Showing posts with label wso2. Show all posts
Showing posts with label wso2. Show all posts

Thursday, November 3, 2016

Deploying WSO2 products in Google Container Cloud




This blog explains the steps of deploying WSO2 products in Google Container Cloud.
More info can be found in following WSO2 Official documentation.

 Kubernetes Artifacts
Puppet Modules


1) Download and Install


 Google Cloud SDK 

 kubectl 


2) Subscribe


 Subscribe to 'Google Cloud Trial'


3) Setup / Configure


i) A container cluster


WHAT : This is the cluster of container hosts.

HOW :

  • Go to Google Container Engine 
  • Create a container cluster. (Change the machine type and node count if you need)

ii) kubectl 


WHY : kubectl should be configured with Google Container Cloud, so that the kubectl commands can be invoked against the cloud.

HOW : Instructions can be found by clicking on 'connect' on container cluster entry we just created in the previous step.

4) Git Clone


IMPORTANT : Please make sure you checkout a release tag of these repos since the master branch would contain not production ready RnD stuff.

 i) https://github.com/wso2/kubernetes-artifacts

 WHAT : The repo of services and replication controllers for WSO2 products

 ii) https://github.com/wso2/dockerfiles

 WHAT : Docker files to build WSO2 product images.

 iii) https://github.com/wso2/puppet-modules

 WHAT : Puppet scripts to deploy WSO2 products in a host.

 WHY : These puppet scripts are used by the docker files to build an image with WSO2 product deployments.


5) Build Images


TWEAK :

 WSO2 Kubernetes clustering scheme talks to the Kubernetes API to get node data. Because of the JVM version difference in WSO2 Docker Images (Java 7) and Google VMs (Java 8), we need to add the following line to PUPPET_MODULES_GIT_REPO/modules/<product>/templates/<version>/bin/wso2server.sh.erb  

 -Ddeployment.security.SSLv2Hello=false \
-Ddeployment.security.SSLv3=false \
-Ddeployment.security.TLSv1=false \
-Ddeployment.security.TLSv1.1=true \
-Ddeployment.security.TLSv1.2=true \
-Dhttps.protocols=TLSv1.2 \

HOW : Refer to the 'Build Docker Images' section here.


6) Push the Images


HOW : Refer this 

7) Deploy Services and Replication Controllers

 

HOW :

  • Go to KUBERNETES_ARTIFACTS_GIT_REPO/<product>
  • ./deploy sh


 TWEAK :

 The image names in the deployed replication controllers are not valid in the Google Container Cloud env. So we have to amend the replication controller definitions to refer to the image names in the Google container registry.

 We can do it from the Google Kubernetes Dashboard

 Select 'View/edit YAML' of the desired replication controller.

 Edit the spec/containers/image element with the correct image name.

 e.g. gcr.io/dazzling-bruin-148110/wso2am-kubernetes:1.10.0

 In order to make the change effective you can scale the nodes to 0 and then scale up.


8) Open Firewall Ports


WHY : By default the ports of Google cloud nodes are closed for traffic from outside.

HOW : Go to Networking -> Firewall rules section and add a rule to expose the desired ports.
Posted by at 4 comments:
Labels: , , , ,

Friday, October 16, 2015

JWT's role in WSO2 App Manager

WSO2 App Manager is a fully fledged solution for managing and governing applications in an enterprise.

 App Manager 1.0.0 supports web apps and mobile apps, out of the box.

 When an existing web app is published through App Manager, all the HTTP requestes to the web app go through the Gateway component of App Manager. This feature enables us to intercept the call and augment a plain web app with authentication, authorization and stat collection etc ..  

 In this post, I describe how App Manager can secure an unsecured web app.

 App Manager uses SAML and JWT to handle authentication scenarios.

 When the gateway receives an HTTP call, it first checks whether the call is coming from an authenticated user. Gateway decides whether a requested is authenticated, by checking either the requested has a valid session associated with it, of the request has a valid SAML response from the trusted identity provider.

 If the user is not authenticated he/she will be redirected to the IDP for authentication.

 If the user is authenticated, a JWT will be generated, signed by the gateway and sent to the web app along with the SAML response received from the identity provider. 

 JWT is a standard to securely share user claims between two parties. In our scenario, gateway is the one who handles authentication on behalf of the web app. So the web app should trust the gateway.

 The configuration related to JWT in App Manager, can be found in App Manager documentation

 The image below depicts the aforementioned scenario.


When the web app receives the HTTP request, it can read the JWT, which is normally sent as an HTTP header and decode it and use the user information accordingly.

 e.g. The web app can extract user information and store it in the user session and use that information give a personalize view for users. 
If the web app developer has to develop the authentication part from the scratch, then it would take more time. But having App Manager in between, reduces that cost.

 Decoding a JWT and verifying the signature  needs some coding. But there are a lot of libraries which do that for you. jwt.io is a pretty cool website where you can grab information about different JWT implementations in different languages.

 If you are looking for a Java implementation Nimbus-JOSE-JWT is a good option.

 I wrote a small Jaggery module to wrap the functionality of the above library.

 Below is a code snippet of its usage.

 index.jag
=======

 
var config = require('config.json');
var jwtClientModule = require('/modules/jwt-client.js');
var jwtClient = new jwtClientModule.JWTClient(request, config.jwtClient.headerName, config.jwtClient.certificatePath);

jwtClient.init();

log.debug("JWT = " + jwtClient.jwt);

if(jwtClient.isJWTPresent()){
  include('includes/jwt_login.jag');
}else{
  // Send an HTTP 401
}

   
jwt_login.jag
==========        


authenticateAndAuthorize();

function authenticateAndAuthorize(){

  try{
    jwtClient.parse();

    if(jwtClient.verify()){
      log.debug("Verified the signature of the JWT.");

      var subject = jwtClient.getSubject();
      var issuer = jwtClient.getIssuer();
      var claims = jwtClient.getClaims();

      setSessionAttributes(subject, claims);

      // Implement your authorization logic based on the claim values.

    }else{
      logAndShowError("Authentication failure. Cannot verify the JWT signature.");
    }
  }catch(e){
    logAndShowError("Authentication failure. Something went wrong ", e);
  }

}

function setSessionAttributes(subject, claims){

  session.put("logged-in", "true");
  session.put("username", subject);
  
  var roles = claims.get("http://wso2.org/claims/role");
  if(roles){
    roles = roles.split(',');
    session.put("roles", roles);
  }

}
Posted by at No comments:
Labels: , ,
Subscribe to: Comments (Atom)