
Tip: The steps below explain how to use WSO2 Identity Server 5.2.0 with WSO2 API Manager 2.0.0.


Step 1 - Download WSO2 APIM and WSO2 IS

  • Download WSO2 Identity Server (WSO2 IS) 5.2.0 from the Identity Server product page and install it. <IS_HOME> will refer to the root folder of the unzipped WSO2 IS pack.
  • Download WSO2 API Manager (WSO2 APIM) 2.0.0 from here and install it. <APIM_HOME> will refer to the root folder of the unzipped WSO2 APIM pack.

Step 2 - Optionally, configure port offset for WSO2 APIM or WSO2 IS

This is only required if you are running WSO2 API Manager on the same Virtual Machine (VM) as the WSO2 Identity Server.

What is port offset?

The port offset feature allows you to run multiple WSO2 products, multiple instances of a WSO2 product, or multiple WSO2 product clusters on the same server or virtual machine (VM). The port offset defines the number by which all ports defined in the runtime such as the HTTP/S ports will be offset. For example, if the HTTP port is defined as 9763 and the portOffset is 1, the effective HTTP port will be 9764. Therefore, for each additional WSO2 product, instance, or cluster you add to a server, set the port offset to a unique value (the default is 0).

Open the <PRODUCT_HOME>/repository/conf/carbon.xml file and change the offset to 1. This increments the product's default ports by one. <PRODUCT_HOME> refers to the product for which you are configuring a port offset; it can be either <IS_HOME> or <APIM_HOME>.

carbon.xml
<Offset>1</Offset>

Step 3 - Configure the Identity Server

  1. Log into the Identity Server and access the Management Console.
  2. After starting the Identity Server, install the Key Manager feature.

    Warning: Installing this feature will result in changes to some of the configuration files in the Identity Server. The <IS_HOME>/repository/conf/identity.xml file and the <IS_HOME>/repository/conf/datasources/master-datasources.xml file will lose their current configurations.

    To install the feature:

    1. Navigate to the Features section in the Configure menu of the management console.
    2. Add the following feature repository in the Feature Management section of the Identity Server. See Managing the Feature Repository for information on how to do this.
      P2 Repo: http://product-dist.wso2.com/p2/carbon/releases/wilkes/
    3. After adding the repository, navigate to the Available Features tab and find the feature in that repository by clicking the Find Features button. The list of available features appears.

      1. Expand the API Key Manager feature from the Features category and expand API Key Manager 6.0.4. Select Api management Key Manager from the list that appears.
      2. Click on the Install button and go through the wizard to complete the installation. See Installing Features if you require more information on how to do this.
      3. Open <IS_HOME>/repository/conf/identity.xml and replace WSO2CarbonDB with WSO2AM_DB, as shown below.

        <JDBCPersistenceManager>
                <DataSource>
                    <Name>jdbc/WSO2AM_DB</Name>
                </DataSource>
        ...
  3. Make the following changes in the <IS_HOME>/repository/conf/api-manager.xml file.

    1. Change the GatewayType property to the following. The default value is Synapse; the Synapse runtime provides ESB-related functionality that is not available in the Identity Server, so this must be changed to None.
      <GatewayType>None</GatewayType>

    2. Change EnableThriftServer to false. The Identity Server does not come with a thrift server and this causes issues at runtime if not disabled.

      <EnableThriftServer>false</EnableThriftServer>

  4. Open the <IS_HOME>/repository/conf/datasources/master-datasources.xml file and add the following datasources.

    Keep the 'WSO2_CARBON_DB' datasource as it is and simply add the following datasources to the master-datasources.xml file. Note that WSO2AM_DB is already present in the master-datasources.xml file, so you do not need to add it again. However, you must edit this datasource to point to your new database, because it still points to the default H2 database. The following code block includes the WSO2AM_DB datasource as a sample configuration pointing to the new database.

    <datasource>
        <name>WSO2AM_DB</name>
        <description>The datasource used for API Manager database</description>
        <jndiConfig>
            <name>jdbc/WSO2AM_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/apimgt?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
                <defaultAutoCommit>false</defaultAutoCommit>
            </configuration>
        </definition>
    </datasource>
    <datasource>
        <name>WSO2REG_DB</name>
        <description>The datasource used for registry</description>
        <jndiConfig>
            <name>jdbc/WSO2REG_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>
    
    <datasource>
        <name>WSO2UM_DB</name>
        <description>The datasource used for user management</description>
        <jndiConfig>
            <name>jdbc/WSO2UM_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/userstore?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>

    The following describes how the databases are shared between IS and APIM as per the above configuration.

    • WSO2REG_DB - This is used to keep the registry information. The registry database is shared between WSO2 IS (as the Key Manager) and WSO2 APIM so that artifacts such as metadata configurations, policies, and API details are available to both.

    • WSO2UM_DB - This is used to store the permissions (i.e. the permission store) and the internal roles of the users.

    • WSO2AM_DB - This is used to keep the identity data and API-related data, including OAuth tokens and keys. When serving key-validation requests, the Key Manager validates whether subscriptions exist for the particular key; for this, WSO2AM_DB must be accessed.


  5. Make the following change to the <IS_HOME>/repository/conf/registry.xml file. Create the registry mounts by inserting the following sections into the registry.xml file.

    When making this change, do not replace the existing <dbConfig> for "wso2registry". Simply add the following configuration to the existing configurations.

    The cacheId uniquely identifies the remote instance. When configuring the remote instance, set <cacheId> to the values of your setup in the following format:
    <username>@<JDBC_URL to_registry_database>

    Note that you do not need to specify the remoteInstance URL in the above configuration; it is not used, because WS mounting is not used in recent API Manager versions, including this one.

    See Configuring registry.xml for more information on the properties and values of the remote mount configuration.

    <dbConfig name="govregistry">
            <dataSource>jdbc/WSO2REG_DB</dataSource>
    </dbConfig>
    
    <remoteInstance url="https://localhost">
            <id>gov</id>
            <dbConfig>govregistry</dbConfig>
            <cacheId>apiuser@jdbc:mysql://localhost:3306/registry</cacheId>
            <readOnly>false</readOnly>
            <enableCache>true</enableCache>
            <registryRoot>/</registryRoot>
    </remoteInstance>
    
    <mount path="/_system/governance" overwrite="true">
            <instanceId>gov</instanceId>
            <targetPath>/_system/governance</targetPath>
    </mount>
    
    <mount path="/_system/config" overwrite="true">
           <instanceId>gov</instanceId>
           <targetPath>/_system/config</targetPath>
    </mount>
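A consistency check for the datasource settings in step 4 and the registry mounts in step 5, as an added example that is not part of the WSO2 documentation. It parses master-datasources.xml and registry.xml with Python's standard library and flags a datasource still on the default H2 URL, a <dbConfig> that references a JNDI name master-datasources.xml does not define, and a <cacheId> that does not match the <username>@<JDBC_URL> convention for its datasource. The embedded XML fragments, the misconfigurations they contain and the wording of the findings are constructed for this example; pass the two real file paths on the command line to check an installation.

```python
"""Cross-check master-datasources.xml against the registry mounts in registry.xml.

Added example (not WSO2 code). Reports:
  * datasources that still point at the default H2 database,
  * <dbConfig> entries whose JNDI name is not defined in master-datasources.xml,
  * <cacheId> values that are not <username>@<JDBC_URL without query string>.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: WSO2AM_DB was left on the default H2 URL; the other two
# datasources point at MySQL as on this page.
MASTER_DATASOURCES = """<datasources-configuration><datasources>
<datasource><name>WSO2AM_DB</name><jndiConfig><name>jdbc/WSO2AM_DB</name></jndiConfig>
  <definition type="RDBMS"><configuration>
    <url>jdbc:h2:repository/database/WSO2AM_DB;DB_CLOSE_ON_EXIT=FALSE</url>
    <username>wso2carbon</username></configuration></definition></datasource>
<datasource><name>WSO2REG_DB</name><jndiConfig><name>jdbc/WSO2REG_DB</name></jndiConfig>
  <definition type="RDBMS"><configuration>
    <url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
    <username>apiuser</username></configuration></definition></datasource>
<datasource><name>WSO2UM_DB</name><jndiConfig><name>jdbc/WSO2UM_DB</name></jndiConfig>
  <definition type="RDBMS"><configuration>
    <url>jdbc:mysql://localhost:3306/userstore?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
    <username>apiuser</username></configuration></definition></datasource>
</datasources></datasources-configuration>"""

# Constructed registry.xml: 'gov' is correct, 'um' has a cacheId built from the
# wrong username, and 'miss' uses a dbConfig whose JNDI name is never defined.
REGISTRY_XML = """<wso2registry>
<dbConfig name="govregistry"><dataSource>jdbc/WSO2REG_DB</dataSource></dbConfig>
<dbConfig name="umregistry"><dataSource>jdbc/WSO2UM_DB</dataSource></dbConfig>
<dbConfig name="missing"><dataSource>jdbc/WSO2MISSING_DB</dataSource></dbConfig>
<remoteInstance url="https://localhost"><id>gov</id><dbConfig>govregistry</dbConfig>
  <cacheId>apiuser@jdbc:mysql://localhost:3306/registry</cacheId></remoteInstance>
<remoteInstance url="https://localhost"><id>um</id><dbConfig>umregistry</dbConfig>
  <cacheId>wso2carbon@jdbc:mysql://localhost:3306/userstore</cacheId></remoteInstance>
<remoteInstance url="https://localhost"><id>miss</id><dbConfig>missing</dbConfig>
  <cacheId>apiuser@jdbc:mysql://localhost:3306/registry</cacheId></remoteInstance>
</wso2registry>"""


def load_datasources(xml_text):
    """Map each JNDI name to the datasource's name, JDBC URL and username."""
    out = {}
    for ds in ET.fromstring(xml_text).iter("datasource"):
        jndi = ds.findtext("jndiConfig/name")
        cfg = ds.find("definition/configuration")
        if jndi is None or cfg is None:
            continue
        out[jndi.strip()] = {
            "name": (ds.findtext("name") or "").strip(),
            "url": (cfg.findtext("url") or "").strip(),
            "username": (cfg.findtext("username") or "").strip(),
        }
    return out


def expected_cache_id(ds):
    """<username>@<JDBC_URL>, with the driver query string dropped."""
    return f"{ds['username']}@{ds['url'].split('?', 1)[0]}"


def check(master_xml, registry_xml):
    """Return a list of human-readable findings (empty when everything lines up)."""
    findings = []
    dsmap = load_datasources(master_xml)
    for ds in dsmap.values():
        if ds["url"].startswith("jdbc:h2:"):
            findings.append(f"{ds['name']} still points at the default H2 database: {ds['url']}")
    reg = ET.fromstring(registry_xml)
    dbconfigs = {}
    for db in reg.findall("dbConfig"):
        jndi = (db.findtext("dataSource") or "").strip()
        dbconfigs[db.get("name")] = jndi
        if jndi not in dsmap:
            findings.append(f"dbConfig '{db.get('name')}' references undefined datasource {jndi}")
    for inst in reg.findall("remoteInstance"):
        ds = dsmap.get(dbconfigs.get((inst.findtext("dbConfig") or "").strip()))
        if ds is None:
            continue  # undefined JNDI name was already reported above
        cache_id = (inst.findtext("cacheId") or "").strip()
        want = expected_cache_id(ds)
        if cache_id != want:
            findings.append(f"remoteInstance '{inst.findtext('id')}': cacheId '{cache_id}' "
                            f"does not match expected '{want}'")
    return findings


if __name__ == "__main__":
    # Usage: python check_mounts.py master-datasources.xml registry.xml (samples run otherwise)
    if len(sys.argv) == 3:
        master, reg = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        master, reg = MASTER_DATASOURCES, REGISTRY_XML
    for line in check(master, reg) or ["no findings"]:
        print(line)
```

The query string is dropped when building the expected cacheId because the page's own sample pairs the URL jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true&amp; with the cacheId apiuser@jdbc:mysql://localhost:3306/registry.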
  6. Change the datasource in the user-mgt.xml file found in the <IS_HOME>/repository/conf/ directory to WSO2UM_DB.

    user-mgt.xml configurations
    <Realm>
            <Configuration>
                ...
                <Property name="dataSource">jdbc/WSO2UM_DB</Property>
            </Configuration>
            ...
    </Realm>
  7. Add the user store configuration correctly in the <IS_HOME>/repository/conf/user-mgt.xml file so that both the Identity Server and API Manager point to the same user store. For more information on configuring user stores, see here.

    You must change the <UserStoreManager> element here, since the internal LDAP user store is used by default. The <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"> code block needs to be removed or modified and the correct code block used in its place.

  8. Create the following databases in the MySQL database server.

    • userstore

    • registry

    • apimgt

    To create the userstore and registry databases, use the <IS_HOME>/dbscripts/mysql.sql script.

    Note that MySQL is used as an example here; you can use a different database if required.

    When creating the apimgt database, run the following script: <APIM_HOME>/dbscripts/apimgt/mysql.sql. The script found in the <APIM_HOME>/dbscripts/apimgt/ directory has all the tables required to manage OAuth access tokens and also includes other identity-related features.

    You can change the CREATE TABLE statements to CREATE TABLE IF NOT EXISTS when running the identity scripts after you have run the apimgt script.

  9. Create a user ‘apiuser’ with password ‘apimanager’. Grant all permissions for this user in the above three databases. For example:

    grant all on apimgt.* TO apiuser@localhost identified by "apimanager";
    grant all on userstore.* TO apiuser@localhost identified by "apimanager"; 
    grant all on registry.* TO apiuser@localhost identified by "apimanager";
  10. JWT configuration must be done in the <IS_HOME>/repository/conf/api-manager.xml file in the Identity Server. See here for more information on JWT token generation. Enable the ClaimsRetrieverImplClass, ConsumerDialectURI and SignatureAlgorithm elements. Set SignatureAlgorithm to NONE.

  11. Start the server for the changes to take effect.

Step 4 - Configure the API Manager

  1. Open the <APIM_HOME>/repository/conf/datasources/master-datasources.xml file and add the following datasources.

    <datasource>
        <name>WSO2AM_DB</name>
        <description>The datasource used for API Manager database</description>
        <jndiConfig>
            <name>jdbc/WSO2AM_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/apimgt?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
                <defaultAutoCommit>false</defaultAutoCommit>
            </configuration>
        </definition>
    </datasource>
    
    <datasource>
        <name>WSO2REG_DB</name>
        <description>The datasource used for registry and user manager</description>
        <jndiConfig>
            <name>jdbc/WSO2REG_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>
    
    <datasource>
        <name>WSO2UM_DB</name>
        <description>The datasource used for registry and user manager</description>
        <jndiConfig>
            <name>jdbc/WSO2UM_DB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/userstore?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
                <username>apiuser</username>
                <password>apimanager</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>
  2. Open the user-mgt.xml file found in the <APIM_HOME>/repository/conf directory and change the permission datasource.

    1. Add the datasource configuration as below.

      user-mgt.xml configurations
      <Realm>
              <Configuration>
                  ...
                  <Property name="dataSource">jdbc/WSO2UM_DB</Property>
              </Configuration>
              ...
      </Realm>
    2. Configure the <UserStoreManager> section of the <APIM_HOME>/repository/conf/user-mgt.xml file of the API Manager.

      Make sure you add the user store configuration correctly. This is the same configuration that you did in the Identity Server. For more information on how to do this, see here.

  3. Create the registry mounts. Open the <APIM_HOME>/repository/conf/registry.xml file and insert the following sections.

    The cacheId uniquely identifies the remote instance. When configuring the remote instance, set <cacheId> to the values of your setup in the following format:
    <username>@<JDBC_URL to_registry_database>

    Note that you do not need to specify the remoteInstance URL in the above configuration; it is not used, because WS mounting is not used in recent API Manager versions, including this one.

    <dbConfig name="govregistry">
           <dataSource>jdbc/WSO2REG_DB</dataSource>
    </dbConfig>
    
    <remoteInstance url="https://localhost">
           <id>gov</id>
           <dbConfig>govregistry</dbConfig>
           <cacheId>apiuser@jdbc:mysql://localhost:3306/registry</cacheId>
           <readOnly>false</readOnly>
           <enableCache>true</enableCache>
           <registryRoot>/</registryRoot>
    </remoteInstance>
    
    <mount path="/_system/governance" overwrite="true">
           <instanceId>gov</instanceId>
           <targetPath>/_system/governance</targetPath>
    </mount>
    
    <mount path="/_system/config" overwrite="true">
           <instanceId>gov</instanceId>
           <targetPath>/_system/config</targetPath>
    </mount>
  4. Open the api-manager.xml file found in the <APIM_HOME>/repository/conf directory and change the following.
    1. Change the ServerURL of the AuthManager to point to IS.
      <ServerURL> https://${IS_SERVER_HOST}:{port}/services/ </ServerURL>
    2. Change the ServerURL of the APIKeyValidator to point to IS.
      <ServerURL> https://${IS_SERVER_HOST}:{port}/services/ </ServerURL>
    3. Change the KeyValidatorClientType from ThriftClient to WSClient.
    4. Change EnableThriftServer to false.
  5. Navigate to the <APIM_HOME>/repository/deployment/server/synapse-configs/default/api directory and change the URLs specified in the following files of the API Manager so that they point to the IS node. Note that when you run the API Manager in distributed mode, these configurations should be done on the API Gateway node.
    • _AuthorizeAPI_.xml

    • _RevokeAPI_.xml

    • _TokenAPI_.xml

    For example:
    <endpoint>
           <address uri="https://{ip_address_of_IS}:{IS_management_port}/oauth2/token"/>
    </endpoint>
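A check of the api-manager.xml and synapse endpoint settings from step 3.3 (Identity Server side) and steps 4.4 and 4.5 (API Manager side), as an added example that is not part of the WSO2 documentation. It uses only the element names that appear on this page (GatewayType, EnableThriftServer, KeyValidatorClientType, the ServerURL entries under AuthManager and APIKeyValidator, and the synapse <address uri=...> endpoints). The embedded XML fragments are constructed, the Identity Server host name is.example.internal and port 9443 are assumptions, and fix_api_manager returns the corrected XML as a string for comparison rather than editing the real files (ElementTree drops comments and whitespace, so the real edit is still done by hand).

```python
"""Verify api-manager.xml and synapse endpoint settings for the IS-as-Key-Manager setup.

Added example (not WSO2 code). Each server role has its own expected values,
taken from the steps on this page; host and port of the IS node are assumed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

IS_HOST, IS_PORT = "is.example.internal", 9443  # assumed IS node, not from the page

# Element text each role must carry (step 3.3 for IS, step 4.4 for APIM).
EXPECTED = {
    "identity-server": {"GatewayType": "None", "EnableThriftServer": "false"},
    "api-manager": {"KeyValidatorClientType": "WSClient", "EnableThriftServer": "false"},
}
# On the API Manager side these URLs must point at the Identity Server.
IS_URL_PATHS = (".//AuthManager/ServerURL", ".//APIKeyValidator/ServerURL")

# Constructed api-manager.xml fragment as shipped, before the changes in step 4.
APIM_BEFORE = """<APIManager>
  <AuthManager><ServerURL>https://localhost:9443/services/</ServerURL></AuthManager>
  <APIGateway><GatewayType>Synapse</GatewayType></APIGateway>
  <APIKeyValidator>
    <ServerURL>https://localhost:9443/services/</ServerURL>
    <KeyValidatorClientType>ThriftClient</KeyValidatorClientType>
    <EnableThriftServer>true</EnableThriftServer>
  </APIKeyValidator>
</APIManager>"""

# Constructed _TokenAPI_.xml fragment whose endpoint still points at the local host.
TOKEN_API_BEFORE = """<api xmlns="http://ws.apache.org/ns/synapse" name="_TokenAPI_" context="/token">
  <resource methods="POST" url-mapping="/*">
    <inSequence><send><endpoint>
      <address uri="https://localhost:9443/oauth2/token"/>
    </endpoint></send></inSequence>
  </resource>
</api>"""


def _local_name(tag):
    """Strip the synapse namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _points_at_is(url, host):
    """True when the URL uses https and its host is the IS node."""
    parsed = urlparse(url.strip())
    return parsed.scheme == "https" and parsed.hostname == host


def check_api_manager(xml_text, role, is_host=IS_HOST):
    """Return findings for api-manager.xml in the given role ('identity-server' or 'api-manager')."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag, want in EXPECTED[role].items():
        for el in root.iter(tag):
            got = (el.text or "").strip()
            if got != want:
                findings.append(f"{tag} is '{got}', expected '{want}'")
    if role == "api-manager":
        for path in IS_URL_PATHS:
            el = root.find(path)
            if el is None:
                findings.append(f"{path} is missing")
            elif not _points_at_is(el.text or "", is_host):
                findings.append(f"{path} is '{(el.text or '').strip()}', "
                                f"expected https://{is_host}:<port>/services/")
    return findings


def fix_api_manager(xml_text, role, is_host=IS_HOST, is_port=IS_PORT):
    """Return the fragment with the expected values applied, for side-by-side comparison."""
    root = ET.fromstring(xml_text)
    for tag, want in EXPECTED[role].items():
        for el in root.iter(tag):
            el.text = want
    if role == "api-manager":
        for path in IS_URL_PATHS:
            el = root.find(path)
            if el is not None:
                el.text = f"https://{is_host}:{is_port}/services/"
    return ET.tostring(root, encoding="unicode")


def check_synapse_endpoints(xml_text, is_host=IS_HOST):
    """Findings for <address uri=...> endpoints that do not target the IS node over https."""
    root = ET.fromstring(xml_text)
    return [f"endpoint '{el.get('uri')}' does not point at https://{is_host}"
            for el in root.iter()
            if _local_name(el.tag) == "address" and not _points_at_is(el.get("uri", ""), is_host)]


if __name__ == "__main__":
    for role in EXPECTED:
        print(f"[{role}] before:", check_api_manager(APIM_BEFORE, role))
        print(f"[{role}] after: ", check_api_manager(fix_api_manager(APIM_BEFORE, role), role))
    print("token endpoint:", check_synapse_endpoints(TOKEN_API_BEFORE))
```

Running the checks with role identity-server against an Identity Server's api-manager.xml and with role api-manager against the API Manager's file gives an empty list for each once the steps above have been applied; in a distributed deployment the synapse check is run on the Gateway node's _AuthorizeAPI_.xml, _RevokeAPI_.xml and _TokenAPI_.xml.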

Make sure you add the MySQL JDBC driver to both servers, i.e. put the .jar file into the <PRODUCT_HOME>/repository/components/lib directory of each.
