WSO2 Identity Analytics
WSO2 Identity Analytics comes with WSO2 Identity Server. It allows you to view and analyze statistics related to the authentication requests that go through WSO2 Identity Server; the analytics solution is built on top of WSO2 Stream Processor.
Identity Analytics provides useful statistics and analytics based on the events published by WSO2 Identity Server, such as login events and session-related data.
Let’s see how we can enable identity analytics.
Step 01: Download WSO2 IS Analytics
Go to the WSO2 IS Analytics download page and download the WSO2 IS Analytics pack. If you haven't downloaded WSO2 Identity Server yet, you can get it from the WSO2 Identity Server page.
Step 02: Enable Analytics in WSO2 Identity Server
Here I am enabling both the login data and session data publishers, so that I can see both login and session analytics. Once you enable publishing, you have to configure the publishers as well (Step 03).
1. Open the deployment.toml file in the <Identity Server_HOME>/repository/conf/ directory.
2. Add the following configuration to deployment.toml:
[event.default_listener.application_authentication]
enable = true
[identity_mgt.analytics_login_data_publisher]
enable = true
[identity_mgt.analytics_session_data_publisher]
enable = true
You can enable only the publishers you need.
Step 03: Configure Event Publishers
Once you enable publishing, you have to configure the publishers as well. In <Identity Server_HOME>/repository/deployment/server/eventpublishers you can find the event publisher configurations; there are multiple event publishers.
Ex: Let me open one and go through what is inside these files.
As you can see, this describes how publishing is done from Identity Server to the Identity Server analytics server.
You can see there is the username, protocol, receiver URL and password.
I will not change any of them, since I am running my analytics server on localhost with the default super admin username and password (admin:admin).
Well, now I’m done with configuration changes.
Let me start the servers. You don't need to add a port offset for analytics, since it comes with a default port offset of 1 out of the box.
Step 04: Run the Servers
Start the WSO2 Identity Server first.
On Windows, run the script wso2server.bat from the bin folder (<IS_HOME>/bin/wso2server.bat).
On Linux/Mac OS, run the script wso2server.sh from the bin folder (<IS_HOME>/bin/wso2server.sh).
Next,
- Run the Worker node of WSO2 IS Analytics.
On Windows, run the script worker.bat from the bin folder (<WSO2is-analytics>/bin/worker.bat).
On Linux/Mac OS, run the script worker.sh from the bin folder (<WSO2is-analytics>/bin/worker.sh).
- Run the Dashboard node of WSO2 IS Analytics.
On Windows, run the script dashboard.bat from the bin folder (<WSO2is-analytics>/bin/dashboard.bat).
On Linux/Mac OS, run the script dashboard.sh from the bin folder (<WSO2is-analytics>/bin/dashboard.sh).
Once both servers are up and running, you can access the admin console of WSO2 Identity Server.
Let's see how to access the Analytics Dashboard and view the login attempts.
If I log in as admin, I can see that I have configured “travelocity.com” as a service provider, so I'll try to log in to travelocity.com through the Identity Server.
Add the SAML related configuration to the service provider. For that, expand the “Inbound Authentication Configuration” section of the service provider configuration and, under “SAML 2 Web SSO Configuration”, click the “Configure” button.
- Issuer: travelocity.com
- Assertion Consumer URLs: http://localhost:8080/travelocity.com/home.jsp
- Enable Response Signing
- Enable Single Logout
- Tick Enable Attribute Profile and Include Attributes in Response Always
Click on Update to save the changes and you will be directed back to the service provider page.
Now the configuration is done. To check how this works, access http://localhost:8080/travelocity.com
You will be directed to the travelocity application. When you click Login with SAML, you will be directed to the Identity Server login page. Enter your credentials and log in to the application.
So now I would expect to see these events and the relevant analytics in my analytics dashboard. Let me log in to the analytics dashboard.
https://<HTTPS_IS_ANALYTICS_HOST>:9643/portal
Enter admin as the username and password and click “LOGIN”.
Click the IS Analytics tile.
The Analytics Dashboard appears with a summary of overall login attempts, local login attempts, and federated login attempts.
As you can see, there are a few main sections in the analytics dashboard: Logging analytics, Federated analytics, Session Alerts and Suspicious Login Alerts.
You can see a comprehensive representation of events represented using graphs and charts.
Well, that’s about how to set up WSO2 identity analytics.
Important:
You have probably come across the following errors in a WSO2 product deployment:
javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
or
javax.net.ssl.SSLException: hostname in certificate didn't match: <ip address> != <localhost>
Both of the above are very common issues people hit with a partially configured WSO2 product deployment.
Reason: You might be using the WSO2 default keystore in all the products of the deployment while making HTTPS calls between the servers. In that case an SSL handshake takes place, and WSO2 servers also apply their own hostname verifier. The above errors appear when those checks fail.
Remedy: import the public certificate of the WSO2 IS Analytics server into the client-truststore.jks of WSO2 Identity Server, and vice versa.
So now let’s see how this can be done.
Step 1:
Go to <IS_HOME>/repository/resources/security/ folder and execute the following keytool command.
keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2carbon.cer
Provide wso2carbon as the keystore password when prompted as it is the default password.
This command exports the public certificate of Identity Server to a certificate file called wso2carbon.cer.
Since the default keystore in Identity Server is wso2carbon.jks, we have specified it as the keystore and the default alias is wso2carbon.
After executing the above command from within the security folder in Identity Server, you will see that a file with the name of wso2carbon.cer is created inside the same folder.
Step 2:
Now go to the <IS_ANALYTICS_HOME>/resources/security/ folder.
You can either copy the wso2carbon.cer file created in Step 1 into the IS Analytics security folder and execute the command below, or simply refer to the certificate file by giving its correct path in the command.
keytool -import -alias wso2carbon1 -file wso2carbon.cer -keystore client-truststore.jks -storepass wso2carbon
This command is used to import the wso2carbon.cer public certificate to the client trust store of IS Analytics.
Note that the alias is now wso2carbon1, not wso2carbon. An entry with the alias wso2carbon already exists by default in the client-truststore.jks of IS Analytics, so the certificate of Identity Server has to be imported under a different alias.
Accept the certificate when prompted.
Now you have successfully imported the public certificate of one WSO2 product into the trust store of another.
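The two steps above only cover one direction (Identity Server's certificate into the IS Analytics truststore); the remedy calls for the exchange in both directions. The script below is an added example, not part of the original post or of the WSO2 products: it wraps the same keytool commands into functions that perform the exchange both ways, handle the alias clash described above (the peer certificate goes in under a distinct alias, and an alias that is already present is skipped so the script can be re-run), and verify the result with keytool -list. It assumes each node's security directory holds wso2carbon.jks (alias wso2carbon) and client-truststore.jks under the default password wso2carbon; the alias wso2analytics used for the reverse direction and the make_demo_node fixture, which builds two throwaway nodes so the script runs offline, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): two-way certificate exchange
# between a WSO2 Identity Server node and a WSO2 IS Analytics node.
# Assumed layout: each security directory holds wso2carbon.jks (private key,
# alias "wso2carbon") and client-truststore.jks, both using the default
# password "wso2carbon" mentioned in the post.
set -eu

STOREPASS="${WSO2_STOREPASS:-wso2carbon}"

# export_cert <security_dir> <out_file>
# Exports the node's own public certificate (alias wso2carbon) to <out_file>.
export_cert() {
  keytool -export -keystore "$1/wso2carbon.jks" -alias wso2carbon \
    -storepass "$STOREPASS" -file "$2" >/dev/null
}

# trust_cert <security_dir> <cert_file> <alias>
# Imports <cert_file> into the node's client-truststore.jks under <alias>.
# The truststore already carries the node's own certificate as "wso2carbon",
# so the peer certificate must use a different alias. If that alias is
# already present the import is skipped, which makes re-runs harmless.
trust_cert() {
  if keytool -list -keystore "$1/client-truststore.jks" -storepass "$STOREPASS" \
       -alias "$3" >/dev/null 2>&1; then
    echo "alias $3 already present in $1/client-truststore.jks, skipping"
    return 0
  fi
  keytool -import -noprompt -keystore "$1/client-truststore.jks" \
    -storepass "$STOREPASS" -alias "$3" -file "$2" >/dev/null
}

# exchange_trust <is_security_dir> <analytics_security_dir>
# IS Analytics learns to trust Identity Server and vice versa.
exchange_trust() {
  is_dir="$1"
  an_dir="$2"
  export_cert "$is_dir" "$is_dir/wso2carbon.cer"
  export_cert "$an_dir" "$an_dir/wso2carbon.cer"
  trust_cert "$an_dir" "$is_dir/wso2carbon.cer" wso2carbon1    # alias from the post
  trust_cert "$is_dir" "$an_dir/wso2carbon.cer" wso2analytics  # assumed alias
}

# is_trusted <security_dir> <alias>: exit 0 if <alias> is in the truststore.
is_trusted() {
  keytool -list -keystore "$1/client-truststore.jks" -storepass "$STOREPASS" \
    -alias "$2" >/dev/null 2>&1
}

# make_demo_node <dir> <cn>
# Constructed fixture: a throwaway node with a self-signed key pair and a
# truststore that already holds its own certificate under alias wso2carbon,
# mirroring the default state of a fresh WSO2 pack.
make_demo_node() {
  mkdir -p "$1"
  keytool -genkeypair -keystore "$1/wso2carbon.jks" -alias wso2carbon \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -keyalg RSA -keysize 2048 \
    -validity 1 -dname "CN=$2, O=WSO2 demo" >/dev/null 2>&1
  export_cert "$1" "$1/self.cer"
  keytool -import -noprompt -keystore "$1/client-truststore.jks" \
    -storepass "$STOREPASS" -alias wso2carbon -file "$1/self.cer" >/dev/null 2>&1
}

# Usage against real packs:
#   exchange_trust "$IS_HOME/repository/resources/security" \
#                  "$IS_ANALYTICS_HOME/resources/security"
# Stand-alone demo on two constructed nodes (WSO2_DEMO=1 ./exchange.sh):
if [ "${WSO2_DEMO:-}" = "1" ]; then
  work="$(mktemp -d)"
  make_demo_node "$work/is" localhost
  make_demo_node "$work/analytics" localhost
  exchange_trust "$work/is" "$work/analytics"
  is_trusted "$work/analytics" wso2carbon1 && echo "IS Analytics trusts Identity Server"
  is_trusted "$work/is" wso2analytics && echo "Identity Server trusts IS Analytics"
fi
```

After running exchange_trust against the real directories, restart both servers so the updated truststores are loaded; the PKIX error disappears once each side finds the peer's certificate in its own client-truststore.jks. The hostname mismatch error is a separate check: it goes away only when the hostname you use in the receiver URL matches the CN or subject alternative name in the peer's certificate (the default wso2carbon certificate is issued to localhost, which is why the post keeps everything on localhost).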
Cheers!! :)