Maintaining Logins and Passwords
This section covers the following topics:Â
Changing the super admin credentials
Follow the instructions below to change the default admin password:Â
Change the user credentials in the following files.
<APIM_HOME>/repository/conf/user-mgt.xml
 file<UserManager> <Realm> <Configuration> ... <AdminUser> <UserName>admin</UserName> <Password>admin</Password> </AdminUser> ... </Realm> </UserManager>
Note that the password in theÂ
user-mgt.xml
 file is written to the primary user store when the server starts for the first time. Thereafter, the password will be validated from the primary user store and not from theÂuser-mgt.xml
 file. Therefore, if you need to change the admin password stored in the user store, you cannot simply change the value in theÂuser-mgt.xml
 file. To change the super admin password, you must use the Change Password option from the management console.To change the password from Management Console ( https://localhost:9443/carbon ), follow the steps in Changing a Password corresponding to API Manager.
TheÂ
<APIM_HOME>/repository/conf/jndi.properties
file.connectionfactory.TopicConnectionFactory = amqp://admin:admin@clientid/carbon?brokerlist='tcp://localhost:5672' connectionfactory.QueueConnectionFactory = amqp://admin:admin@clientID/test?brokerlist='tcp://localhost:5672'
If you have Configured API Manager Analytics, when changing the super admin credentials you have to change credentials in <APIM_HOME>/repository/conf/api-manager.xml and <APIM_HOME>/repository/conf/log4j.properties as well.Â
TheÂ
<APIM_HOME>/repository/conf/api-manager.xml
 file.<Analytics> <!-- Enable Analytics for API Manager --> <Enabled>true</Enabled> .... <DASServerURL>{tcp://localhost:7612}</DASServerURL> <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL--> <!-- Administrator username to login to the remote DAS server. --> <DASUsername>${admin.username}</DASUsername> <!-- Administrator password to login to the remote DAS server. --> <DASPassword>${admin.password}</DASPassword> .... <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl> ... <DASRestApiURL>https://localhost:9444</DASRestApiURL> <DASRestApiUsername>${admin.username}</DASRestApiUsername> <DASRestApiPassword>${admin.password}</DASRestApiPassword> ..... </Analytics>
TheÂ
<APIM_HOME>/repository/conf/log4j.properties
 file.This is only applicable if you have enabled the Log Analyzer, which has been deprecated and disabled by default.
log4j.appender.DAS_AGENT.userName=admin log4j.appender.DAS_AGENT.password=admin log4j.appender.LOGEVENT.userName=admin log4j.appender.LOGEVENT.password=admin   Â
Do you have any special characters in passwords?
If you specify passwords inside XML files, take care when giving special characters in the user names and passwords. According to XML specification (http://www.w3.org/TR/xml/), some special characters can disrupt the configuration. For example, the ampersand character (&) must not appear in the literal form in XML files. It can cause a Java Null Pointer exception. You must wrap it with CDATA (http://www.w3schools.com/xml/xml_cdata.asp) as shown below or remove the character:
<Password> <![CDATA[xnvYh?@VHAkc?qZ%Jv855&A4a,%M8B]]> </Password>
Note the following if you have special characters in the passwords on your
jndi.properties
file:- It is not possible to use the
@
symbol in the username or password. - It is also not possible to use the percentage (%) sign in the password. When building the connection URL, the URL is parsed. This parsing exception happens because the percentage (%) sign acts as the escape character in URL parsing. If using the percentage (%) sign in the connection string is required, use the respective encoding character for the percentage (%) sign in the connection string. For example, if you need to pass
adm%in
as the password, then the%
symbol should be encoded with its respective URL encoding character. Therefore, you have to send it asadm%25in
.
For a list of possible URL parsing patterns, see URL encoding reference.
- It is not possible to use the
Recovering a password
See How can I recover the admin password used to log in to the management console?
Login in via multiple user attributes in API Store
See Authentication using multiple Attributes in the WSO2 IS documentation.
Setting up an e-mail loginÂ
See Email Authentication in the WSO2 IS documentation.
- When setting up email login, specify the complete username with tenant domain. If you are in the super tenant mode the username should be as follows. <username>@<email>@carbon.super
Example: admin@wso2.com@carbon.super.
- When configuring the <DataPublisher> section under <ThrottlingConfiguration> in the <PRODUCT_HOME>/repository/conf/api-manager.xml file, specify the fully qualified username with tenant domain.
Example : <Username>admin@wso2.com@carbon.super</Username>
The "@" character is a reserved character in the WSO2 messaging component. Therefore, when specifing username in JMS Connection URL, under <JMSConnectionParameters> section in the <PRODUCT_HOME>/repository/conf/api-manager.xml file, "@" characters should be replaced by "!" character. An example is shown below.
<connectionfactory.TopicConnectionFactory><![CDATA[amqp://admin!wso2.com!carbon.super:admin@clientid/carbon?failover='roundrobin'&cyclecount='2'&brokerlist='tcp://10.100.0.3:5682?retries='5'&connectdelay='50';tcp://10.100.0.3:5692?retries='5'&connectdelay='50'']]></connectionfactory.TopicConnectionFactory>
Setting up a social media login
You can auto-provision users based on a social network login by integrating the API Manager with WSO2 Identity Server. Refer Log in to the API Store using Social Media for more information.
Note that auto-provision users based on a social network login is not supported in a multi-tenant environment.Â
In a multi-tenant environment, the system cannot identify the tenant domain in the login request that comes to the API Manager's Publisher/Store. Therefore, the service provider is registered as a SaaS application within the super tenant's space. Configuring user provisioning is part of creating the service provider. In order to authenticate the user through a third party identity provider such as a social network login, you must enable identity federation. As the service provider is created in the super tenant's space, the provisioned user is also created within the super tenant's space. As a result, it is not possible to provision the user in the tenant's space.Â
To overcome this limitation, you can write a custom authenticator to retrieve the tenant domain of the user and write a custom login page where the user can enter the tenant domain, which is then added to the authenticator context. Then, write a custom provisioning handler to provision the user in the tenant domain that is maintained in the context.Â
- For information on writing a custom authenticator, see Creating Custom Authenticators  in the WSO2 IS documentation.
- For information on writing a custom login page, see Customizing Login Pages  in the WSO2 IS documentation.