WSO2 products use asymmetric encryption by default for the purposes of authentication and data encryption. In asymmetric encryption, keystores (with key pairs and certificates) are created and stored for the product. It is possible to have multiple keystores so that the keys used for different use cases are kept unique. For more information about creating and configuring keystores, see Using Asymmetric Encryption.

...

Open the <API-M_HOME>/repository/conf/identity/identity.xml file and update the values for Location and Password under the KeyStore section. The default configurations are shown below.

Code Block
<EntitlementSettings>
	<ThirftBasedEntitlementConfig>
		<EnableThriftService>false</EnableThriftService>
		<ReceivePort>${Ports.ThriftEntitlementReceivePort}</ReceivePort>
		<ClientTimeout>10000</ClientTimeout>
		<KeyStore>
			<Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
			<Password>wso2carbon</Password>
		</KeyStore>
		<ThriftHostName>${carbon.host}</ThriftHostName>
	</ThirftBasedEntitlementConfig>
</EntitlementSettings>

...

Open the <API-M_HOME>/repository/conf/identity/EndpointConfig.properties file and update client.keyStore and client.trustStore with the location of the keystore and truststore respectively. The default configurations are shown below.

Code Block
tenantListEnabled=false
hostname.verification.enabled=true
mutual.ssl.username=admin
client.keyStore=./repository/resources/security/wso2carbon.jks
Carbon.Security.KeyStore.Password=wso2carbon
client.trustStore=./repository/resources/security/client-truststore.jks
Carbon.Security.TrustStore.Password=wso2carbon
#identity.server.serviceURL=https://localhost:9443/services/
username.header=UserName
key.manager.type=SunX509
trust.manager.type=SunX509
tls.protocol=TLSv1.2

...

To configure more advanced transport-level handling with keystores, you must also update the <API-M_HOME>/repository/conf/tomcat/catalina-server.xml file and the <API-M_HOME>/repository/conf/axis2/axis2.xml file.


Configuring keystores for Analytics

Open the <API-M_HOME>/repository/conf/data-bridge/data-bridge-config.xml file and update keyStoreLocation and keyStorePassword with the location of the keystore and its password respectively. The default configurations are shown below.

Code Block
<keyStoreLocation>${carbon.home}/repository/resources/security/wso2carbon.jks</keyStoreLocation>
<keyStorePassword>wso2carbon</keyStorePassword>

Note

The <API-M_HOME>/repository/conf/data-bridge/data-agent-config.xml file is used by the publishing client. Therefore, a truststore containing the public certificate of the server is required there. The <API-M_HOME>/repository/conf/data-bridge/data-bridge-config.xml file is used by the listening server. This needs to reference a keystore containing the server's private key and its certificate to support SSL.
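The three keystore settings walked through above all ship pointing at the bundled wso2carbon.jks with the password wso2carbon, so a quick post-install audit is worthwhile. The following is an added example, not WSO2 code: it parses the identity.xml KeyStore section, EndpointConfig.properties and data-bridge-config.xml and reports every setting still at the shipped default (it also flags hostname verification if turned off). The sample inputs are constructed to mirror the default snippets on this page, and the <dataBridgeConfiguration> root element wrapped around the data-bridge fragment is an assumption.

```python
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "wso2carbon"
DEFAULT_KEYSTORE = "wso2carbon.jks"  # bundled keystore, identical in every install

def parse_properties(text):
    """Minimal key=value parser for EndpointConfig.properties ('#' lines are comments)."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and not k.startswith("#")}

def check(findings, source, setting, value):
    """Record a finding when a keystore setting is missing or still a shipped default."""
    if value is None:
        findings.append(f"{source}: {setting} not set")
    elif setting.lower().endswith("password") and value == DEFAULT_PASSWORD:
        findings.append(f"{source}: {setting} is the default '{DEFAULT_PASSWORD}'")
    elif value.endswith(DEFAULT_KEYSTORE):
        findings.append(f"{source}: {setting} points at the bundled {DEFAULT_KEYSTORE}")

def audit_keystore_config(identity_xml, endpoint_props, data_bridge_xml):
    """Audit the keystore settings this page covers; returns a list of finding strings."""
    findings = []
    ks = ET.fromstring(identity_xml).find(".//KeyStore")  # under ThirftBasedEntitlementConfig
    for tag in ("Location", "Password"):
        check(findings, "identity.xml", tag, ks.findtext(tag) if ks is not None else None)
    props = parse_properties(endpoint_props)
    for key in ("client.keyStore", "Carbon.Security.KeyStore.Password"):
        check(findings, "EndpointConfig.properties", key, props.get(key))
    if props.get("hostname.verification.enabled", "true").lower() != "true":
        findings.append("EndpointConfig.properties: hostname verification is disabled")
    bridge = ET.fromstring(data_bridge_xml)
    for tag in ("keyStoreLocation", "keyStorePassword"):
        check(findings, "data-bridge-config.xml", tag, bridge.findtext(".//" + tag))
    return findings

# Constructed samples mirroring the default snippets shown on this page.
SAMPLE_IDENTITY_XML = ("<EntitlementSettings><ThirftBasedEntitlementConfig><KeyStore><Location>"
    "${carbon.home}/repository/resources/security/wso2carbon.jks</Location><Password>wso2carbon"
    "</Password></KeyStore></ThirftBasedEntitlementConfig></EntitlementSettings>")
SAMPLE_ENDPOINT_PROPS = ("client.keyStore=./repository/resources/security/wso2carbon.jks\n"
    "Carbon.Security.KeyStore.Password=wso2carbon\nhostname.verification.enabled=true\n")
SAMPLE_DATA_BRIDGE_XML = ("<dataBridgeConfiguration>"  # root element name is an assumption
    "<keyStoreLocation>${carbon.home}/repository/resources/security/wso2carbon.jks</keyStoreLocation>"
    "<keyStorePassword>wso2carbon</keyStorePassword></dataBridgeConfiguration>")

if __name__ == "__main__":
    for finding in audit_keystore_config(SAMPLE_IDENTITY_XML, SAMPLE_ENDPOINT_PROPS, SAMPLE_DATA_BRIDGE_XML):
        print("FINDING:", finding)
```

Run it against the real files by reading each one into the corresponding argument; an empty list means every keystore path and password has been changed from the defaults.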