Sunday, July 2, 2017

Clustering WSO2IOT for Mobile Device Management



As the diagram above shows, a clustered IoT Server deployment separates worker and manager nodes, but this split differs from the standard WSO2 Carbon worker/manager separation.
IoT Server includes an admin console that can be used by any user with administrative privileges. From it, those users can issue actions (operations) on enrolled devices; a device retrieves its actions by requesting its pending operations, either after being woken by a push notification or by polling at a pre-configured frequency.
Normally, administrative tasks should be run from the manager node.
There are two major deployment patterns for the manager node: running it inside the private network because of security constraints, or exposing it to end users so that they can control and view their own devices.
The manager node also runs the background tasks that keep device information, such as location and installed applications, up to date.

NGINX Configs



Please make sure that you have properly signed SSL certificates before starting. Note that four URLs are used for the cluster: two point at the workers, one at the manager and one at the key manager. When issuing the SSL certificate, make sure all four hostnames are included in its Subject Alternative Names, so that each SNI-selected virtual host below presents a valid certificate (the configuration below uses one wildcard certificate for all of them).


  1. iots310.wso2.com
  2. mgt.iots310.wso2.com
  3. keymgt.iots310.wso2.com
  4. gateway.iots310.wso2.com


This section provides instructions on how to configure Nginx as the load balancer. You can use any load balancer for your setup and Nginx is used here as an example. This covers the configuration in the main Nginx configuration file.
The location of this file varies depending on how you installed the software on your machine. For many distributions, the file is located at /etc/nginx/nginx.conf. If it does not exist there, it may also be at /usr/local/nginx/conf/nginx.conf or /usr/local/etc/nginx/nginx.conf. You can create separate files inside the conf.d for each configuration. Three different configuration files are used for the Manager, Key Manager and Worker node in the example provided in this page.


Manager  
Put this as mgt.conf in /etc/nginx/conf.d/


upstream mgt.iots310.wso2.com {
       ip_hash;
       server 192.168.57.124:9763;
}


server {
       listen 80;
       server_name mgt.iots310.wso2.com;
       client_max_body_size 100M;
       location / {
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_read_timeout 5m;
              proxy_send_timeout 5m;
              proxy_pass http://mgt.iots310.wso2.com;


              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
       }
}


upstream ssl.mgt.iots310.wso2.com {
   ip_hash;
   server 192.168.57.124:9443;
}


server {
       listen 443 ssl;
       server_name mgt.iots310.wso2.com;
       ssl_certificate /opt/keys/star_wso2_com.crt;
       ssl_certificate_key /opt/keys/iots310_wso2_com.key;
       client_max_body_size 100M;
       location / {
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_read_timeout 5m;
              proxy_send_timeout 5m;
              proxy_pass https://ssl.mgt.iots310.wso2.com;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
       }
}


Worker

The worker nodes are reached through two URLs.
  1. iots310.wso2.com
  2. gateway.iots310.wso2.com


Put this as wkr.conf in /etc/nginx/conf.d/

iots310.wso2.com



upstream iots310.wso2.com {
       ip_hash;
       server 192.168.57.125:9763;
       server 192.168.57.126:9763;
}


server {
       listen 80;
       server_name iots310.wso2.com;
       location / {
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_read_timeout 5m;
              proxy_send_timeout 5m;
              proxy_pass http://iots310.wso2.com;


              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
       }
}


upstream ssl.iots310.wso2.com {
   ip_hash;
   server 192.168.57.125:9443;
   server 192.168.57.126:9443;
}


server {
       listen 443 ssl;
       server_name iots310.wso2.com;
       ssl_certificate /opt/keys/star_wso2_com.crt;
       ssl_certificate_key /opt/keys/iots310_wso2_com.key;
       location / {
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_read_timeout 5m;
              proxy_send_timeout 5m;
              proxy_pass https://ssl.iots310.wso2.com;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
       }
}


gateway.iots310.wso2.com

Put this as gateway.conf in /etc/nginx/conf.d/


upstream gateway.iots310.wso2.com {
       ip_hash;
       server 192.168.57.125:8280;
       server 192.168.57.126:8280;
}


server {
       listen 80;
       server_name gateway.iots310.wso2.com;
       location / {
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_read_timeout 5m;
              proxy_send_timeout 5m;
              proxy_pass http://gateway.iots310.wso2.com;


              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
       }
}


upstream ssl.gateway.iots310.wso2.com {
   ip_hash;
   server 192.168.57.125:8243;
   server 192.168.57.126:8243;
}


server {
       listen 443 ssl;
       server_name gateway.iots310.wso2.com;
       ssl_certificate /opt/keys/star_wso2_com.crt;
       ssl_certificate_key /opt/keys/iots310_wso2_com.key;
       location / {
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_read_timeout 5m;
              proxy_send_timeout 5m;
              proxy_pass https://ssl.gateway.iots310.wso2.com;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
       }
}

Key Manager

Put this as keymgt.conf in /etc/nginx/conf.d/


upstream keymgt.iots310.wso2.com {
       ip_hash;
       server 192.168.57.127:9763;
}


server {
       listen 80;
       server_name keymgt.iots310.wso2.com;
       location / {
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_read_timeout 5m;
              proxy_send_timeout 5m;
              proxy_pass http://keymgt.iots310.wso2.com;


              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
       }
}


upstream ssl.keymgt.iots310.wso2.com {
   ip_hash;
   server 192.168.57.127:9443;
}


server {
       listen 443 ssl;
       server_name keymgt.iots310.wso2.com;
       ssl_certificate /opt/keys/star_wso2_com.crt;
       ssl_certificate_key /opt/keys/iots310_wso2_com.key;
       location / {
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Server $host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_read_timeout 5m;
              proxy_send_timeout 5m;
              proxy_pass https://ssl.keymgt.iots310.wso2.com;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
       }
}
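Every server block above sets X-Forwarded-For from $proxy_add_x_forwarded_for, which appends the connecting address to whatever header the client already sent rather than replacing it. A backend that reads the leftmost entry therefore trusts a client-supplied value. The following is an added example (not code from the page or from WSO2) showing how a backend behind this load balancer should resolve the client address: walk the chain from the right and skip the proxies you operate. The trusted range is a hypothetical value; the page does not state the NGINX host's address.

```python
import ipaddress

# Constructed for this example: the address range the NGINX load balancer
# lives in. Any hop inside it is a proxy we operate (hypothetical value).
TRUSTED_PROXY_NETS = [ipaddress.ip_network("192.168.57.0/24")]


def nginx_forwarded_for(incoming_header, remote_addr):
    """Model `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for`:
    NGINX appends the connecting peer's address to whatever header arrived,
    so a header the client forged is preserved, not replaced."""
    if incoming_header:
        return incoming_header + ", " + remote_addr
    return remote_addr


def naive_client_ip(xff_header):
    """The common mistake: take the leftmost entry, which the client controls."""
    return xff_header.split(",")[0].strip()


def client_ip(xff_header, peer_addr, trusted=TRUSTED_PROXY_NETS):
    """Resolve the client address the way a backend behind NGINX should.

    Walk the chain from the right (the hop nearest to us) and skip every
    address that belongs to a proxy we operate; the first address that is not
    ours is the client. Anything further left was written by the client and
    is not authenticated. Returns None on a malformed hop rather than guessing.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    hops.append(peer_addr)  # the TCP peer is always the last, trustworthy hop
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(addr in net for net in trusted):
            return str(addr)
    # Every hop was one of our proxies: the request originated inside our network.
    return hops[0]


if __name__ == "__main__":
    # A client at 203.0.113.7 sends a forged header; NGINX appends the real address.
    header = nginx_forwarded_for("10.0.0.1", "203.0.113.7")
    print("header seen by backend:", header)
    print("naive:", naive_client_ip(header))
    print("correct:", client_ip(header, "192.168.57.10"))
```

The same logic applies to X-Forwarded-Host: the backend should only honour forwarded headers that arrive from the load balancer's own address.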

Setting up the MySQL database


The required databases and the locations of their scripts are listed below. (Note that the CDM database also includes the Android, iOS, Windows and Certificate Management schemas, and the APP Manager database includes the Store and Social schemas, so five schemas suffice.)


  1. Registry Database - <PRODUCT_HOME>/dbscripts/mysql.sql
  2. User Manager Database - <PRODUCT_HOME>/dbscripts/mysql.sql
  3. APIM Database - <PRODUCT_HOME>/dbscripts/apimgt/mysql.sql
  4. CDM Database - <PRODUCT_HOME>/dbscripts/cdm/mysql.sql
    1. Certificate Mgt Database - <PRODUCT_HOME>/dbscripts/certMgt/mysql.sql
    2. Android Database - <PRODUCT_HOME>/dbscripts/cdm/plugins/android/mysql.sql
    3. iOS Database - <PRODUCT_HOME>/dbscripts/cdm/plugins/ios/mysql.sql
    4. Windows Database - <PRODUCT_HOME>/dbscripts/cdm/windows/mysql.sql
  5. APP Manager Database - <PRODUCT_HOME>/dbscripts/appmgt/mysql.sql
    1. Store Database - <PRODUCT_HOME>/dbscripts/storage/mysql/resource.sql
    2. Social Database -  <PRODUCT_HOME>/dbscripts/social/mysql/resource.sql


The databases are configured in the following files. Please note: make sure that you add the relevant JDBC driver to the <PRODUCT_HOME>/lib directory; in this case, mysql-connector-java-{version}.jar.


  1. <PRODUCT_HOME>/conf/datasources/master-datasources.xml
    1. Registry Database
    2. User Manager Database
    3. APIM Database
    4. APP Manager Database
      1. Store Database
      2. Social Database
  2. <PRODUCT_HOME>/conf/datasources/cdm-datasources.xml
    1. CDM Database (Please add the certMgt tables to CDM schema)
  3. <PRODUCT_HOME>/conf/datasources/android-datasources.xml
    1. Android Database
  4. <PRODUCT_HOME>/conf/datasources/ios-datasources.xml
    1. iOS Database
  5. <PRODUCT_HOME>/conf/datasources/windows-datasources.xml
    1. Windows Database


Database configs.
Sample DB config for the User Manager, Registry and App Manager databases in master-datasources.xml
       
    <datasource>
           <name>WSO2UM_DB</name>
           <description>The datasource used for User Manager database</description>
           <jndiConfig>
               <name>jdbc/WSO2UM_DB</name>
           </jndiConfig>
           <definition type="RDBMS">
               <configuration>
                   <url>jdbc:mysql://{hostname}:{port}/userdb?autoReconnect=true&amp;relaxAutoCommit=true</url>
                   <username>root</username>
                   <password>root</password>
                   <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                   <maxActive>50</maxActive>
                   <maxWait>60000</maxWait>
                   <testOnBorrow>true</testOnBorrow>
                   <validationQuery>SELECT 1</validationQuery>
                   <validationInterval>30000</validationInterval>
               </configuration>
           </definition>
       </datasource>


Sample DB config for APIM in MySQL (note the zeroDateTimeBehavior=convertToNull parameter required for MySQL)


       <datasource>
           <name>WSO2AM_DB</name>
           <description>The datasource used for API Manager database</description>
           <jndiConfig>
               <name>jdbc/WSO2AM_DB</name>
           </jndiConfig>
           <definition type="RDBMS">
               <configuration>
                   <url>jdbc:mysql://{hostname}:{port}/apim?autoReconnect=true&amp;relaxAutoCommit=true&amp;zeroDateTimeBehavior=convertToNull</url>
                   <username>root</username>
                   <password>root</password>
                   <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                   <maxActive>50</maxActive>
                   <maxWait>60000</maxWait>
                   <testOnBorrow>true</testOnBorrow>
                   <validationQuery>SELECT 1</validationQuery>
                   <validationInterval>30000</validationInterval>
               </configuration>
           </definition>
       </datasource>


Sample DB config for the CDM, Android, Windows and iOS databases.


   <datasources>
       <datasource>
           <name>DM_DS</name>
           <description>The datasource used for CDM</description>
           <jndiConfig>
               <name>jdbc/DM_DS</name>
           </jndiConfig>
           <definition type="RDBMS">
               <configuration>
                   <url>jdbc:mysql://{hostname}:3306/cdm?autoReconnect=true&amp;relaxAutoCommit=true</url>
                   <username>root</username>
                   <password>root</password>
                   <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                   <maxActive>50</maxActive>
                   <maxWait>60000</maxWait>
                   <testOnBorrow>true</testOnBorrow>
                   <validationQuery>SELECT 1</validationQuery>
                   <validationInterval>30000</validationInterval>
               </configuration>
           </definition>
       </datasource>
   </datasources>
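The datasource fragments above are templates: the host and port are placeholders, the credentials are root/root, and the page notes that the APIM URL needs zeroDateTimeBehavior=convertToNull. As an added example (not code from the page or from WSO2), the following audits a datasources file for exactly those points before the node goes live, plus one hardening check the page does not mention: whether the JDBC URL requests TLS to MySQL with useSSL=true. The sample XML is constructed in the shape of the fragments above; it is not a real deployment's file.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample in the shape of the master-datasources.xml fragments above.
# The first entry still carries placeholders and root/root; the second has a
# filled-in host but lacks the zeroDateTimeBehavior parameter needed for APIM.
SAMPLE_DATASOURCES = """<datasources-configuration>
  <datasources>
    <datasource>
      <name>WSO2UM_DB</name>
      <jndiConfig><name>jdbc/WSO2UM_DB</name></jndiConfig>
      <definition type="RDBMS">
        <configuration>
          <url>jdbc:mysql://{hostname}:{port}/userdb?autoReconnect=true&amp;relaxAutoCommit=true</url>
          <username>root</username>
          <password>root</password>
          <driverClassName>com.mysql.jdbc.Driver</driverClassName>
        </configuration>
      </definition>
    </datasource>
    <datasource>
      <name>WSO2AM_DB</name>
      <jndiConfig><name>jdbc/WSO2AM_DB</name></jndiConfig>
      <definition type="RDBMS">
        <configuration>
          <url>jdbc:mysql://192.168.57.123:3306/apim?autoReconnect=true&amp;relaxAutoCommit=true</url>
          <username>apim_user</username>
          <password>example-only-password</password>
          <driverClassName>com.mysql.jdbc.Driver</driverClassName>
        </configuration>
      </definition>
    </datasource>
  </datasources>
</datasources-configuration>
"""

# Credentials that ship as defaults and must not reach a clustered deployment.
DEFAULT_CREDENTIALS = {("root", "root"), ("wso2carbon", "wso2carbon")}


def parse_jdbc_url(url):
    """Split jdbc:mysql://host:port/db?k=v&k2=v2 into host, port, db and params."""
    prefix = "jdbc:mysql://"
    if not url.startswith(prefix):
        raise ValueError("not a MySQL JDBC URL: " + url)
    hostport, _, path = url[len(prefix):].partition("/")
    db, _, query = path.partition("?")
    host, _, port = hostport.partition(":")
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {"host": host, "port": port, "db": db, "params": params}


def audit_datasources(xml_text):
    """Return (datasource name, finding) pairs for each datasource in the file."""
    findings = []
    for ds in ET.fromstring(xml_text).iter("datasource"):
        name = ds.findtext("name")
        cfg = ds.find("./definition/configuration")
        if cfg is None:
            continue
        parsed = parse_jdbc_url(cfg.findtext("url", ""))
        creds = (cfg.findtext("username", ""), cfg.findtext("password", ""))
        if creds in DEFAULT_CREDENTIALS:
            findings.append((name, "default credentials"))
        if "{" in parsed["host"] or "{" in parsed["port"]:
            findings.append((name, "unfilled placeholder in host/port"))
        if name == "WSO2AM_DB" and parsed["params"].get("zeroDateTimeBehavior") != "convertToNull":
            findings.append((name, "zeroDateTimeBehavior=convertToNull missing"))
        if parsed["params"].get("useSSL", "").lower() != "true":
            findings.append((name, "useSSL=true not set on JDBC URL"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_datasources(SAMPLE_DATASOURCES):
        print(f"{name}: {finding}")
```

Run it against each node's master-datasources.xml (and the cdm/android/ios/windows datasource files) after filling in the templates; an empty result means the placeholders, credentials and MySQL parameters have all been dealt with.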

Registry Mounting



The registry is a virtual, directory-based repository. It can be federated across multiple databases, which is called registry mounting, and all WSO2 servers support it.


There are 3 types of registry repositories.
  1. Local - stores local instance related data.
  2. Config - contains product specific configuration (shared across multiple instances of the same product)
  3. Governance - contains data and configuration shared across the platform




See Remote Instance and Mount Configuration Details for more information on registry mounting and why it is useful. The mounts below must be configured on all nodes. Do the following steps to configure this.


Key manager registry mounting



<dbConfig name="mounted_registry">
       <dataSource>jdbc/WSO2REG_DB</dataSource>
</dbConfig>


<remoteInstance url="https://localhost:9443/registry">
       <id>instanceid</id>
       <dbConfig>mounted_registry</dbConfig>
       <readOnly>false</readOnly>
       <enableCache>true</enableCache>
       <registryRoot>/</registryRoot>
       <cacheId>root@jdbc:mysql://192.168.57.123:3306/govreg</cacheId>
</remoteInstance>


<mount path="/_system/config" overwrite="true">
       <instanceId>instanceid</instanceId>
       <targetPath>/_system/config/km</targetPath>
</mount>
<mount path="/_system/governance" overwrite="true">
       <instanceId>instanceid</instanceId>
       <targetPath>/_system/governance</targetPath>
</mount>


Worker and Manager Registry Mounting



<dbConfig name="mounted_registry">
       <dataSource>jdbc/WSO2REG_DB</dataSource>
</dbConfig>


<remoteInstance url="https://localhost:9443/registry">
       <id>instanceid</id>
       <dbConfig>mounted_registry</dbConfig>
       <readOnly>false</readOnly>
       <enableCache>true</enableCache>
       <registryRoot>/</registryRoot>
       <cacheId>root@jdbc:mysql://192.168.57.123:3306/govreg</cacheId>
</remoteInstance>


<mount path="/_system/config" overwrite="true">
       <instanceId>instanceid</instanceId>
       <targetPath>/_system/config/iot</targetPath>
</mount>
<mount path="/_system/governance" overwrite="true">
       <instanceId>instanceid</instanceId>
       <targetPath>/_system/governance</targetPath>
</mount>


Configuring the Key Manager (keymgt.iots310.wso2.com)



Mount the registry as mentioned above. Configure the following databases for the key manager in <PRODUCT_HOME>/conf/datasources/master-datasources.xml file.


  1. Registry DB
  2. User manager DB
  3. APIM DB


Change the following in <PRODUCT_HOME>/conf/carbon.xml. Make sure that the port offset is 0; if it is set to a higher value, reflect that in the NGINX config too.


<HostName>keymgt.iots310.wso2.com</HostName>
<MgtHostName>keymgt.iots310.wso2.com</MgtHostName>


Change the following configs in <PRODUCT_HOME>/bin/iot-server.sh


   -Diot.keymanager.host="keymgt.iots310.wso2.com" \
   -Diot.keymanager.https.port="443" \


Change <PRODUCT_HOME>/conf/identity/sso-idp-config.xml as follows to configure single sign-on for the following front-end applications. The changed lines are the AssertionConsumerServiceURL and DefaultAssertionConsumerServiceURL values, which now point at mgt.iots310.wso2.com.


<SSOIdentityProviderConfig>
   <TenantRegistrationPage>https://stratos-local.wso2.com/carbon/tenant-register/select_domain.jsp</TenantRegistrationPage>
   <ServiceProviders>
       <ServiceProvider>
           <Issuer>devicemgt</Issuer>
           <AssertionConsumerServiceURLs>
               <AssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/devicemgt/uuf/sso/acs</AssertionConsumerServiceURL>
           </AssertionConsumerServiceURLs>
           <DefaultAssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/devicemgt/uuf/sso/acs</DefaultAssertionConsumerServiceURL>
           <SignAssertion>true</SignAssertion>
           <SignResponse>true</SignResponse>
           <EnableAttributeProfile>false</EnableAttributeProfile>
           <IncludeAttributeByDefault>false</IncludeAttributeByDefault>
           <Claims>
               <Claim>http://wso2.org/claims/role</Claim>
               <Claim>http://wso2.org/claims/emailaddress</Claim>
           </Claims>
           <EnableAudienceRestriction>true</EnableAudienceRestriction>
           <EnableRecipients>true</EnableRecipients>
           <AudiencesList>
               <Audience>https://localhost:9443/oauth2/token</Audience>
           </AudiencesList>
           <RecipientList>
               <Recipient>https://localhost:9443/oauth2/token</Recipient>
           </RecipientList>
       </ServiceProvider>
       <ServiceProvider>
           <Issuer>store</Issuer>
           <AssertionConsumerServiceURLs>
               <AssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/store/acs</AssertionConsumerServiceURL>
           </AssertionConsumerServiceURLs>
           <DefaultAssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/store/acs</DefaultAssertionConsumerServiceURL>
           <SignResponse>true</SignResponse>
           <CustomLoginPage>/store/login.jag</CustomLoginPage>
       </ServiceProvider>
       <ServiceProvider>
           <Issuer>social</Issuer>
           <AssertionConsumerServiceURLs>
               <AssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/social/acs</AssertionConsumerServiceURL>
           </AssertionConsumerServiceURLs>
           <DefaultAssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/social/acs</DefaultAssertionConsumerServiceURL>
           <SignResponse>true</SignResponse>
           <CustomLoginPage>/social/login</CustomLoginPage>
       </ServiceProvider>
       <ServiceProvider>
           <Issuer>publisher</Issuer>
           <AssertionConsumerServiceURLs>
               <AssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/publisher/acs</AssertionConsumerServiceURL>
           </AssertionConsumerServiceURLs>
           <DefaultAssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/publisher/acs</DefaultAssertionConsumerServiceURL>
           <SignResponse>true</SignResponse>
           <CustomLoginPage>/publisher/controllers/login.jag</CustomLoginPage>
           <EnableAudienceRestriction>true</EnableAudienceRestriction>
           <AudiencesList>
               <Audience>carbonServer</Audience>
           </AudiencesList>
       </ServiceProvider>
       <ServiceProvider>
           <Issuer>API_STORE</Issuer>
           <AssertionConsumerServiceURLs>
               <AssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/api-store/jagg/jaggery_acs.jag</AssertionConsumerServiceURL>
           </AssertionConsumerServiceURLs>
           <DefaultAssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/api-store/jagg/jaggery_acs.jag</DefaultAssertionConsumerServiceURL>
           <SignResponse>true</SignResponse>
           <EnableAudienceRestriction>true</EnableAudienceRestriction>
           <AudiencesList>
               <Audience>carbonServer</Audience>
           </AudiencesList>
       </ServiceProvider>
       <ServiceProvider>
           <Issuer>portal</Issuer>
           <AssertionConsumerServiceURLs>
               <AssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/portal/acs</AssertionConsumerServiceURL>
           </AssertionConsumerServiceURLs>
           <DefaultAssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/portal/acs</DefaultAssertionConsumerServiceURL>
           <SignResponse>true</SignResponse>
           <EnableAudienceRestriction>true</EnableAudienceRestriction>
           <EnableRecipients>true</EnableRecipients>
           <AudiencesList>
               <Audience>https://localhost:9443/oauth2/token</Audience>
           </AudiencesList>
           <RecipientList>
               <Recipient>https://localhost:9443/oauth2/token</Recipient>
           </RecipientList>
       </ServiceProvider>
       <ServiceProvider>
           <Issuer>analyticsportal</Issuer>
           <AssertionConsumerServiceURLs>
               <AssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/portal/acs</AssertionConsumerServiceURL>
           </AssertionConsumerServiceURLs>
           <DefaultAssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/portal/acs</DefaultAssertionConsumerServiceURL>
           <SignResponse>true</SignResponse>
           <EnableAudienceRestriction>true</EnableAudienceRestriction>
           <EnableRecipients>true</EnableRecipients>
           <AudiencesList>
               <Audience>https://localhost:9443/oauth2/token</Audience>
           </AudiencesList>
           <RecipientList>
               <Recipient>https://localhost:9443/oauth2/token</Recipient>
           </RecipientList>
       </ServiceProvider>
   </ServiceProviders>
</SSOIdentityProviderConfig>


Start the server with the command ‘<PRODUCT_HOME>/bin/iot-server.sh start’.
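The sso-idp-config.xml above does two security jobs: the AssertionConsumerServiceURLs list tells the key manager where it may send a signed SAML response for each issuer, and EnableAudienceRestriction / EnableRecipients (together with validateAssertionValidityPeriod on the SP side) tell the consumer which assertions to accept. The following is an added example (not WSO2 code, and not a SAML implementation) that reads a constructed excerpt in the same shape and applies those rules, so you can see which misconfigurations the flags guard against. The assertion is represented as a plain dict of the fields a parsed SAML assertion would carry; the fixed clock NOW is an assumption for reproducibility.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the shape of sso-idp-config.xml above: one provider
# with audience and recipient checks switched on, one without.
SAMPLE_SSO_CONFIG = """<SSOIdentityProviderConfig>
  <ServiceProviders>
    <ServiceProvider>
      <Issuer>devicemgt</Issuer>
      <AssertionConsumerServiceURLs>
        <AssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/devicemgt/uuf/sso/acs</AssertionConsumerServiceURL>
      </AssertionConsumerServiceURLs>
      <DefaultAssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/devicemgt/uuf/sso/acs</DefaultAssertionConsumerServiceURL>
      <SignAssertion>true</SignAssertion>
      <SignResponse>true</SignResponse>
      <EnableAudienceRestriction>true</EnableAudienceRestriction>
      <EnableRecipients>true</EnableRecipients>
      <AudiencesList><Audience>https://localhost:9443/oauth2/token</Audience></AudiencesList>
      <RecipientList><Recipient>https://localhost:9443/oauth2/token</Recipient></RecipientList>
    </ServiceProvider>
    <ServiceProvider>
      <Issuer>store</Issuer>
      <AssertionConsumerServiceURLs>
        <AssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/store/acs</AssertionConsumerServiceURL>
      </AssertionConsumerServiceURLs>
      <DefaultAssertionConsumerServiceURL>https://mgt.iots310.wso2.com:443/store/acs</DefaultAssertionConsumerServiceURL>
      <SignResponse>true</SignResponse>
    </ServiceProvider>
  </ServiceProviders>
</SSOIdentityProviderConfig>
"""

# Fixed "current time" (assumption) so the validity-period checks are reproducible.
NOW = datetime(2017, 7, 2, 12, 0, tzinfo=timezone.utc)


def load_service_providers(xml_text):
    """Index the <ServiceProvider> entries by their Issuer value."""
    providers = {}
    for sp in ET.fromstring(xml_text).iter("ServiceProvider"):
        acs = {e.text.strip() for e in sp.iter("AssertionConsumerServiceURL")}
        default_acs = sp.findtext("DefaultAssertionConsumerServiceURL")
        if default_acs:
            acs.add(default_acs.strip())
        providers[sp.findtext("Issuer")] = {
            "acs_urls": acs,
            "audience_check": sp.findtext("EnableAudienceRestriction", "false") == "true",
            "audiences": {e.text.strip() for e in sp.iter("Audience")},
            "recipient_check": sp.findtext("EnableRecipients", "false") == "true",
            "recipients": {e.text.strip() for e in sp.iter("Recipient")},
        }
    return providers


def check_acs(providers, sp_issuer, requested_acs):
    """IdP side: only deliver the SAML response to an ACS registered for that
    issuer, so a crafted AuthnRequest cannot redirect the signed response."""
    sp = providers.get(sp_issuer)
    if sp is None:
        return (False, "unknown issuer")
    if requested_acs not in sp["acs_urls"]:
        return (False, "AssertionConsumerServiceURL not registered")
    return (True, "ok")


def validate_assertion(providers, assertion, now=NOW):
    """SP side: the checks that EnableAudienceRestriction, EnableRecipients and
    validateAssertionValidityPeriod turn on, applied to a parsed assertion."""
    sp = providers.get(assertion["sp_issuer"])
    if sp is None:
        return (False, "unknown issuer")
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return (False, "assertion outside its validity period")
    if sp["audience_check"] and assertion.get("audience") not in sp["audiences"]:
        return (False, "audience restriction failed")
    if sp["recipient_check"] and assertion.get("recipient") not in sp["recipients"]:
        return (False, "recipient check failed")
    return (True, "ok")


def sample_assertion(sp_issuer, minutes_left=5, **overrides):
    """Constructed assertion for `sp_issuer` that is valid at NOW; overrides
    (e.g. audience="...") let you exercise each check."""
    assertion = {
        "sp_issuer": sp_issuer,
        "audience": "https://localhost:9443/oauth2/token",
        "recipient": "https://localhost:9443/oauth2/token",
        "not_before": NOW - timedelta(minutes=1),
        "not_on_or_after": NOW + timedelta(minutes=minutes_left),
    }
    assertion.update(overrides)
    return assertion
```

Note that the Audience and Recipient values in the page's config are left at https://localhost:9443/oauth2/token; the consumer's own configuration must use the same string, otherwise every assertion for devicemgt and portal fails the audience check once the restriction is enabled.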

Configuring the Manager (mgt.iots310.wso2.com)



Mount the registry as mentioned above. Configure the following databases for the manager node in the <PRODUCT_HOME>/conf/datasources/master-datasources.xml file.


  1. Registry DB
  2. User Manager DB
  3. APIM DB
  4. APP Manager DB (the following schemas go into the same database)
    1. Social DB
    2. Storage DB
  5. CDM DB (the following schemas go into the same database)
    1. Certificate Mgt
    2. Android DB
    3. iOS DB
    4. Windows DB


Change the following in <PRODUCT_HOME>/conf/carbon.xml. Make sure that the port offset is 0; if it is set to a higher value, reflect that in the NGINX config too.


<HostName>iots310.wso2.com</HostName>
<MgtHostName>mgt.iots310.wso2.com</MgtHostName>


Change the following configs in <PRODUCT_HOME>/bin/iot-server.sh (all of the lines below are the ones to edit):


   -Diot.manager.host="mgt.iots310.wso2.com" \
   -Diot.manager.https.port="443" \
   -Diot.core.host="iots310.wso2.com" \
   -Diot.core.https.port="443" \
   -Diot.keymanager.host="keymgt.iots310.wso2.com" \
   -Diot.keymanager.https.port="443" \
   -Diot.gateway.host="gateway.iots310.wso2.com" \
   -Diot.gateway.https.port="443" \
   -Diot.gateway.http.port="80" \
   -Diot.gateway.carbon.https.port="443" \
   -Diot.gateway.carbon.http.port="80" \
   -Diot.apimpublisher.host="gateway.iots310.wso2.com" \
   -Diot.apimpublisher.https.port="443" \
   -Diot.apimstore.host="gateway.iots310.wso2.com" \
   -Diot.apimstore.https.port="443" \


Change the config on <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json for SSO as follows.


   "ssoConfiguration": {
       "enabled": true,
       "issuer": "store",
       "identityProviderURL": "https://keymgt.iots310.wso2.com/samlsso",
       "keyStorePassword": "wso2carbon",
       "identityAlias": "wso2carbon",
       "responseSigningEnabled": "true",
       "storeAcs" : "https://mgt.iots310.wso2.com/store/acs",
       "keyStoreName": "/repository/resources/security/wso2carbon.jks",
       "validateAssertionValidityPeriod": true,
       "validateAudienceRestriction": true,
       "assertionSigningEnabled": true
   },


Change the config on <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json for SSO as follows.


   "ssoConfiguration": {
       "enabled": true,
       "issuer": "publisher",
       "identityProviderURL": "https://keymgt.iots310.wso2.com/samlsso",
       "keyStorePassword": "wso2carbon",
       "identityAlias": "wso2carbon",
       "responseSigningEnabled": "true",
       "publisherAcs": "https://mgt.iots310.wso2.com/publisher/sso",
       "keyStoreName": "/repository/resources/security/wso2carbon.jks",
       "validateAssertionValidityPeriod": true,
       "validateAudienceRestriction": true,
       "assertionSigningEnabled": true
   },


Change the config on <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/api-store/site/conf/site.json for SSO as follows.


   "ssoConfiguration" : {
       "enabled" : "true",
       "issuer" : "API_STORE",
       "identityProviderURL" : "https://keymgt.iots310.wso2.com/samlsso",
       "keyStorePassword" : "",
       "identityAlias" : "",
       "responseSigningEnabled":"true",
       "assertionSigningEnabled":"true",
       "keyStoreName" :"",
       "passive" : "false",
       "signRequests" : "true",
       "assertionEncryptionEnabled" : "false"
   },


Change the config on <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/android-web-agent/app/conf/config.json to set the agent download URL.


   "generalConfig" : {
       "host" : "https://mgt.iots310.wso2.com",
       "companyName" : "WSO2 IoT Server",
       "browserTitle" : "WSO2 IoT Server",
       "copyrightText" : "\u00A9 %date-year%, WSO2 Inc. (http://www.wso2.org) All Rights Reserved."
   },


Change the config on <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/devicemgt/app/conf/config.json to reflect the host used by the bar code scanner.


 "generalConfig": {
   "host": "https://mgt.iots310.wso2.com",
   "companyName": "WSO2 Carbon Device Manager",
   "browserTitle": "WSO2 Device Manager",
   "copyrightPrefix": "\u00A9 %date-year%, ",
   "copyrightOwner": "WSO2 Inc.",
   "copyrightOwnersSite": "http://www.wso2.org",
   "copyrightSuffix": " All Rights Reserved."
 },


Start the server with the command ‘<PRODUCT_HOME>/bin/iot-server.sh start’.

Configuring the Worker Nodes (iots310.wso2.com, gateway.iots310.wso2.com)



Mount the registry as mentioned above. Configure the following databases for the worker nodes in the <PRODUCT_HOME>/conf/datasources/master-datasources.xml file.


  1. Registry DB
  2. User Manager DB
  3. APIM DB
  4. APP Manager DB (the following schemas go into the same database)
    1. Social DB
    2. Storage DB
  5. CDM DB (the following schemas go into the same database)
    1. Certificate Mgt
    2. Android DB
    3. iOS DB
    4. Windows DB


Change the following in <PRODUCT_HOME>/conf/carbon.xml. Make sure that the port offset is 0; if it is set to a higher value, reflect that in the NGINX config too.


<HostName>iots310.wso2.com</HostName>
<MgtHostName>mgt.iots310.wso2.com</MgtHostName>


Change the following configs in <PRODUCT_HOME>/bin/iot-server.sh


   -Diot.manager.host="mgt.iots310.wso2.com" \
   -Diot.manager.https.port="443" \
   -Diot.core.host="iots310.wso2.com" \
   -Diot.core.https.port="443" \
   -Diot.keymanager.host="keymgt.iots310.wso2.com" \
   -Diot.keymanager.https.port="443" \
   -Diot.gateway.host="gateway.iots310.wso2.com" \
   -Diot.gateway.https.port="443" \
   -Diot.gateway.http.port="80" \
   -Diot.gateway.carbon.https.port="443" \
   -Diot.gateway.carbon.http.port="80" \
   -Diot.apimpublisher.host="gateway.iots310.wso2.com" \
   -Diot.apimpublisher.https.port="443" \
   -Diot.apimstore.host="gateway.iots310.wso2.com" \
   -Diot.apimstore.https.port="443" \


Change the following in both android.xml and windows.xml under <PRODUCT_HOME>/repository/deployment/server/devicetypes.


   <TaskConfiguration>
       <Enable>false</Enable>
   ……...
   </TaskConfiguration>
   <PolicyMonitoring enabled="false"/>


For the workers to operate, make sure that each worker is started one at a time with the following settings changed in <PRODUCT_HOME>/conf/etc/webapp-publisher-config.xml:
       <PublishAPI>true</PublishAPI>
       <EnabledUpdateApi>true</EnabledUpdateApi>


This makes sure that the Synapse configs are published to <PRODUCT_HOME>/repository/deployment/server/synapse-configs/default/api. After publishing, set both values back to false. Start the server by executing the command ‘<PRODUCT_HOME>/bin/iot-server.sh start’.
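The manager and worker sections both tell you to keep the -D host and port properties in iot-server.sh in step with the NGINX configuration. As an added example (not code from the page or from WSO2), the following parses those lines and checks every *.host/*.port pair against the (server_name, listen port) set the NGINX configs define, so a mismatch such as a node still pointing at the Carbon port 9443 instead of the load balancer's 443 is caught before devices start failing to enrol. The -D fragment and the listener set are copied from the page's values; the script file layout is an assumption.

```python
import re

# Constructed: the -D lines from iot-server.sh in the manager section above,
# pasted as a practitioner would copy them.
IOT_SERVER_ARGS = """
   -Diot.manager.host="mgt.iots310.wso2.com" \\
   -Diot.manager.https.port="443" \\
   -Diot.core.host="iots310.wso2.com" \\
   -Diot.core.https.port="443" \\
   -Diot.keymanager.host="keymgt.iots310.wso2.com" \\
   -Diot.keymanager.https.port="443" \\
   -Diot.gateway.host="gateway.iots310.wso2.com" \\
   -Diot.gateway.https.port="443" \\
   -Diot.gateway.http.port="80" \\
   -Diot.gateway.carbon.https.port="443" \\
   -Diot.gateway.carbon.http.port="80" \\
   -Diot.apimpublisher.host="gateway.iots310.wso2.com" \\
   -Diot.apimpublisher.https.port="443" \\
   -Diot.apimstore.host="gateway.iots310.wso2.com" \\
   -Diot.apimstore.https.port="443" \\
"""

# The (server_name, listen port) pairs defined in the NGINX configs above.
NGINX_LISTENERS = {
    ("mgt.iots310.wso2.com", 80), ("mgt.iots310.wso2.com", 443),
    ("iots310.wso2.com", 80), ("iots310.wso2.com", 443),
    ("gateway.iots310.wso2.com", 80), ("gateway.iots310.wso2.com", 443),
    ("keymgt.iots310.wso2.com", 80), ("keymgt.iots310.wso2.com", 443),
}

_DPROP = re.compile(r'-D([\w.]+)="([^"]*)"')


def parse_dprops(text):
    """Collect -Dkey="value" pairs from the script fragment into a dict."""
    return {key: value for key, value in _DPROP.findall(text)}


def check_endpoints(props, listeners):
    """For every *.port property, find the *.host of the same role and confirm
    the load balancer really listens on that host:port. Returns findings."""
    findings = []
    roles = {k[:-len(".host")]: v for k, v in props.items() if k.endswith(".host")}
    for key, value in sorted(props.items()):
        if not key.endswith(".port"):
            continue
        # Longest matching role prefix, so iot.gateway.carbon.* maps to iot.gateway.
        role = max((r for r in roles if key.startswith(r + ".")), key=len, default=None)
        if role is None:
            findings.append(f"{key}: no matching *.host property")
            continue
        host, port = roles[role], int(value)
        if (host, port) not in listeners:
            findings.append(f"{key}: {host}:{port} has no NGINX listener")
    return findings


if __name__ == "__main__":
    problems = check_endpoints(parse_dprops(IOT_SERVER_ARGS), NGINX_LISTENERS)
    print("\n".join(problems) if problems else "all -D endpoints have an NGINX listener")
```

To use it on a real node, read the -D block out of <PRODUCT_HOME>/bin/iot-server.sh and derive the listener set from the server_name and listen directives in /etc/nginx/conf.d/*.conf; if you run with a port offset, the NGINX upstream ports must move by the same amount, which this check does not cover.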


Configuring the App Manager



The Application Manager (both publisher and store) runs on the manager node.


Change the config on <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/store/config/store.json for SSO as follows.


   "ssoConfiguration": {
       "enabled": true,
       "issuer": "store",
       "identityProviderURL": "https://keymgt.iots310.wso2.com/samlsso",
       "keyStorePassword": "wso2carbon",
       "identityAlias": "wso2carbon",
       "responseSigningEnabled": "true",
       "storeAcs" : "https://mgt.iots310.wso2.com/store/acs",
       "keyStoreName": "/repository/resources/security/wso2carbon.jks",
       "validateAssertionValidityPeriod": true,
       "validateAudienceRestriction": true,
       "assertionSigningEnabled": true
   },


Change the config on <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/publisher/config/publisher.json for SSO as follows.


   "ssoConfiguration": {
       "enabled": true,
       "issuer": "publisher",
       "identityProviderURL": "https://keymgt.iots310.wso2.com/samlsso",
       "keyStorePassword": "wso2carbon",
       "identityAlias": "wso2carbon",
       "responseSigningEnabled": "true",
       "publisherAcs": "https://mgt.iots310.wso2.com/publisher/sso",
       "keyStoreName": "/repository/resources/security/wso2carbon.jks",
       "validateAssertionValidityPeriod": true,
       "validateAudienceRestriction": true,
       "assertionSigningEnabled": true
   },


Change the config on <PRODUCT_HOME>/conf/app-manager.xml


<Config name="AppDownloadURLHost">http://mgt.iots310.wso2.com</Config>


iOS Clustering



Before you begin, make sure that the iOS features are installed on both the worker (backend) and manager nodes, and remove the following files from <PRODUCT_HOME>/repository/deployment/server/synapse-configs/default/api/:
  1. admin--IOS-Enrollment-Profile.xml
  2. admin--IOS-Enrollment-Scep.xml
  3. admin--IOS-Enrollment.xml

Generating certificates (CA, RA and SSL)



Use the following script to create the certificates. Create an “output” folder first and use the NGINX private key (iots310_wso2_com.key) as the CA key.


Please note: this should be done on one server only, and the resulting certificates must be copied to the other servers.


#!/bin/bash
# Usage: <script> <SSL common name>   (the CN of the server certificate, e.g. iots310.wso2.com)
# Expects ./output/iots310_wso2_com.key (the NGINX private key, reused here as the CA key)
# and ./needed_files/openssl.cnf containing the v3_ca and v3_req extension sections.
set -e
if [ -z "$1" ]; then
    echo "usage: $0 <SSL common name>" >&2
    exit 1
fi

SSL_PASS="wso2carbon"
CA_SUBJ="/C=SL/ST=Western/L=Colombo/O=WSO2/OU=CDM/CN=*.iots310.wso2.com/EMAILADDRESS=noreply@wso2.com"
RA_SUBJ="/C=SL/ST=Western/L=Colombo/O=WSO2/OU=CDM/CN=iots310.wso2.com/EMAILADDRESS=noreply@wso2.com"
SSL_SUBJ="/C=SL/ST=Western/L=Colombo/O=WSO2/OU=CDM/CN=$1"

# CA: a self-signed certificate over the existing NGINX key, plus PEM copies of key and cert
echo "Generating CA"
openssl req -new -key ./output/iots310_wso2_com.key -out ./output/ca.csr -subj "$CA_SUBJ"
openssl x509 -req -days 365 -in ./output/ca.csr -signkey ./output/iots310_wso2_com.key -out ./output/ca.crt -extensions v3_ca -extfile ./needed_files/openssl.cnf
openssl rsa -in ./output/iots310_wso2_com.key -text > ./output/ca_private.pem
openssl x509 -in ./output/ca.crt -out ./output/ca_cert.pem

# RA: a fresh 4096-bit key and a certificate issued by the CA above
echo "Generating RA"
openssl genrsa -out ./output/ra_private.key 4096
openssl req -new -key ./output/ra_private.key -out ./output/ra.csr -subj "$RA_SUBJ"
openssl x509 -req -days 365 -in ./output/ra.csr -CA ./output/ca.crt -CAkey ./output/iots310_wso2_com.key -set_serial 12132121241241 -out ./output/ra.crt -extensions v3_req -extfile ./needed_files/openssl.cnf
openssl rsa -in ./output/ra_private.key -text > ./output/ra_private.pem
openssl x509 -in ./output/ra.crt -out ./output/ra_cert.pem

# SSL: the server certificate for the CN given on the command line, issued by the CA
echo "Generating SSL"
openssl genrsa -out ./output/ia.key 4096
openssl req -new -key ./output/ia.key -out ./output/ia.csr -subj "$SSL_SUBJ"
openssl x509 -req -days 730 -in ./output/ia.csr -CA ./output/ca_cert.pem -CAkey ./output/ca_private.pem -set_serial 34467867966445 -out ./output/ia.crt

# Bundle each key/certificate pair as PKCS12 so keytool can import them
echo "Export to PKCS12"
openssl pkcs12 -export -out ./output/KEYSTORE.p12 -inkey ./output/ia.key -in ./output/ia.crt -CAfile ./output/ca_cert.pem -name "ioscluster" -password pass:$SSL_PASS
openssl pkcs12 -export -out ./output/ca.p12 -inkey ./output/ca_private.pem -in ./output/ca_cert.pem -name "cacert" -password pass:$SSL_PASS
openssl pkcs12 -export -out ./output/ra.p12 -inkey ./output/ra_private.pem -in ./output/ra_cert.pem -chain -CAfile ./output/ca_cert.pem -name "racert" -password pass:$SSL_PASS

# Import into the JKS files the server expects: wso2carbon.jks, client-truststore.jks and wso2certs.jks
echo "Export PKCS12 to JKS"
keytool -importkeystore -srckeystore ./output/KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore ./output/wso2carbon.jks -deststorepass wso2carbon -srcstorepass wso2carbon -noprompt
keytool -importkeystore -srckeystore ./output/KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore ./output/client-truststore.jks -deststorepass wso2carbon -srcstorepass wso2carbon -noprompt
keytool -importkeystore -srckeystore ./output/ca.p12 -srcstoretype PKCS12 -destkeystore ./output/wso2certs.jks -deststorepass wso2carbon -srcstorepass wso2carbon -noprompt
keytool -importkeystore -srckeystore ./output/ra.p12 -srcstoretype PKCS12 -destkeystore ./output/wso2certs.jks -deststorepass wso2carbon -srcstorepass wso2carbon -noprompt

Change the following lines in <PRODUCT_HOME>/conf/iot-api-config.xml on the manager node (the hostnames are the changed values).
   <VerificationEndpoint>https://iots310.wso2.com/api/certificate-mgt/v1.0/admin/certificates/verify/</VerificationEndpoint>
   <DynamicClientRegistrationEndpoint>https://keymgt.iots310.wso2.com/client-registration/v0.11/register</DynamicClientRegistrationEndpoint>
   <OauthTokenEndpoint>https://gateway.iots310.wso2.com/token</OauthTokenEndpoint>


Change the following in <PRODUCT_HOME>/conf/certificate-config.xml. Please note: if you used a different password in the script, change these values accordingly.


       <CAPrivateKeyPassword>wso2carbon</CAPrivateKeyPassword>
       <RAPrivateKeyPassword>wso2carbon</RAPrivateKeyPassword>


Change <PRODUCT_HOME>/repository/deployment/server/devicetypes/ios.xml on the worker nodes as follows.


   <PolicyMonitoring enabled="false"/>


   <TaskConfiguration>
       <Enable>false</Enable>
       <Frequency>60000</Frequency>
       …...
   </TaskConfiguration>


Enrolling Devices

Android

Enter the following URL in the Android agent.
https://mgt.iots310.wso2.com

iOS


Use this URL to start the device registration.
https://mgt.iots310.wso2.com/ios-web-agent/enrollment
