Friday, December 2, 2016

How to Read a File Stored in the Registry - WSO2 ESB

Sometimes a mediation flow in WSO2 ESB needs to read the content of a file. When the file is stored as a registry resource, it can be fetched with the registry form of get-property() and handled as an XML (OM) node in the sequence.

Say we have a file named EndPoints.xml stored under the registry path /_system/config/repository/demo with the following content.

File content:

<EndPointsList xmlns:ns1="http://endpoints">
   <EP>www.google.com</EP>
   <EP>www.yahoo.com</EP>
</EndPointsList>

Registry path: /_system/config/repository/demo/EndPoints.xml (the /_system/config collection is addressed with the conf: prefix in Synapse, so the resource key used in the proxy is conf:/repository/demo/EndPoints.xml).

Sample Proxy:

This proxy service reads EndPoints.xml from the registry into a property of type OM, iterates over its EP elements with the ForEach mediator and prints each one with the Log mediator. Keep in mind that the Log mediator writes the values into the server log, so do not use this pattern on registry resources that hold credentials or other secrets.


<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="TestFileReadProxy"
       transports="https,http"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
   <target>
      <inSequence>
         <property name="EndPointList"
                   expression="get-property('registry','conf:/repository/demo/EndPoints.xml')"
                   scope="default"
                   type="OM"/>
         <foreach xmlns:nm="http://endpoints"
                  id="foreach_1"
                  expression="$ctx:EndPointList//EP">
            <sequence>
               <log level="custom">
                  <property name="EP:" expression="//EP"/>
               </log>
            </sequence>
         </foreach>
         <respond/>
      </inSequence>
   </target>
   <description/>
</proxy>


Log Output:



TID: [-1234] [] [2016-12-02 11:58:13,964]  INFO {org.apache.synapse.mediators.builtin.LogMediator} -  EP: = www.google.com {org.apache.synapse.mediators.builtin.LogMediator}
TID: [-1234] [] [2016-12-02 11:58:13,966]  INFO {org.apache.synapse.mediators.builtin.LogMediator} -  EP: = www.yahoo.com {org.apache.synapse.mediators.builtin.LogMediator}

Thursday, December 1, 2016

WSO2 ESB 5.0 DB Configuration with ESB Analytics

The following databases are used with ESB 5.0 and ESB Analytics 5.0.

  • WSO2_CARBON_DB - Local registry space which is specific to each ESB instance.
  • WSO2UM_DB - User Manager database which stores information related to users and user roles.
  • WSO2REG_DB - Registry database which is a content store and a metadata repository for SOA artifacts.
  • WSO2_ANALYTICS_EVENT_STORE_DB - Analytics record store which stores event definitions.
  • WSO2_ANALYTICS_PROCESSED_DATA_STORE_DB - Analytics record store which stores processed data.
  • WSO2_METRICS_DB - Stores Carbon metrics.



How to Use the WSO2 ESB Enrich Mediator to Remove Elements from a Payload

The Enrich Mediator processes a message based on a source configuration and then applies the specified action to the message using the target configuration. In this example it is used to drop wrapper elements from the payload: every jsonObject element that contains a jsonArray element is replaced by that jsonArray, so the jsonObject wrapper disappears, while jsonObject elements without an array are left untouched. Note that the jsonObject elements in the sample sit in two different namespaces (the Synapse default namespace and no namespace), which is why the XPath expressions in the proxy match on local-name() rather than on a literal element name.

Sample Request:


<root:rootelement xmlns:root="www.test.com">
   <jsonObject xmlns="http://ws.apache.org/ns/synapse">
      <jsonArray>
         <jsonElement>
            <account_name>XYZ</account_name>
            <account_id>20</account_id>
         </jsonElement>
      </jsonArray>
   </jsonObject>
   <jsonObject>
      <account_name>DEF</account_name>
      <account_id>22</account_id>
   </jsonObject>
   <jsonObject xmlns="http://ws.apache.org/ns/synapse">
      <jsonArray>
         <jsonElement>
            <account_name>PQR</account_name>
            <account_id>10</account_id>
         </jsonElement>
         <jsonElement>
            <account_name>JKL</account_name>
            <account_id>11</account_id>
         </jsonElement>
         <jsonElement>
            <account_name>QWE</account_name>
            <account_id>12</account_id>
         </jsonElement>
      </jsonArray>
   </jsonObject>
   <jsonObject>
      <account_name>ABC</account_name>
      <account_id>42</account_id>
   </jsonObject>
</root:rootelement>

Sample Response:


<root:rootelement xmlns:root="www.test.com">
   <jsonArray xmlns="http://ws.apache.org/ns/synapse">
      <jsonElement>
         <account_name>XYZ</account_name>
         <account_id>20</account_id>
      </jsonElement>
   </jsonArray>
   <jsonObject>
      <account_name>DEF</account_name>
      <account_id>22</account_id>
   </jsonObject>
   <jsonArray xmlns="http://ws.apache.org/ns/synapse">
      <jsonElement>
         <account_name>PQR</account_name>
         <account_id>10</account_id>
      </jsonElement>
      <jsonElement>
         <account_name>JKL</account_name>
         <account_id>11</account_id>
      </jsonElement>
      <jsonElement>
         <account_name>QWE</account_name>
         <account_id>12</account_id>
      </jsonElement>
   </jsonArray>
   <jsonObject>
      <account_name>ABC</account_name>
      <account_id>42</account_id>
   </jsonObject>
</root:rootelement>


Example Proxy Service:

<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="TestXPath"
       transports="https,http"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
   <target>
      <inSequence>
         <foreach expression="//*[local-name()='jsonObject']">
            <sequence>
               <filter xpath="boolean(//*[local-name()='jsonObject']/*[name()='jsonArray'])">
                  <then>
                     <enrich>
                        <source clone="true" xpath="//*[local-name()='jsonArray']"/>
                        <target type="body"/>
                     </enrich>
                  </then>
               </filter>
            </sequence>
         </foreach>
         <respond/>
      </inSequence>
      <outSequence>
         <send/>
      </outSequence>
   </target>
   <description/>
</proxy>
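The same unwrapping that the foreach/filter/enrich configuration above performs, reimplemented with Python's ElementTree so the result can be checked against the sample response. This is an added example, not code from the post or from WSO2; the helper names are mine and the input is a trimmed copy of the post's sample request. Like the proxy's XPath, it compares local names only, so jsonObject elements in the Synapse namespace and in no namespace are both handled.

```python
"""Added example (not part of the post): the unwrapping done by the proxy's
foreach + filter + enrich mediators, reimplemented with ElementTree.
Helper names are mine; SAMPLE_REQUEST is a trimmed copy of the post's sample."""
import xml.etree.ElementTree as ET

SAMPLE_REQUEST = """<root:rootelement xmlns:root="www.test.com">
   <jsonObject xmlns="http://ws.apache.org/ns/synapse">
      <jsonArray>
         <jsonElement><account_name>XYZ</account_name><account_id>20</account_id></jsonElement>
      </jsonArray>
   </jsonObject>
   <jsonObject>
      <account_name>DEF</account_name><account_id>22</account_id>
   </jsonObject>
   <jsonObject xmlns="http://ws.apache.org/ns/synapse">
      <jsonArray>
         <jsonElement><account_name>PQR</account_name><account_id>10</account_id></jsonElement>
         <jsonElement><account_name>JKL</account_name><account_id>11</account_id></jsonElement>
      </jsonArray>
   </jsonObject>
   <jsonObject>
      <account_name>ABC</account_name><account_id>42</account_id>
   </jsonObject>
</root:rootelement>"""


def local_name(tag):
    """ElementTree writes namespaced tags as '{uri}name'; return just 'name',
    which is what XPath local-name() compares in the proxy's expressions."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def unwrap_json_objects(root):
    """Replace every jsonObject child of root that directly holds a jsonArray with
    that jsonArray (the Enrich step: source = jsonArray, target = body).
    jsonObject children without an array are kept. Returns the number replaced."""
    replaced = 0
    for index, child in enumerate(list(root)):
        if local_name(child.tag) != "jsonObject":
            continue
        arrays = [c for c in child if local_name(c.tag) == "jsonArray"]
        if not arrays:
            continue  # the filter mediator's 'then' branch is skipped
        root.remove(child)
        root.insert(index, arrays[0])  # same position, so later indexes stay valid
        replaced += 1
    return replaced


def transform(xml_text):
    """Parse the payload, unwrap it and return the root element."""
    root = ET.fromstring(xml_text)
    unwrap_json_objects(root)
    return root


def top_level_names(root):
    """Local names of the root's children, for comparing with the sample response."""
    return [local_name(child.tag) for child in root]


def account_names(root):
    """account_name values in document order, to confirm nothing was lost or reordered."""
    return [e.text for e in root.iter() if local_name(e.tag) == "account_name"]


if __name__ == "__main__":
    result = transform(SAMPLE_REQUEST)
    print(ET.tostring(result, encoding="unicode"))
```

Running it prints the unwrapped payload: two jsonArray elements (still in the Synapse namespace) alternating with the two plain jsonObject elements, matching the sample response.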

Wednesday, November 30, 2016

Configure Cipher Suites for WSO2 Products

To restrict the cipher suites a WSO2 product accepts, add a ciphers attribute to the HTTPS Connector configuration in the catalina-server.xml file. Its value is a comma separated list of the cipher suites the server should offer:

ciphers="<cipher-name>,<cipher-name>"

This attribute covers the servlet transport (port 9443) only. In the ESB the passthrough transport (port 8243) is configured separately in axis2.xml, where the https transportReceiver takes its list from the PreferredCiphers parameter.

The following cipher suites are recommended for use with TLS 1.2. Note that the ECDSA suites are only ever negotiated if the server's keystore holds an EC certificate; with the RSA key in the default wso2carbon.jks only the ECDHE_RSA and DHE_RSA suites actually take effect.

Java 8 with JCE Unlimited Strength Jurisdiction Policy

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Java 7 with JCE Unlimited Strength Jurisdiction Policy

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA

The only difference between the two lists is that the Java 7 list has no GCM cipher suites, since GCM support was added in Java 8. Prefer the GCM suites where the JVM allows them: the CBC suites are still acceptable with TLS 1.2 but depend on the TLS implementation's padding-oracle countermeasures.

References:

[1] https://docs.wso2.com/display/ADMIN44x/Configuring+Transport+Level+Security
[2] https://docs.wso2.com/display/ADMIN44x/Supported+Cipher+Suites

Enable TLS 1.2 for WSO2 Services

The following configuration changes restrict a WSO2 service to TLS 1.2 only. The default sslProtocol="TLS" setting leaves TLS 1.0 and 1.1 enabled as well, which is what these changes remove.
  • Enforce TLS 1.2 for the servlet transport, i.e. port 9443, in the /repository/conf/tomcat/catalina-server.xml file.
    • Find the Connector configuration for TLS (usually the connector with port 9443 and sslProtocol="TLS"). Remove the sslProtocol="TLS" attribute and replace it with sslEnabledProtocols="TLSv1.2" (the remaining Connector attributes stay as they are):

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           bindOnInit="false"
           sslEnabledProtocols="TLSv1.2"
           ... />

  • Enforce TLS 1.2 for the PassThrough transport, i.e. port 8243 (for example in the ESB), in the /repository/conf/axis2/axis2.xml file.
    • Add the HttpsProtocols parameter under both of the following elements:

<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">

<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">

Parameter:

<parameter name="HttpsProtocols">TLSv1.2</parameter>
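An offline check for the two posts above (the cipher suite list and the TLS 1.2 settings), written as an added example rather than anything WSO2 ships: it parses catalina-server.xml and axis2.xml and reports a 9443 Connector that still carries sslProtocol, lacks sslEnabledProtocols="TLSv1.2" or has no ciphers list, any listed suite that is weak or not forward secret, and an https passthrough transport without the HttpsProtocols parameter. The XML fragments are constructed samples of a default-style and a hardened configuration; the function names and the "weak suite" patterns are my own policy choices.

```python
"""Added example (not WSO2 code): audit the TLS settings of a WSO2 server's
catalina-server.xml and axis2.xml as described in the two posts above.
The XML fragments are constructed samples; the policy regexes are my own."""
import re
import xml.etree.ElementTree as ET

# Suites that must never be offered: no encryption, anonymous key exchange,
# export grade, RC4, (3)DES, MD5 MACs, pre-shared or Kerberos keys.
WEAK = re.compile(r"NULL|anon|EXPORT|RC4|DES|MD5|PSK|KRB5", re.IGNORECASE)
# Everything the post recommends is an ephemeral (EC)DHE AES suite; static
# TLS_RSA_* suites have no forward secrecy and are flagged separately.
FORWARD_SECRET = re.compile(r"^TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_AES_")


def audit_ciphers(cipher_attr):
    """Return a list of findings for a comma-separated ciphers attribute value."""
    findings = []
    suites = [s.strip() for s in cipher_attr.split(",") if s.strip()]
    if not suites:
        findings.append("ciphers attribute missing or empty: JVM default list applies")
    for suite in suites:
        if WEAK.search(suite):
            findings.append(f"weak suite: {suite}")
        elif not FORWARD_SECRET.match(suite):
            findings.append(f"no forward secrecy: {suite}")
    return findings


def audit_catalina(xml_text, port="9443"):
    """Check the TLS Connector in catalina-server.xml; returns a list of findings."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") != port:
            continue
        findings = []
        if conn.get("sslEnabledProtocols") != "TLSv1.2":
            findings.append(f"sslEnabledProtocols is {conn.get('sslEnabledProtocols')!r}, "
                            f"expected 'TLSv1.2'")
        if "sslProtocol" in conn.attrib:
            findings.append("sslProtocol attribute still present; replace it with sslEnabledProtocols")
        findings += audit_ciphers(conn.get("ciphers", ""))
        return findings
    return [f"no Connector found on port {port}"]


def audit_axis2(xml_text):
    """Check both https passthrough transports in axis2.xml; returns a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("transportReceiver", "transportSender"):
        for el in root.iter(tag):
            if el.get("name") != "https":
                continue
            params = {p.get("name"): (p.text or "").strip() for p in el.findall("parameter")}
            if params.get("HttpsProtocols") != "TLSv1.2":
                findings.append(f"{tag} https: HttpsProtocols is "
                                f"{params.get('HttpsProtocols')!r}, expected 'TLSv1.2'")
    return findings


# Constructed samples: a default-style configuration and the hardened one.
CATALINA_DEFAULT = """<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443"
           bindOnInit="false" sslProtocol="TLS" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""

CATALINA_HARDENED = """<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443"
           bindOnInit="false" sslEnabledProtocols="TLSv1.2" SSLEnabled="true" scheme="https" secure="true"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>
</Service></Server>"""

AXIS2_DEFAULT = """<axisconfig>
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
  <parameter name="port" locked="false">8243</parameter>
</transportReceiver>
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender"/>
</axisconfig>"""

AXIS2_HARDENED = """<axisconfig>
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
  <parameter name="port" locked="false">8243</parameter>
  <parameter name="HttpsProtocols">TLSv1.2</parameter>
</transportReceiver>
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
  <parameter name="HttpsProtocols">TLSv1.2</parameter>
</transportSender>
</axisconfig>"""

if __name__ == "__main__":
    for label, text in (("catalina default", CATALINA_DEFAULT), ("catalina hardened", CATALINA_HARDENED)):
        print(label, audit_catalina(text) or "OK")
    for label, text in (("axis2 default", AXIS2_DEFAULT), ("axis2 hardened", AXIS2_HARDENED)):
        print(label, audit_axis2(text) or "OK")
```

To run it against a real installation, replace the constructed strings with the contents of repository/conf/tomcat/catalina-server.xml and repository/conf/axis2/axis2.xml. The file check only proves what the server was told to do; confirm the result on the wire as well, for example by attempting a TLS 1.0 handshake against ports 9443 and 8243 and expecting it to be refused.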

Saturday, November 5, 2016

WSO2 APIM 2.0.0 DB Configuration

APIM 2.0.0 uses the following databases.

  • Local database (WSO2_CARBON_DB) - Local registry space which is specific to each APIM instance.
  • User Manager database (WSO2UM_DB) - Stores information related to users and user roles.
  • API Manager database (WSO2AM_DB) - Stores information related to the APIs along with the API subscription details.
  • Registry database (WSO2REG_DB) - Content store and a metadata repository for SOA artifacts.
  • Statistics database (WSO2AM_STATS_DB) - Stores information related to API statistics. After APIM Analytics is configured, it writes summarized data to this database.
  • Message Broker database (WSO2_MB_STORE_DB) - Used as the message store for the broker when advanced throttling is used. It is needed by the APIM instance that acts as the Traffic Manager. If there is more than one Traffic Manager node, each node must have its own message broker database.

The following databases are required for APIM Analytics.

  • WSO2_ANALYTICS_EVENT_STORE_DB - Analytics record store which stores event definitions.
  • WSO2_ANALYTICS_PROCESSED_DATA_STORE_DB - Analytics record store which stores processed data.
  • WSO2_GEO_LOCATION_DB - Statistics generated for selected geographic locations.
  • WSO2AM_STATS_DB - Stores API statistics data; this must be shared with the APIM instances.
  • WSO2UM_DB - Stores information related to the users; this must also be shared with the APIM instances.
  • WSO2_CARBON_DB - Local database for APIM Analytics.
  • WSO2REG_DB - Registry database for APIM Analytics. A separate database can be configured, or WSO2_CARBON_DB itself can be used.

For two active-active all-in-one WSO2 API Manager instances with analytics, the DB connections can be configured as follows.