1

I am trying to set up a cluster for WSO2 api manager and I am following https://docs.wso2.com/display/CLUSTER44x/Clustering+API+Manager+1.10.0

I am using seperate VMs for each of the component and currently in my setup I am able to

  1. Publish an api using the publisher which gets published in the Gateway (Visible in the log)
  2. Subscribe to this API from the store and generate keys

However when I am trying to access this api using the generated key I get the following response

<soapenv:Fault xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <faultcode xmlns:axis2ns2="http://schemas.xmlsoap.org/soap/envelope/">axis2ns2:Client</faultcode>
    <faultstring>Authentication Failure</faultstring>
    <detail>Error while accessing backend services for API key validation</detail>
</soapenv:Fault>

In the gateway logs I can see only the below line. There is no further details in the logs

TID: [-1234] [] [2016-02-02 16:55:58,288]  WARN {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticat
ionHandler} -  API authentication failure due to Unclassified Authentication Failure {org.wso2.carbon.apimgt.gat
eway.handlers.security.APIAuthenticationHandler}

Please help me to resolve this issue.

Abimaran Kugathasan
  • 26,826
  • 11
  • 67
  • 101
Mrinal Kanti Mandal
  • 21
  • 3
  • What happens if you intentionally pass a bad Oauth token? Does it at least fail as expected? Also what's your Swagger look like? – Charlie Feb 02 '16 at 19:47
  • I get the same error. But if I give a wrong IP for key manager I get different error saying unable to connect etc. – Mrinal Kanti Mandal Feb 03 '16 at 03:47
  • We had similar issues when using clustered gateways. Our (naive) solution was to just configure each gateway to use their local IP to resolve key manager requests, though you should also be able to do it right and configure dedicated key manager nodes... just be sure your gateways have access to them. Try: a cURL from your gateway to the URL of the key manager it is attempting to access to see if this is a problem. – Kjata30 Apr 11 '17 at 15:04

3 Answers3

1

That sounds like an issue with your API - API Manager doesn't actually "authenticate anything" unless you are using identity server see here for the difference between authentication and authorization (what WSO2 does through Oauth). Please try an API that is know to work such as http://petstore.swagger.io/ and report back the error.

Community
  • 1
  • 1
Charlie
  • 1,398
  • 2
  • 14
  • 30
0

This can happen due to many reason. Please check some of the reasons below

  1. Key Manager's public certificate isn'y properly imported in the <GATEWAY_HOME>/repository/resources/security/client-truststore.jks

  2. Open the api-manager.xml fie of the gateway and key manager nodes and change the <KeyValidatorClientType> to WSClient as bellow (default value is ThriftClient).

    <KeyValidatorClientType>WSClient</KeyValidatorClientType>
Abimaran Kugathasan
  • 26,826
  • 11
  • 67
  • 101
0

The reason for this could be a result of misconfiguration between nodes. First you can double check the configurations (specially keyvalidator related configurations)

If you could not find any issue there, then you can enable debug logs and get some idea about the issue

add following entires in repository/conf/log4j.properties in gateway node

log4j.logger.org.wso2.carbon.apimgt.gateway.handlers.security=DEBUG

add following entires in repository/conf/log4j.properties in key manager node

log4j.logger.org.wso2.carbon.apimgt.keymgt=DEBUG

You might be able to find the issue by analyzing the logs

Chamila Adhikarinayake
  • 3,280
  • 3
  • 21
  • 27