Account Locking with WSO2 API Manager – 2.0.0
Account locking is a part of Account and Credential Management in Identity Governance and Administration.
Let's see how to install the Account Locking feature with WSO2 API Manager.
Note: before you make any changes,
- Shut down the APIM server (if it is already running).
- Keep a backup of your identity.xml (APIM_HOME/repository/conf/identity/identity.xml) file beforehand.
- Save the following content as a pom.xml file and replace all the APIM_HOME locations inside the pom file with your APIM location (there are 3 places).
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.wso2.dev</groupId>
  <artifactId>dev-feature-addons</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>
  <name>WSO2 Feature addons for DEV</name>
  <url>http://wso2.org</url>
  <build>
    <plugins>
      <plugin>
        <groupId>org.wso2.maven</groupId>
        <artifactId>carbon-p2-plugin</artifactId>
        <version>1.5.8</version>
        <executions>
          <execution>
            <id>uninstall-feature</id>
            <phase>package</phase>
            <goals>
              <goal>p2-profile-gen</goal>
            </goals>
            <configuration>
              <profile>default</profile>
              <metadataRepository>http://product-dist.wso2.com/p2/carbon/releases/wilkes/</metadataRepository>
              <artifactRepository>http://product-dist.wso2.com/p2/carbon/releases/wilkes/</artifactRepository>
              <destination>APIM_HOME/repository/components</destination>
              <deleteOldProfileFiles>false</deleteOldProfileFiles>
              <uninstall>true</uninstall>
              <features>
                <feature>
                  <id>org.wso2.carbon.security.mgt.server.feature.group</id>
                  <version>5.2.0</version>
                </feature>
                <feature>
                  <id>org.wso2.carbon.security.mgt.ui.feature.group</id>
                  <version>5.2.0</version>
                </feature>
                <feature>
                  <id>org.wso2.carbon.security.mgt.feature.group</id>
                  <version>5.2.0</version>
                </feature>
                <feature>
                  <id>org.wso2.carbon.identity.core.feature.group</id>
                  <version>5.2.0</version>
                </feature>
              </features>
            </configuration>
          </execution>
          <execution>
            <id>feature-install</id>
            <phase>package</phase>
            <goals>
              <goal>p2-profile-gen</goal>
            </goals>
            <configuration>
              <profile>default</profile>
              <metadataRepository>http://product-dist.wso2.com/p2/carbon/releases/wilkes/</metadataRepository>
              <artifactRepository>http://product-dist.wso2.com/p2/carbon/releases/wilkes/</artifactRepository>
              <destination>APIM_HOME/repository/components</destination>
              <deleteOldProfileFiles>false</deleteOldProfileFiles>
              <features>
                <feature>
                  <id>org.wso2.carbon.security.mgt.ui.feature.group</id>
                  <version>5.2.2</version>
                </feature>
                <feature>
                  <id>org.wso2.carbon.security.mgt.server.feature.group</id>
                  <version>5.2.2</version>
                </feature>
                <feature>
                  <id>org.wso2.carbon.security.mgt.feature.group</id>
                  <version>5.2.2</version>
                </feature>
                <feature>
                  <id>org.wso2.carbon.identity.core.feature.group</id>
                  <version>5.2.2</version>
                </feature>
                <feature>
                  <id>org.wso2.carbon.identity.mgt.feature.group</id>
                  <version>5.2.2</version>
                </feature>
              </features>
            </configuration>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-antrun-plugin</artifactId>
        <version>1.1</version>
        <executions>
          <execution>
            <phase>package</phase>
            <configuration>
              <tasks>
                <replace token="false" value="true" dir="APIM_HOME/repository/components/default/configuration/org.eclipse.equinox.simpleconfigurator">
                  <include name="**/bundles.info"/>
                </replace>
              </tasks>
            </configuration>
            <goals>
              <goal>run</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  <repositories>
    <repository>
      <id>wso2-nexus</id>
      <name>WSO2 internal Repository</name>
      <url>http://maven.wso2.org/nexus/content/groups/wso2-public/</url>
      <releases>
        <enabled>true</enabled>
        <updatePolicy>daily</updatePolicy>
        <checksumPolicy>ignore</checksumPolicy>
      </releases>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>wso2-maven-releases-repository</id>
      <url>http://maven.wso2.org/nexus/content/repositories/releases/</url>
    </pluginRepository>
  </pluginRepositories>
</project>
As you can see from the two executions, this uninstalls the older security/identity features and then installs/updates the feature versions required for account locking.
1. Run the pom file using mvn clean install. This will install/update the required feature versions related to account locking. If you get an exception like - /components/artifacts.xml (No such file or directory), don't worry.
Then open APIM_HOME/repository/conf/identity/identity.xml and make the following changes.
2. Change the DataSource name to <Name>jdbc/WSO2AM_DB</Name> (it will currently be WSO2CarbonDB).
3. Replace the SupportedGrantTypes element with the following:
<SupportedGrantTypes>
  <SupportedGrantType>
    <GrantTypeName>authorization_code</GrantTypeName>
    <GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
  </SupportedGrantType>
  <SupportedGrantType>
    <GrantTypeName>password</GrantTypeName>
    <GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler</GrantTypeHandlerImplClass>
  </SupportedGrantType>
  <SupportedGrantType>
    <GrantTypeName>refresh_token</GrantTypeName>
    <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
  </SupportedGrantType>
  <SupportedGrantType>
    <GrantTypeName>client_credentials</GrantTypeName>
    <GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
  </SupportedGrantType>
  <SupportedGrantType>
    <GrantTypeName>urn:ietf:params:oauth:grant-type:saml2-bearer</GrantTypeName>
    <GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedSAML2BearerGrantHandler</GrantTypeHandlerImplClass>
  </SupportedGrantType>
  <SupportedGrantType>
    <GrantTypeName>iwa:ntlm</GrantTypeName>
    <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth.common.NTLMAuthenticationValidator</GrantTypeValidatorImplClass>
    <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.iwa.ntlm.NTLMAuthenticationGrantHandlerWithHandshake</GrantTypeHandlerImplClass>
  </SupportedGrantType>
</SupportedGrantTypes>
4. Change the OAuthCallbackHandlers and add the OAuthScopeValidator as follows:
<OAuthCallbackHandlers>
  <OAuthCallbackHandler Class="org.wso2.carbon.apimgt.keymgt.util.APIManagerOAuthCallbackHandler"/>
</OAuthCallbackHandlers>
<OAuthScopeValidator class="org.wso2.carbon.identity.oauth2.validators.JDBCScopeValidator"/>
5. In the EventListeners section, set the following listeners to "true":
- org.wso2.carbon.user.mgt.workflow.userstore.UserStoreActionListener
- org.wso2.carbon.identity.mgt.IdentityMgtEventListener
- org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener
6. After making the above changes, set the following in identity-mgt.properties (in the same directory):
- Notification.Expire.Time=20
- UserAccount.Verification.Enable=true
- Authentication.Policy.Enable=true
- Authentication.Policy.Account.Lock.Time=2
- Authentication.Policy.Account.Lock.On.Failure=true
- Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=3
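As an added pre-start check (not part of the original post or of WSO2's own tooling), the following Python script verifies that the DataSource, EventListeners and identity-mgt.properties changes above were actually applied, and reports what is still missing. It assumes identity.xml declares a default namespace and that the listeners appear as <EventListener name="..." enable="..."/> elements; the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET
REQUIRED_LISTENERS = {
    "org.wso2.carbon.user.mgt.workflow.userstore.UserStoreActionListener",
    "org.wso2.carbon.identity.mgt.IdentityMgtEventListener",
    "org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener",
}
REQUIRED_PROPS = {
    "Authentication.Policy.Enable": "true",
    "Authentication.Policy.Account.Lock.On.Failure": "true",
    "Authentication.Policy.Account.Lock.On.Failure.Max.Attempts": "3",
    "Authentication.Policy.Account.Lock.Time": "2",
}

def _local(tag):
    # identity.xml declares a default namespace, so compare local element names only
    return tag.split("}")[-1]
def check_identity_xml(xml_text):
    """Return the problems found in identity.xml (an empty list means the edits are in place)."""
    root = ET.fromstring(xml_text)
    names = [c.text.strip() for e in root.iter() if _local(e.tag) == "DataSource"
             for c in e if _local(c.tag) == "Name" and c.text]
    problems = [] if "jdbc/WSO2AM_DB" in names else ["DataSource Name is %s, expected jdbc/WSO2AM_DB" % names]
    # assumption: listeners appear as <EventListener name="..." enable="true"/> elements
    enabled = {e.get("name") for e in root.iter()
               if _local(e.tag) == "EventListener" and e.get("enable") == "true"}
    problems += ["EventListener not enabled: " + name for name in sorted(REQUIRED_LISTENERS - enabled)]
    return problems
def check_properties(props_text):
    """Return the problems found in identity-mgt.properties (an empty list means OK)."""
    props = {}
    for line in props_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return ["%s should be %s, found %s" % (key, want, props.get(key))
            for key, want in sorted(REQUIRED_PROPS.items()) if props.get(key) != want]

# Constructed sample inputs: DataSource not renamed, one listener still disabled, Max.Attempts left at 5.
SAMPLE_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <JDBCPersistenceManager><DataSource><Name>jdbc/WSO2CarbonDB</Name></DataSource></JDBCPersistenceManager>
  <EventListeners>
    <EventListener name="org.wso2.carbon.user.mgt.workflow.userstore.UserStoreActionListener" enable="true"/>
    <EventListener name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" enable="false"/>
    <EventListener name="org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener" enable="true"/>
  </EventListeners></Server>"""
SAMPLE_PROPS = """Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=5
Authentication.Policy.Account.Lock.Time=2"""
```

Run it against the real files by passing their contents to check_identity_xml and check_properties; an empty list from both means the server is ready to start.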
7. Start the APIM server.
8. Check User Account Locking through Admin Services using the following link:
http://chanukadissanayake.blogspot.com/2017/08/wso2-user-account-locking-through-admin.html