Follow the instructions below to deploy Identity Server in production.
The following changes should be applied on a fresh Identity Server instance. Do not start the Identity Server until the configurations are finalized.
Step 1. Changing the default key store
1. Open <IS_HOME>/repository/conf/carbon.xml
file.
2. The private key is used for the HTTPS channel and for the token issuer to sign the issued tokens.
The following section of the carbon.xml
should be updated to match your private key information.
The private key must be available in a keystore of the "JKS" or "PKCS12" type. More information on key stores can be found here.
<!-- Security configurations --> <Security> <!-- KeyStore which will be used for encrypting/decrypting passwords and other sensitive information. --> <KeyStore> <!-- Keystore file location--> <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location> <!-- Keystore type (JKS/PKCS12 etc.)--> <Type>JKS</Type> <!-- Keystore password--> <Password>wso2carbon</Password> <!-- Private Key alias--> <KeyAlias>wso2carbon</KeyAlias> <!-- Private Key password--> <KeyPassword>wso2carbon</KeyPassword> </KeyStore> <!-- The directory under which all other KeyStore files will be stored --> <KeyStoresDir>${carbon.home}/repository/resources/security</KeyStoresDir> </Security>
Step 2. Changing the host name
1. Open <IS_HOME>/repository/conf/carbon.xml
file.
2. Change the host name of the Identity Provider to match the "Common Name" of the certificate of the private key.
<!-- Host name of the machine hosting this server e.g. www.wso2.org --> <HostName>localhost</HostName> <ServerURL>https://localhost:${carbon.https.port}${carbon.context}/services/</ServerURL>
Step 3. Changing the HTTP/HTTPS ports
1. Open <IS_HOME>/repository/conf/tomcat/catalina-server.xml
file and change the HTTP and HTTPS ports in the <connector> elements. For example,
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9763" ... /> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443 scheme="https" ... />
Step 4. Changing the OpenID Provider configurations
1. Open the <IS_HOME>/repository/conf/identity.xml
file.
2. Change the OpenID provider server URL by changing the corresponding configuration element.
Once this is set, OpenIDs will be generated in the following format: <OpenIDUserPattern>/<User Name>
.
For example, https://localhost:9443/openid/bob
Both configurations must have the HTTPS
port.
<OpenIDServerUrl>https://localhost:9443/openidserver</OpenIDServerUrl> <OpenIDUserPattern>https://localhost:9443/openid/</OpenIDUserPattern>