WSO2 IoT Server is prepackaged with a default key manager to handle clients, security and access token-related operations. The following section provides an alternative to using the default key manager and guides you through using WSO2 Identity Server (WSO2 IS) as the key manger in WSO2 IoT Server. This is useful in a production environment where a WSO2 IS node is already in use and you want to use the WSO2 IoT Server with it.
Before you begin
Before you begin
- Download WSO2 API Manager and unzip it if you have not done it before. The unzipped directory is referred to as
<APIM_HOME>
throughout this documentation. - Download WSO2 Identity Server and unzip it. The unzipped directory is referred to as
<IS_HOME>
throughout this documentation.
- Follow the steps listed in the Configuring WSO2 Identity Server as a Key Manager topic in the WSO2 API-M documentation, to configure WSO2 IS as the key manager.
Download the following feature installation pom file and place it inside the
<APIM_HOME>
directory.Navigate to
<APIM_HOME>
on the terminal and execute the following command. This will install the required features to the WSO2 IoT Server pack.mvn clean install -f apim-feature-installation.xml
Open the
identity.xml
file found in the<APIM_HOME>/repository/conf/identity
directory and add the following grant type under the<SupportedGrantTypes>
element.<SupportedGrantType> <GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName> <GrantTypeHandlerImplClass>org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.ExtendedJWTGrantHandler</GrantTypeHandlerImplClass> <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass> </SupportedGrantType>
Update the
OAuthScopeValidator
class as follows.<OAuthScopeValidator class="org.wso2.carbon.device.mgt.oauth.extensions.handlers.ScopeValidationHandler"/>
The default keystore used in WSO2 IoT Server has been updated from version 3.1.0 onwards. Since all servers must use the same certificate, do the following to update the keystore in WSO2 API-M
- Navigate to the
<IOTS_HOME>/repository/resources/security
folder and copy thewso2carbon.jks
file. - Paste a copy of the file in the
<APIM_HOME>/repository/resources/security
folder and replace the existingwso2carbon.jks
file. - Paste a copy of the file in the
<IS_HOME>/repository/resources/security
folder as well and replace the existingwso2carbon.jks
file.
- Navigate to the
Create a file based identity provider using the WSO2 IoT Server certificate and save it inside the
<APIM_HOME>/repository/conf/identity/identity-providers
directory. A sample of a file based identity provider configuration file can be seen below.The default IoT Server certificate can be found under the
<Certificate>
tag of theiot-default.xml
file found in the<IOTS_HOME>/repository/conf/identity/identity-providers
folder.