Warning | ||
---|---|---|
| ||
This document is work in progress! |
The following diagram illustrates a typical deployment pattern for WSO2 IoT Server.
As indicated in the above diagram, when clustering WSO2 IoT Server, there is worker manager separation. In a standard WSO2 product cluster, worker and manager separation is derived from deployment synchronization. However, this differs from standard WSO2 Carbon worker manager separation.
WSO2 IoT Server includes an admin console that can be used by any user with administrative privileges. These users can perform some actions operations on enrolled devices and the devices can retrieve those actions by requesting for the pending operations. This is done by either walking the device through a push notification or configuring the device to poll at a pre-compiled configured frequency.
Normally administrative tasks should be run from a manager node.
There are two major deployment patterns for the manager node. One could be running the manager node in the private network due to security constraints and other is allowing end users to access the management node so that they can control and view their devices.
A manager node is used to run background tasks that are necessary to the update the device information such as the location and applications installed.the list of installed applications. For more information on creating different profiles in WSO2 IoT Server, see Product Profiles.
Let's take a look at the steps to cluster WSO2 IoT Server:
Child pages (Children Display)
Tip | ||
---|---|---|
| ||
You need the following to cluster WSO2 IoT Server: Virtual machines used in a high availability clusterThe following is a list of virtual machines (VMs) that are used in a high availability cluster and their details.
All the VMs have 4 cores and 4GB memory. Open ports80 and 443 are from the NGINX server. The following ports need to be opened for Android and iOS devices so that it can connect to GCM (Google Cloud Message) and APNS (Apple Push Notification Service) and enroll to WSO2 IoT Server. Android The ports to open are 5228, 5229 and 5230. GCM typically uses only 5228, but it sometimes uses 5229 and 5230. GCM does not provide specific IPs, so it is recommended to allow the firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169. iOS
The APNS servers use load balancing. The devices will not always connect to the same public IP address for notifications. The entire 17.0.0.0/8 address block is assigned to Apple, so it is best to allow this range in the firewall settings |
...
Setting up the database
The following databases are needed when clustering WSO2 IoT Server.
...
App management database
(XXX)
...
The following databases are related to plugins. These enable you to keep the data that is essential for these devices to work (such as APNS related keys) and this data is not available in the CDM core database.
...
Stores the iOS related the data.
Info |
---|
If you have not configured WSO2 IoT Server for iOS, you won't have the database scripts in the given location. For more information on configuring WSO2 IoT Server for iOS, see iOS Configurations. |
...
To change the datasource configurations, please change the following files.
Note |
---|
NOTE: Make sure to add the relevant JDBC library to the |
...
This file must include the datasource configuration for the following databases.
APIM database
Registry database
- User management database
- App Manager database
- Store database
- Social database
...
This file must include the datasource configuration for the following databases.
CDM core database
IOS plugin database
Android database
- Windows database
Mounting the registry
See Remote Instance and Mount Configuration Details for more information on registry mounting and why it is useful. These must be done in all nodes. Do the following steps to configure this.
O pen the
<PRODUCT_HOME>/repository/conf/
datasources/master-datasources.xml
file and add the following datasource configurations.Code Block language xml <datasource> <name>WSO2REG_DB</name> <description>The datasource used for Registry database</description> <jndiConfig> <name>jdbc/WSO2REG_DB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/C_REG</url> <username>root</username> <password></password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>50</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> </configuration> </definition> </datasource>
Add the following configurations to the
<PRODUCT_HOME>/repository/conf/registry.xml
file.Code Block language xml <dbConfig name="mounted_registry"> <dataSource>jdbc/WSO2REG_DB</dataSource> </dbConfig> <remoteInstance url="https://localhost:9443/registry"> <id>instanceid</id> <dbConfig>mounted_registry</dbConfig> <readOnly>false</readOnly> <enableCache>true</enableCache> <registryRoot>/</registryRoot> <cacheId>root@jdbc:mysql://localhost:3306/C_REG</cacheId> </remoteInstance> <mount path="/_system/config" overwrite="true"> <instanceId>instanceid</instanceId> <targetPath>/_system/config</targetPath> </mount> <mount path="/_system/governance" overwrite="true"> <instanceId>instanceid</instanceId> <targetPath>/_system/governance</targetPath> </mount>
Configuring the load balancer
This section provides instructions on how to configure Nginx as the load balancer. You can use any load balancer for your setup and Nginx is used here as an example. This covers the configuration in the main Nginx configuration file.
The location of this file varies depending on how you installed the software on your machine. For many distributions, the file is located at /etc/nginx/nginx.conf. If it does not exist there, it may also be at /usr/local/nginx/conf/nginx.conf or /usr/local/etc/nginx/nginx.conf. You can create separate files inside the conf.d for each configuration. Three different configuration files are used for the Manager, Key Manager and Worker node in the example provided in this page.
In the Key Manager, create a VHost file inside the
/etc/nginx/conf.d
directory and add the following configurations into it.Code Block upstream keymgt.emm-c.wso2.com { ip_hash; server 192.168.57.149:9763; server 192.168.57.144:9763; } server { listen 80; server_name keymgt.emm-c.wso2.com; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass http://keymgt.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } upstream ssl.keymgt.emm-c.wso2.com { ip_hash; server 192.168.57.149:9443; server 192.168.57.144:9443; } server { listen 443; server_name keymgt.emm-c.wso2.com; ssl on; ssl_certificate /opt/keys/server.crt; ssl_certificate_key /opt/keys/server.key; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass https://ssl.keymgt.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }
In the Manager node, create a VHost file inside the
/etc/nginx/conf.d
directory and add the following configurations into it.Code Block upstream mgt.emm-c.wso2.com { ip_hash; server 192.168.57.146:9763; } server { listen 80; server_name mgt.emm-c.wso2.com; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass http://mgt.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } upstream ssl.mgt.emm-c.wso2.com { ip_hash; server 192.168.57.146:9443; } server { listen 443; server_name mgt.emm-c.wso2.com; ssl on; ssl_certificate /opt/keys/server.crt; ssl_certificate_key /opt/keys/server.key; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass https://ssl.mgt.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }
In the Worker node, create a VHost file inside the
/etc/nginx/conf.d
directory and add the following configurations into it.Code Block upstream wkr.emm-c.wso2.com { ip_hash; server 192.168.57.145:9763; server 192.168.57.142:9763; } server { listen 80; server_name wkr.emm-c.wso2.com; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass http://wkr.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } upstream ssl.wkr.emm-c.wso2.com { ip_hash; server 192.168.57.145:9443; server 192.168.57.142:9443; } server { listen 443; server_name wkr.emm-c.wso2.com; ssl on; ssl_certificate /opt/keys/server.crt; ssl_certificate_key /opt/keys/server.key; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass https://ssl.wkr.emm-c.wso2.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }
Generating SSL certificates to NGINX
Create SSL certificates for both the manager and worker nodes using the instructions that follow.
Create the Server Key.
$sudo openssl genrsa -des3 -out server.key 1024
Certificate Signing Request.
$sudo openssl req -new -key server.key -out server.csr
Remove the password.
$sudo cp server.key server.key.org
$sudo openssl rsa -in server.key.org -out server.keySign your SSL Certificate.
$sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
While creating keys, enter the host name (*.emm-c.wso2.com) as the common name.
Add the public key of the NGINX server to the client_truststore.jks (you can download the public key from the browser). Use the following command to add the public key to client_truststore.jks
keytool -import -alias emm-c.wso2.com -file emm.wso2.com.crt -keystore <PRODUCT_HOME>/repository/resources/security/client-truststore.jks
Note |
---|
Note: If you need to configure iOS in your cluster, do not configure the SSL certificate in above way. You can use the SSL certificate generated in the 6th step of iOS Configuration document. |
Configuring the manager node
EMM has three key consoles.
EMM console - For device management related tasks such as adding policies, operations, users, roles and devices.
Publisher - Used for adding and publishing the enterprise mobile applications.
Store - Device user can go and subscribe to the apps and it gets installed to the device.
The above three consoles could be running inside the company network due to security concerns or could be exposed through a load balancer.
Note |
---|
Note: There can be one EMM manager node if you use policy monitoring and policy change management. If you do not plan to use those, you can have a cluster of manager nodes. |
Do the following to configure the manager node.
In the
<PRODUCT_HOME>/
repository/conf/security/authenticators.xml
file, do the following configurations. ThehostURL
,adminUsername
, andadminPassword
must be configured with the respective values in order to validate the OAuth token.Code Block language xml <Authenticator name="OAuthAuthenticator" disabled="false"> ... <Config> <Parameter name="isRemote">true</Parameter> <Parameter name="hostURL">https://keymgt.emm-c.wso2.com</Parameter> <Parameter name="adminUsername">admin</Parameter> <Parameter name="adminPassword">admin</Parameter> </Config> </Authenticator>
Change the
ServerUrl
of theIdentityConfiguration
in the<PRODUCT_HOME>/repository/conf/security/cdm-config.xml
file. Enable policy monitoring and device monitoring as shown in the following configuration sample. You can change the frequency of the tasks running by changing theMonitoringFrequency
andFrequency
in thePolicyConfiguration
andTaskConfiguration
.Code Block language xml <IdentityConfiguration> <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl> <AdminUsername>admin</AdminUsername> <AdminPassword>admin</AdminPassword> </IdentityConfiguration> <PolicyConfiguration> ... <MonitoringEnable>true</MonitoringEnable> <MonitoringFrequency>60000</MonitoringFrequency> ... </PolicyConfiguration> <TaskConfiguration> <Enable>true</Enable> <Frequency>600000</Frequency> ……... </TaskConfiguration>
Change the
HostName
andMgtHostName
in the<PRODUCT_HOME>/repository/conf/carbon.xml
file.Code Block language xml <HostName>wkr.emm-c.wso2.com</HostName> <MgtHostName>mgt.emm-c.wso2.com</MgtHostName>
Change the following in the
config.json
file in the<PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm/app/conf
directory. This must only be configured in the manager node as this is specific to the admin UI.Code Block …………………………. "httpsURL" : "https://mgt.emm-c.wso2.com", "httpURL" : "http://mgt.emm-c.wso2.com", …………………………. "oauthProvider": { "appRegistration": { "appType": "webapp", "clientName": "emm", "owner": "admin@carbon.super", "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register", "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants", "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer", "tokenScope": "admin", "callbackUrl": "https://mgt.emm-c.wso2.com/api/device-mgt/v1.0" }, "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token" }, ……………….. "generalConfig" : { "host" : "https://wkr.emm-c.wso2.com", ………………... },
Change the following in the
config.json
file in the<PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf
directory. This is used for the device agent download.Code Block "httpsURL" : "https://wkr.emm-c.wso2.com", "httpURL" : "http://wkr.emm-c.wso2.com", "enrollmentDir": "/emm-web-agent/enrollment", "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/", "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/", "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/", "adminService":"https://wkr.emm-c.wso2.com", "idPServer":"https://keymgt.emm-c.wso2.com", "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin", "oauthProvider": { "appRegistration": { "appType": "webapp", "clientName": "emm-web-agent", "owner": "admin@carbon.super", "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register", "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants", "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer", "tokenScope": "admin", "callbackUrl": "https://wkr.emm-c.wso2.com/api/device-mgt/v1.0" }, "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token" }, ………….. "generalConfig" : { "host" : "http://wkr.emm-c.wso2.com", ………………………….. },
Configuring the worker node
Do the following to configure the worker node.
In the
<PRODUCT_HOME>/repository/conf/security/authenticators.xml
file, do the following configurations. ThehostURL
,adminUsername
, andadminPassword
must be configured with the respective values in order to validate the OAuth token.Code Block language xml <Authenticator name="OAuthAuthenticator" disabled="false"> <Priority>10</Priority> <Config> <Parameter name="isRemote">true</Parameter> <Parameter name="hostURL">https://keymgt.emm-c.wso2.com</Parameter> <Parameter name="adminUsername">admin</Parameter> <Parameter name="adminPassword">admin</Parameter> </Config> </Authenticator>
Change the
ServerUrl
ofIdentityConfiguration
in the<PRODUCT_HOME>/repository/conf/security/cdm-config.xml
file. This is used by the worker node to validate the user details after the Key Manager validates the OAuth token. You must disable policy monitoring and device monitoring as indicated in the following code snippet.Code Block language xml <IdentityConfiguration> <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl> <AdminUsername>admin</AdminUsername> <AdminPassword>admin</AdminPassword> </IdentityConfiguration> <PolicyConfiguration> ... <MonitoringEnable>false</MonitoringEnable> <MonitoringFrequency>60000</MonitoringFrequency> ... </PolicyConfiguration> <TaskConfiguration> <Enable>false</Enable> <Frequency>600000</Frequency> ... </TaskConfiguration>
Change the
HostName
andMgtHostName
in the<PRODUCT_HOME>/repository/conf/carbon.xml
file.Code Block language xml <HostName>wkr.emm-c.wso2.com</HostName> <MgtHostName>wkr.emm-c.wso2.com</MgtHostName>
Change following in the
config.json
file in the<PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf
directory. These parameters are used to point to the NGINX URLs of worker nodes and the Key Manager. If this is not configured, the local IP address of the server is used.Code Block "httpsURL" : "https://wkr.emm-c.wso2.com", "httpURL" : "http://wkr.emm-c.wso2.com", "enrollmentDir": "/emm-web-agent/enrollment", "iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/", "iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/", "dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/", "adminService":"https://wkr.emm-c.wso2.com", "idPServer":"https://keymgt.emm-c.wso2.com", "callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin", "oauthProvider": { "appRegistration": { "appType": "webapp", "clientName": "emm-web-agent", "owner": "admin@carbon.super", "dynamicClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/dynamic-client-web/register", "apiManagerClientAppRegistrationServiceURL": "https://keymgt.emm-c.wso2.com/api-application-registration/register/tenants", "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer", "tokenScope": "admin", "callbackUrl": "https://wkr.emm-c.wso2.com/api/device-mgt/v1.0" }, "tokenServiceURL": "https://keymgt.emm-c.wso2.com/oauth2/token" }, ... "generalConfig" : { "host" : "http://wkr.emm-c.wso2.com", ... },
Configuring the Key Manager node
Do the following configurations in the Key Manager node.
Make sure that DB configurations are done and registry mounting is correctly set up.
Configure the
HostName
. To do this, edit the<PRODUCT_HOME>/repository/conf/carbon.xml
file as follows.
<HostName>keymgt.emm.wso2.com</HostName>
Configuring the iOS server
The following are the steps involved when configuring iOS. Also see iOS Server Configurations in the WSO2 EMM documentation for more information.
Installing WSO2 EMM iOS features via the P2 repository
Configuring the general iOS server settings
Generating the MDM APNS certificate
You must be enrolled in the Apple Developer Program as an individual or organization before starting the iOS server configurations.
Follow the instructions given below to configure the iOS server-side configurations:
Installing WSO2 EMM iOS features via the P2 repository
For more information on installing the P2 repository, see Installing WSO2 EMM iOS features via the P2 Repository .
Configuring the general iOS server settings
...
Update the following parameters in the ios-config.xml file, which is in the <EMM_HOME>/repository/conf directory. Enter the server IP or the server domain name for the following parameters.
Code Block | ||
---|---|---|
| ||
<?xml version="1.0" encoding="ISO-8859-1"?>
<iOSEMMConfigurations>
<!-- iOS MDM endpoint urls -->
<iOSEnrollURL>https://wkr.emm-c.wso2.com/ios-enrollment/scep</iOSEnrollURL>
<iOSProfileURL>https://wkr.emm-c.wso2.com/ios-enrollment/profile</iOSProfileURL>
<iOSCheckinURL>https://wkr.emm-c.wso2.com/ios-enrollment/checkin</iOSCheckinURL>
<iOSServerURL>https://wkr.emm-c.wso2.com/ios-enrollment/server</iOSServerURL>
</iOSEMMConfigurations> |
Change the following properties in the config.json file in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/emm-web-agent/app/conf directory as follows.
Code Block |
---|
.....
"enrollmentDir": "/emm-web-agent/enrollment",
"iOSConfigRoot" : "https://wkr.emm-c.wso2.com/ios-enrollment/",
"iOSAPIRoot" : "https://wkr.emm-c.wso2.com/api/device-mgt/ios/v1.0/",
"dynamicClientRegistrationEndPoint" : "https://keymgt.emm-c.wso2.com/dynamic-client-web/register/",
"adminService":"https://wkr.emm-c.wso2.com",
"idPServer":"https://keymgt.emm-c.wso2.com",
"callBackUrl":"https://wkr.emm-c.wso2.com/mdm-admin",
…………….
"usernameLength":30,
"device" : {
"ios" : {
"location" : "https://wkr.emm-c.wso2.com/emm-web-agent/public/mdm.page.enrollments.ios.download-agent/asset/ios-agent.ipa",
"bundleID" : "org.wso2.carbon.emm.iOSMDMAgent",
"version" : "1.0",
"appName" : "EMM iOS Agent"
}
}, |
...
You must generate the Certificate Authority (CA), Registration Authority (RA) and SSL certificate. For more information on general iOS server configurations, see General iOS Server Configurations .
Note |
---|
Note: Once SSL certificates are generated and after following the rest of the steps, add the ia.crt and ia.key as the SSL certificates in NGINX. |
Generating the MDM APNS certificate
For more information on generating the MDM APNS certificate, see Generating a MDM APNS Certificate .
Configuring the App Manager
For this release we are using WSO2 App Manager in the manager node. Applications will be uploaded to the manager node and URLs will be provided from the manager node. The devices will get them through the manager URLs.
To configure clustering with WSO2 App Manager, the Android agent has to be changed. Set the APP_MANAGER_HOST as http://mgt.emm-c.wso2.com in org.wso2.emm.agent.utils.Constants.
...
Configure single sign-on (SSO) for the Store and Publisher in the App Manager store and publisher. Change the following config elements in the <APPM_HOME>/repository/conf/app-manager.xml file.
Change the ServerURL, Username and Password elements in the <AuthManager> section to point to the Identity Server URL and credentials.
Code Block language xml <ServerURL>https://keymgt.emm-c.wso2.com/services/</ServerURL>
Change the providerURL element in the <SSOConfiguration> section as shown below:
Code Block language xml <IdentityProviderUrl>https://keymgt.emm-c.wso2.com/samlsso</IdentityProviderUrl><providerURL>https://keymgt.emm-c.wso2.com</providerURL>
Change the ServerURL element in the <EntitlementServiceConfiguration> section as shown below:
Code Block language xml <ServerUrl>https://keymgt.emm-c.wso2.com</ServerUrl>
...
Change AppDownloadURLHost in <APPM_HOME>/repository/conf/app-manager.xml file.
Code Block | ||
---|---|---|
| ||
<Config name="AppDownloadURLHost">http://mgt.emm-c.wso2.com</Config> |
...
Change the identityProviderURL config in the <AppM_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json file as shown below:
Code Block | ||
---|---|---|
| ||
"ssoConfiguration": {
"enabled": true,
"issuer": "APPM_Store",
"identityProviderURL": "https://keymgt.emm-c.wso2.com/samlsso",
"keyStorePassword": "wso2carbon",
"identityAlias": "wso2carbon",
"responseSigningEnabled": "true",
"storeAcs" : "https://mgt.emm-c.wso2.com/store/acs",
"keyStoreName": "/repository/resources/security/wso2carbon.jks"
}, |
...
Change the identityProviderURL element in the <AppM_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json file as shown below:
Code Block | ||
---|---|---|
| ||
"ssoConfiguration": {
"enabled": true,
"issuer": "APPM_Publisher",
"identityProviderURL": "https://keymgt.emm-c.wso2.com/samlsso",
"keyStorePassword": "wso2carbon",
"identityAlias": "wso2carbon",
"responseSigningEnabled": "true",
"publisherAcs": "https://mgt.emm-c.wso2.com/publisher/sso",
"keyStoreName": "/repository/resources/security/wso2carbon.jks"
}, |
...
Start both the WSO2 App Manager and WSO2 Identity Server.
...
Log into the WSO2 Identity Server management console.
...
Click Add under Service Providers . This is found in the Main menu.
...
Give a name for the service provider and click Register .
...
You are navigated to the detailed configuration page. Expand SAML2 Web SSO Configuration inside the Inbound Authentication Configuration section and click Configure .
...
Provide the configurations to register the App Store as the SSO service provider. These sample values may change depending on your configuration.
Issuer: APPM_Store
Assertion Consumer URL: https://mgt.emm-c.wso2.com/store/acs. This is the URL for the ACS page for your running store app.
Select the following options:
Enable Response Signing
Enable Single Logout
...
Click Register once done.
...
Similarly, provide configurations to register the App Publisher and social apps as SSO service providers. These sample values may change depending in your configuration.
Issuer: APPM_Publisher
Assertion Consumer URL: https://mgt.emm-c.wso2.com/publisher/acs. This is the URL for the ACS page for your running publisher app.
Select the following options:
Enable Response Signing
Enable Single Logout
...
. |