WSO2 Identity Server Clustering with WSO2 Elastic Load Balancer

Wso2 IS is most useful product in the world, so many people are using this to achieve their day to day security  operations. So once we go to the hi available and high scalable system we need have multiple IS instances. So I'm going to explain how to make the IS cluster with two nodes.

First of all we need know about the high level scenarios so lets look at following diagram.



There is two proxy ports in LB to communicate the different transports According to the above diagram so we need to do this mapping in the IS nodes.
Here we are using one of clustering mechanism call "Well-Known Address based multicasting"

Lets look at the LB configuration

1. By default it has two proxy ports exposed for http(8290) and https(8243) in $WSO2_ELB/repository/conf/axis2/axis2.xml
[sourcecode language="xml"]
<!-- ================================================= -->
<!-- Transport Ins (Listeners) -->
<!-- ================================================= -->
<!--Default trasnport will be passthrough if you need to change please add it here -->
<transportReceiver name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpListener">
<parameter name="port">8290</parameter>
<parameter name="non-blocking"> true</parameter>
<parameter name="httpGetProcessor" locked="false">org.wso2.carbon.transport.nhttp.api.PassThroughNHttpGetProcessor</parameter>
</transportReceiver>
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
<parameter name="port" locked="false">8243</parameter>
<parameter name="non-blocking" locked="false">true</parameter>
<parameter name="httpGetProcessor" locked="false">org.wso2.carbon.transport.nhttp.api.PassThroughNHttpGetProcessor</parameter>
<!--parameter name="bind-address" locked="false">hostname or IP address</parameter-->
<!--parameter name="WSDLEPRPrefix" locked="false">https://apachehost:port/somepath</parameter-->
<parameter name="keystore" locked="false">
<KeyStore>
<Location>repository/resources/security/wso2carbon.jks</Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
<KeyPassword>wso2carbon</KeyPassword>
</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
<TrustStore>
<Location>repository/resources/security/client-truststore.jks</Location>
<Type>JKS</Type>
<Password>wso2carbon</Password>
</TrustStore>
</parameter>
<!--<parameter name="SSLVerifyClient">require</parameter>
supports optional|require or defaults to none -->
</transportReceiver>
[/sourcecode]

2. You have to go to $WSO2_ELB/repository/conf/loadbalancer.conf and define the cluster details as follows.
[sourcecode language="xml"]
identity {
hosts is.cloud.wso2.com;
domains {
wso2.is.domain {
tenant_range *;
}
}
}
[/sourcecode]

3. Now you can put the entry into the hosts file in linux to map the "is.cloud.wso2.com" and your IP

4. Start the load balancer.

5. Now go to IS node 1 and do the following configuration on $WSO2_IS_node/repository/conf/axis2/axis2.xml
* first you have to enable the clustering in node 1.
[sourcecode language="xml"]
<clustering class="org.apache.axis2.clustering.tribes.TribesClusteringAgent" enable="true">
[/sourcecode]
* put membership schema as "wka"
[sourcecode language="xml"]
<parameter name="membershipScheme">wka</parameter>
[/sourcecode]
* Domain specification
[sourcecode language="xml"]
<parameter name="domain">wso2.is.domain</parameter>
[/sourcecode]
* Local member port - this should be unique for each node. Local member port in ELB is 4000 by default
[sourcecode language="xml"]
<parameter name="localMemberPort">4100</parameter>
[/sourcecode]
* You have to define the well known member as well.
[sourcecode language="xml"]
<members>
<member>
<hostName>is.cloud.wso2.com</hostName>
<port>4000</port>
</member>
</members>
[/sourcecode]
* You have to map the http and https to the ELB proxy ports.
[sourcecode language="xml"]
<!-- ================================================= -->
<!-- In Transports -->
<!-- ================================================= -->
<transportReceiver name="http"
class="org.wso2.carbon.core.transports.http.HttpTransportListener">
<!--
Uncomment the following if you are deploying this within an application server. You
need to specify the HTTP port of the application server
-->
<parameter name="port">9763</parameter>

<!--
Uncomment the following to enable Apache2 mod_proxy. The port on the Apache server is 80
in this case.
-->
<parameter name="proxyPort">8290</parameter>
</transportReceiver>

<transportReceiver name="https"
class="org.wso2.carbon.core.transports.http.HttpsTransportListener">
<!--
Uncomment the following if you are deploying this within an application server. You
need to specify the HTTPS port of the application server
-->
<parameter name="port">9443</parameter>

<!--
Uncomment the following to enable Apache2 mod_proxy. The port on the Apache server is 443
in this case.
-->
<parameter name="proxyPort">8243</parameter>
</transportReceiver>
[/sourcecode]

* Put the offset as 5 in $WSO2_IS_node/repository/conf/carbon.xml and start the IS node 1
[sourcecode language="xml"]
<Offset>5</Offset>
[/sourcecode]



In ELB side you can see this


Same as you have to do the configuration in IS node 2 download the axis2.xml here for node 2

6. Now you can start the identity server node 2

7. Then you can access the Identity server through the "https://is.cloud.wso2.com:8243/carbon/admin/login.jsp"

Authentication and Authorization with WSO2ESB and WSO2IS

This is very impotent post because I'm going to discuss how to secure the proxy service with Username Token  as well as Authorization with XACML policies.

For Authorization we are using the WSO2 Identity server and Inbuilt Entitlement mediator in WSO2 ESB.



You can see the high level view of the ESB and IS communication. Let me explain the scenario.

1. User going to access the proxy service with the user credentials.
2. ESB authenticate the user first
3. If the authentication pass then go to Identity Server through the Entitlement Mediator and call the get decision method with above credentials
4. Identity Server will look the XACML policies and return the decision.
5. If decision is "Permit" then proxy service allow to access the echo service
6. If decision is "Deny" or "Not applicable" proxy service not allow to access the echo service.

Lets look at the configuration of this setup. We are using ESB-4.6.0 and IS-4.1.0

1. You have to share the same User store with WSO2ESB and WSO2IS
refer the ESB user-mgt.xml and IS user-mgt.xml - this is done for Embedded LDAP coming with WSO2IS but you can configure any DB as your user store and share with both ESB and IS

2. Start the IS first and then ESB with port offset 1
3. Create "In sequence" in ESB
here you need to add the entitlement mediator as a first child of In Sequence


Select the entitlement and set the entitlement server url, username and password.
entitlement server url = https://localhost:9443/services/
username = admin
password = admin


Set the Fault mediators under OnReject as well as set the Send mediator under OnAccept

Set the Header mediator as follows and remove the security headers.


Click on the Namespaces and put the following entry.
Prefix - wsse
URI - http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd


3. Create "Out sequence" in ESB
just put send and log mediators as follows


4. Now we need create the proxy service for echo service already in WSO2ESB
Add new proxy -> custom proxy then you can see the following window and you have to specify the following details.
Name - EchoProxy
Publishing WSDL - Specify source URI
then put the wsdl of the echo service as "http://localhost:8281/services/echo?wsdl"


Move next and select the "InSequence" that we created before.


Move next again and select the "OutSequence" as well.


finally click the finish
Now you have to create the new role "testRole" with admin permission and new user "testuser" with password "testuser" and assign the "testRole" because we are using this to control the access . then secure the created proxy with Username Token as follows







Now you complete the proxy service creation and lets move to Identity server configurations.

5. In Identity server we need to add the XACML Policy
Here I'm going to create the simple User base XACML policy.

Name - EchoServicePolicy
Specify the Role name as "testRole" as well as you have to specify the action as "read" because our Entitlement mediator send the action string as "read"


Finish the policy and enable the policy to test.


Now you can evaluate the policy through the Tryit.



But if you click on the "Evaluate with PDP" you will not get Premit because still you not promote the XACML policy to the PDP.

to promote XACML policy to the PDP you can click on the button in front of the policy "sync with PDP". Now try to "Evaluate with PDP".

Now we done the configuration on Identity Server.

6. Go to ESB and select the EchoProxy service and go to TryIt.


Here we are using "testuser" which is under the role "testRole" so the XACML engine will permit to access the resource


Now go and remove the "testRole" form user "testuser" and try to access the service. Now you can see XACML engine is not permit to user to access the resource.