Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Digital certificate: When there is a key pair, it is also necessary to have a digital certificate to verify the identity of the keys. Typically, the public key of a key pair is embedded in this digital certificate, which also contains additional information such as the owner, validity, etc. of the keys. For example, if an external party wants to verify the integrity of data or validate the identity of the signer (by validating the digital signature), it is necessary for them to have this digital certificate. 

Trusted certificates: To establish trust, the digital certificate containing the public key should be signed by a trusted certifying authority (CA). You can generate self-signed certificates for the public key (thereby creating your own certifying authority), or you can get the certificates signed by an external CA. Both types of trusted certificates can be effectively used depending on the sensitivity of the information that is protected by the keys. When the certificate is signed by a reputed CA, all the parties who trust this CA will also trust the certificates signed by them.

Info
titleIdentity and Trust

The key pair and the CA-signed certificates in a keystore establishes two security functions in your server: The key pair with the digital certificate gives is an indication of identity and the CA-signed certificates certificate provides trust to the identity. Since the public key is used to encrypt information, the keystore containing the corresponding private key should always be protected, as it can decrypt the sensitive information. FurtherFurthermore, the privacy of the private key is important as it represents its own identity and protects the integrity of data. However, the CA-signed digital certificates should be accessible to outside parties that requires require to decrypt and use the information.

To facilitate this requirement, the certificates should must be copied to a separate keystore (called a Truststore), which can then be shared with outside parties. Therefore, in a typical setup, you will have one keystore for identity (containing the private key) that is protected, and a separate keystore for trust (containing CA certificates) that is shared with outside parties.

...

  • Authenticating the communication over Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols.
  • Encrypting sensitive information such as plain text passwords in configuration files.
  • Encrypting data such as scripts, configuration files, xmld, xsds etc. into the registry.
  • Encrypting/signing in WS-Security.

...

  • Maintain a primary keystore for encrypting sensitive data such as admin passwords and certain registry data. By default, the primary keystore is also used for WS-Security and for authenticating tomcat Tomcat level connections.
  • Maintain a separate keystore for authenticating the communication over SSL/TLS (tomcat for Tomcat level connections).
  • Optionally, you can set up separate keystores with key pairs and certificates for WS-Security.
  • A separate keystore (truststore) for the purpose of storing the trusted certificates of public keys in your keystores.

...

  • wso2carbon.jks: This keystore contains a key pair , which and is used by default used in your Carbon server for all of the purposes explained above. 
  • client-truststore.jks: This is the default trust store, which contains the trusted certificates of the keystore used in SSL communication.

...

...

This functionality is bundled with the following feature that is installed in your product:.

Name: WSO2 Carbon - Security Management Feature
Identifier: org.wso2.carbon.security.mgt.feature.group

Info

Note the following regarding WSO2 keystore management:

  • You cannot import an existing private key to for which you already have a certificate.
  • You cannot delete the default wso2carbon.jks keystore.
  • You must have the same password for both keystore and private key , due to a Tomcat limitation.
  • You cannot remove a service before disabling its security.

...

Excerpt
hiddentrue

Related links

Note to Writers: The 'Related Links' title is bookmarked in the shared spaces so that it is also pulled along with the other content. Therefore, after pulling this page, make sure to add the relevant interspace links in your product spaces. Use the Children Display macro.