This documentation is for WSO2 Private PaaS 4.0.0. View documentation for the latest release.
Quick Start Guide - WSO2 Private PaaS 4.0.0 - WSO2 Documentation

This guide focuses on deploying a pre-built EC2 image of WSO2 Private PaaS 4.0.0. For information on configuring Private PaaS from scratch or on other IaaSs, see the Installation Guide.

Watch the screencast series to get a better understanding of how to get started with Private PaaS.

Starting the WSO2 Private PaaS demo image

Prerequisites for step 1

  • EC2 account: To follow this guide, you need an EC2 account. Create an AWS account if you do not have one. For more information, see Sign Up for Amazon EC2. This account must be authorized to manage EC2 instances (including starting and stopping instances and creating security groups and key pairs).
  • Private PaaS 4.0.0 EC2 image: We have created an EC2 image (AMI) for Private PaaS, as well as several Cartridges. The Private PaaS 4.0.0 AMI is the main AMI that you need. Private PaaS will spawn the Cartridge instances based on the preferences you set at configuration time.
  • Create a security group: For more information, see Creating a security group.
  • Create a key pair: For more information, see Creating a key pair.
  • Gather the required data: For more information, see Gathering data.


For a quick start, use one of the following public Elastic Compute Cloud (EC2) images:

EC2 Image       Asia Pacific (Singapore) Region
Private PaaS    ami-4e062c1c
Base image      ami-e6bd9eb4


Creating a Security Group

Before launching the instance, you need to create the right security group. This security group defines the firewall rules for your instances, expressed as a list of the ports used by the default Private PaaS deployment. These rules specify which incoming network traffic is delivered to your instance; all other traffic is ignored. For more information on the ports that should be defined, see Required Ports.

To create the security group and configure it:

  1. On the Network and Security menu, click Security Groups.
  2. Click Create Security Group.
  3. Enter the name and description of the security group.
  4. Click Yes.

  5. Add a rule by following the steps below. Note that the following steps need to be repeated to add another rule.

    1. Click Add Rule which is under the Inbound tab section.

    2. Select the rule type.

      You can open all the UDP and TCP ports by adding the following two rules. These two rules are demo settings only. In a production environment, you must add individual rules with the specified ports for security purposes.

      Rule type    Port range
      All TCP      0 - 65535
      All UDP      0 - 65535
    3. Enter the port or port range.
      The Required Ports_Updated section lists two kinds of ports: ports opened for outside access and ports restricted to internal access. Ideally, enter each of the ports as a separate rule.

    4. You can set the source to be

      Note that setting the source to be is a demo only setting, that must be changed for security purposes in a production environment.

      For more information, see Amazon EC2 Security Groups

  6. Click Create.
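
The demo rules above open every TCP and UDP port, and the guide asks for individual rules in production. As an added example (not part of the WSO2 documentation), this Python script audits security-group data in the JSON shape printed by `aws ec2 describe-security-groups` and flags full-range rules and rules open to any source address. The sample group, its ID, and the choice of 9443 as the only public port are constructed assumptions.

```python
import json

# Constructed sample, in the shape printed by `aws ec2 describe-security-groups`.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "GroupName": "ppaas-demo",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 9443, "ToPort": 9443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ]}]}
""")

ANY_SOURCE = {"0.0.0.0/0", "::/0"}   # every IPv4 / IPv6 address
PUBLIC_PORTS = {9443}                # assumption: only the console port is public

def sources(perm):
    """Return all IPv4 and IPv6 source CIDRs of one inbound rule."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6

def audit(groups, public_ports=PUBLIC_PORTS):
    """Flag demo-style rules: full port range, or non-public port open to anyone."""
    findings = []
    for g in groups["SecurityGroups"]:
        for p in g.get("IpPermissions", []):
            proto = p["IpProtocol"]
            if proto == "-1":              # all protocols: no port fields present
                lo, hi = 0, 65535
            elif proto in ("tcp", "udp"):
                lo, hi = p["FromPort"], p["ToPort"]
            else:                          # e.g. icmp: fields are type/code, not ports
                continue
            reasons = []
            if lo <= 1 and hi >= 65535:    # the "All TCP" / "All UDP" demo rules
                reasons.append("all-ports")
            world = ANY_SOURCE.intersection(sources(p))
            if world and not all(n in public_ports for n in range(lo, hi + 1)):
                reasons.append("world-open")
            if reasons:
                findings.append((g["GroupId"], proto, lo, hi, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To audit a real group, save the output of `aws ec2 describe-security-groups` to a file and pass the parsed JSON to `audit()` with the port set taken from the Required Ports list.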

Creating a key pair

Before launching the instance, it is recommended to create a key pair. Save your private key in a safe place on your computer. Note the location because you will need the key pair to connect to your instance.

To create a key pair and download it:

  1. On the Network and Security menu, click Key Pairs.
  2. Click Create New Key Pair.
  3. Enter a name for your Key Pair.
  4. Click Create. The Key Pair will get automatically downloaded as a .pem file. 


Gathering data

The following data is required:

  • Access key and Secret key of your EC2 account 
    To get your Access Key ID and Secret Access Key: 

    1. On the EC2 account details menu, click My Account
    2. Click Security Credentials on the left-bar menu.
    3. Switch to the Access Keys tab.
    4. Create an access key for this setup.  Then note the Access Key ID and Secret Access Key.
  • Owner ID
    To view the Owner ID:
    • On the EC2 account details menu, click My Account
    • Your account number will appear, which is your Owner ID. Omit the hyphens when entering the Owner ID.
  • Availability zone
    • This is the zone where the virtual machines will be launched. If you set the Availability zone to "No Preference", the system will set the default value. Only Asia Pacific Singapore is available at this point, and therefore the potential value is ap-southeast-1.

Step 1: Spawning the Private PaaS 4.0.0 instance

  1. Sign in to the Amazon Web Services (AWS) Management Console and open the Amazon EC2 console at
  2. Click EC2 on the home console.
  3. Select the Asia Pacific (Singapore) region for the instance from the region drop down list.
  4. Complete all the prerequisites for step 1.
  5. Navigate to the EC2 Dashboard.


  6. Click Launch Instance and then click Community AMIs.
  7. Search for ami-4e062c1c and click Select.
  8. Select the instance type you want. The recommended instance type is General purpose m1.xlarge.

  9. Click Next: Configure Instance Details. This will redirect you to configure Instance Details. You do not need to add or select any instance detail configurations.

  10. Click Next: Add Storage. You do not need to add or select any storage configurations.

  11. Click Next: Tag Instance

  12. Enter preferred key-value pair to tag your instance. For more information, see Using Tags.

  13. Click Next: Configure Security Group.

  14. Select the Select an existing security group option and select the security group that you created.

  15. Click Review and Launch. 
  16. After reviewing the instance, click Review and Launch.

  17. Enter the key pair when prompted. 

  18. Select the I acknowledge that I have access to the selected private key file (xxx.pem), and that without this file, I won't be able to log into my instance checkbox.

  19. Click Launch Instances.

After you have successfully configured the EC2 instance, you are redirected to the page that lists the instances. It takes a short time for an instance to launch. The status of the instance will appear as pending while it is launching. After the instance is launched, the status will change to running.

Step 2: Configuring the WSO2 Private PaaS Instance

  1. Change your Key Pair (private key) file permissions. By default, your private key file, which has a PEM file extension, is unprotected, and an unprotected private key will be rejected. Use the following command to secure your PEM file so that others will not have access to it. If you have navigated to the directory of the Key Pair, enter only the name of the Key Pair; otherwise, enter the full path of the Key Pair.

    chmod 0600 <path to the private key>

  2. Log in to the created instance using the private key. Use ubuntu as the username.

    ssh -i <KEYPAIR-FILENAME>.pem ubuntu@<PUBLIC-IP>

    For example:

    ssh -i kim.pem ubuntu@<PUBLIC-IP>

    The public IP can be found in the instance details.

  3. If you are accessing this machine for the first time, a message similar to the following will appear. Enter 'yes' to connect and add the RSA fingerprint to your known hosts list.

    The authenticity of host ' (' can't be established.
    RSA key fingerprint is 33:99:3b:ct:a8:83:3d:c5:46:w6:fe:a5:cd:83:78:c6.
    Are you sure you want to continue connecting (yes/no)?
  4. Navigate to the /home/ubuntu/private-paas/ directory and execute the following commands using root user permissions. The script is used to automate the WSO2 Private PaaS configuration and installation process. 

    sudo bash 

  5. Enter the following details regarding EC2 and cartridges as required, when prompted. For more information on the EC2 information required by the installation script, see the Gathering data section.

Prompted information and description:

  • Please enter a preferred domain name for the WSO2 Private PaaS environment :
    The domain name assigned to your WSO2 Private PaaS environment and the IP addresses assigned to your machine will be listed.
  • Do you need to deploy AS (Application Server) service ? [y/n]
    If you want to deploy an Application Server service, enter 'y'.
  • Do you need to deploy BPS (Business Process Server) service ? [y/n]
    If you want to deploy a Business Process Server service, enter 'y'.
  • Do you need to deploy ESB (Enterprise Service Bus) service ? [y/n]
    If you want to deploy an Enterprise Service Bus service, enter 'y'.
  • Do you need to deploy APIM (API Manager) service ? [y/n]
    If you want to deploy an API Manager service, enter 'y'.
  • Are you in a EC2 VPC Environment? [y/n] :
  • Enter EC2 identity:  
  • Enter EC2 credentials:
  • Enter EC2 owner id:  
  • Enter EC2 key pair name:
  • Enter EC2 availability zone:
  • Enter EC2 security groups:
  • Below are the available regions in Amazon EC2
    ap-northeast-1 - Asia Pacific (Tokyo) Region
    ap-southeast-1 - Asia Pacific (Singapore) Region
    ap-southeast-2 - Asia Pacific (Sydney) Region
    eu-west-1 - EU (Ireland) Region
    sa-east-1 - South America (Sao Paulo) Region
    us-east-1 - US East (Northern Virginia) Region
    us-west-1 - US West (Northern California) Region
    us-west-2 - US West (Oregon) Region

    Enter the region of the IaaS you want to spin up instances :

Enter details with respect to EC2, as obtained when creating the EC2 account, when these messages are prompted.
  • Enter the access key of EC2 for EC2 identity.
  • Enter the secret key of EC2 for EC2 credentials.
  • Enter the AWS account ID of EC2 for EC2 owner ID.
  • Enter the created key pair name for EC2 key pair name.
  • Enter the preferred availability zone for EC2 availability zone.
  • Enter the name of the created security group for EC2 security groups.
  • Enter the region of the IaaS you want to spin up instances, out of the available regions.


  • Do you need to update the latest ubuntu patches?
    If you wish to install the latest ubuntu updates, enter 'y'.

After the core services are started and when the script has been successfully completed, you can view the following completion message:

 Management Console : https://<stratos_domain>:9443/console
 WSO2 Private PaaS installation completed successfully!

If you make a mistake during the confirmation, use the  script to reset the configuration before running the  script again. When is run to remove the current installation and prepare for a re-install, deleting the MySQL database information requires entering the default mysql username and password which are root/mysql.

Working with Stratos

Once the Private PaaS main servers are started, connect to the Private PaaS controller, which is the heart of Private PaaS, to create a tenant. A tenant is an organization that will use the PaaS. Inside an organization, one or N Cartridges (runtimes) can be subscribed to.

WSO2 Private PaaS Manager Console/UI runs at: https://<INSTANCE_HOSTNAME>:<PORT>/console (for example, Once connected, log in using the default admin user (admin/admin). This logs you in as the super tenant administrator.

After setting up and starting Stratos, follow the instructions below:

  1. Change your default super tenant admin password.
  2. Optionally, configure the CLI tool if you wish to use the CLI interface.

  3. Subscribe to cartridges. If the cartridge that has been subscribed to is a framework cartridge, Stratos will retrieve the respective artifacts from the Git repository and install them in the cartridge. Thereafter, the user will be able to access and invoke their artifacts.