This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Logging in to Liferay using the Identity Server

Deprecated Feature!

OpenID 2.0 has been deprecated in this release (WSO2 Identity Server 5.2.0) as it is now an obsolete specification and has been superseded by OpenID Connect. It will be removed from the base product in the next release (WSO2 Identity Server 5.3.0) and will be moved to the store. We recommend that you use OpenID Connect instead.

This topic provides instructions on how to use an OpenID issued by WSO2 Identity Server in an actual environment. In this scenario, the Liferay portal is the OpenID consumer, and the Liferay portal and the Identity Server are assumed to be set up on different hosts in a LAN. Liferay delivers enterprise solutions for portals, publishing, content, and collaboration.

  1. First download WSO2 Identity Server from here and extract it into a directory in your file system. Let's call this directory <PRODUCT_HOME>.
  2. Start the Identity Server by running the wso2server.sh (on UNIX) or wso2server.bat (on Windows) file found in the <PRODUCT_HOME>/bin directory. The Identity Server starts with a default configuration. If you examine the OpenID URL of a user (the default admin user in this instance) in the Identity Server, it looks like the following:

    https://localhost:9443/openid/admin

    However, this OpenID URL cannot be accessed by other hosts in your network, so the next logical step is to change the name of the host.

  3. Configure the host name as "wso2identity" (or any IP address).
    1. First configure the following parameters in carbon.xml, which can be found in the <PRODUCT_HOME>/repository/conf directory.

      <ServerURL>https://wso2identity:${carbon.management.port}${carbon.context}/services/</ServerURL>
      <HostName>wso2identity</HostName>
    2. Configure the following parameters in identity.xml, which can be found in the same location.

      <OpenIDServerUrl>https://wso2identity:9443/openidserver</OpenIDServerUrl>
      <OpenIDUserPattern>https://wso2identity:9443/openid/</OpenIDUserPattern>
  4. Restart the Identity Server. Now the OpenID URL is as follows:

    https://wso2identity:9443/openid/admin
  5. Download the latest version of the Liferay portal from here and extract it into a directory in your file system. Let's call this <LIFERAY_HOME> for the purposes of our scenario.
  6. Set CATALINA_HOME=<LIFERAY_HOME>/tomcat_dir.
  7. Start the Liferay portal by running the catalina.sh file (in UNIX) or the catalina.bat file (in Windows), which is found in the <CATALINA_HOME>/bin directory.
  8. Create a user account in Liferay and configure an OpenID that is issued by Identity Server: (https://wso2identity:9443/openid/admin).

  9. Now try to sign in by providing your OpenID. Do this by clicking Sign In at the top right of your screen. You may see the following error message. This occurs because one more configuration step is required if you use the default keystore, wso2carbon.jks, for the Identity Server.


    Liferay uses the Java cacerts file as its trust store. However, wso2carbon.jks contains a self-signed certificate, so its public certificate must be imported into the Java cacerts used by Liferay. Liferay can then trust the OpenID provided by WSO2 Identity Server.
  10. Import the WSO2 Identity Server public certificate into the cacerts.
    1. First export the wso2carbon certificate from wso2carbon.jks, which can be found in the <PRODUCT_HOME>/repository/resources/security directory. The following is a sample keytool command:

      > keytool -export -keystore wso2carbon.jks -file carbon.cert -alias localhost -keypass wso2carbon
    2. Import this into the cacerts file, which is found in the <JAVA_HOME>/jre/lib/security directory.

      > keytool -import -keystore cacerts -file carbon.cert -alias carbon -storepass changeit
  11. Then restart the Liferay portal. Now you can sign in to the Liferay portal using WSO2 Identity Server's OpenID.
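
The following is an added example, not part of the original WSO2 documentation: a shell check to run after step 10 that confirms the entry imported into cacerts is the same certificate that was exported from wso2carbon.jks, by comparing the SHA-256 fingerprints in keytool's verbose output. The function names are illustrative and the sample outputs embedded in the script are constructed.

```shell
#!/bin/sh
# Added example (not from the WSO2 docs). Live use after step 10:
#   exported=$(keytool -printcert -file carbon.cert)
#   imported=$(keytool -list -v -keystore cacerts -alias carbon -storepass changeit)
#   same_cert "$exported" "$imported" && echo "cacerts entry matches carbon.cert"

# Print the first SHA-256 fingerprint found in keytool verbose output (stdin),
# normalised to upper-case hex without colons; prints nothing if absent.
sha256_fp() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 |
        tr -d ':[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Print the owner CN, to compare with the host name clients connect to
# (wso2identity in this page's setup).
owner_cn() {
    sed -n 's/^Owner:.*CN=\([^,]*\).*/\1/p' | head -n 1
}

# Succeed only if both outputs carry the same complete (64 hex digit) fingerprint.
same_cert() {
    a=$(printf '%s\n' "$1" | sha256_fp)
    b=$(printf '%s\n' "$2" | sha256_fp)
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Constructed sample output: the fingerprints and owners are made up for the demo.
FP='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE'
SAMPLE_EXPORTED="Owner: CN=localhost, O=Example
Certificate fingerprints:
     SHA1: 01:02:03
     SHA256: $FP:FF"
SAMPLE_IMPORTED="Alias name: carbon
Entry type: trustedCertEntry
Owner: CN=localhost, O=Example
Certificate fingerprints:
     SHA256: $FP:FF"
SAMPLE_OTHER="Owner: CN=other.example, O=Example
Certificate fingerprints:
     SHA256: $FP:FE"

if same_cert "$SAMPLE_EXPORTED" "$SAMPLE_IMPORTED"; then
    echo "match, owner CN: $(printf '%s\n' "$SAMPLE_IMPORTED" | owner_cn)"
fi
same_cert "$SAMPLE_EXPORTED" "$SAMPLE_OTHER" || echo "mismatch detected"
```

If the owner CN printed for the imported entry differs from the host name configured in step 3, clients that verify host names may still reject the connection.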