Tags: wso2, csrf, wso2-api-manager

Why am I getting "uri:/carbon/admin/login.jsp, error:required token is missing from the request" when trying to log into WSO2 APIM?


I configured my cluster in AWS for WSO2 API Manager, with load balancers for each section: The store, the publisher, the gateway managers and the gateway workers.

However, when I try to log into the Store, the Publisher or Carbon, with the correct username and password, I get the following error in the logs:

ARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted
(user:<anonymous>, ip:10.0.1.125, method:HEAD, uri:/carbon/admin/login.jsp,
error:required token is missing from the request)

That's all the information the log gives me, and I know for sure the user/pass is correct. Why can't I log in?


Solution

  • I only posted this question to share the answer, because I couldn't find anything about it on Google.

    My problem was that the load balancer was configured to distribute the requests evenly among its instances. So, when I tried to log in, the request was always sent to a different node, which by definition is a CSRF attack.

    As soon as I allowed those requests to be sticky, so a login request from a node goes to itself, the login works.
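The mechanism behind the answer, as an added illustration that is not part of the original post and not WSO2 code: each node keeps its own session store, the login page binds a CSRF token to a session on the node that served it, and the form POST is only accepted if it reaches the node holding that session. The model below (names such as Node, LoadBalancer and attempt_login are assumptions of this example) routes a GET of the login page and the following POST through a round-robin balancer and through a sticky one, so the reader can see why evenly distributed requests produce the "required token is missing from the request" rejection and why session affinity fixes it.

```python
import itertools
import secrets


class Node:
    """One cluster member. Its session store is local to the node: nothing
    is replicated to the other nodes, which is the assumption of this demo."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # session id -> CSRF token issued with the login page

    def get_login_page(self):
        # GET of the login page: create a session and bind a fresh token to it.
        sid = secrets.token_hex(8)
        token = secrets.token_hex(16)
        self.sessions[sid] = token
        return {"session": sid, "csrf_token": token}

    def post_login(self, sid, token):
        # POST of the login form: the token must match the one stored for this
        # session on this node. A node that never saw the session has no token
        # to compare against, so it rejects the request as CSRF.
        expected = self.sessions.get(sid)
        if expected is None or not secrets.compare_digest(expected, token):
            return 403, "required token is missing from the request"
        return 200, "login ok"


class LoadBalancer:
    """Round-robin balancer, optionally with session affinity (stickiness)."""

    def __init__(self, nodes, sticky):
        self.sticky = sticky
        self.rr = itertools.cycle(nodes)
        self.affinity = {}  # session id -> node, consulted only when sticky

    def route(self, sid=None):
        if self.sticky and sid in self.affinity:
            return self.affinity[sid]
        return next(self.rr)

    def remember(self, sid, node):
        # A sticky balancer pins the session cookie to the node that created it.
        if self.sticky:
            self.affinity[sid] = node


def attempt_login(lb):
    """Simulate one browser login: fetch the page, then submit the form.
    Returns (status, message, node that served GET, node that got POST)."""
    first = lb.route()
    page = first.get_login_page()
    lb.remember(page["session"], first)
    second = lb.route(page["session"])
    status, message = second.post_login(page["session"], page["csrf_token"])
    return status, message, first.name, second.name


if __name__ == "__main__":
    for sticky in (False, True):
        nodes = [Node("node-a"), Node("node-b")]
        status, msg, got, posted = attempt_login(LoadBalancer(nodes, sticky=sticky))
        print(f"sticky={sticky}: GET served by {got}, POST reached {posted} -> {status} {msg}")
```

With two or more nodes and no stickiness the POST always lands on a node other than the one that issued the token, so the login never succeeds; the same check passes on a single node or with affinity enabled. The equivalent production fix is either session stickiness on the balancer, as the answer describes, or sharing session state between nodes so that any node can validate the token.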