Account Locking with WSO2 API Manager – 2.0.0

Account locking is a part of Account and Credential Management in Identity Governance and Administration.

Let's see how to install Account Locking feature with WSO2 API Manager;

 Note: (Before you are doing any changes)
  • Shutdown the APIM server (If already running).
  • Keep a backup on your identity.xml (APIM_HOME/repository/conf/identity/identity.xml) file beforehand.
  • Save the following content as a pom.xml file and replace all the APIM_HOME locations inside the pom file with your APIM location (There are 3 places).


<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>org.wso2.dev</groupId>

    <artifactId>dev-feature-addons</artifactId>
    <version>1.0.0</version>
    <packaging>pom</packaging>
    <name>WSO2 Feature addons for DEV</name>
    <url>http://wso2.org</url>
    <build>
        <plugins>
            <plugin>
                <groupId>org.wso2.maven</groupId>
                <artifactId>carbon-p2-plugin</artifactId>
                <version>1.5.8</version>
                <executions>
                   <execution>
                        <id>uninstall-feature</id>
                        <phase>package</phase>
                        <goals>
                            <goal>p2-profile-gen</goal>
                        </goals>
                        <configuration>
                            <profile>default</profile>
                            <metadataRepository>http://product-dist.wso2.com/p2/carbon/releases/wilkes/</metadataRepository>
                            <artifactRepository>http://product-dist.wso2.com/p2/carbon/releases/wilkes/</artifactRepository>
                            <destination>APIM_HOME/repository/components</destination>
                            <deleteOldProfileFiles>false</deleteOldProfileFiles>
                            <uninstall>true</uninstall>
                            <features>
                                <feature>
                                    <id>org.wso2.carbon.security.mgt.server.feature.group</id>
                                    <version>5.2.0</version>
                                </feature>

                                 <feature>
                                    <id>org.wso2.carbon.security.mgt.ui.feature.group</id>
                                    <version>5.2.0</version>
                                </feature>

                                 <feature>
                                    <id>org.wso2.carbon.security.mgt.feature.group</id>
                                    <version>5.2.0</version>
                                </feature>
                                 <feature>
                                    <id>org.wso2.carbon.identity.core.feature.group</id>
                                    <version>5.2.0</version>
                                </feature>
                            </features>
                        </configuration>
                    </execution> 
                    <execution>
                        <id>feature-install</id>
                        <phase>package</phase>
                        <goals>
                            <goal>p2-profile-gen</goal>
                        </goals>
                        <configuration>
                            <profile>default</profile>
                            <metadataRepository>http://product-dist.wso2.com/p2/carbon/releases/wilkes/</metadataRepository>
                            <artifactRepository>http://product-dist.wso2.com/p2/carbon/releases/wilkes/</artifactRepository>
                            <destination>APIM_HOME/repository/components</destination>
                            <deleteOldProfileFiles>false</deleteOldProfileFiles>                           
                            <features>
                                <feature>
                                    <id>org.wso2.carbon.security.mgt.ui.feature.group</id>
                                    <version>5.2.2</version>
                                </feature>
                                <feature>
                                    <id>org.wso2.carbon.security.mgt.server.feature.group</id>
                                    <version>5.2.2</version>
                                </feature>
                                <feature>
                                    <id>org.wso2.carbon.security.mgt.feature.group</id>
                                    <version>5.2.2</version>
                                </feature>
                                 <feature>
                                    <id>org.wso2.carbon.identity.core.feature.group</id>
                                    <version>5.2.2</version>
                                </feature>

                                <feature>
                                    <id>org.wso2.carbon.identity.mgt.feature.group</id>
                                    <version>5.2.2</version>
                                </feature>
                        
                            </features>
                        </configuration>
                    </execution>

                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-antrun-plugin</artifactId>
                <version>1.1</version>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <configuration>
                            <tasks>
                                <replace token="false" value="true" dir="APIM_HOME/repository/components/default/configuration/org.eclipse.equinox.simpleconfigurator">
                                    <include name="**/bundles.info"/>
                                </replace>
                            </tasks>
                        </configuration>
                        <goals>
                            <goal>run</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
    <repositories>
        <repository>
            <id>wso2-nexus</id>
            <name>WSO2 internal Repository</name>
            <url>http://maven.wso2.org/nexus/content/groups/wso2-public/</url>
            <releases>
                <enabled>true</enabled>
                <updatePolicy>daily</updatePolicy>
                <checksumPolicy>ignore</checksumPolicy>
            </releases>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>wso2-maven-releases-repository</id>
            <url>http://maven.wso2.org/nexus/content/repositories/releases/</url>
        </pluginRepository>
    </pluginRepositories>
</project>

As you can see on the executions, this will uninstall some features and install/update the relevant features for account locking. 

  1. Then run the pom file using mvn clean install
    This will install/update the required feature versions related to account locking.

    If you get an exception like - /components/artifacts.xml (No such file or directory), don't worry.
  2. Then open APIM_HOME/repository/conf/identity/identity.xml and do the following changes.
  • Change the DataSource name to <Name>jdbc/WSO2AM_DB</Name> (it will have WSO2CarbonDB)
  • Replace the SupportedGrantTypes with the following
     <SupportedGrantTypes>
            <SupportedGrantType>
                <GrantTypeName>authorization_code</GrantTypeName>
              <GrantTypeHandlerImplClass>
               org.wso2.carbon.apimgt.keymgt.handlers.ExtendedAuthorizationCodeGrantHandler
               </GrantTypeHandlerImplClass>
            </SupportedGrantType>
            <SupportedGrantType>
                <GrantTypeName>password</GrantTypeName>
                <GrantTypeHandlerImplClass>
                 org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler
                </GrantTypeHandlerImplClass>
              </SupportedGrantType>
            <SupportedGrantType>
                <GrantTypeName>refresh_token</GrantTypeName>
                <GrantTypeHandlerImplClass>
                org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler
              </GrantTypeHandlerImplClass>
            </SupportedGrantType>
            <SupportedGrantType>
                <GrantTypeName>client_credentials</GrantTypeName>
              <GrantTypeHandlerImplClass>
              org.wso2.carbon.apimgt.keymgt.handlers.ExtendedClientCredentialsGrantHandler
              </GrantTypeHandlerImplClass>
            </SupportedGrantType>
            <SupportedGrantType>
                <GrantTypeName>urn:ietf:params:oauth:grant-type:saml2-bearer</GrantTypeName>
                <GrantTypeHandlerImplClass>
                 org.wso2.carbon.apimgt.keymgt.handlers.ExtendedSAML2BearerGrantHandler
             </GrantTypeHandlerImplClass>
            </SupportedGrantType>
            <SupportedGrantType>
                <GrantTypeName>iwa:ntlm</GrantTypeName>
                <GrantTypeValidatorImplClass>
                 org.wso2.carbon.identity.oauth.common.NTLMAuthenticationValidator
                </GrantTypeValidatorImplClass>
                <GrantTypeHandlerImplClass>
  org.wso2.carbon.identity.oauth2.token.handlers.grant.iwa.ntlm.NTLMAuthenticationGrantHandlerWithHandshake
  </GrantTypeHandlerImplClass>
            </SupportedGrantType>
        </SupportedGrantTypes>
    4. Change the OAuthCallbackHandlers and add the OAuthScopeValidator as following
     <OAuthCallbackHandlers>
            <OAuthCallbackHandler Class="org.wso2.carbon.apimgt.keymgt.util.APIManagerOAuthCallbackHandler"/>
        </OAuthCallbackHandlers>
        <OAuthScopeValidator class="org.wso2.carbon.identity.oauth2.validators.JDBCScopeValidator"/>
5. In the EventListeners make the following Listeners "true"
  • org.wso2.carbon.user.mgt.workflow.userstore.UserStoreActionListener
  • org.wso2.carbon.identity.mgt.IdentityMgtEventListener
  • org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener
6. After doing the above changes, change the followings in identity-mgt.properties at the same location
  • Notification.Expire.Time=20
  • UserAccount.Verification.Enable=true
  • Authentication.Policy.Enable=true
  • Authentication.Policy.Account.Lock.Time=2
  • Authentication.Policy.Account.Lock.On.Failure=true
  • Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=3

7. Start the APIM server.

8. Check  User Account Locking through Admin Services on the following link,

 http://chanukadissanayake.blogspot.com/2017/08/wso2-user-account-locking-through-admin.html

Comments

Post a Comment

Popular posts from this blog

How to fix SoapUI freeze in Mac OS

Follow these steps carefully, which will fix SoapUI freeze in Mac OS. [Note: Tested in my OS X 10.11.6] Start ‘Activity Monitor’ and Force Kill your dead soapUI process. [Or use Command-Option-Escape to force quit it.] In Finder, /Applications/SmartBear/soapUI-5.0.0.app > Show Package Contents. Edit /Applications/SmartBear/soapUI-5.0.0.app/Contents/ java/app/bin/soapui.sh. Uncomment this line# JAVA_OPTS="$JAVA_OPTS -Dsoapui.browser.disabled=true". [In other words, remove the "#" to stop it being a comment.] Edit /Applications/SmartBear/soapUI-5.0.0.app/Contents/ vmoptions.txt. Add -Dsoapui.browser.disabled=true. Start soapUI. [In those paths, change  soapUI-5.0.0  to match your version. For me it is  soapUI-5.1.3 .] Referenced from:  https://community.smartbear.com/t5/SoapUI-NG/SoapUI-Pro-5-1-2-hangs-on-Mac-OS-X-10-8-5/td-p/95626
Read more

Salesforce Auto generate renewal Opportunity with Line Items (i.e. Opportunity Products)

Image
First,  let's take a look at the business scenario of this.  Each Account(customer) have a set of opportunities and its Line Items which also know as Products of that Opportunity. Once the salesperson enters those opportunity and product details in the Salesforce, those are likely to be renewed (quarterly, yearly...etc) by the customer if they are planning to go ahead with the same vendor in the next year as well. Therefore, we need to again enter the same data into Salesforce which is almost similar to the previous details which are a time-consuming tedious task.    Our objective is to automate this renewal scenario. What are the available options Writing a class which is invoked by a Visualforce page to create the new opportunity and line items (by acquiring data through SOQL in the Apex class). Writing a trigger to fire on the opportunity once the particular conditions are met. Configuring a process builder follows by a flow to create the op
Read more

Salesforce Create multiple child records based on a number field in the parent using flow

Image
For this example, I'm using salesforce flow to create Ramp plans (child object) based on a number value field in opportunity (parent object) The flow starts from a process builder after an Opportunity closed won In here my number value field is  Contract Term Length (In Months) This is kind of a custom loop which iterate   the   Contract Term Length  Final flow diagram Start by creating an Auto launched flow Let's create the variables we need to store the object data. Note: Please check my previous post to get an idea to create variables you need. First, we need to get the opportunity ID To do that we are adding a Get Records element to the canvas Then store the Opportunity Id on VarT_Opportunity ID In the same panel allocate the value for VarT_ContractTermLength Add a decision element  Configure two outcomes as following Then add an Assignment Element  If the contr
Read more