Working with Security

After you install the API-M, it is recommended to change the default security settings according to the requirements of your production environment. As the API-M is built on top of the WSO2 Carbon platform, some security configurations are inherited from the Carbon platform.

Important!

If you are configuring your production environment, be sure to check the Security Guidelines for Production Deployment before applying any security configurations.

The following topics explain the platform-specific, and product-specific configurations:

API-M-specific security configurations

See the following topics:

Pass a Custom Authorization Token to the Backend

WSO2 Carbon platform-based security configurations

The following security configurations are common to all WSO2 products that are built on top of the WSO2 Carbon platform.

Configuration	Description
Configuring transport-level security	WSO2 products support a variety of transports that make them capable of receiving and sending messages over a multitude of transport, and application-level protocols. By default, all WSO2 products are shipped with the HTTP transport. The transport receiver implementation of the HTTP transport is available in Carbon platform. The transport sender implementation comes from the Tomcat HTTP connector, which is configured in the `<API-M_HOME>/repository/conf/tomcat/catalina-server.xml` file. For more information on securing the HTTP transport, see Configuring transport level security in the WSO2 Administration Guide.
Configuring keystores	A keystore is a repository that stores the cryptographic keys and certificates. These artifacts are used for encrypting sensitive information, and establishing trust between your server and outside parties that connect to your server. All WSO2 products come with a default keystore (`wso2carbon.jks`). In a production environment, it is recommended to replace it with one. You can also configure multiple keystores for different purposes. See the following in the WSO2 Administration Guide: Learn how public key encryption and keystores are used. Learn how to create new keystores and replace the default one. Learn how configuration files should be updated to use the relevant keystore for different purposes. To download a keystore in WSO2 API Manager, do the following: Sign in to `https://<hostname>:9443/carbon` as the tenant admin and click on Configure. Select Keystores. Click Public Key to download the keystore for the selected tenant.
Securing sensitive passwords	As a secure vault implementation is available in all WSO2 products, you can encrypt the sensitive data (i.e., passwords in configuration files and passwords for mediation flows) using the Cipher tool. For more information, see the following sections. Working with Encrypted Passwords Encrypting Secure Endpoint Passwords
Enabling JAVA security manager	See Enabling JAVA security manager in the WSO2 Administration Guide on how to prevent untrusted code from manipulating your system.

API Endpoint Security

Look into the following topics under enabling endpoint security for the APIs.