Versions Compared

Old Version 6

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This section covers the following topics: 

Table of Contents

Changing the super admin

...

credentials

Follow the instructions below to change the default super admin passwordcredentials

  1. Sign in to the WSO2 APIM management console with admin/admin credentials and use the

    Change

    my password option.

    After changing the user credentials , change the same in the following files.

    • The The <UserName> and <Password> values in the <APIM_HOME>/repository/conf/user-mgt.xml file.

      Code Block
      languagexml
      <UserManager>
   <Realm>
      <Configuration>
          ...
          <AdminUser>
             <UserName>admin</UserName>                  
             <Password>admin</Password>
          </AdminUser>
      ...
   </Realm>
</UserManager>
      Note

      Note that the password in the user-mgt.xml file is written to the primary user store when the server starts for the first time. Thereafter, the password will be validated from the primary user store and not from the user-mgt.xml file. If you have started the server already, to change the admin password in the userstore do the following:

      1. Modify admin password in the user-mgt.xml file

      2. Configure the password through the management console.

      3. Edit the files following all the steps given below.

      To change the password from Management Console (https://localhost:9443/carbon), follow the steps in Changing a Password.

    • The  <APIM_HOME>/repository/conf/jndi.properties file.

      Code Block
      connectionfactory.TopicConnectionFactory = amqp://admin:admin@clientid/carbon?brokerlist='tcp://localhost:5672'
connectionfactory.QueueConnectionFactory = amqp://admin:admin@clientID/test?brokerlist='tcp://localhost:5672'

...



    • If you have configured API Manager Analytics,       change the credentials in the following files when changing the super admin credentials as shown below.

      • <APIM_HOME>/repository/conf/api-manager.xml 

        Code Block
        <Analytics>
        <!-- Enable Analytics for API Manager -->
        <Enabled>true</Enabled>
        ....

        <DASServerURL>{tcp://localhost:7612}</DASServerURL>
        <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
        <!-- Administrator username to login to the remote DAS server. -->
        <DASUsername>${admin.username}</DASUsername>
        <!-- Administrator password to login to the remote DAS server. -->
        <DASPassword>${admin.password}</DASPassword>

        ....

      <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>

        ...

        <DASRestApiURL>https://localhost:9444</DASRestApiURL>
        <DASRestApiUsername>${admin.username}</DASRestApiUsername>
        <DASRestApiPassword>${admin.password}</DASRestApiPassword>

        .....

    </Analytics>

      • <APIM_HOME>/repository/conf/log4j.properties 

        Code Block
        log4j.appender.DAS_AGENT.userName=admin
log4j.appender.DAS_AGENT.password=admin


log4j.appender.LOGEVENT.userName=admin
log4j.appender.LOGEVENT.password=admin       
Note

Do you have any special characters in passwords?

  • If you specify passwords inside XML files, take care when giving special characters in the user names and passwords. According to XML specification (http://www.w3.org/TR/xml/), some special characters can disrupt the configuration. For example, the ampersand character (&) must not appear in the literal form in XML files. It can cause a Java Null Pointer exception. You must wrap it with CDATA (http://www.w3schools.com/xml/xml_cdata.asp) as shown below or remove the character:

 

  • Code Block
    languagexml
    <Password>
    <![CDATA[xnvYh?@VHAkc?qZ%Jv855&A4a,
%M8B@h
  • %M8B]]>
</Password>

  • Note the following if you have special characters in the passwords on your jndi.properties file:

    • It is not possible to use the @ symbol in the username or password.
    • It is also not possible to use the percentage (%) sign in the password. When building the connection URL, the URL is parsed. This parsing exception happens because the percentage (%) sign acts as the escape character in URL parsing. If using the percentage (%) sign in the connection string is required, use the respective encoding character for the percentage (%) sign in the connection string. For example, if you need to pass adm%in as the password, then the % symbol should be encoded with its respective URL encoding character. Therefore, you have to send it as adm%25in.

      For a list of possible URL parsing patterns, see URL encoding reference.

Recovering a password

See How can I recover the admin password used to log in to the management console?

...

Login in via multiple user

...

attributes in API Store

See Authentication using multiple Attributes in the WSO2 IS documentation.

Setting up

...

In a standalone deployment of the API Manager instance, users of the API Store can have a secondary login name in addition to the primary login name. This gives the user flexibility to provide either an email or a user name to log in. You can configure the API Store to treat both login names as belonging to a single user. Users can invoke APIs with the same access token without having to create a new one for the secondary login. 

You can configure this capability using the steps below.

...

an e-mail login

See Email Authentication in the WSO2 IS documentation.

Tip
  • When setting up email login, specify the complete username with tenant domain. If you are in the super tenant mode the username should be as follows. <username>@<email>@carbon.super
    Example:admin@wso2.com@carbon.super.
  • When configuring the <DataPublisher> section under <ThrottlingConfiguration> in the <PRODUCT_HOME>/repository/conf/

...

  • api-manager.xml file

...

  1. Mention your primary and secondary login names. Set the primary attribute of the primary login to true and the primary attribute of the secondary login to false.
  2. Primary login doesn't have a ClaimUri. Leave this field empty.
  3. Provide the  correct  ClaimUri value for the secondary login.

An example is given below:

Code Block
languagehtml/xml
<OAuth>
    ..... . ....
    <LoginConfig>
        <UserIdLogin primary="true">
             <ClaimUri></ClaimUri>
        </UserIdLogin>
        <EmailLogin primary="false">
             <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
        </EmailLogin>
     </LoginConfig>
</OAuth>

...

  • , specify the fully qualified username with tenant domain.
    Example : <Username>admin@wso2.com@carbon.super</Username>

  • The "@" character is a reserved character in the WSO2 messaging component. Therefore, when specifing username in JMS Connection URL, under <JMSConnectionParameters> section in the <PRODUCT_HOME>/repository/conf/api-manager.xml file

...

Code Block
languagehtml/xml
<AuthManager>
   <!--Server URL of the Authentication service -->
   <ServerURL>https://localhost:9444/services/</ServerURL>
 
   <!-- Admin username for the Authentication manager. -->
   <Username>admin</Username>
 
   <!-- Admin password for the Authentication manager.-->
   <Password>admin</Password>
   
   <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
</AuthManager>
Note

If you have set the CheckPermissionRemotely parameter as true, the permissions will be checked in the remote server set in ServerURL. If the parameter is set as false the permissions will be checked by the local server

Tip

Tip: In a distributed setup, the API Store's user store needs to point to the key manager user store.

Tip

Tip: Be sure to keep the secondary login name unique to each user.

Setting up an e-mail login

See Email Authentication in the WSO2 IS documentation.

  • , "@" characters should be replaced by "!" character. An example is shown below.

    Code Block
    <connectionfactory.TopicConnectionFactory><![CDATA[amqp://admin!wso2.com!carbon.super:admin@clientid/carbon?failover='roundrobin'&cyclecount='2'&brokerlist='tcp://10.100.0.3:5682?retries='5'&connectdelay='50';tcp://10.100.0.3:5692?retries='5'&connectdelay='50'']]></connectionfactory.TopicConnectionFactory>


Setting up a social media login

You can auto-provision users based on a social network login by integrating the API Manager with WSO2 Identity Server.  But, this . Refer Log in to the API Store using Social Media for more information.

Note

Note that auto-provision users based on a social network login is not supported in a multi-tenant environment

Info

In a multi-tenant environment, the system cannot identify the tenant domain in the login request that comes to the API Manager's Publisher/Store. Therefore, the service provider is registered as a SaaS application within the super tenant's space. Configuring user provisioning is part of creating the service provider. In order to authenticate the user through a third party identity provider such as a social network login, you must enable identity federation. As the service provider is created in the super tenant's space, the provisioned user is also created within the super tenant's space. As a result, it is not possible to provision the user in the tenant's space. 

To overcome this limitation, you can write a custom authenticator to retrieve the tenant domain of the user and write a custom login page where the user can enter the tenant domain, which is then added to the authenticator context. Then, write a custom provisioning handler to provision the user in the tenant domain that is maintained in the context. 

...

...

  •   in the WSO2 IS documentation.