This documentation is for WSO2 Identity Server 5.7.0 . View documentation for the latest release.

All docs This doc
||
Skip to end of metadata
Go to start of metadata

WSO2 Identity Server enables adding multiple keys to the primary keystore. Let's explore the following topics to learn more: 

 

To use this feature, apply the  4563 WUM update for WSO2 Identity Server 5.7.0 using the WSO2 Update Manager (WUM).

To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature in a future version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.

Before you begin

Sign in to the WSO2 Identity Server Management Console that will be hereafter called Management Console.

Adding new keys to the super tenant

Follow the steps below to add new keys to the super tenant:

  1. Locate the wso2carbon.jks file in the <IS_HOME>/repository/resources/security directory in a command prompt. 

    wso2carbon is the default keystore. To learn how to change the default keystore see, Creating New Keystores and Configuring Keystores in WSO2 Products.

  2. To generate the new keys and add them to the keystore. 

    1. Navigate to the <IS_HOME>/repository/resources/security directory on a command prompt. 

      By default, all WSO2 Identity Server keystores are stored here. You may change it based on your requirement.

    2. Execute the following command.  

      Format
      keytool -genkey -alias <PUBLIC_CERTIFICATE_ALIAS> -keyalg RSA -keysize 2048 -keystore <KEYSTORE_NAME> -dname "CN=<<Common Name>>,OU=<<Organization Unit>>,O=<<Organization>>,L=<<Locality>>,S=<<StateofProvice Name>>,C=<<Country Name>>"-storepass <KEYSTORE_PASSWORD> -keypass <PRIVATE_KEY_PASSWORD>
      Example
      keytool -genkey -alias newkey -keyalg RSA -keysize 2048 -keystore wso2carbon.jks -dname "CN=localhost, OU=IT,O=ABC,L=SL,S=WS,C=LK" -storepass wso2carbon -keypass wso2carbon


    If you are planning to delete the newly-added keys in the future, it is recommended to maintain separate keystores for internal and external encryption purposes.

    Make sure to use the same password for all the keys and add it to the <Password> element in the in the Security/Keystore XPath in the carbon.xml file in the <IS_HOME>/repository/conf directory.

  3. To set the newly-added key as the primary encrypting and signing key:
    1. Open the carbon.xml file in the <IS_HOME>/repository/conf directory.
    2. Update the <keyAlias> element in the Security/Keystore XPath with the new keystore alias.

      Example
      <KeyStore>
      	<!-- Keystore file location-->
      	<Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
      	<!-- Keystore type (JKS/PKCS12 etc.)-->
      	<Type>JKS</Type>
      	<!-- Keystore password-->
      	<Password>wso2carbon</Password>
      	<!-- Private Key alias-->
      	<KeyAlias>newkey</KeyAlias>
      	<!-- Private Key password-->
      	<KeyPassword>wso2carbon</KeyPassword>
      </KeyStore
  4. Restart WSO2 Identity Server.

Viewing the private keys via Management Console

Following the steps below to view the private keys via Management Console:

  1. On Main menu of the Management Console, click Manage > Keystore > List.
  2. Click View of the relevant keystore. 

    The certificate of the private key appears.

Viewing public key sets via JWKS endpoint

To view super tenant keys, visit https://<IS_HOST>:<PORT>/oauth2/jwks

// 20190612140905
// https://localhost:9443/oauth2/jwks

{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "MGZlMjg1MTEyZjE5ZGEyZTI2MWY4ODNlOGM5ZWQwZDIyNzk4MTJiZg",
      "alg": "RS256",
      "n": "swfFo3uUhsEE5SSJSUrzE4-U-PuYmQn-d71GOV59VcL1_cZRAPS89GE1_M3fmFP4xzB7X4p5vYW7lYYZvOUeZGC0BwR1YXz7uK9VRqXDQM1t_X8yUxtYf6u6hajD5fR3PzirlMzjW1ckojeGTgKS5G-HdixOs2OX2n_kQ5LVUHwIEJ2lryGkfd2Vfq7IBgAifQqYDLcrKqK3-iwF7-foii0lLFg8E_dRuOD5sa6Ec01WjogsA14fZRHzmNKiocjP_FOzmvfq7uHRYta6erTVHtsdOvJBVDy1ANvR0cxGdydfRnGwDYI05kgA5L27MnlN6NMroffDBtHmlCvvwToylw"
    },
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "NTAxZmMxNDMyZDg3MTU1ZGM0MzEzODJhZWI4NDNlZDU1OGFkNjFiMQ",
      "alg": "RS256",
      "n": "luZFdW1ynitztkWLC6xKegbRWxky-5P0p4ShYEOkHs30QI2VCuR6Qo4Bz5rTgLBrky03W1GAVrZxuvKRGj9V9-PmjdGtau4CTXu9pLLcqnruaczoSdvBYA3lS9a7zgFU0-s6kMl2EhB-rk7gXluEep7lIOenzfl2f6IoTKa2fVgVd3YKiSGsyL4tztS70vmmX121qm0sTJdKWP4HxXyqK9neolXI9fYyHOYILVNZ69z_73OOVhkh_mvTmWZLM7GM6sApmyLX6OXUp8z0pkY-vT_9-zRxxQs7GurC4_C1nK3rI_0ySUgGEafO1atNjYmlFN-M3tZX6nEcA6g94IavyQ"
    },
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "MGZlMjg1MTEyZjE5ZGEyZTI2MWY4ODNlOGM5ZWQwZDIyNzk4MTJiZg_RS256",
      "alg": "RS256",
      "n": "swfFo3uUhsEE5SSJSUrzE4-U-PuYmQn-d71GOV59VcL1_cZRAPS89GE1_M3fmFP4xzB7X4p5vYW7lYYZvOUeZGC0BwR1YXz7uK9VRqXDQM1t_X8yUxtYf6u6hajD5fR3PzirlMzjW1ckojeGTgKS5G-HdixOs2OX2n_kQ5LVUHwIEJ2lryGkfd2Vfq7IBgAifQqYDLcrKqK3-iwF7-foii0lLFg8E_dRuOD5sa6Ec01WjogsA14fZRHzmNKiocjP_FOzmvfq7uHRYta6erTVHtsdOvJBVDy1ANvR0cxGdydfRnGwDYI05kgA5L27MnlN6NMroffDBtHmlCvvwToylw"
    },
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "NTAxZmMxNDMyZDg3MTU1ZGM0MzEzODJhZWI4NDNlZDU1OGFkNjFiMQ_RS256",
      "alg": "RS256",
      "n": "luZFdW1ynitztkWLC6xKegbRWxky-5P0p4ShYEOkHs30QI2VCuR6Qo4Bz5rTgLBrky03W1GAVrZxuvKRGj9V9-PmjdGtau4CTXu9pLLcqnruaczoSdvBYA3lS9a7zgFU0-s6kMl2EhB-rk7gXluEep7lIOenzfl2f6IoTKa2fVgVd3YKiSGsyL4tztS70vmmX121qm0sTJdKWP4HxXyqK9neolXI9fYyHOYILVNZ69z_73OOVhkh_mvTmWZLM7GM6sApmyLX6OXUp8z0pkY-vT_9-zRxxQs7GurC4_C1nK3rI_0ySUgGEafO1atNjYmlFN-M3tZX6nEcA6g94IavyQ"
    }
  ]
}
  • No labels