Follow the instructions below to create a new Keystore in WSO2 Enterprise Store (ES):
Step 1 - Create a Keystore
You can either create a new Keystore or use an existing Keystore. For more information, see the following WSO2 Carbon documentation.
Step 2 - Import the Keystore into the trust store
In an SSL handshake, the client needs to verify the certificate presented by the server. For this purpose, the client usually stores the certificates it trusts in a trust store. For more information, see Adding the public key to client-truststore.jks in the WSO2 Carbon documentation.
Step 3 - Update the required configuration files
Update the carbon.xml file, which is in the <ES_HOME>/repository/conf directory, with the location of the newly created Keystore.

    <KeyStore>
        <!-- Keystore file location-->
        <Location>${carbon.home}/repository/resources/security/mykeystore.jks</Location>
        <!-- Keystore type (JKS/PKCS12 etc.)-->
        <Type>JKS</Type>
        <!-- Keystore password-->
        <Password>mypkpassword</Password>
        <!-- Private Key alias-->
        <KeyAlias>mycert</KeyAlias>
        <!-- Private Key password-->
        <KeyPassword>mypkpassword</KeyPassword>
    </KeyStore>
    <RegistryKeyStore>
        <!-- Keystore file location-->
        <Location>${carbon.home}/repository/resources/security/mykeystore.jks</Location>
        <!-- Keystore type (JKS/PKCS12 etc.)-->
        <Type>JKS</Type>
        <!-- Keystore password-->
        <Password>mypkpassword</Password>
        <!-- Private Key alias-->
        <KeyAlias>mycert</KeyAlias>
        <!-- Private Key password-->
        <KeyPassword>mypkpassword</KeyPassword>
    </RegistryKeyStore>
Update the following configuration in the <ES_HOME>/repository/conf/tomcat/catalina-server.xml file under the Connector protocol, which corresponds to port 9443.

    keystoreFile="${carbon.home}/repository/resources/security/mykeystore.jks" keystorePass="mypkpassword"
Update the publisher.json file, which is in the <ES_HOME>/repository/deployment/server/jaggeryapps/publisher/config directory. You need to update this file in order to authenticate the Store successfully. You cannot log into the Publisher if the following configurations are not carried out. The identityAlias should be the alias that you used when importing the PEM details of your key to the client-truststore.jks.

    "authentication": {
        "activeMethod": "sso",
        "methods": {
            "sso": {
                "attributes": {
                    "issuer": "publisher",
                    "identityProviderURL": "%https.carbon.local.ip%/samlsso",
                    "identityAlias": "mynewcert",
                    "responseSigningEnabled": "true",
                    "acs": "%https.host%/publisher/acs",
                    "useTenantKey": false
                }
            }
        }
Update the store.json file, which is in the <ES_HOME>/repository/deployment/server/jaggeryapps/store/config directory. You need to update this file in order to authenticate the Publisher successfully. You cannot log into the Store if the following configurations are not carried out. The identityAlias should be the alias that you used when importing the PEM details of your key to the client-truststore.jks.

    "authentication": {
        "activeMethod": "sso",
        "methods": {
            "sso": {
                "attributes": {
                    "issuer": "store",
                    "identityProviderURL": "%https.carbon.local.ip%/samlsso",
                    "identityAlias": "mynewcert",
                    "responseSigningEnabled": "true",
                    "acs": "%https.host%/store/acs",
                    "useTenantKey": false
                }
            },
Now, the Keystore is installed into WSO2 Enterprise Store. If the Keystore-related configurations change, carry out the following instructions to update the files that have references to the Keystores.
Open a command prompt and navigate to the <ES_HOME>/repository/conf directory, where your product stores all configuration files.

    cd <ES_HOME>/repository/conf

Locate all the configuration files that have references to the Keystores by executing the grep command as follows:

    grep -nr ".jks"

The configuration files and the Keystore files that are referred to in each file are listed.
Check which files you have not yet configured and point them to the new Keystore.
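The final check above, finding every configuration file that still points at an old keystore, can be scripted so it is repeatable after each configuration change. The following POSIX shell script is an added example and is not part of the WSO2 documentation. It assumes the ES_HOME layout this page describes (repository/conf and repository/deployment/server/jaggeryapps/<app>/config), treats client-truststore.jks as a legitimate reference because the trust store keeps its own file, and builds a constructed sample tree in which carbon.xml was updated but the Tomcat connector still references WSO2 Carbon's default keystore name, wso2carbon.jks. It also checks that the new keystore file is readable by its owner only, since the file holds the private key.

```shell
#!/bin/sh
# Added example, not part of the WSO2 ES documentation: after switching to a new
# keystore, list the configuration files under ES_HOME that still reference some
# other .jks file, and check the new keystore's file permissions.

# find_stale_keystore_refs ES_HOME NEW_KEYSTORE_FILENAME
# Prints file:line:text for every ".jks" reference that is neither the new
# keystore nor the client trust store (which legitimately keeps its own name).
find_stale_keystore_refs() {
    es_home="$1"
    new_ks="$2"
    # Directories the page names as carrying keystore references.
    for dir in "$es_home/repository/conf" \
               "$es_home/repository/deployment/server/jaggeryapps"; do
        [ -d "$dir" ] || continue
        grep -nr '\.jks' "$dir" 2>/dev/null | while IFS= read -r line; do
            case "$line" in
                *"$new_ks"*|*client-truststore.jks*) ;;   # already correct
                *) printf '%s\n' "$line" ;;
            esac
        done
    done
}

# count_stale_keystore_refs ES_HOME NEW_KEYSTORE_FILENAME: number of stale references.
count_stale_keystore_refs() {
    find_stale_keystore_refs "$1" "$2" | wc -l | tr -d ' '
}

# check_keystore_perms FILE: succeeds only if FILE exists and has no group/other
# permission bits, i.e. the private key inside it is readable by the owner alone.
check_keystore_perms() {
    [ -f "$1" ] || return 1
    bits=$(ls -l "$1" | cut -c5-10)   # group+other bits, "------" when locked down
    [ "$bits" = "------" ]
}

# make_sample_es_home DIR: constructed sample tree (hypothetical contents) in which
# carbon.xml points at mykeystore.jks but catalina-server.xml still uses the
# default wso2carbon.jks, so exactly one stale reference exists.
make_sample_es_home() {
    root="$1"
    mkdir -p "$root/repository/conf/tomcat" \
             "$root/repository/resources/security" \
             "$root/repository/deployment/server/jaggeryapps/publisher/config"
    cat > "$root/repository/conf/carbon.xml" <<'EOF'
<KeyStore>
    <Location>${carbon.home}/repository/resources/security/mykeystore.jks</Location>
    <Type>JKS</Type>
</KeyStore>
EOF
    cat > "$root/repository/conf/tomcat/catalina-server.xml" <<'EOF'
<Connector port="9443" keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"/>
EOF
    printf '{"identityAlias": "mynewcert"}\n' \
        > "$root/repository/deployment/server/jaggeryapps/publisher/config/publisher.json"
    : > "$root/repository/resources/security/mykeystore.jks"   # placeholder keystore file
    chmod 600 "$root/repository/resources/security/mykeystore.jks"
}

# Stand-alone run: build the sample tree, report stale references and permissions.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_es_home "$demo"
    find_stale_keystore_refs "$demo" mykeystore.jks
    check_keystore_perms "$demo/repository/resources/security/mykeystore.jks" \
        && echo "keystore permissions ok"
    rm -rf "$demo"
fi
```

Run the script with --demo to build the sample tree and print the one stale reference (the Tomcat connector line); against a real deployment, call find_stale_keystore_refs "$ES_HOME" mykeystore.jks and fix every file it lists.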