...
See the following topics for details on how keystores are used in WSO2 products and the default keystore settings with which all products are shipped:
- Setting up keystores for WSO2 products
- Default keystore settings in WSO2 products
- Managing keystores from the management console
Setting up keystores for WSO2 products
In WSO2 products, public key encryption is used for the following purposes:
...
- Maintain a primary keystore for encrypting sensitive data such as admin passwords and certain registry data. By default, the primary keystore is also used for WS-Security and for authenticating Tomcat-level connections.
- Maintain a separate keystore for authenticating communication over SSL/TLS (Tomcat-level connections).
- Optionally, set up separate keystores with key pairs and certificates for WS-Security.
- Maintain a separate keystore (truststore) for storing the trusted certificates of the public keys in your keystores.
See the related links for information on creating new keystores with the required certificates.
Default keystore settings in WSO2 products
All WSO2 products are shipped with two default keystore files stored in the <PRODUCT_HOME>/repository/resources/security/ directory:
...
Note |
---|
It is recommended to replace this default keystore with a new keystore that has self-signed or CA-signed certificates when the products are deployed in production environments. This is because wso2carbon.jks is distributed with the open source WSO2 products, which means anyone can access the private key of the default keystore. |
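One way to check for the situation the note describes, as an added example that is not WSO2 code: compare the certificates in a deployed keystore with those in the wso2carbon.jks taken from an unmodified product download. It assumes both files are in JKS format, and the function names are hypothetical.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED  # first four bytes of every JKS file

def jks_cert_fingerprints(data: bytes) -> dict:
    """Map alias -> SHA-256 digests of its certificates (stored unencrypted in JKS)."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated keystore")
        pos += n
        return data[pos - n:pos]

    def u32() -> int:
        return struct.unpack(">I", take(4))[0]

    def utf() -> str:  # Java writeUTF: 2-byte length, then the bytes
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8", "replace")

    magic, version = u32(), u32()
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore (PKCS12 is not handled here)")

    def cert() -> str:
        if version == 2:
            utf()  # certificate type, e.g. "X.509"
        return hashlib.sha256(take(u32())).hexdigest()

    found = {}
    for _ in range(u32()):
        tag, alias = u32(), utf()
        take(8)  # creation timestamp
        if tag == 1:  # private-key entry: encrypted key, then certificate chain
            take(u32())
            found[alias] = [cert() for _ in range(u32())]
        elif tag == 2:  # trusted-certificate entry
            found[alias] = [cert()]
        else:
            raise ValueError(f"unknown entry tag {tag}")
    return found

def aliases_matching_default(deployed: bytes, shipped_default: bytes) -> list:
    """Aliases in `deployed` whose certificate also appears in the shipped default."""
    default = {fp for fps in jks_cert_fingerprints(shipped_default).values() for fp in fps}
    return sorted(alias for alias, fps in jks_cert_fingerprints(deployed).items()
                  if default.intersection(fps))
```

Read both files with `open(path, "rb").read()` and pass the bytes in; no keystore password is required. A non-empty result for a keystore means it still carries the publicly distributed key pair, and for a truststore it means the default certificate is still trusted.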
Managing keystores
WSO2 products provide the facility to add keystores using the management console or using an XML configuration, and to import certificates to the keystore using the management console. The WSO2 keystore management feature provides a UI and an API to add and manage keystores used for WS-Security scenarios. When you apply WS-Security to web services using the management console, you can select a keystore from uploaded keystores for encryption/signing processes. The management console also allows you to view/delete keystores.
...
Info |
---|
Note the following regarding WSO2 keystore management:
|
Related links