wso2 : Can't log in wso2 API-M via new tenant admin

Question

Environment : wso2 API-M + wso2 Identity server (Key manager) and they shared the same user store.

1.Create a new tenant TA. (done)

2.TA admin try to log in publisher. (fail)

ps: even the [email protected] also can't log in.

API-M error logs :

    TID: [-1234] [] [2016-06-15 02:52:50,150] INFO {org.apache.axis2.transport.http.HTTPSender} - Unable to sendViaPost to url[https://my-idp:9443/services/LoggedUserInfoAdmin] {org.apache.axis2.transport.http.HTTPSender} 
    org.apache.axis2.AxisFault: Transport error: 401 Error: Unauthorized 
            at org.apache.axis2.transport.http.HTTPSender.handleResponse(HTTPSender.java:331) 
            at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:196) 
            at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77) 
            at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451) 
            at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278) 
            at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442) 
            at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:430) 
            at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225) 
            at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) 
            at org.wso2.carbon.core.commons.stub.loggeduserinfo.LoggedUserInfoAdminStub.getUserInfo(LoggedUserInfoAdminStub.java:187) 
            at
    org.wso2.carbon.apimgt.impl.utils.APIUtil.getLoggedInUserInfo(APIUtil.java:2064) 
            at org.wso2.carbon.apimgt.hostobjects.APIProviderHostObject.jsFunction_login(APIProviderHostObject.java:228) 
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
            at java.lang.reflect.Method.invoke(Method.java:498) 
            at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126) 
            at org.mozilla.javascript.FunctionObject.call(FunctionObject.java:386) 
            at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42) 
            at org.jaggeryjs.rhino.publisher.modules.user.c1._c_anonymous_1(/publisher/modules/user/login.jag:19) 
            at org.jaggeryjs.rhino.publisher.modules.user.c1.call(/publisher/modules/user/login.jag) 
            at org.mozilla.javascript.ScriptRuntime.applyOrCall(ScriptRuntime.java:2430) 
            at org.mozilla.javascript.BaseFunction.execIdCall(BaseFunction.java:269) 
            at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:97)
     at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42) 
            at org.jaggeryjs.rhino.publisher.modules.user.c0._c_anonymous_1(/publisher/modules/user/module.jag:5) 
            at org.jaggeryjs.rhino.publisher.modules.user.c0.call(/publisher/modules/user/module.jag) 
            at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52) 
            at org.jaggeryjs.rhino.publisher.site.blocks.user.login.ajax.c0._c_anonymous_1(/publisher/site/blocks/user/login/ajax/login.jag:26) 
            at org.jaggeryjs.rhino.publisher.site.blocks.user.login.ajax.c0.call(/publisher/site/blocks/user/login/ajax/login.jag) 
            at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23) 
            at org.jaggeryjs.rhino.publisher.site.blocks.user.login.ajax.c0._c_script_0(/publisher/site/blocks/user/login/ajax/login.jag:5) 
            at org.jaggeryjs.rhino.publisher.site.blocks.user.login.ajax.c0.call(/publisher/site/blocks/user/login/ajax/login.jag) 
            at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394) 
            at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091) 
            at org.jaggeryjs.rhino.publisher.site.blocks.user.login.ajax.c0.call(/publisher/site/blocks/user/login/ajax/login.jag)

org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57) 
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) 
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421) 
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074) 
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) 
            at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739) 
            at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698) 
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) 
            at java.lang.Thread.run(Thread.java:745)

Identity server error logs :

[2016-06-15 03:53:38,767] ERROR {AUDIT_LOG}- Illegal access attempt at [2016-06-15 03:53:38,0767] from IP address 10.10.81.176 while trying to authenticate access to service LoggedUserInfoAdmin

My questions:

1.Should I config something after I create a new tenant?

2.I found there are 10 applications(show in Manage/applications/list) in the carbon.super tenant but no one in the new tenant TA.Should I add publisher and store application (jaggery) to Manage/applications?

2016-08-11 new

<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager"> 
      <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property> 
      <Property name="ConnectionURL">ldap://LDAP_IP:389</Property> 
      <Property name="ConnectionName">uid=manager,ou=admins,dc=dc,dc=com</Property> 
      <Property name="ConnectionPassword">password</Property> 
      <Property name="UserSearchBase">ou=system,dc=dc,dc=com</Property> 
      <Property name="UserNameAttribute">uid</Property> 
      <Property name="UserNameSearchFilter">(&amp;(objectClass=OpenLDAPperson)(uid=?))</Property> 
      <Property name="UserNameListFilter">(objectClass=OpenLDAPperson)</Property> 
      <Property name="DisplayNameAttribute"/> 
      <Property name="ReadGroups">true</Property> 
      <Property name="GroupSearchBase">ou=groups,dc=dc,dc=com</Property> 
      <Property name="GroupNameAttribute">cn</Property> 
      <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property> 
      <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property> 
      <Property name="MembershipAttribute">member</Property> 
      <Property name="BackLinksEnabled">false</Property> 
      <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> 
      <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property> 
      <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property> 
      <Property name="SCIMEnabled">false</Property> 
      <Property name="PasswordHashMethod">PLAIN_TEXT</Property> 
      <Property name="MultiAttributeSeparator">,</Property> 
      <Property name="MaxUserNameListLength">100</Property> 
      <Property name="MaxRoleNameListLength">100</Property> 
      <Property name="UserRolesCacheEnabled">true</Property> 
      <Property name="ConnectionPoolingEnabled">true</Property> 
      <Property name="LDAPConnectionTimeout">5000</Property> 
      <Property name="ReadTimeout"/> 
      <Property name="RetryAttempts"/> 
      <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property> 
    </UserStoreManager>

thanks

Tom

Did you create the tenant from API Manager Management Console? Can you login to API Manager Management Console using new tenant admin? — Lahiru Sandaruwan Gamage
I can login to API-M mgt console using all tenant admin but can't login to publisher and store even carbon.super tenant admin. — 羊湯姆

Isuru Wijesinghe Isuru Wijesinghe · Accepted Answer · 2016-08-08T04:37:47

I think the issue is in your user store configuration. Could you please add below user store configuration to user-mgt.xml file in both APIM node and IS node and verify the result. This file is located in /repository/conf folder.

<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
     <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
     <Property name="ReadOnly">false</Property>
     <Property name="MaxUserNameListLength">100</Property>
     <Property name="IsEmailUserName">false</Property>
     <Property name="DomainCalculation">default</Property>
     <Property name="PasswordDigest">SHA-256</Property>
     <Property name="StoreSaltedPassword">true</Property>
     <Property name="UserNameUniqueAcrossTenants">false</Property>
     <Property name="PasswordJavaRegEx">[\S]{5,30}$</Property>
     <Property name="PasswordJavaScriptRegEx">[\\S]{5,30}</Property>
     <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
     <Property name="UsernameJavaScriptRegEx">[\\S]{3,30}</Property>
     <Property name="RolenameJavaRegEx">^[^~!@#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
     <Property name="RolenameJavaScriptRegEx">[\\S]{3,30}</Property>
     <Property name="UserRolesCacheEnabled">true</Property>
</UserStoreManager>

Hope this information helps you.

wso2 : Can't log in wso2 API-M via new tenant admin

1 Answers