Configuring the Identity Server 5.0.0 with the API Manager 1.8.0 or 1.7.0

This configuration uses WSO2 Identity Server 5.0.0 with Service Pack 1 and WSO2 API Manager 1.7.0 or 1.8.0.

Configuring the Identity Server

Download WSO2 Identity Server from http://wso2.com/products/identity-server and install it.
Log into the Identity Server and access the Management Console.
Download the WSO2 Identity Server 5.0.0 - Service Pack-01 from the Identity Server More Downloads page and install it using the instructions in the README file.
After starting the Identity Server, install the Key Manager feature.

Warning: Installing this feature will result in changes to some of the configuration files in Identity Server. The <IS_HOME>/repository/conf/identity.xml file and the <IS_HOME>/repository/conf/datasources/master-datasouces.xml file will lose their current configurations.
To install the feature:
1. Navigate to the Features section in the Configure menu of the management console.
2. Add the following feature repository in the Feature Management section in the Identity Server. See here for information on how to do this.
  P2 Repo: http://product-dist.wso2.com/p2/carbon/releases/turing/
3. After adding the repository, navigate to the Available Features tab and find the feature in that repository by clicking the Find Features button. The list of available features appear.
  1. Select the Key Manager feature from the API Manager 1.7.0 or API Manager 1.8.0 features category.
  2. Select Registry Extension Feature from the Governance registry features category.
  3. Click on the Install button and go through the wizard to complete the installation. See here if you require more information on how to do this.
Download WSO2 API Manager from here and install it.
Copy the api-manager.xml file from the <APIM_HOME>/repository/conf directory and paste it into the <IS_HOME>/repository/conf directory. You must replace the file that is already available there. The IS has an outdated file.
Make the following changes in the api-manager.xml file you just copied.
1. Change the GatewayType property to the following. This is done because the default value here is Synapse. Synapse runtime is used for various ESB related functionality that is not available in the Identity Server, so this must be changed to None.
  <GatewayType>None</GatewayType>
2. Change the <RevokeAPIURL> so that it points to the API Manager server. Note that if API Manager is running in distributed mode (has a separate node for the Gateway), you need to point this URL to the Gateway node. This is done so that when the token is revoked, the Gateway cache is updated as well. The port value you enter here must be the NIO port. See Default Ports of WSO2 Products for more information.
  <RevokeAPIURL>https://${GATEWAY_SERVER_HOST}:{port}/revoke</RevokeAPIURL>
3. Change the <ServerURL> occurring under the <APIGateway> section so that it points to the API Manager server. If you are using distributed mode, this needs to point to the Gateway node as well. This is done so that when the token is regenerated, the Gateway cache is updated as well. The port value you enter here must be the management transport port. See Default Ports of WSO2 Products for more information.
  <ServerURL>https://${GATEWAY_SERVER_HOST}:{port}/services/</ServerURL>
4. Change EnableThriftServer to false. The Identity Server does not come with a thrift server and this causes issues at runtime if not disabled.
  <EnableThriftServer>false</EnableThriftServer>
Restart the Identity Server for your changes to take effect.

Open the <IS_HOME>/repository/conf/datasources/master-datasources.xml file and add the following datasources.

Ensure that you keep the 'WSO2_CARBON_DB' datasource the way it is and simply add the following datasources in the master-datasources.xml file. Also note that the WSO2AM_DB is already added in the master-datasources.xml file so you do not need to add it again. However, you must edit this datasource to point to your new database as this still points to the default H2 database. The following code block includes a sample of the WSO2AM_DB datasource as a sample configuration when pointing to the new database.

<datasource>
    <name>WSO2AM_DB</name>
    <description>The datasource used for API Manager database</description>
    <jndiConfig>
        <name>jdbc/WSO2AM_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>  <url>jdbc:mysql://localhost:3306/apimgt?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
            <username>apiuser</username>
            <password>apimanager</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
            <defaultAutoCommit>false</defaultAutoCommit>
        </configuration>
    </definition>
</datasource>
 
<datasource>
    <name>WSO2REG_DB</name>
    <description>The datasource used for registry</description>
    <jndiConfig>
        <name>jdbc/WSO2REG_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
<url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
            <username>apiuser</username>
            <password>apimanager</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>

<datasource>
    <name>WSO2UM_DB</name>
    <description>The datasource used for user management</description>
    <jndiConfig>
        <name>jdbc/WSO2UM_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
   <url>jdbc:mysql://localhost:3306/userstore?autoReconnect=true&amp;relaxAutoCommit=true&amp;
            </url>
            <username>apiuser</username>
            <password>apimanager</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>

The following diagram illustrates how databases are shared between IS and APIM as per the above configuration.

WSO2REG_DB - This is used to keep the registry information.
WSO2UM_DB - This is used to store the permissions (i.e. permission store) and the internal roles of the users.
WSO2AM_DB - This will be used to keep the identity data and API-related data. This includes OAuth tokens and keys. When serving key-validation requests, the key manager validates whether there are subscriptions made by the particular key. For this WSO2AM_DB should be accessed.

Copy the registry.xml file from the <APIM_HOME>/repository/conf/ directory to the <IS_HOME>/repository/conf/ directory. Make sure you replace the existing registry.xml file found in the <IS_HOME>. This is because the <indexingConfiguration> element is not there in the registry.xml that comes in the IS.

Make the following changes to the <IS_HOME>/repository/conf/registry.xml file you copied in the above step.

The handler used to evaluate the XACML media type is not there in the registry.xml file you copied. Therefore, you must add the handler shown in the following code block.

<handler class="org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyHandler">
        <filter class="org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyMediaTypeMatcher">
            <property name="mediaType">application/xacml-policy+xml</property>
        </filter>
</handler>

Create the registry mounts by inserting the following sections into the registry.xml file.

When doing this change, do not replace the existing <dbConfig> for "wso2registry". Simply add the following configuration to the existing configurations.

<dbConfig name="govregistry">
        <dataSource>jdbc/WSO2REG_DB</dataSource>
</dbConfig>

<remoteInstance url="https://localhost">	
        <id>gov</id>
        <dbConfig>govregistry</dbConfig>
		<cacheId>apiuser@jdbc:mysql://localhost:3306/registry</cacheId>
        <readOnly>false</readOnly>
        <enableCache>true</enableCache>
        <registryRoot>/</registryRoot>
</remoteInstance>

<mount path="/_system/governance" overwrite="true">
        <instanceId>gov</instanceId>
        <targetPath>/_system/governance</targetPath>
</mount>

<mount path="/_system/config" overwrite="true">
       <instanceId>gov</instanceId>
       <targetPath>/_system/config</targetPath>
</mount>

Change the datasource in the identity.xml and user-mgt.xml file found in the <IS_HOME>/repository/conf/ directory to WSO2AM_DB and WSO2UM_DB respectively.

identity.xml configurations

<DataSource>
		<!-- Include a data source name (jndiConfigName) from the set of data sources defined in master-datasources.xml -->
		<Name>jdbc/WSO2AM_DB</Name>
</DataSource>

user-mgt.xml configurations

<Realm>
        <Configuration>
			...
			<Property name="dataSource">jdbc/WSO2UM_DB</Property>
        </Configuration>
		...
</Realm>

Also change the datasource in the <IS_HOME>/repository/conf/security/application-authentication.xml file to point to WSO2AM_DB.
```
<JDBCPersistenceManager>
		<DataSource>
			<Name>jdbc/WSO2AM_DB</Name>
		</DataSource>
</JDBCPersistenceManager>
```

Make the following changes to ensure that the WSO2 Identity Server is properly configured as a Key manager with all the necessary configurations.

Make sure you add the user store configuration correctly in the <IS_HOME>/repository/conf/user-mgt.xml file so that both the Identity Server and API Manager point to the same user store. For more information on configuring user stores, see here.

You must change the <UserStoreManager> element here since the internal LDAP user store is used by default. The <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager"> code block needs to be removed or modified and the right code block must be used.

Copy the following into the <IS_HOME>/repository/conf/identity.xml file under the <OAuth> tag.

<!-- Default validity period for application access tokens in seconds -->
<UserAccessTokenDefaultValidityPeriod>3600</UserAccessTokenDefaultValidityPeriod>
<!-- Validity period for refresh token -->		
<RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>

Delete the following configuration in the <IS_HOME>/repository/conf/identity.xml file found under the <OAuth> tag.

<!-- Configure the security measures needs to be done prior to store the token in the database, such as hashing, encrypting, etc. -->
<TokenPersistencePreprocessor>org.wso2.carbon.identity.oauth.preprocessor.PlainTextTokenPersistencePreprocessor</TokenPersistencePreprocessor>

Replace the configuration you deleted with the following.

<!-- Enable renewal of refresh token for refresh_token grant -->
<RenewRefreshTokenForRefreshGrant>true</RenewRefreshTokenForRefreshGrant>
<!-- Process the token before storing it in database, e.g. encrypting -->
<TokenPersistenceProcessor>org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor</TokenPersistenceProcessor>
<!-- Supported Client Autnetication Methods -->
<ClientAuthHandlers>
	<ClientAuthHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.clientauth.BasicAuthClientAuthHandler</ClientAuthHandlerImplClass>
</ClientAuthHandlers>

Copy the <SupportedGrantTypes> section from the identity.xml file in the API Manager (<AM_HOME>/repository/conf/identity.xml) and replace the <SupportedGrantTypes> section of the identity.xml file of the Identity Server (<IS_HOME>/repository/conf/identity.xml). See example below.

<SupportedGrantTypes>
    <SupportedGrantType>
       <GrantTypeName>authorization_code</GrantTypeName>
       <GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
    </SupportedGrantType>
    <SupportedGrantType>
       <GrantTypeName>password</GrantTypeName>
       <GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler</GrantTypeHandlerImplClass>
    </SupportedGrantType>
    <SupportedGrantType>
       <GrantTypeName>refresh_token</GrantTypeName>
       <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
    </SupportedGrantType>
    <SupportedGrantType>
       <GrantTypeName>client_credentials</GrantTypeName>
       <GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
    </SupportedGrantType>
    <SupportedGrantType>
       <GrantTypeName>urn:ietf:params:oauth:grant-type:saml2-bearer</GrantTypeName>
       <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler</GrantTypeHandlerImplClass>
    </SupportedGrantType>
    <SupportedGrantType>
       <GrantTypeName>iwa:ntlm</GrantTypeName>
       <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.iwa.ntlm.NTLMAuthenticationGrantHandler</GrantTypeHandlerImplClass>
    </SupportedGrantType>
</SupportedGrantTypes>

Delete the <SupportedResponseTypes> configuration found under the <OAuth> tag in the <IS_HOME>/repository/conf/identity.xml file. Replace the configuration you deleted with the following.

<SupportedResponseTypes>
	<SupportedResponseType>
		<ResponseTypeName>token</ResponseTypeName>
		<ResponseTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler</ResponseTypeHandlerImplClass>
	</SupportedResponseType>
	<SupportedResponseType>
		<ResponseTypeName>code</ResponseTypeName>
		<ResponseTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler</ResponseTypeHandlerImplClass>
	</SupportedResponseType>
</SupportedResponseTypes>

Add the following under the <OAuth> tag in the <IS_HOME>/repository/conf/identity.xml file. This is an optional configuration and is only relevant when you wish to have a customized token validator.
```
<TokenValidators>
	<TokenValidator type="bearer" class="org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator"/>
</TokenValidators>
```

Add the following configuration under the <SSOService> tag in the <IS_HOME>/repository/conf/identity.xml file.

<EntityId>localhost</EntityId>

<SAMLSSOEncrypter>org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter</SAMLSSOEncrypter>
<SAMLSSOSigner>org.wso2.carbon.identity.sso.saml.builders.signature.DefaultSSOSigner</SAMLSSOSigner>
<SAML2HTTPRedirectSignatureValidator>org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator</SAML2HTTPRedirectSignatureValidator>
<!--SAMLSSOResponseBuilder>org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder</SAMLSSOResponseBuilder-->

<UseAuthenticatedUserDomain>false</UseAuthenticatedUserDomain>

Configure the scope validator for OAuth but placing the following under the <OAuth> tag. This value can be a custom class. This is relevant when the API created in WSO2 API Manager has a scope configured and must be validated in the Key manager. See OAuth scopes for more information.
```
<OAuthScopeValidator class="org.wso2.carbon.identity.oauth2.validators.JDBCScopeValidator"/>
```

Create the following databases in the MySQL database server.
- userstore
- registry
- apimgt
For creating the userstore and registry database, use the <IS_HOME>/dbscripts/mysql.sql script.

Note that MySQL is used as an example here and you can use a different database if required.
When creating the apimgt db, run both the scripts; <APIM_HOME>/dbscripts/apimgt/mysql.sql and <IS_HOME>/dbscripts/identity/mysql.sql. The script found in the <APIM_HOME>/dbscripts/apimgt/ directory only has tables required to manage OAuth access tokens. To make all the other identity-related features to work, the script inside <IS_HOME>/dbscripts/identity should be used as well.

You can change the CREATE TABLE statements to CREATE TABLE IF NOT EXISTS when running the identity scripts after you have run the apimgt script.

Create a user ‘apiuser’ with password ‘apimanager’. Grant all permissions for this user in the above three databases. For example:

grant all on apimgt.* TO apiuser@localhost identified by "apimanager";
grant all on userstore.* TO apiuser@localhost identified by "apimanager"; 
grant all on registry.* TO apiuser@localhost identified by "apimanager";

JWT configuration must be done in the <IS_HOME>/repository/conf/api-manager.xml file in the Identity Server. See here for more information on JWT Token generation. Enable the ClaimsRetrieverImplClass, ConsumerDialectURI and SignatureAlgorithm. Set SignatureAlgorithm to NONE.

Configuring the API Manager

Open the <APIM_HOME>/repository/conf/datasources/master-datasources.xml file and add the following datasources.

<datasource>
    <name>WSO2AM_DB</name>
    <description>The datasource used for API Manager database</description>
    <jndiConfig>
        <name>jdbc/WSO2AM_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>  <url>jdbc:mysql://localhost:3306/apimgt?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
            <username>apiuser</username>
            <password>apimanager</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
			<defaultAutoCommit>false</defaultAutoCommit>
        </configuration>
    </definition>
</datasource>

<datasource>
    <name>WSO2REG_DB</name>
    <description>The datasource used for registry and user manager</description>
    <jndiConfig>
        <name>jdbc/WSO2REG_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
<url>jdbc:mysql://localhost:3306/registry?autoReconnect=true&amp;relaxAutoCommit=true&amp;</url>
            <username>apiuser</username>
            <password>apimanager</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>

<datasource>
    <name>WSO2UM_DB</name>
    <description>The datasource used for registry and user manager</description>
    <jndiConfig>
        <name>jdbc/WSO2UM_DB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
   <url>jdbc:mysql://localhost:3306/userstore?autoReconnect=true&amp;relaxAutoCommit=true&amp;
            </url>
            <username>apiuser</username>
            <password>apimanager</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>

Open the user-mgt.xml file found in the <APIM_HOME>/repository/conf directory and change the permission datasource.
user-mgt.xml configurations
```
<Realm>
        <Configuration>
			...
			<Property name="dataSource">jdbc/WSO2UM_DB</Property>
        </Configuration>
		...
</Realm>
```
Make sure you add the user store configuration correctly. This is the same configuration that you did in the Identity Server. For more information on how to do this, see here.

Create the registry mounts. Open the <APIM_HOME>/repository/conf/registry.xml file and insert the following sections.

<dbConfig name="govregistry">
       <dataSource>jdbc/WSO2REG_DB</dataSource>
</dbConfig>

<remoteInstance url="https://localhost">	
       <id>gov</id>
       <dbConfig>govregistry</dbConfig>
	   <cacheId>apiuser@jdbc:mysql://localhost:3306/registry</cacheId>
       <readOnly>false</readOnly>
       <enableCache>true</enableCache>
       <registryRoot>/</registryRoot>
</remoteInstance>

<mount path="/_system/governance" overwrite="true">
       <instanceId>gov</instanceId>
       <targetPath>/_system/governance</targetPath>
</mount>

<mount path="/_system/config" overwrite="true">
       <instanceId>gov</instanceId>
       <targetPath>/_system/config</targetPath>
</mount>

Open the api-manager.xml file found in the <APIM_HOME>/repository/conf directory and change the following.
1. Change the ServerURL of the AuthManager to point to IS.
  <ServerURL>https://${IS_SERVER_HOST}:{port}/services/</ServerURL>
2. Change the ServerURL of the APIKeyManager to point to IS.
  <ServerURL>https://${IS_SERVER_HOST}:{port}/services/</ServerURL>
3. Change the KeyValidatorClientType from ThriftClient to WSClient.
4. Change EnableThriftServer to false.
Navigate to the <AM_HOME>/repository/deployment/server/synapse-configs/default/api directory and change the URLs specified in the following files of the API Manager so that they point to the IS node. Note that when you run the API Manager in distributed mode, these configurations should be done in the API Gateway node.
- _AuthorizeAPI_.xml
- _RevokeAPI_.xml
- _TokenAPI_.xml
For example
```
<endpoint>
       <address uri="https://{ip_address_of_IS}:{IS_management_port}/oauth2/token"/>
</endpoint>
```

Make sure you add the MySQL JDBC driver to both servers. I.e. put the .jar file into the <PRODUCT_HOME>/repository/components/lib directory.