If you are a product administrator, the following content provides an overview of the administration tasks that you need to perform when working with WSO2 Identity Server (WSO2 IS).
Administering WSO2 IS involves the following:
Upgrading from a previous release
If you are upgrading from WSO2 IS 5.4.0 to WSO2 IS 5.5.0, see the upgrade instructions for WSO2 Identity Server.
Configuring the server
WSO2 Identity Server is shipped with default configurations that allow you to download, install and get started with your product instantly. However, when you go into production, it is recommended to change some of the default settings to ensure that you have a robust system that is suitable for your operational needs. Also, you may have specific use cases that require specific configurations to the server.
Listed below are configurations for setting up your product server.
Changing the default database
By default, WSO2 products are shipped with an embedded H2 database, which is used for storing user management and registry data. We recommend that you use an industry-standard RDBMS such as Oracle, PostgreSQL, MySQL, MS SQL, etc. when you set up your production environment. You can change the default database configuration by simply setting up a new physical database and updating the configurations in the product server to connect to that database.
- See the section on working with databases in the WSO2 product administration guide for instructions on how to set up and configure databases. First you need to set up the database and then configure it to run with WSO2 IS.
- See Setting Up Separate Databases for Clustering for information on how to logically separate the databases and identity related database scripts.
- See the Data Dictionary for information on the data tables used in WSO2 Identity Server.
Configuring users, roles and permissions
The user management feature in your product allows you to create new users and define the permissions granted to each user. You can also configure the user stores that are used for storing data related to user management.
- See the section on working with users, roles and permissions in the WSO2 product administration guide for instructions on how to configure this feature.
- See the topic on role-based permissions for WSO2 Identity Server for descriptions of all the permissions.
- For information on how to remove references to a deleted user's identity, see Removing References to Deleted User Identities.
Configuring security
After you install WSO2 IS, it is recommended to change the default security settings according to the requirements of your production environment. As WSO2 Identity Server is built on top of the WSO2 Carbon Kernel, the main security configurations applicable to WSO2 IS are inherited from the Carbon kernel.
See the section on Security in the WSO2 product administration guide for instructions on configuring security on your server. It includes the following sections:
- Configuring Transport-Level Security
- Using Asymmetric Encryption
- Using Symmetric Encryption
- Enabling Java Security Manager
- Securing Passwords in Configuration Files
- Resolving Hostname Verification
- Mitigating Cross Site Request Forgery Attacks
- Mitigating Cross Site Scripting Attacks
- Enabling or Customizing the Secure Vault Implementation
See the section on implementing security in the Identity Server for information and instructions on configuring security specific to the WSO2 Identity Server. It includes the following sections:
- Saving Access Tokens in Separate Tables
- Timestamp in WS-Security to Mitigate Replay Attacks
- Mitigating Authorization Code Interception Attacks
- Mitigating Cross Site Request Forgery (CSRF) Attacks
Certificate validation for REST APIs: When configuring intermediate certificate validation for REST APIs, it is recommended to add the ExemptContext parameter and leave it empty. This is because authentication might fail for the exempted contexts. For more information, see the third point in the instructions on Authenticating and Authorizing REST APIs.
Working with multiple tenants
You can create multiple tenants in your product server, which allows you to maintain tenant isolation within a single server or cluster.
See the section on working with multiple tenants in the WSO2 product administration guide for information and instructions.
Configuring the registry
A registry is a content store and a metadata repository for various artifacts such as services, WSDLs and configuration files. In WSO2 products, all configurations pertaining to modules, logging, security, data sources and other service groups are stored in the registry by default.
See the section on working with the registry in the WSO2 product administration guide for information on how to set up and configure the registry.
Tuning performance
You can optimize the performance of your product server by configuring the appropriate OS settings, JVM settings, etc. Most of these are server-level settings that improve the performance of any WSO2 product.
Changing the default ports
When you run multiple WSO2 products, multiple instances of the same product, or multiple WSO2 product clusters on the same server or virtual machines (VMs), you must change their default ports with an offset value to avoid port conflicts.
See the section on changing the default ports in the WSO2 product administration guide for instructions.
Installing, uninstalling and managing product features
Each WSO2 product is a collection of reusable software units called features, where a single feature is a list of components and/or other features. By default, WSO2 IS is shipped with the features that are required for your main use cases.
See the section on working with features in the WSO2 product administration guide for information on how you can install new features, or remove/update an existing feature.
Configuring custom proxy paths
This feature is particularly useful when multiple WSO2 products (fronted by a proxy server) are hosted under the same domain name. By adding a custom proxy path, you can host all products under a single domain and assign a separate proxy path to each product.
See the section on adding a custom proxy path in the WSO2 product administration guide for instructions on how to configure this feature.
Customizing error pages
You can make sure that sensitive information about the server is not revealed in error messages by customizing the error pages in your product.
See the section on customizing error pages in the WSO2 product administration guide for instructions.
Customizing the management console
Some WSO2 products, such as WSO2 IS, include a web user interface named the management console. This allows administrators to configure, monitor, tune, and maintain the product using a simple interface. You can customize the look and feel of the management console for your product.
See the section on customizing the management console in the WSO2 product administration guide for instructions.
Monitoring the server
Monitoring is an important part of maintaining a product server. Listed below are the monitoring capabilities that are available for WSO2 IS.
Monitoring logs
A properly configured logging system is vital for identifying errors, security threats and usage patterns in your product server.
See the section on monitoring logs in the WSO2 product administration guide for information and instructions on how to set up and monitor the server.
Monitoring with statistics
WSO2 IS is a powerful tool for collecting statistical information.
See the section on monitoring the WSO2 Identity Server in the WSO2 Identity Server guide for more information on how to use the statistics feature.
Monitoring using WSO2 metrics
From WSO2 IS 5.3.0 onwards, the product is shipped with JVM Metrics, which allows you to monitor statistics of your server using Java Metrics.
See the section on using WSO2 metrics in the WSO2 product administration guide for information on how to set up and use Carbon metrics.
JMX-based monitoring
See the section on JMX-based monitoring in the WSO2 product administration guide for instructions.
Monitoring server health
See the section on Monitoring Server Health in the WSO2 product administration guide for information on using the Carbon Health Check API to check server health.
Enabling mutual SSL
See the section on Enabling Mutual SSL to enable SSL authentication in WSO2 Identity Server.