Wednesday, August 9, 2017

Tips on using environment variables in WSO2 Integration Cloud

Environment variables allow you to change an application's internal configuration without changing its source code. Let's say you want to deploy the same application in development, testing and production environments. Database-related configs and some other internal configurations may then change from one environment to another. If we define these configurations as environment variables, we can easily set them without changing the source code of the application.

When you deploy your application in WSO2 Integration Cloud, it lets you define environment variables via the UI. Whenever you change the values of environment variables, you just need to redeploy the application for the changes to take effect.

Predefined environment variables
Key Concepts - Environment Variables lists a predefined set of environment variables that are useful when deploying applications in WSO2 Integration Cloud.

Sample on how to use environment variables
Use Environment Variable in your application provides a sample of how to use environment variables in WSO2 Integration Cloud.

Bulk environment variable upload
If the list of environment variables is long, entering them one by one in the Integration Cloud UI is a bit awkward. You can upload them all as a JSON file.

Sample json file:


Use REST API to manipulate environment variables
WSO2 Integration Cloud provides a REST API to get/add/update/delete environment variables.

Get version hash Id
curl -v -b cookies -X POST -d 'action=getVersionHashId&applicationName=app001&applicationRevision=1.0.0'

Get environment variables per version
curl -v -b cookies -X POST -d 'action=getEnvVariablesOfVersion&versionKey=123456789'

Add environment variable
curl -v -b cookies -X POST  -d 'action=addRuntimeProperty&versionKey=123456789&key=ENV_USER&value=amalka'

Update environment variable
curl -v -b cookies -X POST -d 'action=updateRuntimeProperty&versionKey=123456789&prevKey=ENV_USER&newKey=ENV_USERNAME&newValue=amalkasubasinghe'

Delete environment variable
curl -v -b cookies -X POST -d 'action=deleteRuntimeProperty&versionKey=123456789&key=ENV_USERNAME'

Code samples to read environment variables for different app types
Here is sample code to read environment variables in the different app types supported by WSO2 Integration Cloud.

Tomcat/Java Web Application/MSF4J


string dbUrl = system:getEnv("ENV_DATABASE_URL");


print getenv('ENV_DATABASE_URL');


You can use the script mediator to read the environment variable in the Synapse configuration. The sample proxy service below reads the property ENV_DATABASE_URL, which is defined as an environment variable.

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns=""
         <script language="js"><![CDATA[
             mc.setProperty("envDatabaseURL", java.lang.System.getenv("ENV_DATABASE_URL"));
        <log level="custom">
           <property expression="$ctx:envDatabaseURL"
                     name="EnvDatabaseURL: "/>


Where ENV_DATABASE_URL is the name of the variable we wish to access.

var process = require('process');
print(process.getEnvs()); // json object
print(process.getEnv('ENV_DATABASE_URL')); // string

Saturday, July 29, 2017

Stop nginx decoding query parameters on proxy pass

When using nginx in front of several applications, incoming requests arrive at nginx with encoded parameters but reach the backend application with decoded parameters. The backend application then rejects the message, since it accepts only encoded parameters.

In order to solve this problem, with the following configuration we can stop decoding query parameters at the nginx level.

location /t/ {
                proxy_set_header X-Real-IP $remote_addr;
#               proxy_next_upstream error timeout invalid_header http_500;

The parameter added, $request_uri, is the full original request URI (with arguments).

Monday, July 17, 2017

How to block a particular user from accessing an API

1. Log in to the Admin Dashboard as the admin user.

2. Click Black List under the Throttle Policies section and click Add Item (Refer to the screenshot below)

3. Select user as the condition type, give the fully qualified username as the value and click blacklist. (Refer to the screenshot below)

For example, if you want to block the user from invoking APIs, you have to provide the value as by appending the organization key at the end of the username with '@' character. 

If you follow the above steps, the user will not be able to invoke APIs. Also please note that if you blacklist, the user will not be able to invoke any API until you remove the blacklist policy.

How to use FHIR connector in WSO2 Integration Cloud

In WSO2 Integration Cloud, we provide WSO2 ESB as an app type, so you can configure the FHIR connector on WSO2 ESB.

At the moment we don't have a specific document on configuring the FHIR connector on WSO2 Integration Cloud. But, we have included an example document [1] on how to configure a sample (Twitter) connector. This is a general guide a user can follow, it shows how to create a CAR file and import it onto the Integration Cloud.

For information on configuring the FHIR connector, you can follow the document here.[2]

Please note that if you want to add custom server certificates to the client truststore, or require any custom configurations, you need to create a custom Docker image and deploy it in WSO2 Integration Cloud. [3]

Sunday, July 16, 2017

How to insert a Getting started guide into my WSO2 API Store

Let's say I have published an API and I want to let my API Store users know how they can use it.

Currently this can be done by adding API documentation. So with this you will need to add the documentation to each API. The documentation types supported in the API Publisher are as follows:
Please refer to [1] for more information regarding this.

If your requirement is to add a generic guide to the store, unfortunately that is not possible at the moment.

How to allow WSO2 cloud team to access your tenant

Sometimes you may need the WSO2 cloud team to access your tenant, to investigate an issue, make some configuration changes on your behalf, etc.

This post explains how you can allow the WSO2 cloud team to access your tenant.

1. Go to cloud organization management portal:

2. Click on check box (Allow Access to WSO2 Support) inline with your tenant name

Later you can remove it by clicking on the check box again.

Monday, June 19, 2017

How to remove a thumbnail from an API

Let's say you have created an API in API cloud and you have added thumbnail image to it. Now you want to remove it.

When you go to the edit api view it allows you to change the thumbnail, but not remove. Let's see how we can remove it.

1. login to the carbon console of gateway node as tenant admin

2. Go to Resource -> Browse under main menu

3. Go to "/_system/governance/apimgt/applicationdata/provider" 

4. Click on the relevant tenant - you will see list of APIs (eg:

5. Select relevant API - you will see api artifact   (eg: api1 under version 1.0.0)

6. Click on "api" - you will see list of meta data for that api

7. Remove the thumbnail value from attribute "Thumbnail"

8. Save the API

9. Then log out from the API Publisher UI and log in again in an incognito window; you will see that the thumbnail has been removed from your API.

Friday, June 2, 2017

How to start multiple services as a group in WSO2 Integration Cloud

Let's say we have a use case which is deployed in Integration Cloud and involves a number of applications.
There can be a PHP/Web application which users interact with, an ESB which provides integration with a number of systems, and a DSS to manipulate the database.

So let's say we want to start/stop these 3 applications as a group. But at the moment, Integration Cloud does not provide any grouping. So you have to login to the Integration Cloud and go to each and every application and start/stop those.

To make this a little easier, we can use the Integration Cloud REST API and write our own script.

This is the script to start all the applications as a group. You need to provide the username, password, organization name and a file which contains the application list with versions.

How to execute this script
./ <username> <password> <organizationName> wso2Project.txt

wso2Project.txt file content should be like this. There you should provide applicationName and version separated with [ | ] pipe character

As shown above, you can keep a number of project files and start each group using the script.

Monday, April 10, 2017

Add multiple database users with different privileges for the same database

Currently, WSO2 Integration Cloud supports adding multiple database users for the same database, but does not support changing user privileges.

Let's say someone needs to use the same database via two different users: one user has full access, while the other should have READ_ONLY access. How do we do this in Integration Cloud?
We are planning to add a feature to change user permissions, but until then you can do it as described below.


1. Log in and create a database with a user

2. Once you create a database you can see it as below, and you can add another user when clicking on the All users icon

3. There you can create new user or you can attach existing user to the same database

I added two users u_mb_2NNq0tjT and test_2NNq0tjT to the database wso2mb_esbtenant1
My requirement is to give full access to the u_mb_2NNq0tjT user and remove INSERT permission from test_2NNq0tjT user.

4. Log in via the mysql client as user u_mb_2NNq0tjT and revoke the INSERT permission of test_2NNq0tjT

first login as test_2NNq0tjT and check grants
mysql -u  test_2NNq0tjT -pXXXXX -h

show grants
| Grants for test_2NNq0tjT@%                                                             |
| GRANT USAGE ON *.* TO 'test_2NNq0tjT'@'%' IDENTIFIED BY PASSWORD <secret>              |
| GRANT ALL PRIVILEGES ON `wso2mb_esbtenant1`.* TO 'test_2NNq0tjT'@'%' WITH GRANT OPTION |

login as u_mb_2NNq0tjT and revoke the insert permission
mysql -u  u_mb_2NNq0tjT -pXXXXX -h

REVOKE INSERT ON wso2mb_esbtenant1.* FROM 'test_2NNq0tjT'@'%';

login again as test_2NNq0tjT and check grants
mysql -u  test_2NNq0tjT -pXXXXX -h

show grants

| Grants for test_2NNq0tjT@%                                                                                                                                                                                                                                   |
| GRANT USAGE ON *.* TO 'test_2NNq0tjT'@'%' IDENTIFIED BY PASSWORD <secret>                                                                                                                                                                                    |
2 rows in set (0.24 sec)

With this approach we can change the permissions of another user who is attached to the same database.

To make a read-only user you need to revoke the permissions as follows

Please note: after you change the user privileges, do not detach/attach the test_2NNq0tjT user to the same or a different database. Doing so automatically resets the user to all privileges.
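To check that an account really is read-only, and to re-check it after an accidental detach/attach, the following Python script parses SHOW GRANTS output like that shown above, lists every privilege beyond SELECT, and builds the statements that reduce the account to SELECT on the database. It is an added example, not part of the original post; the function names are hypothetical and the PARTIAL row is a constructed sample.

```python
import re

# One row of SHOW GRANTS output, with or without the mysql client's table borders.
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'[^']+'@'[^']+'(?P<rest>.*)$",
    re.IGNORECASE,
)
READ_ONLY = {"SELECT", "USAGE"}  # USAGE is MySQL's "no privileges" marker


def excess_privileges(show_grants_output, database):
    """Map scope -> privileges beyond read-only, for `database` and global grants."""
    excess = {}
    for line in show_grants_output.splitlines():
        m = GRANT_RE.search(line.strip().strip("|"))
        if not m:
            continue  # header, border or "N rows in set" line
        scope = m.group("scope").replace("`", "")
        if scope != "*.*" and not scope.startswith(database + "."):
            continue  # grant on some other database
        extra = {p.strip().upper() for p in m.group("privs").split(",")} - READ_ONLY
        if "WITH GRANT OPTION" in m.group("rest").upper():
            extra.add("GRANT OPTION")
        if extra:
            excess.setdefault(scope, set()).update(extra)
    return excess


def revoke_plan(show_grants_output, database, account):
    """SQL statements that leave `account` with SELECT only on `database`."""
    plan, regrant = [], False
    for scope, extra in sorted(excess_privileges(show_grants_output, database).items()):
        privs = sorted(extra - {"GRANT OPTION"})
        if privs:
            plan.append(f"REVOKE {', '.join(privs)} ON {scope} FROM {account};")
        if "GRANT OPTION" in extra:
            plan.append(f"REVOKE GRANT OPTION ON {scope} FROM {account};")
        regrant = regrant or "ALL PRIVILEGES" in privs
    if regrant:  # revoking ALL also removed SELECT, so grant it back on this database
        plan.append(f"GRANT SELECT ON {database}.* TO {account};")
    return plan


# SHOW GRANTS rows as shown in the post before the REVOKE.
BEFORE = """\
| GRANT USAGE ON *.* TO 'test_2NNq0tjT'@'%' IDENTIFIED BY PASSWORD <secret>              |
| GRANT ALL PRIVILEGES ON `wso2mb_esbtenant1`.* TO 'test_2NNq0tjT'@'%' WITH GRANT OPTION |
"""
# Constructed sample: an account that still holds write privileges.
PARTIAL = (
    "GRANT SELECT, UPDATE, DELETE ON `wso2mb_esbtenant1`.* "
    "TO 'test_2NNq0tjT'@'%' WITH GRANT OPTION"
)

if __name__ == "__main__":
    print("\n".join(revoke_plan(BEFORE, "wso2mb_esbtenant1", "'test_2NNq0tjT'@'%'")))
```

Run the generated statements as the user that keeps full access (u_mb_2NNq0tjT in this post), then run SHOW GRANTS again as the restricted user and confirm that revoke_plan returns an empty list.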

Friday, March 17, 2017

How to run a Jenkins in WSO2 Integration Cloud

This blog post guides you on how to run Jenkins in WSO2 Integration Cloud and configure it to build a GitHub project. Currently WSO2 Integration Cloud does not support Jenkins as an app type, but we can use the Custom Docker app type with a Jenkins Docker image.

First we need to find a suitable Jenkins Docker image to use for this, or build one from scratch.

If you go to you can find official Jenkins images in docker hub, but we can't use these images as they are, for several reasons. So I'm going to create a fork of and do some changes to the Dockerfile.

I use the branch here.

A. You will see it has a VOLUME mount. At the moment WSO2 Integration Cloud does not allow you to upload an image which has a VOLUME mount, so we need to comment it out

#VOLUME /var/jenkins_home

B. My plan is to build a GitHub project, so I need to enable the GitHub Integration plugin. So I add the following line at the end of the file

RUN docker-slaves github-branch-source

C. I want to build projects using Maven, so I add the following segment to the Dockerfile to install and configure Maven.


RUN mkdir -p /usr/share/maven /usr/share/maven/ref/ \
  && curl -fsSL$MAVEN_VERSION/binaries/apache-maven-$MAVEN_VERSION-bin.tar.gz \
    | tar -xzC /usr/share/maven --strip-components=1 \
  && ln -s /usr/share/maven/bin/mvn /usr/bin/mvn

ENV MAVEN_HOME /usr/share/maven
COPY settings-docker.xml /usr/share/maven/ref/
RUN chown -R ${user} "$MAVEN_HOME"

D. I don't want to expose slave agent port 50000 to the outside. Just comment it out.

#EXPOSE 50000

E. I want to configure the Jenkins job to build the project periodically, so I need to copy the required configurations to the Jenkins and give the correct permissions.

Note: You can first run a Jenkins on your local machine, configure the job and get the config.xml file.
I configured the Jenkins job to poll the Github project every 2 minutes and build. (You can configure the interval as you wish)

Here's the Jenkins configuration

<?xml version='1.0' encoding='UTF-8'?>
    <com.coravy.hudson.plugins.github.GithubProjectProperty plugin="github@1.26.1">
  <scm class="hudson.plugins.git.GitSCM" plugin="git@3.1.0">
    <submoduleCfg class="list"/>
      <spec>H/2 * * * *</spec>
      <targets>clean install</targets>
      <settings class="jenkins.mvn.DefaultSettingsProvider"/>
      <globalSettings class="jenkins.mvn.DefaultGlobalSettingsProvider"/>

We need to create the following content in the JENKINS_HOME/jobs folder, to configure a job

 --> jobs
         ├── HelloWebApp
         │   └── config.xml

Add the following to the Dockerfile.

RUN mkdir -p $JENKINS_HOME/jobs/HelloWebApp
COPY HelloWebApp $JENKINS_HOME/jobs/HelloWebApp

RUN chmod +x $JENKINS_HOME/jobs/HelloWebApp \
  && chown -R ${user} $JENKINS_HOME/jobs/HelloWebApp
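Before building, the two Dockerfile constraints from steps A and D can be checked mechanically. The following Python script is an added example, not part of the original post: it flags active VOLUME instructions and any EXPOSE that covers port 50000, resolving ARG/ENV defaults first. The function names and the sample Dockerfiles are constructed for illustration.

```python
import re

AGENT_PORT = 50000  # Jenkins agent port that step D leaves unexposed


def instructions(dockerfile_text):
    """Yield (line_no, KEYWORD, args), joining '\\' continuations."""
    buf, start = "", 0
    for no, raw in enumerate(dockerfile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out '#VOLUME ...' is not an instruction
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1) + [""]
        buf = ""
        yield start, parts[0].upper(), parts[1].strip()


def exposed_ports(args, variables):
    """Expand $VAR / ${VAR}, then list every port named by an EXPOSE line."""
    expanded = re.sub(r"\$\{?(\w+)\}?", lambda m: variables.get(m.group(1), ""), args)
    ports = set()
    for token in expanded.split():
        lo, _, hi = token.split("/")[0].partition("-")  # '50000/tcp', '50000-50010'
        if lo.isdigit() and (not hi or hi.isdigit()):
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def check_dockerfile(dockerfile_text):
    """Return (line_no, keyword, args) for active VOLUME and agent-port EXPOSE lines."""
    variables, findings = {}, []
    for no, keyword, args in instructions(dockerfile_text):
        default = re.match(r"(\w+)(?:=|\s+)(\S+)", args)
        if keyword in ("ARG", "ENV") and default:
            variables[default.group(1)] = default.group(2)
        elif keyword == "VOLUME":
            findings.append((no, keyword, args))
        elif keyword == "EXPOSE" and AGENT_PORT in exposed_ports(args, variables):
            findings.append((no, keyword, args))
    return findings


# Constructed sample Dockerfiles, not the Dockerfile from the post.
UNMODIFIED = """\
FROM example/base:1
ARG agent_port=50000
VOLUME /var/jenkins_home
EXPOSE 8080
EXPOSE ${agent_port}
"""
MODIFIED = UNMODIFIED.replace("VOLUME", "#VOLUME").replace("EXPOSE $", "#EXPOSE $")

if __name__ == "__main__":
    print(check_dockerfile(UNMODIFIED))
```

An empty result means neither instruction is active, so the image should pass the VOLUME restriction and keeps the agent port closed.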

So let's build the Jenkins image and test locally.
Go to the folder where the Dockerfile exists and execute

docker build -t jenkins-alpine .

Run the Jenkins

docker run -p 80:8080 jenkins-alpine

You will see the Jenkins logs in the command line

You can access Jenkins via http://localhost/ and see build jobs running every 2 minutes when it detects any changes in the GitHub project.

If you click on the HelloWebApp and go to configure, then you will see the Jenkins job configurations.

So now the image is ready and let's push it to the docker hub and deploy it in WSO2 Integration Cloud.

docker images

REPOSITORY               TAG                               IMAGE ID            CREATED             SIZE
jenkins-alpine                 latest                            d7dc03cec1df        51 minutes ago      257.4 MB

docker tag d7dc03cec1df amalkasubasinghe/jenkins-alpine:hellowebapp

docker login

docker push amalkasubasinghe/jenkins-alpine:hellowebapp

When you log in to Docker Hub you can see the image you pushed

Let's login to the WSO2 Integration Cloud -> Create Application -> and select Custom Docker Image

Add the image by providing the image URL

Wait until the security scanning has finished and then create the Jenkins application, selecting the scanned image

Here I select the Custom Docker http-8080 and https-8443 runtime, as Jenkins runs on port 8080.

Wait until the Jenkins instance fully up and running. Check the logs

Now you can access the Jenkins UI via

That's all :). Now every 2 minutes our Jenkins job will poll the GitHub project and if there are any changes it will pull the changes and build.

This is how you can setup and configure Jenkins in WSO2 Integration Cloud.

You can see the docker file here

Saturday, February 25, 2017

How to change the organization name and key appear in WSO2 Cloud UI

Here are the instructions to change the Organisation Name:

1. Go to Organization Page from Cloud management app.

2. Select the organization that you want to change and select profile

3. Change the Organization name and update the profile

How to change the Organization Key:

Changing Organization Key is not possible. We generate the key from the organization name users provide at the registration time. It is a unique value and plays a major role in multi-tenancy. We have certain internal criteria for this key.

Another reason why we cannot do this is, we are using the organization key in the internal registries when storing API related metadata. So, if we change it, there is a data migration involved.

How to change the organisation name appear in WSO2 Cloud invoices

Let's say you want to change the organisation name that appears in invoices when you subscribe to a paid plan. Here are the instructions:

1. Log in to the WSO2 Cloud and go to the Accounts page.

2. You can find the contact information in the Accounts page. Click on 'update contact Info'.

3. Change the organization name: add the organization name that you want displayed in the invoice.

4. Save the changes.

5. You can see the changed organization name in the Accounts Summary.

How to add a new payment method to the WSO2 Cloud

Here are the instructions:

1. Go to:
2. Log in with your WSO2 credentials (email and password),
3. Click the 'New Payment Method' button:

4. Supply the new credit card information, click the Payment Info button and then the Proceed button.

Let us know if you need further help :)

Wednesday, February 15, 2017

WSO2 ESB communication with WSO2 ESB Analytics

This blog post is about how WSO2 ESB connects to WSO2 ESB Analytics and which ports are involved.

How to configure: This document explains how to configure it

Let's say we have WSO2 ESB  and WSO2 ESB Analytics packs we want to run in same physical machine, then we have to offset one instance. 
But we don't want to do that since WSO2 ESB Analytics by default come with the offset.

So WSO2ESB will run on 9443 port, WSO2 ESB Analytics will run on 9444 port

WSO2 ESB publishes data to WSO2 ESB Analytics via thrift. By default the thrift port is 7611 and the corresponding SSL thrift port is 7711 (7611+100); check the data-bridge-config.xml file in the analytics server config directory.

Since analytics products ship with offset 1, the thrift port is 7612 and the SSL port is 7712.
Here, the SSL port (7712) is used for the initial authentication of the data publisher; afterwards it uses the thrift port (7612) for event publishing.

Here's a common error people raise when configuring analytics with WSO2 ESB.

[2017-02-14 19:42:56,477] ERROR - DataEndpointConnectionWorker Error while trying to connect to the endpoint. Cannot borrow client for ssl://localhost:7713
org.wso2.carbon.databridge.agent.exception.DataEndpointAuthenticationException: Cannot borrow client for ssl://localhost:7713
        at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(
        at java.util.concurrent.Executors$
        at java.util.concurrent.ThreadPoolExecutor.runWorker(
        at java.util.concurrent.ThreadPoolExecutor$
Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointSecurityException: Error while trying to connect to ssl://localhost:7713
        at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftSecureClientPoolFactory.createClient(
        at org.wso2.carbon.databridge.agent.client.AbstractClientPoolFactory.makeObject(
        at org.apache.commons.pool.impl.GenericKeyedObjectPool.borrowObject(
        at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(
        ... 6 more
Caused by: org.apache.thrift.transport.TTransportException: Could not connect to localhost on port 7714
        at org.apache.thrift.transport.TSSLTransportFactory.createClient(
        at org.apache.thrift.transport.TSSLTransportFactory.getClientSocket(
        at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftSecureClientPoolFactory.createClient(
        ... 9 more
Caused by: Connection refused: connect
        at Method)
        at org.apache.thrift.transport.TSSLTransportFactory.createClient(
        ... 11 more

This happens because people change the thrift port in the following configuration files by adding another 1 (7612+1), thinking that they need to add 1 because the analytics server has an offset of 1.