Usage of "OAuth2" policy action in CentraSite and Mediator


Contents

Introduction
Prerequisite
Configurations
  Mediator Configurations
    watt.server.auth.skipformediator
    The pg.oauth2 Parameters
Asset Creation and Deployment
Asset Consumption
Fetching and Using Your OAuth2 Access Tokens for Consumption
Overview of Access Keys
Invocation through SOAP UI
Troubleshooting

Introduction

Mediator extracts the OAuth2 access token from the request's HTTP header at run time and searches its list of consumers for the client that is defined by that access token in Integration Server. The type of OAuth2 authorization grant that Mediator supports is "Client Credentials". Client credentials are used as an authorization grant when the client is requesting access to protected resources based on an authorization previously arranged with the authorization server. That is, the client application gains authorization when it is registered with CentraSite.

OAuth2 Sequence Flow

Prerequisite

This tutorial assumes some basic knowledge of Mediator and Integration Server. You must configure the following in Mediator to support OAuth2:

a. Create an HTTPS port in Integration Server and enable it in the General screen of the Mediator Administration UI.
b. Set watt.server.auth.skipformediator to true and set the pg.oauth2.* parameters as appropriate.
c. Create a target instance in CentraSite pointing to the URL where Mediator is available.

Note: Mediator hosts a predefined service that consumers must invoke in order to receive OAuth2 access tokens.

Configurations

Mediator Configurations

watt.server.auth.skipformediator

Set watt.server.auth.skipformediator=true in the Integration Server Extended Settings. This parameter specifies whether Integration Server authenticates requests for Mediator. You must set this parameter to true. To do this:

a. In the Integration Server Administrator, click Settings > Extended.
b. Click Show and Hide Keys, look for the watt.server.auth.skipformediator property and ensure it is set to true.

If the watt.server.auth.skipformediator property is not present, add it as follows:

a. Click Edit Extended Settings.
b. Type watt.server.auth.skipformediator=true on a separate line.
c. Click Save.
d. Restart Integration Server.

The pg.oauth2 Parameters

For security reasons it is recommended to use HTTPS in your production environment. If you will be using HTTPS as the transport protocol over which the OAuth2 access tokens will be granted, you must set the following parameters in the Mediator properties file, which is located at:

Integration Server_directory\instances\instance_name\packages\wmmediator\config\resources\pg-config.properties

pg.oauth2.ishttps: Specifies the transport protocol over which the OAuth2 access tokens will be granted. Set this parameter to true for HTTPS (the default) or false for HTTP.

pg.oauth2.ports: If pg.oauth2.ishttps is set to true, specify a comma-separated list of the HTTPS ports on which the service mediator.oauth2.getoauth2accesstoken will be available.

Asset Creation and Deployment

Create a web service asset in CentraSite using the Business UI, pointing to the native web service URI where it is hosted.

Once the asset is created, click the "Virtualize" action in the "Action Bar" of the web service asset. You are prompted to provide the new virtual alias name and to select the endpoint to be virtualized; once done, click "Next". Once the virtual service is created, in the asset details under the "Actions Bar" click the "API Consumption Settings" action and select "OAuth2" as the asset consumption mechanism. There are other parameters as well, such as "Refresh Token After", which specifies the renewal time of the token being used. If you would like an approval to be triggered for managing the token generation / renewal process, enable the optional "Require Approval" check box. Once the settings are done, click "Configure". Now click the "Publish" action, select the Mediator / target instance where you want to deploy the asset, select the option "Expose to Consumers" and click the "Publish" button.

VSD Snippet

    <enforcement-actions allow-anon="false">
      <expressions>
        <expression>
          <params identify="strict" type="oauth2token" validate="true" />
        </expression>
      </expressions>
    </enforcement-actions>

Asset Consumption

Once the asset is published to the Mediator instance, consumers can view the asset in CentraSite. An interested consumer proceeds to view the details of the asset and clicks the "Consume" action.
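As an added example (not code from the tutorial or from the product), the following Python check parses a VSD enforcement-actions fragment like the one shown above and reports any deviation from the settings the tutorial shows: allow-anon must be "false", and an oauth2token params expression must be present with validate="true" and identify="strict". The second fragment is a constructed weakened variant for comparison. The reading of the attributes (allow-anon permits anonymous callers, validate controls token validation) is inferred from their names and the troubleshooting section, and is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import List

# VSD fragment as shown in the tutorial (the settings the check treats as correct)
SECURE_VSD = """<enforcement-actions allow-anon="false">
  <expressions>
    <expression>
      <params identify="strict" type="oauth2token" validate="true" />
    </expression>
  </expressions>
</enforcement-actions>"""

# Constructed weakened variant: anonymous access allowed and presented tokens not validated
WEAK_VSD = """<enforcement-actions allow-anon="true">
  <expressions>
    <expression>
      <params identify="strict" type="oauth2token" validate="false" />
    </expression>
  </expressions>
</enforcement-actions>"""


def audit_vsd(vsd_xml: str) -> List[str]:
    """Return a list of findings; an empty list means the fragment matches the tutorial's settings."""
    findings: List[str] = []
    root = ET.fromstring(vsd_xml)
    if root.tag != "enforcement-actions":
        return ["root element is not <enforcement-actions>"]

    # allow-anon="true" would let callers without an OAuth2 token reach the virtual service
    if root.get("allow-anon", "").lower() != "false":
        findings.append('allow-anon is not "false": anonymous access to the virtual service is allowed')

    params = root.findall("./expressions/expression/params")
    oauth_params = [p for p in params if p.get("type") == "oauth2token"]
    if not oauth_params:
        findings.append('no <params type="oauth2token"> expression: OAuth2 identification is not enforced')

    for p in oauth_params:
        if p.get("validate", "").lower() != "true":
            findings.append('oauth2token params has validate != "true": presented tokens are not validated')
        if p.get("identify") != "strict":
            findings.append(f'oauth2token identify is "{p.get("identify")}", expected "strict"')
    return findings


if __name__ == "__main__":
    print("secure:", audit_vsd(SECURE_VSD))
    print("weak:", audit_vsd(WEAK_VSD))
```

Run it against the VSD exported for each virtualized asset; any non-empty result means the asset is not protected the way the "API Consumption Settings" step intends.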

Provide the details of how you would like to consume the asset. In this case, since only the "OAuth" mechanism has been enabled, it is already selected by default. Provide the reason for the request and the consumer application name, then click the "Consume" button; as a result, a consumer application asset with the name provided here is created in CentraSite. Once this is done, the number of consumers shown in the Basic Information increases (hint: if there is no approval flow involved). Clicking on that number shows the "OAuth2 Client" asset created for the user (internal\inosec2) who wants to consume the asset.

Following the above link shows the "OAuth2 Identification Details" for the asset, which are used to consume the virtual service. The parameters in the "Identification Details" profile, used from here on to generate the OAuth2 access token, are:

a. Client ID: the unique ID of the consumer created in Integration Server.
b. Client Secret: a unique code/password used to validate the consumer.
c. Scope: the name of the virtual service asset deployed / ready for consumption.
d. Access Token Request URI: the URI the consumer should use to generate an access token for accessing the virtual service.

Fetching and Using Your OAuth2 Access Tokens for Consumption

Mediator provides out of the box a REST-based service that generates an OAuth2 access token for the virtual service asset deployed in Mediator. You obtain an OAuth2 access token by passing your client credentials to the Mediator-hosted REST service pub.mediator.oauth2.getOAuth2AccessToken. This service returns an OAuth2 access token that you subsequently include in your requests to call the API. The service's input parameters are:

  client_id
  client_secret
  scope (optional)

Set the Content-Type and the Accept HTTP headers to application/json.

Copy the access token URI and provide the input from a REST-based client to generate the access token. In this case we use SOAP UI to create a REST service pointing to the access token URI (for example: https://<is Host IP>:<HTTPS Port>/rest/pub.mediator.oauth2.getOAuth2AccessToken). The OAuth2 token is now successfully generated.

Overview of Access Keys

Users who have access to the services they are consuming can get an overview of their access keys in the Business UI by going to the user preferences screen.

Invocation through SOAP UI

a. Create a project in SOAP UI referring to the URI of the deployed asset.
b. Add the custom HTTP header Authorization with the value "Bearer --accesstoken--".
c. Invoke the service.
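The token request and the subsequent bearer-authenticated call described above, written out as an added Python example; it is not part of the tutorial and not Mediator's own code. So that the exchange runs offline, the Mediator side is replaced by constructed in-process stand-ins (fake_mediator for pub.mediator.oauth2.getOAuth2AccessToken and fake_virtual_service for the enforcement action in front of the virtual service) that reproduce the error cases listed under Troubleshooting: wrong URI (405), wrong client_id/client_secret ([ISS.0010.8008]), missing Authorization header, and an unknown or expired token. The Transport callable stands in for an HTTP library, the JSON layout of the token response is assumed to be the usual OAuth2 shape, the client id and secret are constructed values, and TOKEN_URI keeps the tutorial's host and port placeholders.

```python
import json
import secrets
from typing import Callable, Dict, Optional, Tuple

# Transport abstraction (an assumption made so the example runs offline): a callable
# taking (method, url, headers, body) and returning (status, body). A real client
# would wrap urllib.request or requests and talk to the Mediator HTTPS port.
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]

# Placeholder URI from the tutorial; substitute your Integration Server host and HTTPS port.
TOKEN_URI = "https://<is Host IP>:<HTTPS Port>/rest/pub.mediator.oauth2.getOAuth2AccessToken"


class TokenRequestError(Exception):
    """Raised when the token service answers with an OAuth2 error body."""


def fetch_access_token(send: Transport, client_id: str, client_secret: str,
                       scope: Optional[str] = None) -> str:
    """Client Credentials exchange against pub.mediator.oauth2.getOAuth2AccessToken.

    Sends client_id, client_secret and the optional scope as JSON, with both
    Content-Type and Accept set to application/json as the tutorial requires.
    """
    body: Dict[str, str] = {"client_id": client_id, "client_secret": client_secret}
    if scope:
        body["scope"] = scope
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    status, text = send("POST", TOKEN_URI, headers, json.dumps(body))
    payload = json.loads(text)
    if status != 200 or "error" in payload:
        # e.g. invalid_request / [ISS.0010.8008] when client_id or client_secret is wrong
        raise TokenRequestError(f"{payload.get('error')}: {payload.get('error_description')}")
    return payload["access_token"]


def bearer_header(access_token: str) -> Dict[str, str]:
    """The custom HTTP header added in SOAP UI before invoking the virtual service."""
    return {"Authorization": f"Bearer {access_token}"}


# ---- Constructed stand-in for the Mediator side (offline only). Response bodies are
# assumed to follow the usual OAuth2 JSON layout; they are not copied from Mediator. ----
REGISTERED_CLIENTS = {"consumer-client-id": "consumer-client-secret"}  # constructed OAuth2 Client
ISSUED_TOKENS: set = set()


def fake_mediator(method: str, url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, str]:
    """Emulates the token service: wrong URI -> 405, bad credentials -> invalid_request."""
    if method != "POST" or not url.endswith("/rest/pub.mediator.oauth2.getOAuth2AccessToken"):
        return 405, json.dumps({"error": "invalid_request", "error_description": "Method Not Allowed"})
    if headers.get("Content-Type") != "application/json":
        return 400, json.dumps({"error": "invalid_request", "error_description": "expected a JSON body"})
    req = json.loads(body or "{}")
    if REGISTERED_CLIENTS.get(req.get("client_id")) != req.get("client_secret"):
        return 400, json.dumps({"error": "invalid_request",
                                "error_description": "[ISS.0010.8008] client_id does not identify a registered client."})
    token = secrets.token_urlsafe(24)
    ISSUED_TOKENS.add(token)
    return 200, json.dumps({"access_token": token, "token_type": "bearer"})


def fake_virtual_service(headers: Dict[str, str]) -> Tuple[int, str]:
    """Emulates the OAuth2 enforcement action (allow-anon="false", validate="true")."""
    auth = headers.get("Authorization", "")
    if not auth:
        return 401, ("Mediator encountered an error: consumer could not be identified. "
                     "Anonymous access is not allowed for this service!")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or token not in ISSUED_TOKENS:
        return 401, "invalid_token"
    return 200, "ok"


if __name__ == "__main__":
    tok = fetch_access_token(fake_mediator, "consumer-client-id", "consumer-client-secret", "MyVirtualService")
    print(fake_virtual_service(bearer_header(tok)))
```

To use it against a real Mediator, replace fake_mediator with a Transport that performs the HTTPS POST; the client code itself (fetch_access_token and bearer_header) does not change.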

Troubleshooting

1. Port not accessible
   Exception: {"$errordump":"com.wm.app.b2b.server.portaccessexception: [ISS.0084.9101] Access Denied\r\n\tat
   What happened: While accessing the Mediator-hosted REST service that generates the OAuth2 access token, you get an access denied exception for the port.
   What should be done: Check that the port is enabled and that its Access Mode is "allow" (it is "deny" by default).

2. Invalid client id/secret during token generation
   Exception: { error: "invalid_request", error_description: "[ISS.0010.8008] client_id does not identify a registered client." }
   What happened: The client id and client secret provided do not match.
   What should be done: Check that the client_id and client_secret values provided are correct.

3. HTTP Status 405 Method Not Allowed
   What happened: The REST service URI (package) is invalid.
   What should be done: The URI to get the access token should be https://<ishost>:<httpsPortNumber>/rest/pub.mediator.oauth2.getoauth2accesstoken

4. Mediator encountered an error: consumer could not be identified. Anonymous access is not allowed for this service!
   What happened: No auth token was provided during service invocation.
   What should be done: Provide the Authorization header with the value "bearer accesstokenvalue" as a custom header.

5. HTTP Status 401 Unauthorized, invalid_token
   What happened: The access token is either invalid or expired.
   What should be done: Regenerate a new token.

6. HTTP Status 403 Forbidden, insufficient_scope
   What happened: Integration Server rejected the request to access this resource; the access token's scope is insufficient to access the resource.
   What should be done: Check that the property watt.server.auth.skipformediator=true is set; if not, enable it in the Extended settings.