WSO2 IS 5.8.0 dashboard via NGINX
The WSO2 Identity Server dashboard lets end users manage their profile and account, view their sessions, revoke or update their password, manage their OpenID profile, and so on.
When you front an Identity Server older than 5.8.0 with a load balancer, you sometimes get “SSL Peer failed hostname validation for name ”. Since the dashboard is a web app running inside the Identity Server, it needs to call the Identity Server admin service URLs. When the server is fronted by a load balancer, those backend service calls go through the load balancer, so if no hostname is configured in carbon.xml, the SSL hostname validation fails.
To remove this complexity, the current product-is (IS 5.8) routes all backend service calls over the local transport, so this hostname validation no longer fails.
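The failure described above is ordinary TLS hostname verification: the name the dashboard dials (the HostName from carbon.xml, or localhost when none is set) has to appear as a DNS or IP entry in the certificate the load balancer presents. The following added example, which is not part of WSO2 IS or of this post, implements RFC 6125-style matching with constructed SAN lists so the mismatch can be reproduced offline.

```python
"""RFC 6125-style hostname matching, to show why the dashboard's backend
calls fail when they go through the load balancer: the name the dashboard
dials (the HostName from carbon.xml, 'localhost' when unset) must match a
DNS or IP entry in the certificate the balancer presents. Added example,
not WSO2 code; the SAN lists are constructed."""
import ipaddress
from typing import Iterable

# Constructed: names the load balancer certificate is issued for.
LB_CERT_SANS = ["DNS:ssl.wso2.is.com", "DNS:*.wso2.is.com"]


def _same_ip(text: str, ip) -> bool:
    try:
        return ipaddress.ip_address(text) == ip
    except ValueError:
        return False


def hostname_matches(host: str, cert_sans: Iterable[str]) -> bool:
    """True if host matches a 'DNS:<name>' or 'IP:<addr>' entry of the certificate."""
    host = host.rstrip(".").lower()
    entries = [tuple(s.split(":", 1)) for s in cert_sans if ":" in s]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only IP entries; a DNS name never covers an address.
        return any(kind.lower() == "ip" and _same_ip(value, ip) for kind, value in entries)
    host_labels = host.split(".")
    for kind, pattern in entries:
        if kind.lower() != "dns":
            continue
        labels = pattern.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard covers exactly one label, never several
        # A wildcard is only valid as the whole leftmost label and needs at
        # least two more labels behind it (no "*.com", no "f*.example.com").
        if any("*" in l for l in labels[1:]) or ("*" in labels[0] and labels[0] != "*"):
            continue
        if labels[0] == "*" and len(labels) < 3:
            continue
        if all(p == "*" or p == h for p, h in zip(labels, host_labels)):
            return True
    return False


if __name__ == "__main__":
    # 'localhost' is what IS dials when carbon.xml has no HostName configured.
    for name in ("localhost", "ssl.wso2.is.com", "dashboard.wso2.is.com"):
        verdict = "ok" if hostname_matches(name, LB_CERT_SANS) else "hostname validation fails"
        print(f"{name}: {verdict}")
```

Running it shows the exact situation from the paragraph: "localhost" fails against a balancer certificate issued for ssl.wso2.is.com, while the configured hostname (or a name covered by a single-label wildcard) passes.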
Configuring NGINX
Creating a self-signed certificate for the load balancer and importing it
- Create a new self-signed certificate
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out <LB_Public crt>
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out nginx.pem
- Import the generated certificate into the truststore (client-truststore.jks) of the Identity Server (wso2carbon is the default password of the truststore shipped with the product).
keytool -import -trustcacerts -alias <LB_Alias> -file <LB_Public crt> -keystore client-truststore.jks -storepass wso2carbon
keytool -importcert -file nginx.pem -keystore client-truststore.jks -alias "nginx" -storepass wso2carbon
Configure NGINX as follows
upstream ssl.wso2.is.com {
    server localhost:9443;
}

server {
    listen 443;
    server_name wso2.is.com;
    ssl on;   # deprecated in newer NGINX releases; use "listen 443 ssl;" instead
    ssl_certificate /etc/nginx/ssl/wrk.crt;
    ssl_certificate_key /etc/nginx/ssl/wrk.key;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass https://ssl.wso2.is.com;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
1. If reverse proxy is not enabled in the load balancer/firewall
Then we need to enable the reverse proxy on the IS side.
If a reverse proxy cannot be enabled in the load balancer, you can enable it from WSO2 Identity Server itself by changing the proxy host in the carbon.xml file and the proxy port in the catalina-server.xml file.
1.1. Configuring Proxy Port
By default WSO2 Identity Server runs on port 9443. Here I explain how to configure a proxy port of 443.
- Open the <IS-HOME>/repository/conf/tomcat/catalina-server.xml file and add the proxy port 443 to the HTTPS connector as follows.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           proxyPort="443"
1.2. Configuring Proxy Host
- Open the <IS-HOME>/repository/conf/carbon.xml file and configure the hostname (and the management hostname) as follows
<HostName>ssl.wso2.is.com</HostName>
If you have configured the proxy host and port, the dashboard works without any further configuration. In this setup, however, the backend service URLs also pass through the proxy. To avoid that, configuration options for using local transport calls were added.
So if you do not want the backend service calls to go through the proxy, configure the following in the site.json files. site.json also lets you define the path used for the backend service calls.
1.3. Configuring the dashboard and portal to use local transport for backend service calls
In the site.json file in the <IS_HOME>/repository/deployment/server/jaggeryapps/dashboard/conf/ directory, configure serviceOrigin (the backend service URL).
  "service" : {
    "serviceOrigin" : "https://localhost:9443"
  },
  "proxy" : {
    "proxyHost" : "",
    "proxyHTTPSPort" : "",
    "proxyContextPath" : "",
    "servicePath" : "/services"
  }
Similarly, in <IS_HOME>/repository/deployment/server/jaggeryapps/portal/conf/site.json change serviceOrigin (the backend service URL) as well.
  "service" : {
    "serviceOrigin" : "https://localhost:9443"
  },
  "proxy" : {
    "proxyHost" : "",
    "proxyHTTPSPort" : "",
    "proxyContextPath" : ""
  },
  "fido" : {
    "appId" : ""
  }
2. If reverse proxy is enabled in the load balancer
Then we don't need to enable the reverse proxy on the IS side.
2.1. Configuring sso-idp-config.xml
- Open <IS_HOME>/repository/conf/identity/sso-idp-config.xml and modify <AssertionConsumerServiceURL> and <DefaultAssertionConsumerServiceURL>.
Currently they are:
<AssertionConsumerServiceURL>${carbon.protocol}://${carbon.host}:${carbon.management.port}/dashboard/acs</AssertionConsumerServiceURL>
<DefaultAssertionConsumerServiceURL>${carbon.protocol}://${carbon.host}:${carbon.management.port}/dashboard/acs</DefaultAssertionConsumerServiceURL>
Replace ${carbon.host} with your load balancer's hostname and ${carbon.management.port} with your load balancer's port.
Now they are:
<AssertionConsumerServiceURL>${carbon.protocol}://ssl.wso2.is.com:443/dashboard/acs</AssertionConsumerServiceURL>
<DefaultAssertionConsumerServiceURL>${carbon.protocol}://ssl.wso2.is.com:443/dashboard/acs</DefaultAssertionConsumerServiceURL>
2.2. Configuring SAML.IdPUrl in dashboard
- Open <IS_HOME>/deployment/webapps/dashboard/authentication/auth_config.json and go to the "saml_config" element. We have to modify SAML.IdPUrl. Currently it is "SAML.IdPUrl" : "samlsso",
With my configuration it becomes
"SAML.IdPUrl" : "https://ssl.wso2.is.com:443/samlsso",
2.3. Configuring proxy host and proxy port in dashboard
- In the site.json file in the <IS_HOME>/repository/deployment/server/jaggeryapps/dashboard/conf/ directory, configure the proxy hostname and port
  "service" : {
    "serviceOrigin" : "${carbon.protocol}://${carbon.host}:${carbon.management.port}"
  },
  "proxy" : {
    "proxyHost" : "ssl.wso2.is.com",
    "proxyHTTPSPort" : "443",
    "proxyContextPath" : "",
    "servicePath" : "/services"
  }
- Similarly, in <IS_HOME>/repository/deployment/server/jaggeryapps/portal/conf/site.json change the proxy hostname and port as well.
  "service" : {
    "serviceOrigin" : "${carbon.protocol}://${carbon.host}:${carbon.management.port}"
  },
  "proxy" : {
    "proxyHost" : "ssl.wso2.is.com",
    "proxyHTTPSPort" : "443",
    "proxyContextPath" : ""
  },
  "fido" : {
    "appId" : ""
  }