API Manager and the Identity Server, and they are going to be the same because both share the databases.
master-datasources.xml
Data sources for the Identity Server and API Manager:
<IS_HOME>/repository/conf/datasources/master-datasources.xml
<APIM_HOME>/repository/conf/datasources/master-datasources.xml
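The three shared data sources written out, as an added example (it is not the post's own file nor WSO2's shipped default). It assumes MySQL on localhost:3306, the schema names created in section 5, the wso2carbon/wso2carbon account, and the Connector/J 5.1 driver class; the same content goes into both master-datasources.xml files:

```xml
<!-- master-datasources.xml fragment (added illustration, not the post's own file).
     Assumes MySQL on localhost:3306, the schemas from section 5 and the
     wso2carbon/wso2carbon account; identical in <IS_HOME> and <APIM_HOME>. -->
<datasources-configuration xmlns:svns="http://org.wso2.securevault/configuration">
    <providers>
        <provider>org.wso2.carbon.ndatasource.rdbms.RDBMSDataSourceReader</provider>
    </providers>
    <datasources>
        <!-- API-M data: OAuth tokens, keys, subscriptions. Shared so that the
             IS-KM can validate keys created through the API Manager. -->
        <datasource>
            <name>WSO2AM_DB</name>
            <description>The datasource used for API Manager database</description>
            <jndiConfig>
                <name>jdbc/WSO2AM_DB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://localhost:3306/apimgtdb?autoReconnect=true&amp;useSSL=false</url>
                    <username>wso2carbon</username>
                    <password>wso2carbon</password>
                    <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                    <defaultAutoCommit>false</defaultAutoCommit>
                </configuration>
            </definition>
        </datasource>
        <!-- Permission store and internal roles -->
        <datasource>
            <name>WSO2UM_DB</name>
            <description>The datasource used by the user manager</description>
            <jndiConfig>
                <name>jdbc/WSO2UM_DB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://localhost:3306/userdb?autoReconnect=true&amp;useSSL=false</url>
                    <username>wso2carbon</username>
                    <password>wso2carbon</password>
                    <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                </configuration>
            </definition>
        </datasource>
        <!-- Registry: metadata, policies and API artifacts shared by both servers -->
        <datasource>
            <name>WSO2REG_DB</name>
            <description>The datasource used by the registry</description>
            <jndiConfig>
                <name>jdbc/WSO2REG_DB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://localhost:3306/regdb?autoReconnect=true&amp;useSSL=false</url>
                    <username>wso2carbon</username>
                    <password>wso2carbon</password>
                    <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                    <maxActive>50</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                </configuration>
            </definition>
        </datasource>
    </datasources>
</datasources-configuration>
```

The `jndiConfig` names are what user-mgt.xml, registry.xml and identity.xml refer to later, so they must match exactly on both servers. The plaintext password and `useSSL=false` are acceptable only for a localhost PoC; for anything else, encrypt the password with the Cipher Tool (Secure Vault) that ships with both products and let the JDBC connection use TLS.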

7. Configure the user management.
This configuration is the same for both the IS and API Manager:
<IS_HOME>/repository/conf/user-mgt.xml
<APIM_HOME>/repository/conf/user-mgt.xml

8. Configure the registry.
This part of registry.xml is the same for both the IS and API Manager:
<IS_HOME>/repository/conf/registry.xml
<APIM_HOME>/repository/conf/registry.xml
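The fragments steps 7 and 8 refer to, as an added example (not the post's own files). The user-mgt.xml part only changes the realm's data source; the registry.xml part mounts the governance and config spaces on the shared registry DB. Both assume the data source names from section 6 and the API Manager at localhost:9443:

```xml
<!-- user-mgt.xml fragment (added illustration, not the post's own file):
     the realm reads permissions and internal roles from the shared WSO2UM_DB.
     Only this property changes; keep the rest of the file as shipped.
     Same content in <IS_HOME> and <APIM_HOME>/repository/conf/user-mgt.xml -->
<Realm>
    <Configuration>
        <Property name="dataSource">jdbc/WSO2UM_DB</Property>
    </Configuration>
</Realm>

<!-- registry.xml fragment (added illustration): mount the governance and
     config spaces of both servers on the shared WSO2REG_DB, so that APIs,
     policies and metadata created on one server are visible to the other.
     Same content in <IS_HOME> and <APIM_HOME>/repository/conf/registry.xml -->
<dbConfig name="govregistry">
    <dataSource>jdbc/WSO2REG_DB</dataSource>
</dbConfig>
<remoteInstance url="https://localhost:9443/registry">
    <id>gov</id>
    <dbConfig>govregistry</dbConfig>
    <readOnly>false</readOnly>
    <enableCache>true</enableCache>
    <registryRoot>/</registryRoot>
</remoteInstance>
<mount path="/_system/governance" overwrite="true">
    <instanceId>gov</instanceId>
    <targetPath>/_system/governance</targetPath>
</mount>
<mount path="/_system/config" overwrite="true">
    <instanceId>gov</instanceId>
    <targetPath>/_system/config</targetPath>
</mount>
```

The local `/_system/local` space stays on each server's own WSO2_CARBON_DB; only the two mounted spaces are shared. If a server starts with a mount pointing at a data source name that does not exist in its master-datasources.xml, it fails at startup, which is the first thing to check when step 11 does not come up cleanly.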

9. Configure the Key Manager (WSO2 IS) with WSO2 API-M
api-manager.xml
<IS_HOME>/repository/conf/api-manager.xml
Change the <ServerURL> element under the <APIGateway> section so that it points to the API Manager server:

Change the <RevokeAPIURL> element under the <OAuthConfigurations> section so that it points to the WSO2 API Manager server:

Configure the JSON Web Token (JWT) by uncommenting the ClaimsRetrieverImplClass, ConsumerDialectURI and SignatureAlgorithm elements. Set <SignatureAlgorithm> to one of the following values: NONE or SHA256withRSA.
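The three changes of this step in one place, as an added example (not the post's own file). It assumes the API Manager runs at offset 0 on the same host (9443 for services, 8243 for the gateway) and that JWT generation is wanted, which is why EnableJWTGeneration is set to true here:

```xml
<!-- <IS_HOME>/repository/conf/api-manager.xml, relevant fragments only
     (added illustration, not the post's own file). Ports assume API-M at
     offset 0 on the same host. -->
<APIGateway>
    <Environments>
        <Environment type="hybrid" api-console="true">
            <Name>Production and Sandbox</Name>
            <!-- Must point at the API Manager, not at this IS instance -->
            <ServerURL>https://localhost:9443/services/</ServerURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <GatewayEndpoint>http://localhost:8280,https://localhost:8243</GatewayEndpoint>
        </Environment>
    </Environments>
</APIGateway>

<OAuthConfigurations>
    <!-- Token revocation is routed through the API-M gateway -->
    <RevokeAPIURL>https://localhost:8243/revoke</RevokeAPIURL>
</OAuthConfigurations>

<JWTConfiguration>
    <EnableJWTGeneration>true</EnableJWTGeneration>
    <JWTHeader>X-JWT-Assertion</JWTHeader>
    <ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
    <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
    <!-- NONE emits an unsigned assertion that a backend cannot verify;
         SHA256withRSA signs it with this server's primary keystore key -->
    <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
</JWTConfiguration>
```

With SHA256withRSA the backend that receives X-JWT-Assertion verifies it against the IS-KM's public certificate, so that certificate has to be distributed to the backends; with NONE the header is informational only and should not be used for any authorisation decision.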

10. Configure WSO2 API-M with the Key Manager (WSO2 IS)
Change the ServerURL of the AuthManager and the ServerURL of the APIKeyValidator so that they point to WSO2 IS:
<API-M_HOME>/repository/conf/api-manager.xml

Enable the WS Client and disable the Thrift Client:

Make sure the data source name in JDBCPersistenceManager is jdbc/WSO2AM_DB in:
<API-M_HOME>/repository/conf/identity/identity.xml
<IS_HOME>/repository/conf/identity/identity.xml
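The whole of step 10, both files, as an added example (not the post's own files). It assumes the IS-KM runs on the same host at offset 1, so 9444 is its HTTPS services port, and that the admin credentials resolve from the AdminUser section of user-mgt.xml:

```xml
<!-- <API-M_HOME>/repository/conf/api-manager.xml, relevant fragments only
     (added illustration, not the post's own file). 9444 is the IS-KM port
     after the offset of 1 configured in section 3. -->
<AuthManager>
    <ServerURL>https://localhost:9444/services/</ServerURL>
    <Username>${admin.username}</Username>
    <Password>${admin.password}</Password>
</AuthManager>

<APIKeyValidator>
    <ServerURL>https://localhost:9444/services/</ServerURL>
    <Username>${admin.username}</Username>
    <Password>${admin.password}</Password>
    <!-- Key validation over the SOAP/WS admin service on HTTPS instead of
         the Thrift client, which is disabled below. -->
    <KeyValidatorClientType>WSClient</KeyValidatorClientType>
    <EnableThriftServer>false</EnableThriftServer>
</APIKeyValidator>

<!-- identity.xml fragment (same content in <API-M_HOME> and <IS_HOME>
     /repository/conf/identity/identity.xml): OAuth and identity data are
     persisted in the shared apimgtdb, so tokens issued by the IS-KM are
     the ones the gateway validates. -->
<JDBCPersistenceManager>
    <DataSource>
        <Name>jdbc/WSO2AM_DB</Name>
    </DataSource>
</JDBCPersistenceManager>
```

The WS client talks to the IS-KM over HTTPS, so the API Manager's client-truststore.jks must trust the IS-KM certificate. Both products ship with the same default wso2carbon certificate, which is why this works out of the box on localhost; once the IS-KM gets its own certificate, import it into the API Manager's trust store before changing the URLs above.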

11. Start up the IS & APIM servers.
First of all, MySQL Server must be up and running. Now run IS: it is the wso2server.bat file in the bin folder.
Make sure the Java virtual machine starts up cleanly and with no errors. The console log must show the ports with the offset applied, e.g. 9444 and 9764:

Now do the same with the API Manager:

The console log shows port 9443 for the Store, Publisher and Carbon applications:

12. Conclusion
And that is all!!! This is a simple example explaining how to integrate API Manager with a third-party Key Manager; in this case it is the internal Key Manager of the Identity Server, also from WSO2. In addition, I include all the related config files from both API Manager and Identity Server.