Tuesday, December 17, 2019

Troubleshooting Key Manager WSO2

Hi all,

Today I am going to tell you something that helped me during support troubleshooting.

One of the most common API manager distribution patterns is the gateway and key manager separation. Now comes the problem.

What do you do when a customer complains that the following use cases are failing?


  • Token generation
  • API security
  • Slowness in token API


You can do the following to determine the cause:


  1. Enable %T in the Key Manager access log valve to print the response time
  2. Enable client wire logs at the gateway
  3. Send a curl request that simulates the gateway's call to the key manager


Of the 3 options above, the first 2 need server restarts. The 3rd option, however, can easily be done in a production environment to troubleshoot. Nothing would be affected.

Let's look at the important calls.


Get API security data


Create a file named request.xml with the following content. Change context and version as needed.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:getAllURITemplates>
         <!--Optional:-->
         <xsd:context>/t/abc.com/abc/1</xsd:context>
         <!--Optional:-->
         <xsd:version>1</xsd:version>
      </xsd:getAllURITemplates>
   </soapenv:Body>
</soapenv:Envelope>

Then send the following request.

curl -k -d "@request.xml" -X POST https://localhost:9443/services/APIKeyValidationService -H "Content-Type: text/xml" -H "SOAPAction: urn:getAllURITemplates" -H "Authorization: Basic YWRtaW46YWRtaW4="

Validate Access Token


Create a file named request.xml with the following content. Change context, accessToken, version and other parameters as needed.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:validateKey>
         <!--Optional:-->
         <xsd:context>/t/abc.com/abc/1</xsd:context>
         <!--Optional:-->
         <xsd:version>1</xsd:version>
         <!--Optional:-->
         <xsd:accessToken>e34c38fd-e391-322c-97f0-4d677121536b</xsd:accessToken>
         <!--Optional:-->
         <xsd:requiredAuthenticationLevel>Any</xsd:requiredAuthenticationLevel>
         <!--Optional:-->
         <!--Optional:-->
         <xsd:matchingResource>/</xsd:matchingResource>
         <!--Optional:-->
         <xsd:httpVerb>GET</xsd:httpVerb>
      </xsd:validateKey>
   </soapenv:Body>
</soapenv:Envelope>

Then send the following request.

curl -k -d "@request.xml" -X POST https://<KM_HOST>:9443/services/APIKeyValidationService -H "Content-Type: text/xml" -H "SOAPAction: urn:validateKey" -H "Authorization: Basic YWRtaW46YWRtaW4="


Important


When an API request is received at the gateway and it has a bearer token, two requests are made to the key manager.

The 1st one gets the API-level security data and, upon a successful response to the 1st, the 2nd validates the bearer token. So invoke both, and check whichever one you need to troubleshoot depending on the situation.

The basic auth value is <admin_user>:<admin_password>, base64 encoded.
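The two calls above, chained in gateway order with curl's timing output, as an added example that is not part of the original post. KM_HOST, KM_USER, KM_PASS, ACCESS_TOKEN, API_CONTEXT, API_VERSION and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: time both gateway -> Key Manager calls in the order the gateway makes them.
# Variable and function names are assumptions of this example, not WSO2 names.
# Credentials and the token are read from the environment so they stay out of shell history.
# Usage: KM_HOST=... KM_USER=... KM_PASS=... ACCESS_TOKEN=... sh <this script> run

# Build the Basic auth header from <admin_user>:<admin_password>.
basic_auth() {
  printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# SOAP envelope for one APIKeyValidationService operation.
# $1 = operation (getAllURITemplates or validateKey), $2 = inner XML elements
envelope() {
  cat <<EOF
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
   <soapenv:Header/>
   <soapenv:Body>
      <xsd:$1>$2</xsd:$1>
   </soapenv:Body>
</soapenv:Envelope>
EOF
}

# POST one operation and print "<operation> <http_code> <seconds>s".
# -f makes curl return non-zero on an HTTP error, so the chain in main stops there.
km_call() {
  envelope "$1" "$2" | curl -k -s -f -o /dev/null --max-time 30 \
    -w "$1 %{http_code} %{time_total}s\n" \
    -d @- -X POST "https://${KM_HOST:-localhost}:9443/services/APIKeyValidationService" \
    -H "Content-Type: text/xml" -H "SOAPAction: urn:$1" \
    -H "$(basic_auth "$KM_USER" "$KM_PASS")"
}

main() {
  : "${KM_USER:?}" "${KM_PASS:?}" "${ACCESS_TOKEN:?}"
  # Defaults are the sample context and version used in the post.
  api="<xsd:context>${API_CONTEXT:-/t/abc.com/abc/1}</xsd:context>"
  api="$api<xsd:version>${API_VERSION:-1}</xsd:version>"
  key="<xsd:accessToken>$ACCESS_TOKEN</xsd:accessToken>"
  key="$key<xsd:requiredAuthenticationLevel>Any</xsd:requiredAuthenticationLevel>"
  key="$key<xsd:matchingResource>/</xsd:matchingResource><xsd:httpVerb>GET</xsd:httpVerb>"
  # Token validation only runs if the security-data call succeeded.
  km_call getAllURITemplates "$api" && km_call validateKey "$api$key"
}

# Only contact the Key Manager when explicitly asked to.
if [ "${1:-}" = "run" ]; then main; fi
```

A slow or failing first line points at the API security data lookup, a slow or failing second line at token validation.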

Hope you got the idea.




1 comment:

  1. Hi Waruna, This is nice, Please edit the "@reqest.xml" to "@request.xml" in the command
