
I want to make my identity server public so that all users who visit it can access the identity server but right now only I can access it since it's hosted locally. How can I deploy this so that it runs on my IIS? Will copying and pasting the WSO2 IS folder into my inetpub\wwwroot folder work? (And after configuring the .xml files so that it shares my public domain)

I tried reading the WSO2 IS documentation but it's not very clear to me how I can make it public. I was hoping for a systematic tutorial/way to do this but it chains from one step to multiple.

https://docs.wso2.com/display/IS530/Deployment+Guidelines+in+Production https://docs.wso2.com/display/IS550/Changing+the+hostname

SaltySea

2 Answers


Every WSO2 product already ships with an application server, Tomcat. This way you do not need to, nor should you, place the files on another separate application server. Use what's in the product.

From your description it seems to me that you do not have much familiarity with infrastructure, servers, etc. I will try to help you and clarify some points.

As I mentioned above, you should use the Tomcat that already comes with the product and put it on some VM (server) that has Internet access, that is, one that has ports 80 and 443 and also ports 9443 and 8243 (which are the default product ports) opened for access from beyond the internal network (LAN).

If you get the Public IP of that VM where the WSO2 Identity Server product is running, and access it from outside your local area network (LAN), the service should work.

Making an analogy to a web site, it is the same concept. When you want to put a web site on the Internet publicly, as you said, you put the files inside Apache's WWW folder or something similar; for people outside of your local network to access this web site, this Apache would have to have a public IP. It's the same concept, but WSO2 already has its "Apache" (Tomcat) internally, so just give it your public IP.

Vitor Darela
  • Right, but I'd have to change the hostnames first, right? – SaltySea Jul 27 '18 at 13:45
  • If you want to work with a hostname or fixed URL, for example (is.mydomain.com), yes. But you can use just the IP, and for this it is not necessary to change the hostname. Sorry for the delay. – Vitor Darela Jul 31 '18 at 11:19

I believe there are a few misconceptions (no, copying the installation into inetpub\wwwroot won't work; it's not PHP).

"chains from one step to multiple"

Well, the documentation relates only to the product; it assumes some knowledge of the network and systems it runs on.

1 - You should run WSO2IS as a service (this Windows guide may be helpful, and this is how to run WSO2IS as a service on Linux).

2 - Change repository/conf/carbon.xml (this step is optional, but increases security):

HostName - set to the public hostname
MgtHostName - set to the internal hostname, so the administrative console is not accessible from the Internet

3 - The best practice to expose WSO2IS would be a reverse proxy (depending on whether you are using IIS, nginx or httpd), so you don't expose the default port 9443 to the outside directly (I assume you want to use your own SSL certificate on 443 and TLS termination in the web server).

For the default WSO2IS applications you need to create a reverse proxy from HTTPS:443 -> HTTP:9763.

Update repository/conf/tomcat/catalina-server.xml and, on the Connector listening on 9763, add the attribute proxyPort="443".

(Note: right now I am not sure if it will work; what will work for sure is TLS bridging HTTPS:443 -> HTTPS:9443, which means adding proxyPort="443" to the Connector for port 9443.)

gusto2
  • Okay, so I've done all the steps successfully and I've been able to run WSO2IS as a service with the proxy port configured. I have changed the HostName and the MgtHostName but I'm still not able to reach it by its MgtHostName. Also, for my ServiceProvider I'm using SSO; does this mean I'll have to upload the metadata again since I've changed the hostname/mgthostname? – SaltySea Jul 26 '18 at 19:28
  • Not able to access after changing hostname. I've followed all your steps. Please don't abandon me :( – SaltySea Jul 27 '18 at 14:34
  • @SaltySea for the first iteration, you may omit (comment out) the HostName and MgtHostName; then all hosts should work (assuming the IIS will send the headers correctly). The URLs in metadata must match the address by which the client will access the systems. .. and what do you mean by `Not able to access`? – gusto2 Jul 27 '18 at 15:12
  • Okay, I'll try that commenting out the HostName/Mgt. Well, I thought I could access the admin dashboard through my new hostname so instead of localhost:9443 I could do [myhostname]:9443 and see it but nothing is coming up like it doesn't "exist." I followed the guide to set up a hostname using keytool and saving the new alias and whatnot in carbon.xml but nothing changed - I'm still unable to reach my new hostname URL. – SaltySea Jul 27 '18 at 15:16
  • Okay commenting out the hostnames didn't work. When I try to access the IS, it's still referring to it as localhost and it's saying "localhost refused to connect." Is it because I'm doing SSO? Do I have to update the 'metadata.xml'? I don't know if the metadata is affected when I change the carbon.xml/catalina-server.xml values. – SaltySea Jul 27 '18 at 15:42
  • By the way, I'm suspended from using chat so if we could exchange something like a Discord link or a separate chat app I'd be willing to talk and learn how to configure WSO2IS properly. – SaltySea Jul 27 '18 at 20:02
  • @SaltySea in our company we have 3-day courses for WSO2IS; it's not something to be fully comprehended in a chat. In your description you need to be more specific. `it's still referring to it as localhost` what, where? Does the IS even run? (see wso2carbon.log) Do you access the IS through IIS? – gusto2 Jul 27 '18 at 23:20
  • That's fine, I don't need to fully understand WSO2IS I just need it so that I can be able to access it publicly (outside my LAN). My SAML-SSO is referring to localhost. The IS runs but it only runs locally. Yes, I have access to the IS through IIS but only through my LAN because the IS is running locally. – SaltySea Jul 28 '18 at 14:08
  • @SaltySea `My SAML-SSO is referring to localhost` SAML works through the browser client (not a direct server-to-server connection), so all URLs in SAML need to be client-related. From your description it is very unclear what exactly doesn't work for you. I wrote the steps needed to use IS behind a reverse proxy. For the rest I assume you will set up everything correctly. We know only what you write down, so maybe you could hire a consultant who could do that properly and quickly once, and you will learn from it. – gusto2 Jul 30 '18 at 07:20
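To check that the two files from steps 2 and 3 of the answer above are set the way it describes, here is an added Python script (not part of the answer and not WSO2's own tooling) that parses trimmed-down, constructed copies of repository/conf/carbon.xml and repository/conf/tomcat/catalina-server.xml and flags what a reviewer would look for before exposing the server: a HostName that is not localhost, a MgtHostName that differs from it (so the management console stays on the internal name), and proxyPort="443" on the Connector the reverse proxy forwards to. The element and attribute names come from the answer and from WSO2 IS 5.x defaults as I know them; the sample XML, hostnames and the carbon.xml namespace URI are assumptions for this example.

```python
"""Audit WSO2 IS reverse-proxy settings in carbon.xml and catalina-server.xml.

The XML below is constructed sample input, cut down to the elements the
answer mentions; a real install has many more settings in both files.
"""
import xml.etree.ElementTree as ET

# Namespace as declared by WSO2 IS 5.x carbon.xml (assumed for this example).
CARBON_NS = "http://wso2.org/projects/carbon/carbon.xml"

# Constructed "before" carbon.xml: HostName/MgtHostName left commented out,
# which is how the file ships, so everything resolves to localhost.
WEAK_CARBON_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Server xmlns="{CARBON_NS}">
    <!--HostName>www.wso2.org</HostName-->
    <!--MgtHostName>mgt.wso2.org</MgtHostName-->
</Server>"""

# Constructed "after" carbon.xml: public name for users, internal name for
# the management console (hostnames are placeholders).
SAMPLE_CARBON_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Server xmlns="{CARBON_NS}">
    <HostName>is.example.com</HostName>
    <MgtHostName>is-admin.internal.example.com</MgtHostName>
    <Ports><Offset>0</Offset></Ports>
</Server>"""

# Constructed catalina-server.xml with the two default connectors; the 9763
# connector carries proxyPort="443" as step 3 of the answer requires.
SAMPLE_CATALINA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9763" proxyPort="443" redirectPort="9443" />
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443" scheme="https" secure="true" SSLEnabled="true" />
  </Service>
</Server>"""


def audit_carbon(xml_text):
    """Return a list of findings about the HostName / MgtHostName split."""
    root = ET.fromstring(xml_text)
    ns = {"c": CARBON_NS}
    host = root.findtext("c:HostName", default="", namespaces=ns).strip()
    mgt = root.findtext("c:MgtHostName", default="", namespaces=ns).strip()
    findings = []
    if not host or host == "localhost":
        findings.append("HostName unset or localhost: generated SAML/OIDC URLs "
                        "will point at localhost")
    if not mgt:
        findings.append("MgtHostName unset: management console shares the "
                        "public hostname")
    elif mgt == host:
        findings.append("MgtHostName equals HostName: management console is "
                        "reachable on the public name")
    return findings


def audit_catalina(xml_text, proxied_port=9763, public_port=443):
    """Return findings for the Connector the reverse proxy forwards to."""
    root = ET.fromstring(xml_text)
    findings = []
    connectors = [c for c in root.iter("Connector")
                  if c.get("port") == str(proxied_port)]
    if not connectors:
        return [f"no Connector listening on {proxied_port}"]
    for conn in connectors:
        if conn.get("proxyPort") != str(public_port):
            findings.append(f'Connector {proxied_port} lacks proxyPort="{public_port}": '
                            "redirects and absolute URLs will carry the backend port")
    return findings


def audit(carbon_xml, catalina_xml):
    """Combined findings for both files; an empty list means nothing to fix."""
    return audit_carbon(carbon_xml) + audit_catalina(catalina_xml)


if __name__ == "__main__":
    print("weak carbon.xml:", audit_carbon(WEAK_CARBON_XML))
    print("configured:", audit(SAMPLE_CARBON_XML, SAMPLE_CATALINA_XML) or "no findings")
```

Point the two audit functions at the real files (open and read them) once the sample constants have served their purpose; the script deliberately stops at configuration review and does not probe the listening ports, since whether 9443 is actually unreachable from outside depends on the firewall in front of the VM, not on these files.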