Wednesday, November 21, 2012

How to install "Webseal based authenticator feature" to WSO2 Governance Registry.

Equinox P2 is integrated with WSO2 Carbon, so it provides provisioning capabilities: users can install new features into (or remove existing features from) any Carbon-based product. This is the recommended way to customize the default product.

1) Add p2-repo

Go to the Configure --> Features and add the p2-repository.

2) Add the remote repository name and the URL.

     Name : any value
     Location : http://dist.wso2.org/p2/carbon/releases/4.0.3/

3) Select the newly added repository and find the features.

4) Expand the Identity server feature and select the "Webseal based authenticator feature". Now you can install that feature.

5) Accept the license agreement and install.

6) After the installation completes, restart the server.


Note: To verify the installation, start the Governance Registry server with the OSGi console (sh wso2server.sh -DosgiConsole). Once the server has started successfully, press Enter. You will now see the OSGi console.

i) Execute the "ss" command to list jars. (type ss and press enter).

ii) The jars related to the "Webseal authenticator feature" should be listed in the "ACTIVE" state.


** You can follow the above steps to install any feature to any Carbon based product. 



How to configure WSO2 Governance Registry with Webseal


The main objective of this blog post is to provide the necessary steps to configure WSO2 Governance Registry with the IBM Webseal.



1) Configure the Governance Registry.

i) Download the WSO2 Governance Registry (4.5.0) from here.

ii) Copy the Webseal authentication jars to the GREG_HOME/repository/components/dropins.

Jars location : https://svn.wso2.org/repos/wso2/people/ajith/deployment/blogs/jars/authenticators

(Alternatively, install the "Webseal based authenticator feature" from the p2-repo. One of the two is required because the authenticator is not shipped with Governance Registry.)

iii) Open authenticators.xml, which resides in GREG_HOME/repository/conf/security, and add the following entry.
<Authenticator disabled="false" name="WebSealUIAuthenticator">
        <Priority>3</Priority>
</Authenticator>
iv) Start the Governance Registry server.

v) Log in to the management console using the default user name and password (admin and admin).

vi) Go to Configure → Users and Roles, and create a new user called “webSealUser”.

vii) Go to Configure → Users and Roles, create a new role called “delegated-admin” and assign “webSealUser” to this role.

Note: This user name and its password will be used by Webseal to authenticate to the Governance Registry server.

viii) Grant “login” permission to the “everyone” role.

2) Configure the IBM WebSeal.

i) Add the above user name and password to the iv.conf file in Webseal.

basic_auth_username=webSealUser
basic_auth_password=password

Note: These values will be set as headers in the request that goes from Webseal to the Governance Registry server.

ii) Add the following URL as the login redirect page:
https://{ip}:{port}/carbon/admin/login_action.jsp

Note: This is the URL the user is redirected to after logging in to Webseal.

3) Test without Webseal setup

Here we manually create the request that would normally go from Webseal to Governance Registry.
I'm going to use the “Modify Headers” plugin [1] in the Firefox browser.

[1] https://addons.mozilla.org/en-us/firefox/addon/modify-headers/

We can inject the required headers (iv-user and Authorization) into the request using this plugin.

i) Install that plugin to your browser and open the plugin.

ii) Add the following two headers.

Name : iv-user
Value : name of the user who is going to login to Governance Registry.

Name: Authorization
Value: Basic <Base 64 encoded value of the webSealUser:password>

Eg :

If the user name of the delegated-admin is “webSealUser” and password is “123456” then you should generate the value of the Authorization header using webSealUser:123456 .

You can use some online services[2] to easily generate the value of the Authorization header.




Note: You should click on the “Start” button of the plugin window.

iii) Restart the browser.

iv) Point your browser to
https://{ip}:{port}/carbon/admin/login_action.jsp

v) Now you should be able to log in to the Governance Registry server without seeing the login page :) .
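
The manual test in step 3, as an added Python example (not part of the original post and not WSO2 code): it computes the Authorization value locally and models, as an assumption, the check the test relies on, namely that the iv-user name is accepted only when the Basic credentials match the delegated-admin account. The function names are hypothetical; the sample user and password are the ones from the example above.

```python
import base64
import binascii
import hmac


def webseal_headers(end_user, junction_user, junction_password):
    """Build the two headers the post adds by hand: iv-user and Authorization."""
    raw = f"{junction_user}:{junction_password}".encode("utf-8")
    return {
        "iv-user": end_user,
        "Authorization": "Basic " + base64.b64encode(raw).decode("ascii"),
    }


def parse_basic(value):
    """Return (user, password) from a Basic header value, or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def accepted_identity(headers, junction_user, junction_password):
    """Simplified model of the backend check (an assumption, not WSO2 code):
    the iv-user name is trusted only if the Basic credentials belong to the
    delegated account. Returns the accepted user name, or None."""
    creds = parse_basic(headers.get("Authorization", ""))
    end_user = headers.get("iv-user", "").strip()
    if creds is None or not end_user:
        return None
    user_ok = hmac.compare_digest(creds[0].encode(), junction_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), junction_password.encode())
    return end_user if (user_ok and pass_ok) else None


if __name__ == "__main__":
    # Sample values from the post's example: webSealUser / 123456, logging in as admin.
    sample = webseal_headers("admin", "webSealUser", "123456")
    print(sample["Authorization"])
    print(accepted_identity(sample, "webSealUser", "123456"))
```

In this model the identity comes entirely from the iv-user header, so the webSealUser password and direct network access to the Governance Registry port are what separate a request forwarded by Webseal from one built by hand.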

 


Tcpmon view.