Hello !
Sure. Here is my api-manager.xml AM configuration file:
<APIManager>
<!-- JNDI name of the data source to be used by the API publisher, API
store and API
key manager. This data source should be defined in the
master-datasources.xml file
in conf/datasources directory. -->
<DataSourceName>jdbc/WSO2AM_DB</DataSourceName>
<!-- This parameter is used when adding api management capability to
other products like GReg, AS, DSS etc.-->
<!--GatewayType>Synapse</GatewayType-->
<GatewayType>None</GatewayType>
<!-- This parameter is used to enable the securevault support when try
to publish endpoint secured APIs. Values should be "true" or "false".
By default secure vault is disabled.-->
<EnableSecureVault>false</EnableSecureVault>
<!-- Authentication manager configuration for API publisher and API
store. This is
a required configuration for both web applications as their user
authentication
logic relies on this. -->
<AuthManager>
<!-- Server URL of the Authentication service -->
<!--ServerURL>https://localhost:
${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
<ServerURL>https://localhost:9448/services/</ServerURL>
<!-- Admin username for the Authentication manager. -->
<Username>${admin.username}</Username>
<!-- Admin password for the Authentication manager. -->
<Password>${admin.password}</Password>
<!-- Indicates whether the permissions checking of the user (on the
Publisher and Store) should be done
via a remote service. The check will be done on the local server
when false. -->
<CheckPermissionsRemotely>false</CheckPermissionsRemotely>
</AuthManager>
<JWTConfiguration>
<!-- Enable/Disable JWT generation. Default is false. -->
<!-- EnableJWTGeneration>false</EnableJWTGeneration-->
<!-- Name of the security context header to be added to the
validated requests. -->
<JWTHeader>X-JWT-Assertion</JWTHeader>
<!-- Fully qualified name of the class that will retrieve
additional user claims
to be appended to the JWT. If not specified no claims will be
appended.If user wants to add all user claims in the
jwt token, he needs to enable this parameter.
The DefaultClaimsRetriever class adds user claims from the
default carbon user store. -->
<!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->
<!-- The dialectURI under which the claimURIs that need to be
appended to the
JWT are defined. Not used with custom ClaimsRetriever
implementations. The
same value is used in the keys for appending the default
properties to the
JWT. -->
<!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->
<!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To
disable signing explicitly specify "NONE". -->
<!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->
<!-- This parameter specifies which implementation should be used
for generating the Token. JWTGenerator is the
default implementation provided. -->
<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>
<!-- This parameter specifies which implementation should be used
for generating the Token. For URL safe JWT
Token generation the implementation is provided in
URLSafeJWTGenerator -->
<!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->
<!-- Remove UserName from JWT Token -->
<!--
<RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
</JWTConfiguration>
<!-- Primary/secondary login configuration for APIstore. If user likes
to keep two login attributes in a distributed setup, to login the APIstore,
he should configure this section. Primary login doesn't have a claimUri
associated with it. But secondary login, which is a claim attribute,
is associated with a claimuri.-->
<!--LoginConfig>
<UserIdLogin primary="true">
<ClaimUri></ClaimUri>
</UserIdLogin>
<EmailLogin primary="false">
<ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
</EmailLogin>
</LoginConfig-->
<!-- Credentials for the API gateway admin server. This configuration
is mainly used by the API publisher and store to connect to the
API gateway and
create/update published API configurations. -->
<APIGateway>
<!-- The environments to which an API will be published -->
<Environments>
<!-- Environments can be of different types. Allowed values are
'hybrid', 'production' and 'sandbox'.
An API deployed on a 'production' type gateway will only
support production keys
An API deployed on a 'sandbox' type gateway will only
support sandbox keys
An API deployed on a 'hybrid' type gateway will support
both production and sandbox keys. -->
<!-- api-console element specifies whether the environment
should be listed in API Console or not -->
<Environment type="hybrid" api-console="true">
<Name>Production and Sandbox</Name>
<Description>This is a hybrid gateway that handles both
production and sandbox token traffic.</Description>
<!-- Server URL of the API gateway -->
<ServerURL>https://localhost:
${mgt.transport.https.port}${carbon.context}services/</ServerURL>
<!-- Admin username for the API gateway. -->
<Username>${admin.username}</Username>
<!-- Admin password for the API gateway.-->
<Password>${admin.password}</Password>
<!-- Endpoint URLs for the APIs hosted in this API
gateway.-->
<GatewayEndpoint>http://
${carbon.local.ip}:${http.nio.port},https://
${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
</Environment>
</Environments>
</APIGateway>
<CacheConfigurations>
<!-- Enable/Disable token caching at the Gateway-->
<EnableGatewayTokenCache>true</EnableGatewayTokenCache>
<!-- Enable/Disable API resource caching at the Gateway-->
<EnableGatewayResourceCache>true</EnableGatewayResourceCache>
<!-- Enable/Disable API key validation information caching at
key-management server -->
<EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache>
<!-- This parameter specifies whether Recently Added APIs will be
loaded from the cache or not.
If there are multiple API modification during a short time
period, better to disable cache. -->
<EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache>
<!-- JWT claims Cache expiry in seconds -->
<!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry-->
<!-- Expiry time for the apim key mgt validation info cache -->
<!--TokenCacheExpiry>900</TokenCacheExpiry-->
<!-- This parameter specifies the expiration time of the TagCache.
TagCache will
only be created when this element is uncommented. When the
specified
time duration gets elapsed ,tag cache will get re-generated.
-->
<!--TagCacheDuration>120000</TagCacheDuration-->
</CacheConfigurations>
<!--
API usage tracker configuration used by the DAS data publisher and
Google Analytics publisher in API gateway.
-->
<Analytics>
<!-- Enable Analytics for API Manager -->
<Enabled>false</Enabled>
<!-- Server URL of the remote DAS/CEP server used to collect
statistics. Must
be specified in protocol://hostname:port/ format.
An event can also be published to multiple Receiver Groups
each having 1 or more receivers. Receiver
Groups are delimited by curly braces whereas receivers are
delimited by commas.
Ex - Multiple Receivers within a single group
tcp://localhost:7612/,tcp://localhost:7613/,tcp://localhost:7614/
Ex - Multiple Receiver Groups with two receivers each
{tcp://localhost:7612/,tcp://localhost:7613},{tcp://localhost:7712/,tcp://localhost:7713/}
-->
<DASServerURL>{tcp://localhost:7612}</DASServerURL>
<!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
<!-- Administrator username to login to the remote DAS server. -->
<DASUsername>${admin.username}</DASUsername>
<!-- Administrator password to login to the remote DAS server. -->
<DASPassword>${admin.password}</DASPassword>
<!-- For APIM implemented Statistic client for RDBMS -->
<StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>
<!-- DAS REST API configuration -->
<DASRestApiURL>https://localhost:9444</DASRestApiURL>
<DASRestApiUsername>${admin.username}</DASRestApiUsername>
<DASRestApiPassword>${admin.password}</DASRestApiPassword>
<!-- Below property is used to skip trying to connect to event
receiver nodes when publishing events even if
the stats enabled flag is set to true. -->
<SkipEventReceiverConnection>false</SkipEventReceiverConnection>
<!-- API Usage Data Publisher. -->
<PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>
<!-- If below property set to true,then the response message size
will be calculated and publish
with each successful API invocation event. -->
<PublishResponseMessageSize>false</PublishResponseMessageSize>
<!-- Data publishing stream names and versions of API requests,
responses and faults. If the default values
are changed, the toolbox also needs to be changed accordingly.
-->
<Streams>
<Request>
<Name>org.wso2.apimgt.statistics.request</Name>
<Version>1.1.0</Version>
</Request>
<Response>
<Name>org.wso2.apimgt.statistics.response</Name>
<Version>1.1.0</Version>
</Response>
<Fault>
<Name>org.wso2.apimgt.statistics.fault</Name>
<Version>1.0.0</Version>
</Fault>
<Throttle>
<Name>org.wso2.apimgt.statistics.throttle</Name>
<Version>1.0.0</Version>
</Throttle>
<Workflow>
<Name>org.wso2.apimgt.statistics.workflow</Name>
<Version>1.0.0</Version>
</Workflow>
<ExecutionTime>
<Name>org.wso2.apimgt.statistics.execution.time</Name>
<Version>1.0.0</Version>
</ExecutionTime>
<AlertTypes>
<Name>org.wso2.analytics.apim.alertStakeholderInfo</Name>
<Version>1.0.0</Version>
</AlertTypes>
</Streams>
</Analytics>
<!--
API key validator configuration used by API key manager (IS), API
store and API gateway.
API gateway uses it to validate and authenticate users against the
provided API keys.
-->
<APIKeyValidator>
<!-- Server URL of the API key manager -->
<!--ServerURL>https://localhost:
${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
<ServerURL>https://localhost:9448/services/</ServerURL>
<!-- Admin username for API key manager. -->
<Username>${admin.username}</Username>
<!-- Admin password for API key manager. -->
<Password>${admin.password}</Password>
<!--Username>admin</Username>
<Password>admin</Password-->
<!-- Configurations related to enable thrift support for
key-management related communication.
If you want to switch back to Web Service Client, change the
value of "KeyValidatorClientType" to "WSClient".
In a distributed environment;
-If you are at the Gateway node, you need to point
"ThriftClientPort" value to the "ThriftServerPort" value given at
KeyManager node.
-If you need to start two API Manager instances in the same
machine, you need to give different ports to "ThriftServerPort" value in
two nodes.
-ThriftServerHost - Allows to configure a hostname for the
thrift server. It uses the carbon hostname by default.
-The Gateway uses this parameter to connect to the key validation
thrift service. -->
<KeyValidatorClientType>WSClient</KeyValidatorClientType>
<ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
<!--ThriftClientPort>10397</ThriftClientPort-->
<EnableThriftServer>false</EnableThriftServer>
<ThriftServerHost>localhost</ThriftServerHost>
<!--ThriftServerPort>10397</ThriftServerPort-->
<!--ConnectionPool>
<MaxIdle>100</MaxIdle>
<InitIdleCapacity>50</InitIdleCapacity>
</ConnectionPool-->
<!-- Specifies the implementation to be used for
KeyValidationHandler. Steps for validating a token can be controlled by
plugging in a
custom KeyValidation Handler -->
<KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
</APIKeyValidator>
<!-- Uncomment this section only if you are going to have an instance
other than KeyValidator as your KeyManager.
Unless a ThirdParty KeyManager is used, you don't need to
configure this section. -->
<!--APIKeyManager>
<KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl</KeyManagerClientImpl>
<Configuration>
<ServerURL>https://localhost:
${mgt.transport.https.port}${carbon.context}services/</ServerURL>
<Username>${admin.username}</Username>
<Password>${admin.password}</Password>
<TokenURL>https://
${carbon.local.ip}:${https.nio.port}/token</TokenURL>
<RevokeURL>https://
${carbon.local.ip}:${https.nio.port}/revoke</RevokeURL>
</Configuration>
</APIKeyManager-->
<OAuthConfigurations>
<!-- Remove OAuth headers from outgoing message. -->
<!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage-->
<!-- Scope used for marking Application Tokens. If a token is
generated with this scope, they will be treated as Application Access
Tokens -->
<ApplicationTokenScope>am_application_scope</ApplicationTokenScope>
<!-- All scopes under the ScopeWhitelist element are not
validating against roles that has assigned to it.
By default ^device_.* and openid scopes have been white listed
internally. -->
<!--ScopeWhitelist>
<Scope>^device_.*</Scope>
<Scope>openid</Scope>
</ScopeWhitelist-->
<!-- Name of the token API -->
<TokenEndPointName>/oauth2/token</TokenEndPointName>
<!-- This the API URL for revoke API. When we revoke tokens revoke
requests should go through this
API deployed in API gateway. Then it will do cache
invalidations related to revoked tokens.
In distributed deployment we should configure this property in
key manager node by pointing
gateway https( /http, we recommend users to use 'https'
endpoints for security purpose) url.
Also please note that we should point gateway revoke service
to key manager -->
<RevokeAPIURL>https://localhost:
${https.nio.port}/revoke</RevokeAPIURL>
<!-- Whether to encrypt tokens when storing in the Database
Note: If changing this value to true, change the value of
<TokenPersistenceProcessor> to
org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor
in the identity.xml -->
<EncryptPersistedTokens>false</EncryptPersistedTokens>
</OAuthConfigurations>
<!-- Settings related to managing API access tiers. -->
<TierManagement>
<!-- Enable the providers to expose their APIs over the special
'Unlimited' tier which
basically disables tier based throttling for the specified
APIs. -->
<EnableUnlimitedTier>true</EnableUnlimitedTier>
</TierManagement>
<!-- API Store Related Configurations -->
<APIStore>
<!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
<!--This property is used to indicate how we do user name
comparision for token generation
https://wso2.org/jira/browse/APIMANAGER-2225-->
<CompareCaseInsensitively>true</CompareCaseInsensitively>
<DisplayURL>false</DisplayURL>
<URL>https://localhost:${mgt.transport.https.port}/store</URL>
<!-- Server URL of the API Store. -->
<ServerURL>https://localhost:
${mgt.transport.https.port}${carbon.context}services/</ServerURL>
<!-- Admin username for API Store. -->
<Username>${admin.username}</Username>
<!-- Admin password for API Store. -->
<Password>${admin.password}</Password>
<!-- This parameter specifies whether to display multiple versions
of same
API or only showing the latest version of an API. -->
<DisplayMultipleVersions>false</DisplayMultipleVersions>
<!-- This parameter specifies whether to display all the APIs
[which are having DEPRECATED/PUBLISHED status] or only display
the APIs
with having their status is as 'PUBLISHED' -->
<DisplayAllAPIs>false</DisplayAllAPIs>
<!-- Uncomment this to limit the number of APIs in api the API
Store -->
<!--APIsPerPage>5</APIsPerPage-->
<!-- This parameter specifies whether to display the comment
editing facility or not.
Default is "true". If user wants to disable, he must set this
param as "false" -->
<DisplayComments>true</DisplayComments>
<!-- This parameter specifies whether to display the ratings or
not.
Default is "true". If user wants to disable, he must set this
param as "false" -->
<DisplayRatings>true</DisplayRatings>
<!--set isStoreForumEnabled to false for disable forum in store-->
<!--isStoreForumEnabled>false</isStoreForumEnabled-->
</APIStore>
<APIPublisher>
<DisplayURL>false</DisplayURL>
<URL>https://localhost:${mgt.transport.https.port}/publisher</URL>
<!-- This parameter specifies enabling the capability of setting
API documentation level granular visibility levels.
By default any document associate with an API will have the
same permissions set as the API.With enabling below
property,it will show two additional permission levels as
visible only to all registered users in a particular
domain or only visible to API doc creator -->
<!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilityLevels-->
<!-- Uncomment this to limit the number of APIs in api the API
Publisher -->
<!--APIsPerPage>30</APIsPerPage-->
</APIPublisher>
<!-- Status observers can be registered against the API Publisher to
listen for
API status update events. Each observer must implement the
APIStatusObserver
interface. Multiple observers can be engaged if necessary and in
such situations
they will be notified in the order they are defined here.
This configuration is unused from API Manager version 1.10.0 -->
<!--StatusObservers>
<Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggingObserver</Observer>
</StatusObservers-->
<!-- Use this configuration Create APIs at the Server startup -->
<StartupAPIPublisher>
<!-- Enable/Disable the API Startup Publisher -->
<Enabled>false</Enabled>
<!-- Configuration to create APIs for local endpoints.
Endpoint will be computed as http://
${carbon.local.ip}:${mgt.transport.http.port}/Context.
Define many LocalAPI elements as below to create many APIs
for local Endpoints.
IconPath should be relative to CARBON_HOME. -->
<LocalAPIs>
<LocalAPI>
<Context>/resource</Context>
<Provider>admin</Provider>
<Version>1.0.0</Version>
<IconPath>none</IconPath>
<DocumentURL>none</DocumentURL>
<AuthType>Any</AuthType>
</LocalAPI>
</LocalAPIs>
<!-- Configuration to create APIs for remote endpoints.
When Endpoint need to be defined use this configuration.
Define many API elements as below to create many APIs
for external Endpoints.
If you do not need to add Icon or Documentation set
'none' as the value for IconPath & DocumentURL. -->
<!--APIs>
<API>
<Context>/resource</Context>
<Endpoint>http://localhost:9764/resource</Endpoint>
<Provider>admin</Provider>
<Version>1.0.0</Version>
<IconPath>none</IconPath>
<DocumentURL>none</DocumentURL>
<AuthType>Any</AuthType>
</API>
</APIs-->
</StartupAPIPublisher>
<!-- Configuration to enable/disable sending CORS headers in the
Gateway response
and define the Access-Control-Allow-Origin header value.-->
<CORSConfiguration>
<!-- Configuration to enable/disable sending CORS headers from the
Gateway-->
<Enabled>true</Enabled>
<!-- The value of the Access-Control-Allow-Origin header. Default
values are
API Store addresses, which is needed for swagger to function.
-->
<Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
<!-- Configure Access-Control-Allow-Methods -->
<Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>
<!-- Configure Access-Control-Allow-Headers -->
<Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>
<!-- Configure Access-Control-Allow-Credentials -->
<!-- Specifying this header to true means that the server allows
cookies (or other user credentials) to be included on cross-origin requests.
It is false by default and if you set it to true then make
sure that the Access-Control-Allow-Origin header does not contain the
wildcard (*) -->
<Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
</CORSConfiguration>
<!-- This property is there to configure velocity log output into
existing Log4j carbon Logger.
You can enable this and set preferable Logger name. -->
<!-- VelocityLogger>VELOCITY</VelocityLogger -->
<RESTAPI>
<!--Configure white-listed URIs of REST API. Accessing white-listed
URIs does not require credentials (does not require Authorization header).
-->
<WhiteListedURIs>
<WhiteListedURI>
<URI>/api/am/publisher/{version}/swagger.json</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/swagger.json</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/admin/{version}/swagger.json</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/apis</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/apis/{apiId}</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/apis/{apiId}/swagger</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/apis/{apiId}/thumbnail</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/tags</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
<WhiteListedURI>
<URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
<HTTPMethods>GET,HEAD</HTTPMethods>
</WhiteListedURI>
</WhiteListedURIs>
<ETagSkipList>
<ETagSkipURI>
<URI>/api/am/store/{version}/apis</URI>
<HTTPMethods>GET</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/store/{version}/apis/generate-sdk</URI>
<HTTPMethods>POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
<HTTPMethods>GET</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/store/{version}/applications</URI>
<HTTPMethods>GET</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/store/{version}/applications/generate-keys</URI>
<HTTPMethods>POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/store/{version}/subscriptions</URI>
<HTTPMethods>GET,POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/store/{version}/tags</URI>
<HTTPMethods>GET</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
<HTTPMethods>GET</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
<HTTPMethods>GET</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/apis</URI>
<HTTPMethods>GET,POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/apis/{apiId}</URI>
<HTTPMethods>GET,DELETE,PUT</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/apis/{apiId}/swagger</URI>
<HTTPMethods>GET,PUT</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/apis/{apiId}/thumbnail</URI>
<HTTPMethods>GET,POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/apis/{apiId}/change-lifecycle</URI>
<HTTPMethods>POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/apis/{apiId}/copy-api</URI>
<HTTPMethods>POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/applications/{applicationId}</URI>
<HTTPMethods>GET</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/apis/{apiId}/documents</URI>
<HTTPMethods>GET,POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}/content</URI>
<HTTPMethods>GET,POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}</URI>
<HTTPMethods>GET,PUT,DELETE</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/environments</URI>
<HTTPMethods>GET</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/subscriptions</URI>
<HTTPMethods>GET</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/subscriptions/block-subscription</URI>
<HTTPMethods>POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/subscriptions/{subscriptionId}</URI>
<HTTPMethods>GET</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/subscriptions/unblock-subscription</URI>
<HTTPMethods>POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI>
<HTTPMethods>GET,POST</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/tiers/{tierLevel}/{tierName}</URI>
<HTTPMethods>GET,PUT,DELETE</HTTPMethods>
</ETagSkipURI>
<ETagSkipURI>
<URI>/api/am/publisher/{version}/tiers/update-permission</URI>
<HTTPMethods>POST</HTTPMethods>
</ETagSkipURI>
</ETagSkipList>
</RESTAPI>
<ThrottlingConfigurations>
<EnableAdvanceThrottling>true</EnableAdvanceThrottling>
<DataPublisher>
<Enabled>true</Enabled>
<Type>Binary</Type>
<ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
<AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
<Username>${admin.username}</Username>
<Password>${admin.password}</Password>
<DataPublisherPool>
<MaxIdle>1000</MaxIdle>
<InitIdleCapacity>200</InitIdleCapacity>
</DataPublisherPool>
<DataPublisherThreadPool>
<CorePoolSize>200</CorePoolSize>
<MaxmimumPoolSize>1000</MaxmimumPoolSize>
<KeepAliveTime>200</KeepAliveTime>
</DataPublisherThreadPool>
</DataPublisher>
<PolicyDeployer>
<ServiceURL>https://localhost:
${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
<Username>${admin.username}</Username>
<Password>${admin.password}</Password>
</PolicyDeployer>
<BlockCondition>
<Enabled>true</Enabled>
<!--InitDelay>300000</InitDelay>
<Period>3600000</Period-->
</BlockCondition>
<JMSConnectionDetails>
<Enabled>true</Enabled>
<ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
<Username>${admin.username}</Username>
<Password>${admin.password}</Password>
<Destination>throttleData</Destination>
<!--InitDelay>300000</InitDelay-->
<JMSConnectionParameters>
<transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
<transport.jms.DestinationType>topic</transport.jms.DestinationType>
<java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
<connectionfactory.TopicConnectionFactory>amqp://${jms.username}:${jms.password}@clientid
/carbon?brokerlist='${jms.url}'</connectionfactory.TopicConnectionFactory>
</JMSConnectionParameters>
<JMSTaskManager>
<MinThreadPoolSize>20</MinThreadPoolSize>
<MaxThreadPoolSize>100</MaxThreadPoolSize>
<KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
<JobQueueSize>10</JobQueueSize>
</JMSTaskManager>
</JMSConnectionDetails>
<JMSEventPublisherParameters>
<java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
<java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
<transport.jms.DestinationType>topic</transport.jms.DestinationType>
<transport.jms.Destination>throttleData</transport.jms.Destination>
<transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
<transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
</JMSEventPublisherParameters>
<!--DefaultLimits>
<SubscriptionTierLimits>
<Gold>5000</Gold>
<Silver>2000</Silver>
<Bronze>1000</Bronze>
<Unauthenticated>60</Unauthenticated>
</SubscriptionTierLimits>
<ApplicationTierLimits>
<50PerMin>50</50PerMin>
<20PerMin>20</20PerMin>
<10PerMin>10</10PerMin>
</ApplicationTierLimits>
<ResourceLevelTierLimits>
<50KPerMin>50000</50KPerMin>
<20KPerMin>20000</20KPerMin>
<10KPerMin>10000</10KPerMin>
</ResourceLevelTierLimits>
</DefaultLimits-->
<EnableUnlimitedTier>true</EnableUnlimitedTier>
<EnableHeaderConditions>false</EnableHeaderConditions>
<EnableJWTClaimConditions>false</EnableJWTClaimConditions>
<EnableQueryParamConditions>false</EnableQueryParamConditions>
</ThrottlingConfigurations>
<WorkflowConfigurations>
<Enabled>false</Enabled>
<ServerUrl>https://localhost:9445/bpmn</ServerUrl>
<ServerUser>${admin.username}</ServerUser>
<ServerPassword>${admin.password}</ServerPassword>
<WorkflowCallbackAPI>https://localhost:
${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
<TokenEndPoint>https://localhost:
${https.nio.port}/token</TokenEndPoint>
<DCREndPoint>https://localhost:
${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
<DCREndPointUser>${admin.username}</DCREndPointUser>
<DCREndPointPassword>${admin.password}</DCREndPointPassword>
</WorkflowConfigurations>
<SwaggerCodegen>
<ClientGeneration>
<GroupId>org.wso2</GroupId>
<ArtifactId>org.wso2.client.</ArtifactId>
<ModelPackage>org.wso2.client.model.</ModelPackage>
<ApiPackage>org.wso2.client.api.</ApiPackage>
<!-- Configure supported languages/Frameworks as comma
separated values,
Supported Languages/Frameworks : android, java, scala, csharp,
cpp, dart, flash, go, groovy, javascript, jmeter,
nodejs, perl, php, python, ruby, swift, clojure, aspNet5,
asyncScala, spring, csharpDotNet2, haskell-->
<SupportedLanguages>java,android</SupportedLanguages>
</ClientGeneration>
</SwaggerCodegen>
</APIManager>
Do you need my IS one, too?
Regards,
Thomas
2017-06-15 22:16 GMT+02:00 Farasath Ahamed <[email protected]>:
> Would be better if you could share the api-manager.xml configuration file
> to see if there are any errors in configs.
>
>
>
>
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>
>
>
>
> On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <
> [email protected]> wrote:
>
>> Hello again,
>>
>> I followed the tutorial in [1] to configure my Identity Server (IS) as a
>> key manager for my API Manager (AM). When I create my Production & Sandbox
>> applications in the AM, I can see service providers created in the IS. I
>> configures them to use SAML to retrieve informations like the roles, if the
>> authentication is successfull. And I can "exchange" my SAML assertion for a
>> OAuth token. So, everything is cool, here.
>>
>> But, when I try to reuse this OAuth token to access to a resource via the
>> AM, it rejects me with this sweet message:
>>
>> <ams:fault xmlns:ams="http://wso2.org/apimanager/security";>
>> <ams:code>900900</ams:code>
>> <ams:message>Unclassified Authentication Failure</ams:message>
>> <ams:description>Resource forbidden</ams:description>
>> </ams:fault>
>>
>> But no errors in the logs but just a WARN. So, I activated the DEBUG mode
>> and then, I can see some intersting things:
>>
>> [2017-06-15 16:44:52,954] WARN - APIAuthenticationHandler API
>> authentication failure due to Unclassified Authentication Failure
>> [2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API
>> authentication failed with error 900900
>> org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException:
>> Resource forbidden
>> at org.wso2.carbon.apimgt.gateway.handlers.security.keys.
>> WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
>> at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValid
>> ator.doGetKeyValidationInfo(APIKeyValidator.java:253)
>> at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValid
>> ator.getKeyValidationInfo(APIKeyValidator.java:209)
>> at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.
>> OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
>> at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenti
>> cationHandler.handleRequest(APIAuthenticationHandler.java:117)
>> at org.apache.synapse.rest.API.process(API.java:325)
>> at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RES
>> TRequestHandler.java:90)
>> at org.apache.synapse.rest.RESTRequestHandler.process(RESTReque
>> stHandler.java:69)
>> at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.inject
>> Message(Axis2SynapseEnvironment.java:304)
>> at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive
>> (SynapseMessageReceiver.java:78)
>> at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:
>> 180)
>> at org.apache.synapse.transport.passthru.ServerWorker.processNo
>> nEntityEnclosingRESTHandler(ServerWorker.java:325)
>> at org.apache.synapse.transport.passthru.ServerWorker.run(Serve
>> rWorker.java:158)
>> at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.
>> run(NativeWorkerPool.java:172)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by:
>> org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException:
>> Error while accessing backend services for API key validation
>> at org.wso2.carbon.apimgt.gateway.handlers.security.keys.
>> APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
>> at org.wso2.carbon.apimgt.gateway.handlers.security.keys.
>> WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
>> ... 16 more
>> Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault:
>> Mapping qname not fond for the package: java.util
>>
>> From here, I don't know what to do since I tried some fancy URLs for the
>> ServerURL value in the elements AuthManager and APIKeyValidator.
>> My IS has an offset of 5 so the port is 9448. Here is the URL I used to
>> point to the IS server: https://localhost:9448/services/
>>
>> Is there a way to know in which URL the IS deploy its Key Manager feature
>> web services (WS)?
>> Should I reinstall the Key Manager feature in the IS?
>>
>> Regards,
>>
>> Thomas
>>
>> [1] https://docs.wso2.com/display/AM210/Configuring+WSO2+
>> Identity+Server+as+a+Key+Manager
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
