If the directory/file paths specified in this guide do not exist in your WSO2 product, see Directory Structure of WSO2 Products to locate the paths applicable to your product.


This feature is available via the WUM update 2792 released on the 8th of July 2018 for the following product versions:

  • WSO2 Identity Server 5.5.0
  • WSO2 API Manager 2.2.0
  • WSO2 Data Analytics Server 3.2.0
  • WSO2 Enterprise Integrator 6.2.0

This feature is available as part of the newly introduced Crypto Service, an extensible framework that facilitates the cryptography needs of WSO2 products. This is relevant for the following WSO2 products.

Currently, the primary keystore configured by the <Security>/<KeyStore> element in the <PRODUCT_HOME>/repository/conf/carbon.xml file is used both for internal data encryption (encrypting data in internal data stores and configuration files) and for signing messages that are communicated with external parties. However, it is a common requirement to have separate keystores for communicating messages with external parties (such as SAML and OIDC id_token signing) and for encrypting information in internal data stores. This is because, in the first scenario of signing messages, the keystore certificates need to be renewed frequently. For encrypting information in internal data stores, however, the keystore certificates should not be changed frequently, because data that is already encrypted becomes unusable every time the certificate changes.