This post explains how to configure WSO2 API Manager 1.10.0 to lock user accounts after repeated failed login attempts. This feature is not available in APIM 1.10.0 out of the box, so we have to install the relevant feature and then configure the product to enable it.
Start the APIM product and login to the management console with an admin user. The management console can be accessed from the url:
After logging in to the management console, go to the Feature Management section (Configure > Features). From the UI, click on ‘Add Repository’.
Since APIM 1.10.0 is released on Carbon kernel 4.4.x, we have to provide the p2 repository location for kernel 4.4.x, which is
p2 repositories for other kernel versions can be found at . Enter the repository name and the URL and click on the ‘Add’ button. This will take a couple of seconds.
Once the repository is added, it will be listed in the repositories dropdown. Now click on the ‘Find Features’ button and it will list the available features grouped by category.
From the features list, expand the User Management > Identity - User Management feature category, select ‘Account Recovery and Credential Management’ and click ‘Install’.
Click ‘Next >’ at the Install Details UI, accept the terms and click on ‘Next >’ again.
Once the feature is installed successfully, you should see an Installation Complete message asking you to restart the server. Restart the server and you are ready to configure APIM for user account locking.
The following configurations are needed to enable account locking.
Open the identity.xml file in the /repository/conf/identity directory and enable ‘IdentityMgtEventListener’ by setting the following listener to enable="true".
<EventListener enable="true" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" type="org.wso2.carbon.user.core.listener.UserOperationEventListener"/>
Then open the identity-mgt.properties file in the same directory and set the following properties.
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=5
You can refer to  for more information about these properties.
Once the configuration is done, you can test the functionality by trying to log in to the Store, the Publisher or the management console with incorrect passwords. On the 3rd unsuccessful login attempt you should see the following entry in wso2carbon.log if the account has been locked.
ERROR - AuthenticationAdmin System error while Authenticating/Authorizing User : 17003 User account is locked for user : testuser. cannot login until the account is unlocked
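As an added example (not part of the original post, and not WSO2 code), the script below does two things an operator would want once locking is switched on: it checks that the four identity-mgt.properties settings from the post are actually in place, and it scans wso2carbon.log for the error code 17003 entry shown above so that locked accounts can be counted per user. The log lines and the properties excerpt are constructed for illustration, with made-up timestamps; only the message text follows the format shown on the page.

```python
import re
from collections import Counter

# Constructed sample log lines in the shape of the wso2carbon.log entry shown
# in the post. Timestamps are made up; the message text follows the page.
SAMPLE_LOG = """\
[2016-01-05 10:14:02,113] ERROR - AuthenticationAdmin System error while Authenticating/Authorizing User : 17003 User account is locked for user : testuser. cannot login until the account is unlocked
[2016-01-05 10:14:09,551]  INFO - CarbonCoreActivator Operating System : Linux, amd64
[2016-01-05 10:15:44,002] ERROR - AuthenticationAdmin System error while Authenticating/Authorizing User : 17003 User account is locked for user : testuser. cannot login until the account is unlocked
[2016-01-05 10:16:01,777] ERROR - AuthenticationAdmin System error while Authenticating/Authorizing User : 17003 User account is locked for user : alice. cannot login until the account is unlocked
"""

# Error code 17003 is the "account is locked" rejection; capture the user name
# that follows "user : " up to the trailing period.
LOCK_RE = re.compile(r"17003 User account is locked for user : (?P<user>[^\s.]+)")


def find_account_locks(log_text):
    """Return {username: number of login attempts rejected because the account is locked}."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LOCK_RE.search(line)
        if match:
            counts[match.group("user")] += 1
    return dict(counts)


# Constructed excerpt of identity-mgt.properties with the values from the post.
SAMPLE_PROPERTIES = """\
# account locking settings (constructed excerpt)
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=2
Authentication.Policy.Account.Lock.Time=5
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lock_policy_status(props):
    """Return a list of problems with the locking configuration; empty means all four settings are in place."""
    problems = []
    if props.get("Authentication.Policy.Enable", "false").lower() != "true":
        problems.append("Authentication.Policy.Enable is not true")
    if props.get("Authentication.Policy.Account.Lock.On.Failure", "false").lower() != "true":
        problems.append("Authentication.Policy.Account.Lock.On.Failure is not true")
    try:
        attempts = int(props.get("Authentication.Policy.Account.Lock.On.Failure.Max.Attempts", "0"))
    except ValueError:
        attempts = 0
    if attempts < 1:
        problems.append("Authentication.Policy.Account.Lock.On.Failure.Max.Attempts must be a positive integer")
    try:
        lock_time = int(props.get("Authentication.Policy.Account.Lock.Time", "0"))
    except ValueError:
        lock_time = 0
    if lock_time < 1:
        problems.append("Authentication.Policy.Account.Lock.Time must be a positive integer")
    return problems


if __name__ == "__main__":
    print("config problems:", lock_policy_status(parse_properties(SAMPLE_PROPERTIES)))
    print("locked-account rejections per user:", find_account_locks(SAMPLE_LOG))
```

To use it against a real deployment, replace SAMPLE_PROPERTIES and SAMPLE_LOG with the contents of identity-mgt.properties and wso2carbon.log; a sudden rise in rejections for one user is worth following up, since it means something kept presenting wrong credentials after the lock took effect.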