Sunday, March 16, 2014

SAML2.0 bearer token from OAuth2 - WSO2 API Manager 1.6


An enterprise application exchanges a SAML2.0 bearer token for an OAuth2 access token issued by the API Manager.



The following steps explain, step by step, how to exchange a SAML2 token for an OAuth2 token.

1. Configuring Trusted Identity Provider
  
Open the Trusted Identity Provider configuration and create a new Trusted Identity Provider.

Figure 1: Trusted Identity Provider Configuration



1.1 Create the identity provider public certificate


Create a PEM file from the keystore.
Here I have used the wso2carbon.jks file in {product_home}/repository/resources/security:



keytool -exportcert -alias wso2carbon -keypass wso2carbon -keystore wso2carbon.jks -rfc -file test-user.pem



Now you can upload the test-user.pem file as the public certificate.



2. Create OAuth Application

Create an application to manage OAuth tokens: Main --> OAuth


You can untick the Code and Implicit check boxes, since those are not mandatory fields.



Figure 2: OAuth Management Configuration
When you double-click the OAuth app, you can see its properties as shown.



3. SAML assertion creation


You can implement the SAML assertion creation in your own code, or download the sample SAMLAssertionCreator.jar from this location:

https://svn.wso2.org/repos/wso2/people/johann/SAML2-OAuth/

Execute the jar as follows to create the SAML assertion string:


java -jar SAML2AssertionCreator.jar SAML2AssertionCreator admin https://10.100.4.28:9443/oauth2/token https://10.100.4.28:9443/oauth2/token wso2carbon.jks wso2carbon wso2carbon wso2carbon



NOTE: JDK 1.7 is required to run the jar.



Now copy the SAML assertion string for the next step.



4. Use the following cURL command to generate an access token


4.1. Using Curl command



curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<to-be-replaced-generated-token>&scope=PRODUCTION" --basic -u "<to-be-replaced-client-id>:<to-be-replaced-client-secret>" -H "Content-Type: application/x-www-form-urlencoded" https://10.100.4.28:8243/oauth2/token


4.2. Using RESTClient



Tools -->RESTClient


You can use the following parameters to create the POST request in RESTClient.

Figure 3: RESTClient request configuration

You might get a server_error exception. Possible causes:

1. the token has expired
2. incorrect or missing parameters

Tested only on API Manager 1.6.


The flow above works for IS 4.6 as well, but in step 4 the scope property is not required in the request, since scope is used only by the API Manager.
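As an added example (not part of the original post or of the WSO2 jars), the following Python prepares the same token request as the curl command in step 4, but with a properly URL-encoded form body, and checks the two conditions behind the server_error causes listed above (validity window and audience) before the assertion is sent. The assertion, host name and client credentials are constructed placeholders, and signature verification is out of scope.

```python
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed, unsigned sample assertion. A real one from SAML2AssertionCreator
# carries a ds:Signature; the checks below deliberately ignore the signature.
SAMPLE_ASSERTION_XML = b"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" Version="2.0" IssueInstant="2014-03-16T10:00:00Z">
  <saml2:Issuer>admin</saml2:Issuer>
  <saml2:Subject><saml2:NameID>admin</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2014-03-16T10:00:00Z" NotOnOrAfter="2014-03-16T10:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://apim.example.com:9443/oauth2/token</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION_XML).decode()


def prepare_token_request(token_url, assertion_b64, client_id, client_secret, scope="PRODUCTION"):
    """Build the same POST as the curl command in step 4, with the body URL-encoded.
    curl -d sends the assertion verbatim, so the '+' and '=' characters of the
    base64 string are mangled by the form parser unless they are percent-encoded."""
    body = urllib.parse.urlencode({
        "grant_type": SAML2_BEARER,
        "assertion": assertion_b64,
        "scope": scope,
    })
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,  # what --basic -u "id:secret" sends
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return token_url, headers, body


def _parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601 with a trailing 'Z'."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_assertion(assertion_b64, token_url, now=None):
    """Report the conditions the token endpoint enforces before it answers with
    server_error: the validity window and the audience. Returns a list of
    problems; an empty list means the assertion is still usable for token_url."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(base64.b64decode(assertion_b64))
    problems = []
    conditions = root.find("saml2:Conditions", SAML_NS)
    if conditions is None:
        return ["assertion has no Conditions element"]
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _parse_saml_time(not_before):
        problems.append("assertion not yet valid (NotBefore)")
    if not_on_or_after and now >= _parse_saml_time(not_on_or_after):
        problems.append("assertion expired (NotOnOrAfter)")
    audiences = [a.text for a in conditions.findall("saml2:AudienceRestriction/saml2:Audience", SAML_NS)]
    if token_url not in audiences:
        problems.append(f"audience {audiences} does not include token endpoint {token_url}")
    return problems


if __name__ == "__main__":
    url = "https://apim.example.com:9443/oauth2/token"  # constructed host
    print(check_assertion(SAMPLE_ASSERTION_B64, url, now=_parse_saml_time("2014-03-16T10:02:00Z")))
    print(prepare_token_request(url, SAMPLE_ASSERTION_B64, "client-id", "client-secret")[2][:80])
```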



Related reading:



http://shafreenanfar.blogspot.com/2014/02/exchanging-sml2-token-to-oauth2-token.html
https://docs.wso2.org/display/AM160/Token+API#TokenAPI-ExchangingSAML2bearertokenswithOAuth2SAMLextensiongranttype
http://nallaa.wordpress.com/2013/04/04/saml2-bearer-assertion-profile-for-oauth-2-0-with-wso2-identity-server/


Monday, January 13, 2014

WSO2 GREG 4.6.0 - Moving governed artifacts when promoting the lifecycles


In all Carbon-platform-based WSO2 products, configuration is kept in three registry spaces:

  • Local Repository: used to store configuration and runtime data that is local to the server.
  • Configuration Repository: used to store product-specific configuration.
  • Governance Repository: used to store configuration and data that are shared across the whole platform. This typically includes services, service descriptions, endpoints and datasources, and can be browsed under /_system/governance in the registry browser.
      All service artifacts end up in this repository, placed according to the metadata type the user imports:
        WSDLs go to the /_system/governance/wsdls/ directory.
        Policies go to the /_system/governance/policies/ directory.
        Schemas go to the /_system/governance/schemas/ directory.

Here I explain the process flow of moving configuration directories within the Governance Repository when promoting lifecycles in the Governance Registry product.

1. Configure the Life Cycle

Extensions --> Lifecycles

There you can modify the existing ServiceLifeCycle, or add a new lifecycle using the DefaultLifeCycle class, as follows.

<aspect name="ServiceLifeCycle34" class="org.wso2.carbon.governance.registry.extensions.aspects.DefaultLifeCycle">
    <configuration type="literal">
        <lifecycle>
            <scxml xmlns="http://www.w3.org/2005/07/scxml"
                   version="1.0"
                   initialstate="Development">
                <state id="Development">
                    <datamodel>
                        <data name="checkItems">
                            <item name="Code Completed" forEvent="">
                                <!--<permissions>
                                    <permission roles=""/>
                                </permissions>
                                <validations>
                                    <validation forEvent="" class="">
                                        <parameter name="" value=""/>
                                    </validation>
                                </validations>-->
                            </item>
                            <item name="WSDL, Schema Created" forEvent="">
                            </item>
                            <item name="QoS Created" forEvent="">
                            </item>
                        </data>
                        <data name="transitionExecution">
                            <execution forEvent="Promote" class="org.wso2.carbon.governance.registry.extensions.executors.ServiceVersionExecutor">
                                <parameter name="currentEnvironment" value="/_system/local/repository/components/{@resourcePath}/{@resourceName}"/>
                                <parameter name="targetEnvironment" value="/_system/governance/branches/testing/{@resourcePath}/{@version}/{@resourceName}"/>
                                <parameter name="service.mediatype" value="application/vnd.wso2-service+xml"/>
                                <parameter name="wsdl.mediatype" value="application/wsdl+xml"/>
                                <parameter name="endpoint.mediatype" value="application/vnd.wso2.endpoint"/>
                            </execution>
                        </data>
                        <data name="transitionUI">
                            <ui forEvent="Promote" href="../lifecycles/pre_invoke_aspect_ajaxprocessor.jsp?currentEnvironment=/_system/governance/trunk/"/>
                        </data>
                        <!--<data name="transitionValidation">
                            <validation forEvent="" class="">
                                <parameter name="" value=""/>
                            </validation>
                        </data>
                        <data name="transitionPermission">
                            <permission forEvent="" roles=""/>
                        </data>
                        <data name="transitionScripts">
                            <js forEvent="">
                                <console function="">
                                    <script type="text/javascript">
                                    </script>
                                </console>
                                <server function="">
                                    <script type="text/javascript"></script>
                                </server>
                            </js>
                        </data>
                        <data name="transitionApproval">
                            <approval forEvent="Promote" roles="" votes="2"/>
                        </data>-->
                        <data name="transitionScripts">
                            <js forEvent="Promote">
                                <console function="showServiceList">
                                    <script type="text/javascript">
                                        showServiceList = function() { var element = document.getElementById('hidden_media_type'); var mediaType = ""; if (element) { mediaType = element.value;} if (mediaType == "application/vnd.wso2-service+xml") { location.href = unescape("../generic/list.jsp?region=region3%26item=governance_list_service_menu%26key=service%26breadcrumb=Services%26singularLabel=Service%26pluralLabel=Services"); } }
                                    </script>
                                </console>
                            </js>
                        </data>
                    </datamodel>
                    <transition event="Promote" target="Testing"/>
                </state>
                <state id="Testing">
                    <datamodel>
                        <data name="checkItems">
                            <item name="Effective Inspection Completed" forEvent="">
                            </item>
                            <item name="Test Cases Passed" forEvent="">
                            </item>
                            <item name="Smoke Test Passed" forEvent="">
                            </item>
                        </data>
                        <data name="transitionExecution">
                            <execution forEvent="Promote" class="org.wso2.carbon.governance.registry.extensions.executors.ServiceVersionExecutor">
                                <parameter name="currentEnvironment" value="/_system/governance/branches/testing/{@resourcePath}/{@version}/{@resourceName}"/>
                                <parameter name="targetEnvironment" value="/_system/governance/branches/production/{@resourcePath}/{@version}/{@resourceName}"/>
                                <parameter name="service.mediatype" value="application/vnd.wso2-service+xml"/>
                                <parameter name="wsdl.mediatype" value="application/wsdl+xml"/>
                                <parameter name="endpoint.mediatype" value="application/vnd.wso2.endpoint"/>
                            </execution>
                            <execution forEvent="Demote" class="org.wso2.carbon.governance.registry.extensions.executors.DemoteActionExecutor">
                            </execution>
                        </data>
                        <data name="transitionUI">
                            <ui forEvent="Promote" href="../lifecycles/pre_invoke_aspect_ajaxprocessor.jsp?currentEnvironment=/_system/governance/branches/testing/"/>
                        </data>
                        <data name="transitionScripts">
                            <js forEvent="Promote">
                                <console function="showServiceList">
                                    <script type="text/javascript">
                                        showServiceList = function() { var element = document.getElementById('hidden_media_type'); var mediaType = ""; if (element) { mediaType = element.value;} if (mediaType == "application/vnd.wso2-service+xml") { location.href = unescape("../generic/list.jsp?region=region3%26item=governance_list_service_menu%26key=service%26breadcrumb=Services%26singularLabel=Service%26pluralLabel=Services"); } }
                                    </script>
                                </console>
                            </js>
                        </data>
                    </datamodel>
                    <transition event="Promote" target="Production"/>
                    <transition event="Demote" target="Development"/>
                </state>
                <state id="Production">
                    <datamodel>
                        <data name="transitionExecution">
                            <execution forEvent="Demote" class="org.wso2.carbon.governance.registry.extensions.executors.DemoteActionExecutor">
                            </execution>
                            <execution forEvent="Publish" class="org.wso2.carbon.governance.registry.extensions.executors.apistore.ApiStoreExecutor">
                            </execution>
                        </data>
                    </datamodel>
                    <transition event="Publish" target="Published.to.APIStore"/>
                    <transition event="Demote" target="Testing"/>
                </state>
                <state id="Published.to.APIStore">
                </state>
            </scxml>
        </lifecycle>
    </configuration>
</aspect>


2. Modify the artifact location

Change the targetEnvironment and currentEnvironment directories of each state (Development, Testing, Production) in the configuration as you wish, specifying locations within the /_system/governance directory.

3. Create the Service

Then go to Main --> Metadata --> Add --> Service and create the service.

4. Assign the lifecycle

After saving the service, you can see the Add Lifecycle button in the Lifecycle area. If a lifecycle you do not want is already assigned, delete it and re-assign the lifecycle from the drop-down menu.

5. Moving artifacts

Now you can move the artifacts from currentEnvironment to targetEnvironment by clicking the Promote button in the lifecycle area.
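The following Python is an added example, not part of the original post or of the Governance Registry code. It reads a trimmed copy of the lifecycle above, resolves the {@resourcePath}, {@version} and {@resourceName} placeholders the way the executor does at Promote time, and flags targetEnvironment values that leave /_system/governance, contain path traversal, or break the Development -> Testing -> Production chain (a state whose currentEnvironment is not where the previous Promote moved the artifact). The service name, path and version are constructed sample values, and the executor class names are shortened.

```python
import posixpath
import xml.etree.ElementTree as ET

SCXML_NS = {"sc": "http://www.w3.org/2005/07/scxml"}
GOVERNANCE_ROOT = "/_system/governance"

# Constructed: the lifecycle from the post reduced to its transitionExecution
# data (check items, UI hooks and scripts dropped); class names shortened.
LIFECYCLE_XML = """<aspect name="ServiceLifeCycle34" class="DefaultLifeCycle">
<configuration type="literal"><lifecycle>
<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initialstate="Development">
 <state id="Development"><datamodel><data name="transitionExecution">
  <execution forEvent="Promote" class="ServiceVersionExecutor">
   <parameter name="currentEnvironment" value="/_system/local/repository/components/{@resourcePath}/{@resourceName}"/>
   <parameter name="targetEnvironment" value="/_system/governance/branches/testing/{@resourcePath}/{@version}/{@resourceName}"/>
  </execution></data></datamodel>
  <transition event="Promote" target="Testing"/>
 </state>
 <state id="Testing"><datamodel><data name="transitionExecution">
  <execution forEvent="Promote" class="ServiceVersionExecutor">
   <parameter name="currentEnvironment" value="/_system/governance/branches/testing/{@resourcePath}/{@version}/{@resourceName}"/>
   <parameter name="targetEnvironment" value="/_system/governance/branches/production/{@resourcePath}/{@version}/{@resourceName}"/>
  </execution></data></datamodel>
  <transition event="Promote" target="Production"/>
  <transition event="Demote" target="Development"/>
 </state>
 <state id="Production"/>
</scxml></lifecycle></configuration></aspect>"""


def promote_steps(lifecycle_xml):
    """Return [(state, next_state, current_template, target_template)] for every
    state that has both a Promote transition and a Promote execution."""
    scxml = ET.fromstring(lifecycle_xml).find(".//sc:scxml", SCXML_NS)
    steps = []
    for state in scxml.findall("sc:state", SCXML_NS):
        nxt = state.find("sc:transition[@event='Promote']", SCXML_NS)
        execn = state.find("sc:datamodel/sc:data[@name='transitionExecution']"
                           "/sc:execution[@forEvent='Promote']", SCXML_NS)
        if nxt is None or execn is None:
            continue
        params = {p.get("name"): p.get("value") for p in execn.findall("sc:parameter", SCXML_NS)}
        steps.append((state.get("id"), nxt.get("target"),
                      params["currentEnvironment"], params["targetEnvironment"]))
    return steps


def resolve(template, resource_path, version, resource_name):
    """Fill the {@...} placeholders that the executor substitutes at Promote time."""
    return (template.replace("{@resourcePath}", resource_path)
                    .replace("{@version}", version)
                    .replace("{@resourceName}", resource_name))


def check_lifecycle(lifecycle_xml, resource_path="services/com/example",
                    version="1.0.0", resource_name="HelloService"):
    """Problems that a misconfigured lifecycle would otherwise reveal only when
    someone clicks Promote. Returns an empty list for a consistent lifecycle."""
    steps = promote_steps(lifecycle_xml)
    resolved = [(s, n, resolve(c, resource_path, version, resource_name),
                 resolve(t, resource_path, version, resource_name)) for s, n, c, t in steps]
    placed_by_previous = {nxt: tgt for _, nxt, _, tgt in resolved}
    problems = []
    for state, _, cur, tgt in resolved:
        # Step 2 of the post: target locations must stay inside /_system/governance,
        # and a template must not smuggle in ".." segments.
        if posixpath.normpath(tgt) != tgt or not tgt.startswith(GOVERNANCE_ROOT + "/"):
            problems.append(f"{state}: targetEnvironment {tgt} is not a clean path under {GOVERNANCE_ROOT}")
        # The next Promote must look where the previous one put the artifact.
        if state in placed_by_previous and placed_by_previous[state] != cur:
            problems.append(f"{state}: currentEnvironment {cur} is not where the previous Promote "
                            f"moved the artifact ({placed_by_previous[state]})")
    return problems


if __name__ == "__main__":
    print(check_lifecycle(LIFECYCLE_XML))  # [] for the lifecycle from the post
```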



Tuesday, July 16, 2013

How to be safe on the internet?

1. Safety in Social networks


This document aims to improve security awareness for social network, email and Instant Messaging accounts. Most internet users do not think about the security of their accounts and do not know how to secure them. School-level students and non-IT internet users in particular lack knowledge about account security on the web.

The main objective of this document is to protect our cyber users from threats and to give them knowledge about the security of their accounts in cyberspace.

1.1 General safety tips for social networks, mail servers and Instant Messaging servers


I try to explain the most important tips a user needs to know about safety in social networks, email accounts and Instant Messaging servers. Many of the tips are common to all accounts, but I mainly explain them using Facebook, since many Sri Lankan users are more attached to Facebook than to other networks.


1. When logging in to an account
  • Un-check the "Keep me logged in" check box
Do not tick messages such as "Stay signed in", "Keep me logged in", "Sign me in when the service starts" or "Remember me" on the login screen, especially when you are not logging in from your personal machine.

  • Refuse to store your account password in the browser when the browser asks at login

When you log in to an account through a browser for the first time, or after clearing the browser cache, the browser asks to save your password. Internet Explorer 10 displays that message at the bottom of the window, as in Image 01.

Image 01


Image 02 shows how Firefox asks the same question: click the "x" icon, or click the icon and select the option "Never save password for this site". Then it will not keep your password in the browser.

Image 02
                                

If you give permission to save the password, it is stored in the browser, and next time the browser automatically fills in the password and logs in to the account. Others who use that browser can also see your stored passwords. Letting the browser remember your password makes your accounts very insecure.
Different browsers may ask the same question in different ways when you log in to accounts.

2. Log out properly after using an account.

  • Click the logout button
The logout button is normally in the top right corner of the account's home page; in a few accounts it is in the top left corner. If you cannot see a logout button on the screen, it may be in a menu behind an icon.

As an example:

Facebook:

Log out by clicking the "Log Out" item in the menu under the icon, as in Image 03.

Image 03
                             
  • Don't close the browser or tab without logging out
Closing the browser is not a proper way to log out of an account. If you close the browser without logging out, the next time the browser starts your account may still be logged in.


3. Don't make your mobile number or address visible to anyone on your account profiles.

If you make them visible to the public, it is very risky for your privacy and helps people who want to harm you to reach you. This is the most common and easiest way to become someone's victim.

4. Double-check the URL before entering your username and password.
There are fake URLs very similar to those of many popular sites and networks, differing by only one or two letters from the real URL. For example, a page may look exactly like Facebook while the URL is www.fecabook.com; at a glance the eye cannot recognise the spelling difference, because the screen looks like Facebook. When you enter your username and password there, hackers get them easily. A number of incidents of this kind have happened.

What should you do to avoid this?

  • Bookmark the URLs you use frequently
  • Double-check that the URL is correct before entering your username and password
  • If anything feels different, carefully check the URL spelling again.

5. Try to minimise logging in to networks or accounts in public places (e.g. an internet café); there are sophisticated tools there specifically for finding passwords.

One way to make this harder:

  • Change the character entry pattern: you can type the password backwards by placing the cursor at the starting point each time, typing the last character first, then the next, and the first character last.

6. Don't click URLs sent by anonymous users in your news feed, on a network's wall or in your mailbox
They may contain spam, viruses or sexually explicit content that is automatically posted to your wall and to your friends' walls as if posted by you.

7. If your account is hacked by someone

  • Immediately change your account password.

  • If you are unable to change your account password and it is your Facebook account, ask as many friends as possible to report it to Facebook from their accounts. If you are threatened, inform your parents or guardians.

  • If your web site is hacked, valuable personal data is stolen or someone threatens you, then depending on the seriousness of the issue you can report it to http://www.slcert.gov.lk/ or complain to the police.

  • Search for a solution on the internet; you can find valuable information and solutions for the issue


8. Don't trust people who find you through social networks, and do not share your personal things with them.


9. Beware when accepting friend requests

If you don't personally know the person who sent the request, don't accept it; just ignore it or block the person permanently.
Did you know that accepting a request allows an unknown person to see your private details? If you want to add unknown people, add them to a restricted group such as Acquaintances, as in Image 04. Many networks provide this kind of labelled group.

As an example:
In Facebook;

Image 04

10. Finally, respect others' privacy, security and data. Just as you want to be safe on networks, do not try to harm others or make trouble for them. You should respect computer ethics.

The Ten Commandments you should know and follow to be an ethical computer user:

  • Thou shalt not use a computer in ways that may harm people.
  • Thou shalt not interfere with other people's computer work.
  • Thou shalt not snoop around in other people's computer files.
  • Thou shalt not use a computer to steal.
  • Thou shalt not use a computer to bear false witness.
  • Thou shalt not copy or use proprietary software for which you have not paid.
  • Thou shalt not use other people's computer resources without authorization or proper compensation.
  • Thou shalt not appropriate other people's intellectual output.
  • Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  • Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.


2. Things you should know about Facebook security to keep your FB account safe

2.1 Facebook


What do people say about Facebook?
  • World's largest online community
  • The website was launched in February 2004 and in July this year had more than 500 million active users.
  • Just like mobile phones and TVs, Facebook is part of our everyday lives
  • People say it's a social networking site but it causes more harm than good


2.2 Inside Facebook

Have you ever thought that Facebook is this dangerous and critical a place?

  • A crime linked to Facebook is reported to police every 40 minutes.
  • UK police have reported a 540% increase in Facebook crimes over the past three years
  • More than 100,000 UK crimes were linked to Facebook over the past five years
  • Last year, officers logged 12,300 alleged offences involving the vastly popular social networking site.
  • Facebook was referenced in investigations of murder, rape, child sex offences, assault, kidnap, death threats, witness intimidation and fraud.


2.3 Facebook security Settings


Facebook provides a number of security settings to keep account users safe. They are very helpful for staying safe there.

1. Manage who can contact and see you, and how they are restricted from seeing and contacting you

Under the privacy icon at the top of the Facebook main screen, you can set many of the security settings.
In the drop-down list under the privacy icon, clicking each ? icon shows the three screens in Image 05, one by one.



Image 05



There you can set:
  • Who can see my stuff? - you can select which people can see your data, as in the 1st image
  • Who can contact me? - it is better to select Friends of Friends, as in the 2nd image
  • How do I stop someone from bothering me? - you can enter the names of the people you want to block

2. If your mobile is lost or stolen

If you have installed and used the Facebook app on your mobile and the mobile is lost or stolen, remember to log out of the mobile by logging in to your Facebook account from another device.
Click the privacy icon, click "See More Settings", then click the "Mobile" icon on the left side; you will see a screen like Image 06.
Image 06




Then click "Lose your phone?"; a screen like Image 07 pops up, and there you click the "Log Out on Phone" button.

Image 07
3. Manage privacy settings

Click the privacy icon, then click the "See More Settings" label; you will see a screen like Image 08. Here you can set who can see your stuff and who can look you up. This helps to prevent others from making trouble for you.

Image 08
4. Manage what others can see on your timeline, and manage tagging
Click the privacy icon, click "See More Settings", then click the "Timeline and Tagging" icon; you will see a screen like Image 09.
The following settings secure your timeline and manage tagging; they help to avoid a lot of trouble.

Image 09
5. Be alerted to activity done by others on your account

Click the privacy icon, click "See More Settings", then click the "Notifications" icon; you will see a screen like Image 10.
The following settings send a notification for the listed actions, so that you are notified whenever others take any action on your account.

Image 10


6. Manage followers of your account

Even if you are not someone's friend, others can see your activities by following you. Here you can set what followers can see from your account.
Click the privacy icon, click "See More Settings", then click the "Followers" icon; you will see a screen like Image 11.
Image 11
7. When you publish anything, especially photos, make sure not to publish it for the public

If you publish them publicly, anyone on the network can download your photos and use them in an inappropriate manner.

In Albums, at the bottom right corner of each album you can see a small icon. From the drop-down menu on that icon you can select who can see the album, as in Image 12.


Image 12

Make sure the album is not published to "Public" (the tick mark in front of the "Public" label is not selected).

8. If you find inappropriate items in your timeline

Click the icon that appears when you move the cursor to the top-right corner of the item,
then choose "Report/Mark as Spam", as in Image 13.




Image 13

9. If you find a photo of yourself or a tag you don't like

Go to the screen that displays the image and click the icon that appears when you move the cursor to the top-right corner of the item.

Then select Report/Remove Tag... from the drop-down menu; a screen like Image 14 is displayed, where you check the boxes for what you want to do.

Image 14