...

It is recommended to change the default security settings in each profile of WSO2 EI according to the requirements of your production environment. All profiles in WSO2 EI are WSO2 servers built on top of the WSO2 Carbon Kernel. The main security configurations of WSO2 Micro Integrator are inherited from the Carbon kernel. For instructions on configuring these main security settings, see the following topics in the WSO2 Product Administration Guide:

Configuring Transport-Level Security

The transport-level security protocol of the Tomcat server is configured in the catalina-server.xml file. Note that the sslProtocol attribute is set to "TLS" by default.
The following topics will guide you through the configuration options:

Using Asymmetric Encryption

WSO2 servers use asymmetric encryption by default for the purposes of authentication and data encryption. In asymmetric encryption, keystores (with key pairs and certificates) are created and stored for the product. It is possible to have multiple keystores so that the keys used for different use cases are kept unique. The following topics explain more details on keystores. 

Using Symmetric Encryption

You also have the option of switching to symmetric encryption for the EI profile. Using symmetric encryption means that a single key will be shared for encryption and decryption of information. 

Enabling Java Security Manager

The Java Security Manager is used to define various security policies that prevent untrusted code from manipulating your system.  Enabling the Java Security Manager for WSO2 products activates the Java permissions that are in the sec.policy file. You modify this file to change the Java security permissions as required.

Securing Passwords in Configuration Files

All WSO2 servers contain some configuration files with sensitive information such as passwords. Let's take a look at how such plain text passwords in configuration files can be secured using the Secure Vault implementation that is built into each server.

The following topics will be covered under this section:


Securing Passwords in Synapse Configurations

When you use the WSO2 Micro Integrator or the ESB profile of WSO2 EI, it is also possible to encrypt passwords and other sensitive information in synapse configurations. See Encrypting Passwords in Synapse Configurations for instructions.

Resolving Hostname Verification

Hostname verification is enabled in WSO2 servers by default, which means that when a hostname is being accessed by a particular client, it will be verified against the hostname specified in the product's SSL certificate.
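
The check described above, sketched as an added example; it is not WSO2 code and not part of the original page. It is a simplified RFC 6125-style matcher, and the certificate dictionaries are constructed samples shaped like the output of Python's ssl.SSLSocket.getpeercert().

```python
# Added example: simplified hostname check (RFC 6125 style), not WSO2 code.
# Certificate dicts are constructed samples shaped like the output of
# Python's ssl.SSLSocket.getpeercert().

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the hostname the client requested."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard must be the whole left-most label, cover exactly one
        # non-empty label, and be followed by at least two more labels.
        return len(p) >= 3 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """Use SAN dNSName entries; fall back to the subject CN only if none exist."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def verify_hostname(cert: dict, host: str) -> bool:
    """True when any name in the certificate covers the requested hostname."""
    return any(name_matches(n, host) for n in cert_names(cert))


# Constructed sample: certificate issued only for "localhost".
LOCAL_CERT = {"subject": ((("commonName", "localhost"),),)}
# Constructed sample: certificate with SAN entries and an unrelated CN.
PROD_CERT = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (("DNS", "ei.example.com"),
                       ("DNS", "*.mgt.example.com")),
}

if __name__ == "__main__":
    for cert, host in [(LOCAL_CERT, "localhost"),
                       (LOCAL_CERT, "ei.example.com"),
                       (PROD_CERT, "node1.mgt.example.com"),
                       (PROD_CERT, "legacy.example.com")]:
        print(f"{host:24} -> {'ok' if verify_hostname(cert, host) else 'MISMATCH'}")
```

A certificate that names only "localhost" fails this check for any other hostname, which is the mismatch to resolve by issuing a certificate for the real hostname rather than by switching verification off.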

...

When you run multiple instances of the same profile or multiple clusters on the same server or virtual machines (VMs), you must change the default ports with an offset value to avoid port conflicts.

  • The ports used by all the profiles of WSO2 EI and WSO2 Micro Integrator are listed here, along with the complete list of ports in all WSO2 products.
  • For instructions on configuring ports, see Changing the Default Ports in the WSO2 Administration Guide.

...

For information on updating WSO2 EI Micro Integrator with the latest available patches (issued by WSO2) using the WSO2 Update Manager (WUM), see Getting Started with WUM in the WSO2 Administration Guide and WSO2 Updates.

Configuring custom proxy paths

...

You can make sure that sensitive information about the server is not revealed in error messages by customizing the error pages in the servers. For instructions, see Customizing Error Pages in the WSO2 Administration Guide.