
Configure WSO2IS to use 443 instead of 9443 #26348

@thedrhax14

Description


Hello everyone,

I have recently managed to deploy a wso2is instance using the Docker image and put it behind a reverse proxy for SSL offloading on an EC2 instance. It practically works over port 443 as expected, except for several internal APIs as far as I observed. One of those APIs is https://id.example.com:9443/scim2/Users?count=11&domain=PRIMARY&excludedAttributes=groups,roles&startIndex=1, which for some reason still uses 9443. More precisely, almost any path that starts with /scim2. Here is my deployment.toml:

[server]
hostname = "id.example.com"
node_ip = "127.0.0.1"

[transport.https.properties]
proxyPort = 443
proxyHost = "id.example.com"

...

It appears to be valid and working since I am able to access and use most of the wso2is instance using port 443. Any idea why 9443 is still used? I have tried to grep for scim2 and 9443 in the container but couldn't tell clearly which file remains to be updated.

I should also mention that I did find carbon.management.port in multiple files where the scim2-related API paths are, but couldn't tell how to change it correctly.

Regards.

Steps to Reproduce

Local Machine Setup

These steps describe how to reproduce the issue using a local environment (Mac/Windows/Linux) with Docker installed. No EC2 setup is required.

1. Pull the WSO2 Identity Server Docker Image

docker pull wso2/wso2is:7.2.0

2. Create a Local deployment.toml

Create a directory on your machine, for example:

mkdir wso2is-local
cd wso2is-local

Create a file named deployment.toml with the following content:

# /home/wso2carbon/wso2is-7.2.0/repository/conf/deployment.toml
# [server]
# hostname = "localhost"
# node_ip = "127.0.0.1"
# base_path = "https://$ref{server.hostname}:${carbon.management.port}"
[server]
hostname = "id.example.com"
node_ip = "127.0.0.1"
offset = 0
management_port = 80

[transport.https]
port = 80

[transport.https.properties]
proxyPort = 80
proxyHost = "id.example.com"

[super_admin]
username = "..."
password = "..."
create_admin_account = true

[user_store]
type = "database_unique_id"

[database.identity_db]
type = "h2"
url = "jdbc:h2:./repository/database/WSO2IDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"
username = "..."
password = "..."

[database.shared_db]
type = "h2"
url = "jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"
username = "..."
password = "..."

[datasource.AgentIdentity]
id = "AgentIdentity"
url = "jdbc:h2:./repository/database/WSO2AGENTIDENTITY_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"
username = "..."
password = "..."
driver = "org.h2.Driver"

[keystore.primary]
file_name = "wso2carbon.p12"
password = "wso2carbon"
type="PKCS12"

[truststore]
file_name="client-truststore.p12"
password="wso2carbon"
type="PKCS12"

[account_recovery.endpoint.auth]
hash= "..."

[identity.auth_framework.endpoint]
app_password= "..."

(The hostname can be anything; it just needs to be consistent.) Overall it is identical to the default deployment.toml except for [server], [transport.https] and [transport.https.properties]. Also, using port 80 is mostly identical to using 443. The point is that the port change should be reflected consistently everywhere else.

3. Run the Container and Mount deployment.toml

Expose container port 6763, simulating SSL offloading through a reverse proxy.

docker run \
  --name wso2is \
  -p 80:6763 \
  -v "$(pwd)/deployment.toml":/home/wso2carbon/wso2is-7.2.0/repository/conf/deployment.toml \
  wso2/wso2is:7.2.0

This setup simulates:

  • User accessing WSO2IS via port 80
  • Reverse proxy (simulated) forwarding traffic into container port 6763

4. Access Management Console

Open the browser:

http://id.example.com/

(or modify your /etc/hosts (depending on your OS) to point it to 127.0.0.1)

5. Navigate Through the Console

Log in normally and use features across the dashboard (users, roles, applications).

Most endpoints work correctly through the configured proxy port 80.

6. Trigger a SCIM2 API Call

Use the UI or call the API directly:

http://id.example.com/scim2/Users?count=11&domain=PRIMARY&excludedAttributes=groups,roles&startIndex=1

7. Observe the Issue

Even though the server is accessed through 80, WSO2 IS internally still responds with URLs pointing to:

http://id.example.com:9443/scim2/Users...

Or attempts to call internal SCIM2 endpoints via port 9443, ignoring the configured:

[transport.https.properties]
proxyPort = 80
proxyHost = "id.example.com"

8. Inspect Container for References to 9443 (Optional)

Running a grep inside the container shows multiple references to:

  • carbon.management.port
  • 9443
  • SCIM2 URL patterns inside XML/TOML files

But it is unclear which file is responsible for SCIM2 continuing to use 9443.

Example:

docker exec -it wso2is bash
grep -R "9443" /home/wso2carbon/wso2is-7.2.0/ -n
grep -R "scim2" /home/wso2carbon/wso2is-7.2.0/ -n

9. Result

Even with a valid deployment.toml, SCIM2 endpoints still use 9443 instead of the configured proxy port 80.
This behavior only affects certain internal API paths (mostly /scim2/*), while the rest of the product works correctly behind the reverse proxy.

Please select the area issue is related to

Identity Server Core

Version

7.2.0

Environment Details (with versions)

No response

Developer Checklist

  • [Behavioural Change] Does this change introduce a behavioral change to the product?
  •  ↳ Approved by team lead
  •  ↳ Label impact/behavioral-change added
  • [Migration Impact] Does this change have a migration impact?
  •  ↳ Migration label added (e.g., 7.2.0-migration)
  •  ↳ Migration issues created and linked
  • [New Configuration] Does this change introduce a new configuration?
  •  ↳ Label config added
  •  ↳ Configuration is properly documented
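
A check worth running after changing proxyPort, as an added example that is not part of the issue or of WSO2 IS: capture one SCIM2 response through the proxy and flag every absolute URL (meta.location in the body, Location/Link headers) whose origin differs from the public one. A self-reference that still names the internal listener both breaks clients that follow it and discloses the backend port behind the offloading proxy. The sample body and headers below are constructed to mirror the symptom described above; id.example.com and the resource id are placeholders.

```python
"""Audit a SCIM2 response for self-references that leak an internal origin.

Added example, not code from the issue or from WSO2 IS. Every absolute URL
in the response body (e.g. meta.location) and in URL-bearing headers is
compared against the public origin the reverse proxy serves; mismatches
such as https://id.example.com:9443/... are reported with their JSON path.
"""
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]  # (scheme, host, effective port)
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> Optional[Origin]:
    """Return (scheme, host, port) for an absolute http(s) URL, else None.

    Default ports are filled in so https://h/ and https://h:443/ compare equal.
    Relative paths and non-http schemes (urn:..., mailto:) yield None.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def walk_strings(node, path="$"):
    """Yield (json_path, value) for every string in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{idx}]")
    elif isinstance(node, str):
        yield path, node


def _expected_origin(public_base: str) -> Origin:
    expected = origin_of(public_base)
    if expected is None:
        raise ValueError(f"public_base must be an absolute http(s) URL: {public_base!r}")
    return expected


def find_origin_leaks(body, public_base: str) -> List[Dict]:
    """List every absolute URL in `body` whose origin differs from public_base."""
    expected = _expected_origin(public_base)
    leaks = []
    for path, value in walk_strings(body):
        actual = origin_of(value)
        if actual is not None and actual != expected:
            leaks.append({"path": path, "url": value, "origin": actual})
    return leaks


def find_header_leaks(headers: Dict[str, str], public_base: str) -> List[Dict]:
    """Same check for response headers that carry a URL (Location, Link)."""
    expected = _expected_origin(public_base)
    leaks = []
    for name, value in headers.items():
        if name.lower() in ("location", "link"):
            # Link values look like <url>; rel="..." - keep only the URL part.
            actual = origin_of(value.split(";")[0].strip("<> "))
            if actual is not None and actual != expected:
                leaks.append({"path": f"header:{name}", "url": value, "origin": actual})
    return leaks


def audit(raw_json: str, headers: Dict[str, str], public_base: str) -> List[Dict]:
    """Run both checks on one captured response (body first, then headers)."""
    return find_origin_leaks(json.loads(raw_json), public_base) + find_header_leaks(headers, public_base)


# Constructed sample: a ListResponse shaped like GET /scim2/Users?count=1 fetched
# through the proxy, with the issue's symptom (meta.location still names :9443).
# The hostname and resource id are placeholders, not real data.
SAMPLE_BODY = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1, "startIndex": 1, "itemsPerPage": 1,
    "Resources": [{
        "id": "00000000-0000-4000-8000-000000000001",
        "userName": "jdoe",
        "meta": {
            "resourceType": "User",
            "created": "2025-01-01T00:00:00Z",
            "location": "https://id.example.com:9443/scim2/Users/00000000-0000-4000-8000-000000000001",
        },
    }],
})
SAMPLE_HEADERS = {
    "Content-Type": "application/scim+json",
    "Location": "https://id.example.com:9443/scim2/Users/00000000-0000-4000-8000-000000000001",
}

if __name__ == "__main__":
    for leak in audit(SAMPLE_BODY, SAMPLE_HEADERS, "https://id.example.com"):
        print(f"{leak['path']}: {leak['url']} -> origin {leak['origin']}")
```

Against a live deployment, feed it the body and headers of `curl -si https://id.example.com/scim2/Users?count=1` (with an appropriate bearer token) and pass the public base URL; an empty result means every self-reference honours the proxy origin, while any hit names the exact field or header still built from the internal port.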
