Wednesday, December 10, 2014

Capturing/Decoding messages with JWT using wire logs in WSO2 API Manager 1.7.0

This is intended for users who have configured WSO2 API Manager 1.7.0 with JWT and want to see the messages that carry the JWT. If you haven’t configured it, please refer to this

1. Enable debug logs for the following loggers in WSO2APIM_HOME/repository/conf/log4j.properties file 

       log4j.category.org.apache.synapse.transport.nhttp.wire=DEBUG

       log4j.category.org.apache.synapse.transport=DEBUG

2. Restart the WSO2 API Manager if it is already running

3. Access your API and have a look at the carbon logs

4. You will get something similar to the following log entry

[2014-11-30 22:09:22,610] DEBUG - headers http-outgoing-2 >> X-JWT-Assertion: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5tSm1PR1V4TXpabFlqTTJaRFJoTlRabFlUQTF
ZemRoWlRSaU9XRTBOV0kyTTJKbU9UYzFaQT09In0=.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy
9hbSIsImV4cCI6MTQxNzM2NjQ2MTk5OCwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9zdWJzY3JpYmV
yIjoicmFqa3VtYXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9uaWQiOiIxIiwiaHR0
cDovL3dzbzIub3JnL2NsYWltcy9hcHBsaWNhdGlvbm5hbWUiOiJEZWZhdWx0QXBwbGljYXRpb24iLC
JodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2FwcGxpY2F0aW9udGllciI6IlVubGltaXRlZCIsImh0dHA6Ly9
3c28yLm9yZy9jbGFpbXMvYXBpY29udGV4dCI6Ii9waG9uZXZlcmlmeSIsImh0dHA6Ly93c28yLm9yZy
9jbGFpbXMvdmVyc2lvbiI6IjEuMC4wIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy90aWVyIjoiVW5saW1pd
GVkIiwiaHR0cDovL3dzbzIub3JnL2NsYWltcy9rZXl0eXBlIjoiUFJPRFVDVElPTiIsImh0dHA6Ly93c28yL
m9yZy9jbGFpbXMvdXNlcnR5cGUiOiJBUFBMSUNBVElPTiIsImh0dHA6Ly93c28yLm9yZy9jbGFpbX
MvZW5kdXNlciI6InJhamt1bWFyQGNhcmJvbi5zdXBlciIsImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvZ
W5kdXNlclRlbmFudElkIjoiLTEyMzQiLCAiaHR0cDovL3dzbzIub3JnL2NsYWltcy9lbWFpbGFkZHJlc3Mi
OiJyYWprdW1hcnJAd3NvMi5jb20iLCAiaHR0cDovL3dzbzIub3JnL2NsYWltcy9naXZlbm5hbWUiOiJtb2
1vIiwgImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvbGFzdG5hbWUiOiJtb20iLCAiaHR0cDovL3dzbzIub3J
nL2NsYWltcy9yb2xlIjoiSW50ZXJuYWwvc3Vic2NyaWJlcixJbnRlcm5hbC9ldmVyeW9uZSJ9.eczrlpBg3
+38Y90voBIhei3wXMZqZWV5z4q4nSQoUPPlUYXAo6UGmsiwBkT17BivS16K0I69tGwpxKzju/Tg8slT
06bLVmOwIeFtMH86HLh/VPKqnZ0WKgsZw5fFxccIYDgIfnzo8Gg+x9+tL+R2i71e5EOc7098FXZOXH
nlYm0=

5. As you can see, this is the JWT in encoded format. The above message contains three parts separated by dots. We can decode this message and see what it represents. You can go to https://www.base64decode.org/ and decode this message part by part.

6. If you copy and paste the first part of the message (the text before the first dot) into the decoder, you will get the JWT headers.

7. If you copy and paste the second part of the message (the text between the two dots) into the decoder, you will get the JWT claims set.

8. That’s it. You have decoded and viewed the end user details that have been sent to the back end.
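Steps 5 to 7 can also be done locally, without pasting the token into a website. The following is an added example, not code from the original post: it extracts the X-JWT-Assertion value from a wire-log line and decodes the header and claims, accepting both the padded standard Base64 seen in the log above and URL-safe Base64. The function names and the sample line are constructed for illustration, and the signature is not verified.

```python
import base64
import json
import re

# Header name and line layout follow the wire-log entry shown in step 4.
HEADER_RE = re.compile(r"X-JWT-Assertion:\s*(\S+)")

def b64_decode_any(segment: str) -> bytes:
    """Decode standard or URL-safe Base64, with or without '=' padding."""
    seg = segment.strip().replace("-", "+").replace("_", "/").rstrip("=")
    seg += "=" * (-len(seg) % 4)          # restore padding to a multiple of 4
    return base64.b64decode(seg, validate=True)

def decode_jwt_from_log(line: str) -> dict:
    """Pull the JWT out of one wire-log line and decode header and claims.

    Inspection only: the signature is measured, not verified.
    """
    match = HEADER_RE.search(line)
    if match is None:
        raise ValueError("no X-JWT-Assertion header in this line")
    parts = match.group(1).split(".")
    if len(parts) != 3:
        raise ValueError("expected header.claims.signature")
    header, claims, signature = parts
    return {
        "header": json.loads(b64_decode_any(header)),
        "claims": json.loads(b64_decode_any(claims)),
        "signature_bytes": len(b64_decode_any(signature)),
    }

def _b64(data) -> str:
    raw = data if isinstance(data, bytes) else json.dumps(data).encode()
    return base64.b64encode(raw).decode()  # padded standard Base64, as in step 4

# Constructed sample, not the token from the post; the signature is filler bytes.
SAMPLE_LINE = (
    "[2014-11-30 22:09:22,610] DEBUG - headers http-outgoing-2 >> X-JWT-Assertion: "
    + ".".join([
        _b64({"typ": "JWT", "alg": "RS256"}),
        _b64({"iss": "wso2.org/products/am",
              "http://wso2.org/claims/subscriber": "sample-user"}),
        _b64(bytes(range(128))),
    ])
)

if __name__ == "__main__":
    print(json.dumps(decode_jwt_from_log(SAMPLE_LINE), indent=2))
```

Because wire logs at DEBUG write every header, including this token with its end-user claims, to the carbon logs, set the two loggers back to their previous level once you have finished inspecting.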

WSO2 Identity Server - How to add users containing special characters?

You can't create users containing special characters like "raj-kumar", "raj.kumar", "raj_kumar" etc. by default in WSO2 IS.

If you try to create users like the above, you will get the following error.



However, you can configure which characters WSO2 IS allows in a username.

To allow usernames with special characters, you can do the following.

* Open IS_HOME/repository/conf/user-mgt.xml

* Change the value of the property 'UsernameJavaRegEx' in the user store configuration that is applicable as below.

* Restart the server.

* Now you should be able to add users like "raj-kumar", "raj.kumar" and "raj_kumar"


Limitations - Pipe character

The pipe character is used as a special character in the WSO2 code base. You will still be able to create users like "test|user".


But you will end up with several problems, as mentioned below.

* Users will be created and populated in LDAP. But when you list the users from the IS management console, you will see only the second part of the username. For example, if you create a user "test|user", then only "user" is listed in the management console.

* You will not be able to delete this user. It will report "Cannot delete user. Error is: Cannot delete user who is not exist".


Hence, avoid creating users with the pipe character.

Tuesday, December 9, 2014

WSO2 ESB and RabbitMQ


The Scenario of Interest


1. Client submits an API request with a correlation id and a call back queue to RabbitMQ
2. ESB receives the request from RabbitMQ
3. ESB forwards the request to Endpoint
4. ESB receives the response from Endpoint
5. If the ESB receives a response from Endpoint, it publishes it to the call back queue specified in the request, with the correlation id of the request
6. If the ESB doesn't receive a response in a timely manner, it posts an error to the Dead Letter MQ with the correlation id of the request
7. Client receives the response from the call back queue
8. Since request and response have the correlation id, client knows which response is for which request

* Configure the ESB to use rabbitmq transport as explained in https://docs.wso2.com/display/ESB481/RabbitMQ+AMQP+Transport

* Start axis2 server and deploy SimpleStockQuote Service as explained in https://docs.wso2.com/display/ESB481/Setting+Up+the+ESB+Samples

* Go to the management console of ESB and click on 'Source View'

* Copy and paste the following synapse configuration into the 'Source View' and click update

* Now you have deployed a rabbitmq proxy service which will:
      consume messages from a queue called "rpc-queue"
      call the back end simple stock quote service for the symbol found in that request message
      receive the response from the back end
      set the correlation id of the request on the response
      publish the response to the call back queue found in the request
      publish an error message, with the correlation id of the request, to a queue called "dead-queue" if the ESB does not get any response from the back end

* Now run the following RPCClient.java

* Now login to the management console of the rabbitmq server (http://localhost:15672)

* You will see that there is a message in your call back queue. This message is the response sent by the ESB.

* Now run the following RPCReceiver.java

* You will get the message in your console. This is the message RPCReceiver pulled from your call back queue. This will have the correlation id of the request too.

* Have a look at the rabbitmq management console. The previous message will not be there, as it has been pulled by the RPCReceiver.

* Now shutdown axis2 server

* Run RPCClient.java

* Have a look at the rabbitmq management console. You will find that there is a message in a queue called "dead-queue". Since the back end service is unavailable, the ESB sends the response to the dead queue with the correlation id of the request

I will explain this scenario in detail soon.

Saturday, December 6, 2014

WSO2 API Manager - How to send additional headers in Swagger API Console?

WSO2 API Manager's Swagger API Console allows you to send the authorization header by default. If you want to send additional headers, follow these steps.

* Go to the publisher and click on your API.
* Click on Docs.


* Click on Edit Contents of the swagger API definition. You will get the swagger API definition editor


* Under the parameters section of each HTTP method, you can add whatever parameters you want. They can be headers, body etc.

* For example, if you want to add tenant and enterprise headers to the PUT method, you will add the following entries under the parameters section of the PUT method of your API.

* And then you should add these two headers under Access-Control-Allow-Headers of CORS configuration in api-manager.xml, like below.

* Finally restart the API Manager if already started.

* Go to the API Console in store and click on PUT method


Now you should be able to send additional headers from API Console.

WSO2 API Manager's Swagger API Console does not return any results?

When you click the “Try it out!” option, sometimes nothing happens other than some moving dots.


There can be several reasons for this problem.

First, you need to verify whether the CORS configurations are correct in api-manager.xml.
It is clearly explained here. Please make sure your settings are correct according to this guide.

If you are accessing the store via HTTPS, you will not be able to use the API Console most of the time.

The reason is that the swagger base path is set to the HTTP production endpoint by default, so the swagger client can't connect to it.

You can change the swagger base path as explained here.

* Go to publisher and click on your API.

* Click on Docs


* Click Edit Contents of swagger API definition. You will get swagger API definition editor




* You will see that the base path is set to HTTP production url like http://10.100.5.84:8280/phoneverify/1.0.0

* Change it to HTTPS production url like https://10.100.5.84:8243/phoneverify/1.0.0

* Please note that the ports are different in each url.

* Save and close the swagger API definition editor

* Now click on the “Try it out!” option from the store, and you will get a response



There you go! You got the response!

You don't have permission to access / on this server - Openstack Horizon UI

While logging into the Openstack Horizon UI, you might get the following error.

  Forbidden
  You don't have permission to access / on this server.
   Apache/2.4.6 (Ubuntu) Server at 192.168.57.30 Port 80
 
You can solve it easily.

Step 1

Modify /etc/apache2/sites-available/horizon.conf with the line "Require all granted" as per below:

Step 2

Restart the apache server by running the following command on your terminal.

sudo service apache2 restart

You should be able to access horizon now. Hope it will work.
 
 

ssh: connect to host 192.168.57.30 port 22: Connection refused

If you have a machine with a user wso2 and you are trying to ssh to it from another machine, you will do something like below.

ssh wso2@192.168.57.30

Sometimes you will get the following error while doing the above.

ssh: connect to host 192.168.57.30 port 22: Connection refused

There might be several reasons for this.

If you don't have openssh-server installed on your machine, you will get the above error.

Run this command to install openssh-server.

sudo apt-get install openssh-server

You will be able to ssh now.