Configure APIM 3.0.0 Key Manager User stores

Introduction

    The APIM 3.0.0 Key Manager runtime supports the following user stores by default:

        • JDBC user store
        • LDAP user store
Configure User stores

    Since the Key Manager ships with default JDBC and LDAP implementations, you select in the configuration which user store is used. JDBC is selected by default, and you can change the selection to LDAP.

    To change the connector type, edit the following property in deployment.yaml (JDBC shown, which is the default):

        connectorType: JDBC
        
Configure JDBC User store connector

    The JDBC connector reads the data source it uses from jdbcProperties:

        jdbcProperties:
          dataSource: WSO2_UM_DB

    By default the User Management DB's JNDI name is set to WSO2_UM_DB, and that data source needs to be configured in deployment.yaml as follows.

        dataSources:
          - name: WSO2_UM_DB
            description: The datasource used for user management
            # JNDI mapping of a data source
            jndiConfig:
              # JNDI name
              # THIS IS A MANDATORY FIELD
              name: jdbc/WSO2UM_DB
              # JNDI Reference Flag
              useJndiReference: false
            # data source definition
            definition:
              # data source type
              # THIS IS A MANDATORY FIELD
              type: RDBMS
              # data source configuration
              configuration:
                jdbcUrl: 'jdbc:h2:./database/UM_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000'
                username: wso2carbon
                password: wso2carbon
                driverClassName: org.h2.Driver
                maxPoolSize: 50
                idleTimeout: 60000
                connectionTestQuery: SELECT 1
                validationTimeout: 30000
                isAutoCommit: false
    
Configure LDAP User store connector

    LDAP-related configurations can be found under ldapProperties in deployment.yaml, as follows.

        ldapProperties:
          ldap.ConnectionName: uid=admin,ou=system
          ldap.GroupEntryObjectClass: groupOfNames
          ldap.UserNameSearchFilter: (&(objectClass=person)(uid=?))
          ldap.ConnectionURL: ldap://localhost:10389
          ldap.InitialContextFactory: com.sun.jndi.ldap.LdapCtxFactory
          ldap.connectorClass: org.wso2.carbon.auth.user.store.connector.ldap.LDAPUserStoreConnector
          ldap.GroupSearchBase: ou=Groups,dc=wso2,dc=org
          ldap.ConnectionPassword: admin
          ldap.UserNameAttribute: uid
          ldap.GroupSearchFilter: (&(objectClass=groupOfNames)(cn=?))
          ldap.UserEntryObjectClass: identityPerson
          ldap.GroupAttribute: cn
          ldap.SecurityAuthentication: simple
          ldap.UserNameListFilter: (objectClass=person)
          ldap.GroupListFilter: (objectClass=groupOfNames)
          ldap.UserSearchBase: ou=Users,dc=wso2,dc=org

    The LDAP server needs to be configured with user and group nodes. New schemas also need to be imported into the LDAP server before working with the Key Manager. These schemas can be found in the following location and can be imported into the LDAP server.

    You can use the following commands to import the schemas:

        ldapadd -Y EXTERNAL -H ldapi:// -f 1-wso2Person.ldif
        ldapadd -Y EXTERNAL -H ldapi:// -f 2-scimPerson.ldif
        ldapadd -Y EXTERNAL -H ldapi:// -f 3-identityPerson.ldif
        ldapadd -Y EXTERNAL -H ldapi:// -f userPassInfo.ldif

    You also need to create tree nodes for both users and groups in your LDAP.

    Example:

        ou=Groups,dc=wso2,dc=org
        ou=Users,dc=wso2,dc=org

    Alternatively, you can import group.ldif and users.ldif into LDAP to create them. Before importing, edit the dn records in those files to suit your LDAP.

    You can also get a preconfigured Docker image from Docker Hub under the name ruks/ldap.
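    As an added illustration (not code from WSO2 or from this page), the following Python shows how a placeholder filter such as ldap.UserNameSearchFilter above is turned into a concrete search filter for one user, escaping the substituted value per RFC 4515 so that a uid containing filter metacharacters is matched literally rather than interpreted. LDAP_PROPERTIES is a constructed subset of the ldapProperties snippet; escape_filter_value, render_filter, user_search and group_search are hypothetical helper names, not the connector's own API.

```python
# Added example, not WSO2 code: rendering the "?" placeholder filters from
# ldapProperties into concrete LDAP search filters with RFC 4515 escaping.

# Constructed subset of the ldapProperties snippet on this page.
LDAP_PROPERTIES = {
    "ldap.UserNameSearchFilter": "(&(objectClass=person)(uid=?))",
    "ldap.GroupSearchFilter": "(&(objectClass=groupOfNames)(cn=?))",
    "ldap.UserSearchBase": "ou=Users,dc=wso2,dc=org",
    "ldap.GroupSearchBase": "ou=Groups,dc=wso2,dc=org",
}

# RFC 4515 section 3: characters that must be escaped inside an assertion value,
# written as a backslash followed by the two-digit hex code of the byte.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for literal matching inside an LDAP search filter."""
    # Each character is mapped independently, so a backslash produced by one
    # escape is never re-escaped by another.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Replace the single '?' placeholder in a template with the escaped value."""
    if template.count("?") != 1:
        raise ValueError(f"template must contain exactly one '?': {template!r}")
    return template.replace("?", escape_filter_value(value))


def user_search(username: str) -> tuple:
    """Return (search base, filter) for looking up one user by uid."""
    return (LDAP_PROPERTIES["ldap.UserSearchBase"],
            render_filter(LDAP_PROPERTIES["ldap.UserNameSearchFilter"], username))


def group_search(groupname: str) -> tuple:
    """Return (search base, filter) for looking up one group by cn."""
    return (LDAP_PROPERTIES["ldap.GroupSearchBase"],
            render_filter(LDAP_PROPERTIES["ldap.GroupSearchFilter"], groupname))


if __name__ == "__main__":
    print(user_search("alice"))
    # A uid with filter metacharacters is escaped, so only the literal value matches.
    print(user_search("o'brien (temp)*"))
    print(group_search("admin"))
```

    The search base for each call comes from ldap.UserSearchBase or ldap.GroupSearchBase, so a user entry has to live under ou=Users,dc=wso2,dc=org (and a group under ou=Groups,dc=wso2,dc=org) for the rendered filter to find it, which is why the tree nodes above must exist before the connector is used.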

Changing other properties

    The full set of configuration parameters looks like the one below. You can override them and include them in the deployment.yaml of the appropriate runtime in order to configure the Key Manager components.

        wso2.carbon.auth:
          # User Store Configurations
          userStoreConfiguration:
            attributes:
              - attribute: userName
                displayName: Username
                regex: .*
                required: true
                unique: true
              - attribute: givenName
                displayName: First Name
                regex: .*
                required: false
                unique: false
              - attribute: lastName
                displayName: Last Name
                regex: .*
                required: false
                unique: false
              - attribute: email
                displayName: Email
                regex: .*
                required: false
                unique: false
              - attribute: phoneNumber
                displayName: Phone Number
                regex: .*
                required: false
                unique: false
              - attribute: address
                displayName: Address
                regex: .*
                required: false
                unique: false
              - attribute: organization
                displayName: Organization
                regex: .*
                required: false
                unique: false
            connectorType: JDBC
            hashAlgo: SHA256
            iterationCount: 4096
            jdbcProperties:
              dataSource: WSO2_UM_DB
            keyLength: 256
            ldapProperties:
              ldap.ConnectionName: uid=admin,ou=system
              ldap.GroupEntryObjectClass: groupOfNames
              ldap.UserNameSearchFilter: (&(objectClass=person)(uid=?))
              ldap.ConnectionURL: ldap://localhost:10389
              ldap.InitialContextFactory: com.sun.jndi.ldap.LdapCtxFactory
              ldap.connectorClass: org.wso2.carbon.auth.user.store.connector.ldap.LDAPUserStoreConnector
              ldap.GroupSearchBase: ou=Groups,dc=wso2,dc=org
              ldap.ConnectionPassword: admin
              ldap.UserNameAttribute: uid
              ldap.GroupSearchFilter: (&(objectClass=groupOfNames)(cn=?))
              ldap.UserEntryObjectClass: identityPerson
              ldap.GroupAttribute: cn
              ldap.SecurityAuthentication: simple
              ldap.UserNameListFilter: (objectClass=person)
              ldap.GroupListFilter: (objectClass=groupOfNames)
              ldap.UserSearchBase: ou=Users,dc=wso2,dc=org
            readOnly: false
            superUser: admin
            superUserPass: admin
          # Key Management Configurations
          keyManagerConfigs:
            # Access token default validity period
            defaultTokenValidityPeriod: 3600
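    As an added pre-flight check (not part of the WSO2 documentation or code base), the following Python validates the connector selection and the other properties above before the runtime is started: it confirms connectorType is JDBC or LDAP, that a JDBC selection points at a data source that actually exists in the dataSources section, that an LDAP selection has the properties it needs with exactly one "?" in each search filter, and it flags the shipped sample credentials (admin / wso2carbon), simple bind over plain ldap://, and iterationCount or keyLength values below the defaults shown. It assumes deployment.yaml has already been loaded into Python dicts (for example with PyYAML); DATA_SOURCES and AUTH_CONFIG are constructed dicts mirroring the snippets on this page, and validate and findings_for are hypothetical helper names.

```python
# Added example, not WSO2 code: pre-flight validation of the user store
# configuration. Assumes deployment.yaml was already parsed into dicts.
import copy

# Constructed, mirrors the dataSources snippet on this page (abridged).
DATA_SOURCES = [
    {"name": "WSO2_UM_DB",
     "jndiConfig": {"name": "jdbc/WSO2UM_DB"},
     "definition": {"type": "RDBMS",
                    "configuration": {"jdbcUrl": "jdbc:h2:./database/UM_DB",
                                      "username": "wso2carbon",
                                      "password": "wso2carbon"}}},
]

# Constructed, mirrors the wso2.carbon.auth snippet on this page (abridged).
AUTH_CONFIG = {
    "userStoreConfiguration": {
        "connectorType": "JDBC",
        "hashAlgo": "SHA256", "iterationCount": 4096, "keyLength": 256,
        "jdbcProperties": {"dataSource": "WSO2_UM_DB"},
        "ldapProperties": {
            "ldap.ConnectionURL": "ldap://localhost:10389",
            "ldap.ConnectionName": "uid=admin,ou=system",
            "ldap.ConnectionPassword": "admin",
            "ldap.SecurityAuthentication": "simple",
            "ldap.UserSearchBase": "ou=Users,dc=wso2,dc=org",
            "ldap.GroupSearchBase": "ou=Groups,dc=wso2,dc=org",
            "ldap.UserNameSearchFilter": "(&(objectClass=person)(uid=?))",
            "ldap.GroupSearchFilter": "(&(objectClass=groupOfNames)(cn=?))",
            "ldap.connectorClass": "org.wso2.carbon.auth.user.store.connector.ldap.LDAPUserStoreConnector",
        },
        "readOnly": False,
        "superUser": "admin",
        "superUserPass": "admin",
    },
}

# Properties the LDAP connector cannot work without (taken from the snippet above).
LDAP_REQUIRED = ("ldap.ConnectionURL", "ldap.ConnectionName", "ldap.ConnectionPassword",
                 "ldap.UserSearchBase", "ldap.GroupSearchBase",
                 "ldap.UserNameSearchFilter", "ldap.GroupSearchFilter", "ldap.connectorClass")

# Sample credentials shipped in the snippets; finding them in a deployed config is a warning.
DEFAULT_SECRETS = {"admin", "wso2carbon"}


def validate(auth: dict, data_sources: list) -> list:
    """Return 'ERROR: ...' / 'WARN: ...' findings for the config; an empty list means clean."""
    out = []
    us = auth["userStoreConfiguration"]
    ctype = us.get("connectorType")
    if ctype not in ("JDBC", "LDAP"):
        out.append(f"ERROR: connectorType must be JDBC or LDAP, got {ctype!r}")
    elif ctype == "JDBC":
        ds_name = us.get("jdbcProperties", {}).get("dataSource")
        ds = next((d for d in data_sources if d.get("name") == ds_name), None)
        if ds is None:
            out.append(f"ERROR: jdbcProperties.dataSource {ds_name!r} has no matching dataSources entry")
        elif ds["definition"]["configuration"].get("password") in DEFAULT_SECRETS:
            out.append(f"WARN: data source {ds_name} still uses the sample database password")
    else:
        ldap = us.get("ldapProperties", {})
        for key in LDAP_REQUIRED:
            if key not in ldap:
                out.append(f"ERROR: ldapProperties is missing {key}")
        url = ldap.get("ldap.ConnectionURL", "")
        if url.startswith("ldap://") and ldap.get("ldap.SecurityAuthentication") == "simple":
            out.append("WARN: simple bind over plain ldap:// sends the bind password unencrypted")
        if ldap.get("ldap.ConnectionPassword") in DEFAULT_SECRETS:
            out.append("WARN: ldap.ConnectionPassword is the sample value")
        for key in ("ldap.UserNameSearchFilter", "ldap.GroupSearchFilter"):
            if ldap.get(key, "").count("?") != 1:
                out.append(f"ERROR: {key} must contain exactly one '?' placeholder")
    if us.get("superUserPass") in DEFAULT_SECRETS:
        out.append("WARN: superUserPass is the sample value; change it before deployment")
    if int(us.get("iterationCount", 0)) < 4096:
        out.append("WARN: iterationCount below the shipped default of 4096")
    if int(us.get("keyLength", 0)) < 256:
        out.append("WARN: keyLength below the shipped default of 256")
    return out


def findings_for(connector_type: str) -> list:
    """Validate the sample config with connectorType switched to the given value."""
    cfg = copy.deepcopy(AUTH_CONFIG)
    cfg["userStoreConfiguration"]["connectorType"] = connector_type
    return validate(cfg, DATA_SOURCES)


if __name__ == "__main__":
    for ctype in ("JDBC", "LDAP"):
        print(ctype, *findings_for(ctype), sep="\n  ")
```

    Run against the snippets exactly as they appear on this page, the check reports no errors but warns about the sample admin and wso2carbon passwords and, for the LDAP selection, about the simple bind over an unencrypted ldap:// URL; those are the items to change before the configuration leaves a local test setup.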
References