Sending Notifications to External PEP Endpoints

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.


You can register external PEP endpoints in the WSO2 Identity Server. The Identity Server sends cache invalidation notifications (JSON, XML or EMAIL) to the pre-configured external PEP endpoints, using HTTP Basic authentication to authenticate to those endpoints.

This topic describes how you can enable the XACML engine to send invalidation notifications to these external PEP endpoints when there is a policy update or a change in user roles, permissions or attributes. This also clears the internal cache when user roles, permissions or attributes are updated.

  1. If you are using EMAIL as the notification method, configure email transport details using the axis2.xml file. Follow the steps below to configure this: 

    1. Navigate to the <IS_HOME>/repository/conf/axis2/axis2.xml file.

    2. Configure the relevant attributes according to your email account information. The following is a sample configuration.

      <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
        <parameter name="mail.smtp.from">wso2demomail@gmail.com</parameter>
        <parameter name="mail.smtp.user">wso2demomail</parameter>
        <parameter name="mail.smtp.password">mailpassword</parameter>
        <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
        <parameter name="mail.smtp.port">587</parameter>
        <parameter name="mail.smtp.starttls.enable">true</parameter>
        <parameter name="mail.smtp.auth">true</parameter>
      </transportSender>
  2. Create an email template in the <carbon-home>/repository/conf/email directory as shown below, and use its path in the configurations that follow. Here, entitlement-email-config.xml is a sample template containing the text below.

    Hi {username},
    XACML PDP policy store has been changed.
    Policy Id : {targetId}
    Action : {action}
    Policy : {target}
    Best Regards,
    http://xacmlinfo.org
  3. Do the following to send notifications to external endpoints when there is a policy change.

    1. Navigate to the <IS_HOME>/repository/conf/identity/entitlement.properties file.

    2. Make the following change.

      PAP.Status.Data.Handler.2=org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension

      Here the trailing number after "PAP.Status.Data.Handler" must be the smallest positive integer that is not already used by an existing "PAP.Status.Data.Handler" entry in the file.

  4. Additionally, add the following to the entitlement.properties file and adjust the values to your deployment. The sample is set up for email notifications; if you use email, change the recipient email address. For JSON or XML notifications, uncomment the matching notificationType line and the targetUrl line instead.

    #org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.1=notificationType,JSON
    #org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.1=notificationType,XML
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.1=notificationType,EMAIL
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.2=ignoreServerVerification,true
    #org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.3=targetUrl,http://targetUrlAddress;username;password
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.3=emailAddress,wso2demomail@gmail.com
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.4=pdpNotificationAction,ENABLE;DISABLE;UPDATE;DELETE
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.5=papNotification,true
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.6=pdpNotification,true
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.9=roleName, admin

    The following table lists out and describes the above attributes.

  5. In order to send notifications to external endpoints when a user attribute is updated, update the msg-mgt.properties file in the <IS_HOME>/repository/conf/identity/ directory and add the following configurations to it. Change it according to your notification module. The sample below shows how email notification can be configured.

    module.name.1=email
    email.subscription.1=userOperation
    email.subscription.userOperation.template=[IS_HOME]/repository/conf/email/entitlement-email-config.xml
    email.subscription.userOperation.salutation=Admin
    email.subscription.userOperation.subject=User operation change information
    email.subscription.userOperation.endpoint.1=privateMail
    email.subscription.userOperation.endpoint.privateMail.address=wso2demomail@gmail.com
    email.subscription.userOperation.endpoint.privateMail.salutation=wso2demomail@gmail.com
    email.subscription.userOperation.endpoint.privateMail.subject= The User Operation change has occurred.
    # email.subscription.userOperation.endpoint.2=wso2demomail@gmail.com
    email.subscription.userOperation.endpoint.officeMail.address=wso2demomail@gmail.com
    #
    email.subscription.2=policyUpdate
    email.subscription.policyUpdate.template=<full path to the carbon-home>/repository/conf/email/entitlement-email-config.xml
    email.subscription.policyUpdate.salutation=Admin
    email.subscription.policyUpdate.subject= policy update information mail
    email.subscription.policyUpdate.endpoint.1=privateMail
    email.subscription.policyUpdate.endpoint.privateMail.address=wso2demomail@gmail.com
    email.subscription.policyUpdate.endpoint.privateMail.salutation=Admin
    email.subscription.policyUpdate.endpoint.privateMail.subject=policy update information to private wso2demomail@gmail.com
    #
    #module.name.2=json
    #json.subscription.1=userOperation
    #json.subscription.userOperation.template=templatePath/jsonTemplate
    #json.subscription.userOperation.jsonId=3232
    #json.subscription.userOperation.endpoint.1=pepEndpoint1
    #json.subscription.userOperation.endpoint.pepEndpoint1.address=https://localhost:8080/testEndpoint1
    #json.subscription.userOperation.endpoint.pepEndpoint1.username=testUsername
    #json.subscription.userOperation.endpoint.pepEndpoint1.password=testPW
    #
    #json.subscription.userOperation.endpoint.2=pepEndpoint2
    #json.subscription.userOperation.endpoint.pepEndpoint2.address=https://localhost:8080/testEndpoint2
    threadPool.size = 10
  6. It is recommended to use https to communicate with external endpoints, because the Basic authentication credentials travel with every notification. In that case, import the endpoint's certificate into client-truststore.jks in the Identity Server rather than disabling server verification. You can use the Java keytool command to do it; the following is a sample command. Note that the default password for client-truststore.jks is "wso2carbon".

    keytool -import -alias wso2 -file <path_to_your_certificate_file>/yourCertificate.crt -keystore <CARBON_SERVER>/repository/resources/security/client-truststore.jks
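The following is an added example, not WSO2 code: a small audit script that parses the EntitlementNotificationExtension entries from entitlement.properties (the `key,value` format of step 4) and flags settings that undermine the transport security discussed in step 6, such as ignoreServerVerification=true or a plain-http targetUrl carrying Basic credentials. The sample properties and the host pep.example.internal are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Added example (not WSO2 code): audit EntitlementNotificationExtension settings.
PREFIX = "org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension."
LINE_RE = re.compile(re.escape(PREFIX) + r"(\d+)=([^,]+),(.*)$")


def parse_notification_props(text):
    """Return {key: value} for active (uncommented) extension entries."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            props[m.group(2).strip()] = m.group(3).strip()
    return props


def audit_notification_props(props):
    """Return (severity, message) findings; an empty list means no issue found."""
    findings = []
    ntype = props.get("notificationType", "").upper()
    if props.get("ignoreServerVerification", "false").lower() == "true":
        findings.append(("HIGH", "ignoreServerVerification=true disables TLS server certificate "
                         "checks; import the PEP certificate into client-truststore.jks instead"))
    if ntype in ("JSON", "XML"):
        target = props.get("targetUrl")
        if target is None:
            findings.append(("HIGH", f"notificationType={ntype} but no targetUrl set"))
        else:
            parts = target.split(";")  # page format: <url>;<username>;<password>
            if urlsplit(parts[0]).scheme != "https":
                findings.append(("HIGH", "targetUrl is not https; Basic auth credentials would travel in clear text"))
            if len(parts) != 3 or not all(parts):
                findings.append(("MEDIUM", "targetUrl must be <url>;<username>;<password>"))
    elif ntype == "EMAIL":
        if not props.get("emailAddress"):
            findings.append(("HIGH", "notificationType=EMAIL but no emailAddress set"))
    else:
        findings.append(("MEDIUM", f"unknown or missing notificationType '{ntype}'"))
    return findings


# Constructed sample in the page's entitlement.properties format (not a real deployment).
SAMPLE = "\n".join([
    PREFIX + "1=notificationType,JSON",
    PREFIX + "2=ignoreServerVerification,true",
    PREFIX + "3=targetUrl,http://pep.example.internal/notify;pepuser;pepsecret",
])
```

Running `audit_notification_props(parse_notification_props(SAMPLE))` on the constructed sample yields two HIGH findings; pointing targetUrl at an https endpoint and removing ignoreServerVerification clears both.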