WSO2 products use asymmetric encryption by default for the purposes of authentication and data encryption. In asymmetric encryption, keystores (with key pairs and certificates) are created and stored for the product. It is possible to have multiple keystores so that the keys used for different use cases are kept unique. For more information about creating and configuring keystores, see Using Asymmetric Encryption.
After you have created a new keystore and updated the client-truststore.jks
file, you must update a few configuration files in order to make the keystore work.
For instructions on the default carbon keystore configurations, see Configuring Keystores in WSO2 Products in the WSO2 Product Administration Guide.
Follow the steps below to configure a keystore in WSO2 API Manager.
Configuring keystores for AMQP and MQTT transports
To configure AMQP and MQTT transports, open the <APIM_HOME>/repository/conf/broker.xml
file. The values for the location
and password
parameters under keyStore
and trustStore
must be updated. The code below shows the default values.
<sslConnection enabled="true" port="8672"> <keyStore> <location>repository/resources/security/wso2carbon.jks</location> <password>wso2carbon</password> </keyStore> <trustStore> <location>repository/resources/security/client-truststore.jks</location> <password>wso2carbon</password> </trustStore> </sslConnection>
Configuring keystores for Jaggery Apps SSO configuration
Open the <APIM_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json
file. Update the values for keyStoreName
and keyStorePassword
as shown below.
"ssoConfiguration" : { "enabled" : "true", "issuer" : "API_PUBLISHER", "identityProviderURL" : "https://localhost:9444/samlsso", "keyStorePassword" : "wso2carbon", "identityAlias" : "wso2carbon", "responseSigningEnabled":"true", "assertionSigningEnabled":"true", "keyStoreName" :"wso2carbon.jks", },
Configuring keystores for endpoints
Open the <APIM_HOME>/repository/conf/identity/
EndpointConfig.properties
file and update client.keyStore
and client.trustStore
with the location of the keystore and truststore respectively. The default configurations are shown below.
tenantListEnabled=false hostname.verification.enabled=true mutual.ssl.username=admin client.keyStore=./repository/resources/security/wso2carbon.jks Carbon.Security.KeyStore.Password=wso2carbon client.trustStore=./repository/resources/security/client-truststore.jks Carbon.Security.TrustStore.Password=wso2carbon #identity.server.serviceURL=https://localhost:9443/services/ username.header=UserName key.manager.type=SunX509 trust.manager.type=SunX509 tls.protocol=TLSv1.2
Configuring keystores for advanced transport handling
To have more advanced transport handling functions using keystores, you must update the <APIM_HOME>/repository/conf/tomcat/catalina-server.xml
file and the <APIM_HOME>/repository/conf/axis2/axis2.xml
file.