Wednesday, November 30, 2016

Configure Cipher Suites for WSO2 Products

To restrict the server to a chosen set of cipher suites, add a ciphers attribute to the HTTPS Connector configuration in the catalina-server.xml file [1]. Its value is a comma separated list of the suites the server is allowed to negotiate, as follows.

ciphers="<cipher-name>,<cipher-name>"



The following cipher suites are recommended for use with TLS 1.2 [2]. Which of them are available depends on the Java version the product runs on.

Java 8 with JCE Unlimited Strength Jurisdiction Policy

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Java 7 with JCE Unlimited Strength Jurisdiction Policy

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA

The only difference between the two groups is that the Java 7 list omits the GCM based suites, because JSSE gained GCM support only in Java 8. Both lists assume the JCE Unlimited Strength Jurisdiction Policy files are installed: without them the JVM does not support the AES_256 suites, so listing them has no effect. The *_CBC_SHA suites at the end of each list use HMAC-SHA1 and are kept only for older clients; drop them once every client can negotiate a GCM or SHA-256 suite.
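As an added example (not code from this post or from WSO2), the following Python script lints a ciphers attribute value before it goes into catalina-server.xml. It parses JSSE suite names, rejects suites built on weak primitives and names that are not JSSE names at all (OpenSSL-style names such as ECDHE-RSA-AES128-GCM-SHA256 are a common mistake), enforces the Java 8 list above as an allow-list, and flags suites that lack forward secrecy, use a SHA-1 MAC, or use AES-256 and therefore need the Unlimited Strength policy files. The attribute value it runs on is constructed for the example.

```python
"""Lint the value of a Tomcat connector ciphers="..." attribute.

Added example, not WSO2 or Tomcat code. JSSE suite names have the shape
TLS_<key exchange>_WITH_<cipher>_<mac or prf>; each one is classified so a
list can be checked before it is pasted into catalina-server.xml.
"""
import re

# Suites recommended on this page for Java 8; used as the allow-list.
RECOMMENDED_JAVA8 = frozenset((
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
))

# Name tokens that make a suite unacceptable regardless of anything else.
WEAK_TOKENS = frozenset(("NULL", "RC4", "DES", "3DES", "MD5", "anon",
                         "EXPORT", "EXPORT1024"))

_SUITE_RE = re.compile(r"^(TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)$")


def suite_info(name):
    """Classify one JSSE suite name; returns None if it does not parse."""
    m = _SUITE_RE.match(name)
    if not m:
        return None
    kx_tokens = m.group("kx").split("_")
    cipher_tokens = m.group("cipher").split("_")
    aead = any(t in ("GCM", "CCM", "POLY1305") for t in cipher_tokens)
    return {
        "forward_secrecy": kx_tokens[0] in ("ECDHE", "DHE"),
        "aead": aead,
        # For CBC suites the last token is the HMAC hash; bare "SHA" is SHA-1.
        "sha1_mac": not aead and cipher_tokens[-1] == "SHA",
        "needs_unlimited_policy": "AES_256" in name,
        "weak": any(t in WEAK_TOKENS for t in kx_tokens + cipher_tokens),
    }


def lint_ciphers(attr_value, allow_list=RECOMMENDED_JAVA8):
    """Check a comma separated ciphers value. Returns the accepted names in
    their original order plus per-suite rejections and warnings. Pass
    allow_list=None to skip the allow-list and only apply the generic rules."""
    accepted, rejected, warnings = [], {}, {}
    for raw in attr_value.split(","):
        name = raw.strip()
        if not name:
            continue
        info = suite_info(name)
        if info is None:
            rejected[name] = "not a JSSE suite name"
        elif info["weak"]:
            rejected[name] = "weak primitive"
        elif allow_list is not None and name not in allow_list:
            rejected[name] = "not on the allow-list"
        else:
            accepted.append(name)
            notes = []
            if not info["forward_secrecy"]:
                notes.append("no forward secrecy")
            if info["sha1_mac"]:
                notes.append("SHA-1 MAC, keep only for old clients")
            if info["needs_unlimited_policy"]:
                notes.append("AES-256: requires JCE Unlimited Strength policy")
            if notes:
                warnings[name] = notes
    return {"accepted": accepted, "rejected": rejected, "warnings": warnings}


if __name__ == "__main__":
    # Constructed attribute value mixing good, legacy and wrong entries.
    sample = ",".join((
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_SHA",
        "ECDHE-RSA-AES128-GCM-SHA256",
    ))
    report = lint_ciphers(sample)
    print('ciphers="%s"' % ",".join(report["accepted"]))
    for name, reason in report["rejected"].items():
        print("rejected %s: %s" % (name, reason))
    for name, notes in report["warnings"].items():
        print("warning  %s: %s" % (name, "; ".join(notes)))
```

Run it against the exact string you intend to paste into the connector; the printed ciphers="..." line is the cleaned value in the original order. The allow-list is the Java 8 group; for a Java 7 server pass the Java 7 group instead, or the linter will accept GCM suites the JVM cannot offer.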

References:

[1] https://docs.wso2.com/display/ADMIN44x/Configuring+Transport+Level+Security
[2] https://docs.wso2.com/display/ADMIN44x/Supported+Cipher+Suites

Enable TLS 1.2 for WSO2 Services

The following configuration changes need to be made in the service to allow TLS 1.2 only.
  • Enforce TLS 1.2 for the servlet transport, i.e. port 9443. Do the following in the /repository/conf/tomcat/catalina-server.xml file.
    • Find the Connector configuration corresponding to TLS (usually the connector with port set to 9443 and sslProtocol set to TLS). Remove the sslProtocol="TLS" attribute and replace it with sslEnabledProtocols="TLSv1.2", so that the connector reads as follows (the remaining attributes are unchanged).

        <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                   port="9443"
                   bindOnInit="false"
                   sslEnabledProtocols="TLSv1.2"
                   ... />

  • Enforce TLS 1.2 for the PassThrough transport, i.e. port 8243 (for example in the ESB). Do the following in the /repository/conf/axis2/axis2.xml file.
    • Add the HttpsProtocols parameter under both the https transportReceiver and the https transportSender, so that each of them contains the parameter as shown below. The sender setting governs outbound calls to back-end services, so every back end must accept TLS 1.2 before it is applied.

<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
    ...
    <parameter name="HttpsProtocols">TLSv1.2</parameter>
</transportReceiver>

<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    ...
    <parameter name="HttpsProtocols">TLSv1.2</parameter>
</transportSender>
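As an added check, not part of the original post or of the WSO2 distribution, the following Python script audits both files for the settings above: the port 9443 Connector in catalina-server.xml must carry sslEnabledProtocols listing only TLSv1.2 and must no longer carry sslProtocol, and in axis2.xml both the https transportReceiver and the https transportSender must carry an HttpsProtocols parameter equal to TLSv1.2. The XML documents embedded in the script are constructed for the example and contain only the elements the checks inspect, not the complete stock files.

```python
"""Audit WSO2 transport configuration for TLS 1.2-only settings.

Added example, not WSO2 code. audit_catalina() and audit_axis2() each return
a list of findings; an empty list means the file is compliant.
"""
import xml.etree.ElementTree as ET

ALLOWED_PROTOCOLS = frozenset({"TLSv1.2"})


def _protocol_set(value):
    """Split a comma separated protocol list into a set of names."""
    return {p.strip() for p in value.split(",") if p.strip()}


def audit_catalina(xml_text, port="9443"):
    """Check the TLS Connector on the given port in catalina-server.xml."""
    root = ET.fromstring(xml_text)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return ["no Connector on port %s" % port]
    findings = []
    for conn in connectors:
        if "sslProtocol" in conn.attrib:
            findings.append("sslProtocol attribute still present; remove it")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # Without this attribute the JVM default set applies, which
            # still includes TLS 1.0 and TLS 1.1.
            findings.append("sslEnabledProtocols missing")
        else:
            extra = _protocol_set(enabled) - ALLOWED_PROTOCOLS
            if extra:
                findings.append("sslEnabledProtocols allows "
                                + ", ".join(sorted(extra)))
    return findings


def audit_axis2(xml_text):
    """Check the https PassThrough receiver and sender in axis2.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("transportReceiver", "transportSender"):
        https = [t for t in root.iter(tag) if t.get("name") == "https"]
        if not https:
            findings.append("no https %s" % tag)
            continue
        for elem in https:
            params = [p for p in elem.findall("parameter")
                      if p.get("name") == "HttpsProtocols"]
            if not params:
                findings.append("%s https: HttpsProtocols parameter missing" % tag)
                continue
            extra = _protocol_set(params[0].text or "") - ALLOWED_PROTOCOLS
            if extra:
                findings.append("%s https: HttpsProtocols allows %s"
                                % (tag, ", ".join(sorted(extra))))
    return findings


# Constructed sample: the connector before the change, then after it.
CATALINA_BEFORE = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9763"/>
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443"
             bindOnInit="false" sslProtocol="TLS"/>
</Service></Server>"""

CATALINA_AFTER = CATALINA_BEFORE.replace('sslProtocol="TLS"',
                                         'sslEnabledProtocols="TLSv1.2"')

# Constructed sample: parameter added to the receiver only, then to both.
AXIS2_RECEIVER_ONLY = """<axisconfig>
  <transportReceiver name="https"
      class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
    <parameter name="port">8243</parameter>
    <parameter name="HttpsProtocols">TLSv1.2</parameter>
  </transportReceiver>
  <transportSender name="https"
      class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    <parameter name="non-blocking">true</parameter>
  </transportSender>
</axisconfig>"""

AXIS2_AFTER = AXIS2_RECEIVER_ONLY.replace(
    '<parameter name="non-blocking">true</parameter>',
    '<parameter name="non-blocking">true</parameter>\n'
    '    <parameter name="HttpsProtocols">TLSv1.2</parameter>')


if __name__ == "__main__":
    for label, result in (("catalina before", audit_catalina(CATALINA_BEFORE)),
                          ("catalina after", audit_catalina(CATALINA_AFTER)),
                          ("axis2 receiver only", audit_axis2(AXIS2_RECEIVER_ONLY)),
                          ("axis2 after", audit_axis2(AXIS2_AFTER))):
        print("%-20s %s" % (label, result or "OK"))
```

To audit the real files, read them with open() and pass the contents to the two functions. After restarting the server, confirm the change on the wire as well: openssl s_client -connect host:9443 -tls1 and -tls1_1 should fail the handshake, while -tls1_2 should succeed. Keep in mind that JDK 7 clients do not enable TLS 1.2 by default, so internal callers running on Java 7 will stop connecting until they are configured for it.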

Saturday, November 5, 2016

WSO2 APIM 2.0.0 DB Configuration

APIM 2.0.0 uses the following databases.

  • Local database (WSO2_CARBON_DB) – Local registry space specific to each APIM instance.
  • User Manager database (WSO2UM_DB) - Stores information related to users and user roles.
  • API Manager database (WSO2AM_DB) - Stores information related to the APIs along with the API subscription details.
  • Registry database (WSO2REG_DB) - Content store and metadata repository for SOA artifacts.
  • Statistics database (WSO2AM_STATS_DB) - Stores API statistics. Once APIM analytics is configured, it writes summarized data to this database.
  • Message Broker database (WSO2_MB_STORE_DB) - Used as the message store of the broker when advanced throttling is enabled, by the APIM instance acting as Traffic Manager. If there is more than one Traffic Manager node, each node must have its own message broker database.

Following are the databases required for APIM analytics.

  • WSO2_ANALYTICS_EVENT_STORE_DB - Analytics Record Store which stores event definitions
  • WSO2_ANALYTICS_PROCESSED_DATA_STORE_DB - Analytics Record Store which stores processed data
  • WSO2_GEO_LOCATION_DB - statistics generated for selected geographic locations
  • WSO2AM_STATS_DB – Store API statistics related data and this should be shared with APIM instances.
  • WSO2UM_DB – Stores information related to the users. This also should be shared with APIM instances.
  • WSO2_CARBON_DB – Local Database for the APIM Analytics.
  • WSO2REG_DB – Registry database for APIM analytics. A separate database can be configured, or WSO2_CARBON_DB itself can be used.

For two active-active all-in-one instances of WSO2 API Manager with analytics we can use DB connections as follows.