
WSO2 API Manager Clustering: Login error to Publisher and Store

We are trying to configure WSO2 API Manager 2.1.0 in a cluster following the WSO2 documents. We have:

  • a cluster of two Gateways
  • a cluster of two Key Managers
  • a cluster of two Traffic managers

As a front-end Load balancer, we are using NGINX. Everything works fine except this aspect:

When I try to log in to the publisher or store, the request is sent to the load balancer, which redirects the request to the Key Managers. The log of KM1 is:

INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin@carbon.super [-1234]' logged in at [2018-02-01 15:23:15,102+0100] {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}

while the log on the other (KM2) is:

TID: [-1234] [] [2018-02-01 15:23:15,165] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} - Illegal access attempt at [2018-02-01 15:23:15,0165] from IP address xxxxx while trying to authenticate access to service LoggedUserInfoAdmin {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler}

The final result is that I cannot access the store or publisher. If one of the two KMs is stopped, everything works fine. Do you have any suggestions on how I should configure the KM or TM? Thank you very much.

This is happening because you haven't enabled sticky sessions for the key manager.

There are two calls going to the key manager and both calls should be redirected to the same key manager. In your case, the requests are load balanced in a round-robin manner. Therefore the second call fails as the session is created in another node.

Please refer to the articles below. https://wso2.com/library/articles/2015/01/wso2-api-manager-deployment-customization-and-troubleshooting-part-02/

https://docs.wso2.com/display/CLUSTER44x/Configuring+NGINX

Why thrift key validation is not recommended in production deployments

Thrift key validation does not work when we have a load balancer fronted key manager. The reason for this is that most load balancers are not capable of routing traffic in a session-aware manner. Therefore, in such cases, it's always recommended to use the WS key validation client. When we use web service clients we need to enable a sticky session at the load balancer level. Moreover, we need to give a session cookie that we've used to handle session stickiness.
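The sticky-session fix described in the answer above, sketched as an NGINX configuration. This is an added example, not part of the original question or answer and not taken from the WSO2 documentation; the upstream name, hostnames, IP addresses and certificate paths are placeholders, and 9443 is assumed to be the Key Manager HTTPS port.

```nginx
# Added example: goes inside the http {} context of nginx.conf.
# All addresses, names and file paths below are placeholders.

# Before (round-robin, the NGINX default): the login call and the
# follow-up LoggedUserInfoAdmin call can reach different Key Manager
# nodes, so the second node sees a session it never created.
# upstream km_cluster {
#     server 10.0.0.11:9443;   # KM1
#     server 10.0.0.12:9443;   # KM2
# }

# After: ip_hash pins every request from one client address to the
# same Key Manager node, so both calls share the session.
upstream km_cluster {
    ip_hash;
    server 10.0.0.11:9443;   # KM1
    server 10.0.0.12:9443;   # KM2
}

server {
    listen 443 ssl;
    server_name km.example.com;

    ssl_certificate     /etc/nginx/ssl/km.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/km.example.com.key;

    location / {
        # Preserve the original host and client address for the
        # Key Manager's own logs (such as the "Illegal access
        # attempt ... from IP address" warning).
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass https://km_cluster;
    }
}
```

ip_hash keys on the first three octets of an IPv4 client address, so callers behind the same NAT or an upstream proxy all land on one node; after reloading NGINX, confirm that the login entry and any AuthenticationHandler warnings for a single login now appear on the same Key Manager.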
