WSO2 API Manager Customisations in a Distributed (Clustered) Implementation

1
votes

We have implemented a small number of WSO2 API Manager (v1.10.0) customisations in our standalone (DEV environment) implementation.

However, now that I'm coming to implement this in the distributed UAT and PRD environments, I'm unsure of exactly which servers each of these customisations/configurations should go on.

We have the following distributed architecture:

  • Gateway (x2)
  • Publisher & Store (on a single server)
  • Key Manager (x2)

This follows this design from the online documentation:

API Manager distributed architecture diagram

The standard distributed install is all configured and working as expected.

The customisations that we've implemented are as follows:

1. Configure Custom Login Pages

By default, WSO2 uses its own logon page for the authentication of users. An example of this is shown in the screenshot below:

WSO2 default login screen

This is done by updating the contents of the `/repository/deployment/server/webapps/authenticationendpoint' folder.

2. Configure to Skip User Consent

By default, the user is prompted to consent to the web application accessing their OpenID profile information:

enter image description here

This is done by changing the <OpenIDConnect><SkipUserConsent> value from false to true the Open the \repostiory\conf\identity\identity.xml file

3. Configuring User Account Recovery and Notifications

This is done by:

  1. Installing the ‘Account Recovery and Credential Management’ feature in the WSO2 Admin interface
  2. Setting the IdentityMgtEventListener to true in the \repository\conf\carbon.xml file
  3. Updating the notification and useraccount settings in the /repository\conf\identity\identity-mgt.properties file
  4. Uncommenting the <transportSender name="mailto"...> block in the \repository\conf\axis2\axis2.xml file

(Using the Password Recovery instructions from the online documentation)

4. Configuring A Custom User Store Manager

Unfortunately, WSO2 currently does not support renaming users in the existing User Stores through the User Store Management APIs it exposes.

To enable our application to do this, we’ve implemented the Custom JDBC User Manager Store identified here: http://tharindue.blogspot.co.uk/2015/05/a-workaround-for-renaming-username-of.html

5. Creating Claims

Here we have deleted the default Username claim and added two other claims (Rename Username & User ID) by following the instructions here: http://soasecurity.org/2012/05/02/claim-management-with-wso2-identity-server/

Here's the question...

Which of the (distributed) servers or components should each of these customisations be done on?

My initial investigation suggests the following, but I wanted to confirm before starting to update configurations:

1. Configure Custom Login Pages - Gateway servers Key Manager servers

2. Configure to Skip User Consent - Gateway servers Key Manager servers

3. Configuring User Account Recovery and Notifications - Key Manager servers

4. Configuring A Custom User Store Manager - Key Manager servers

5. Creating Claims - Key Manager servers

Are these correct? Is there anything else that I need to be aware of?

Many thanks in advance! Jon

1
wso2wso2carbonwso2-am
in 1, which login are you talking about? Is that store, publisher or admin console of gateway manager? are you using identity server as keymanager? - Bee
Thanks for the response @Bhathiya. This is not the login for any of the WSO2 API Manager components (store,publisher nor admin), it is the login page that my application users see when logging in to my site. - Jonathan Williams
are you using identity server as keymanager? - Bee
No. We're using API Manager for the Key Manager. - Jonathan Williams
Your 1st screenshot is of identity server. Do you have a separate IS? - Bee

1 Answers

1
votes

As I understand, you are trying to use API Manager as an Identity Provider. Even though API manager is capable of doing some of identity provider tasks as it has some features from Identity Server, you shouldn't use it as an identity server. Instead you should use a separate identity server, and do all your customizations for it.

You can also use the same identity servers as key manager nodes. IS as keymanager docs can be found here. You simply have to install some API Manager features in Identity Server and do some configuration changes. Also there is a pre-packaged IS as Keymanager pack you can directly use. That's the recommended approach now. See docs here.