This documentation is for WSO2 Carbon 4.2.0. View documentation for the latest release.
Page Comparison - Configuring Keystores in WSO2 Products (v.18 vs v.19) - Carbon 4.2.0 - WSO2 Documentation

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Keystores allow Keystores allow you to manage the keys that are stored in a database. A Keystore must contain a key pair with a certificate signed by a trusted Certification Authority (CA). A CA is an entity trusted by all parties participating in a secure communication. This entity will certify the trusted party's public keys by signing them. Since the certificate authority is trusted, it will accept the public key certificates signed by that particular CA as trusted. WSO2 Carbon uses several keystores to power the HTTPS transport and to encrypt other confidential information such as administrator passwords.

Table of Contents
maxLevel3
minLevel3

Keystore of the HTTPS transport

The keystore of the HTTPS transport is configured in the axis2.xml file under the HTTPS transport receiver and HTTPS transport sender configurations. 

Code Block
<parameter name="keystore" locked="false">
	<KeyStore>
		<Location>resources/security/wso2carbon.jks</Location>
		<Type>JKS</Type>
		<Password>wso2carbon</Password>
		<KeyPassword>wso2carbon</KeyPassword>
	</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
	<TrustStore>
		<Location>resources/security/client-truststore.jks</Location>
		<Type>JKS</Type>
		<Password>wso2carbon</Password>
	</TrustStore>
</parameter>

The default keystore named wso2carbon.jkscan be found in the <PRODUCT_HOME>/repository/resources/security directory. To change the keystores used by the HTTPS transport, update the HTTPS transport receiver and sender configurations by specifying the paths to keystores files and other attributes of the files such as the keystores passwords.

Info

Under the <KeyStore> element two password values must be specified.

The <Password> element should indicate the password of the keystore file.
The <KeyPassword> element should point to the password required to access the private key.

Keystore for encrypting confidential information

...

Carbon Keystores

The keystores used to encrypt administrator passwords and other confidential information in Carbon is configured in the <PRODUCT_HOME>/repository/conf/carbon.xml file . These keystore configurations can be found (under the <security> element of ).Two keystore elements in the carbon.xml file can be used to configure the keystore: Primary keystore (Keystore) and Registry Keystore (RegistryKeystore).

Primary Keystore

The keystore configuration used to store the certified keys for the SSL server connection Keystore can be considered as the default Carbon keystore element. This is primarily used for storing keys certifying SSL connections to Carbon servers, and for encrypting administrator passwords and other confidential information. The keystore configuration that should be added to the carbon.xml file is as follows.

Code Block
<KeyStore>
	<Location>${carbon.home}/resources/security/wso2carbon.jks</Location>
	<Type>JKS</Type>
	<Password>wso2carbon</Password>
	<KeyAlias>wso2carbon</KeyAlias>
	<KeyPassword>wso2carbon</KeyPassword>
</KeyStore>

Registry Keystore

The keystore configuration used for encrypting meta data into the registry in Carbon is as RegistryKeystore is a separate keystore, used only for the purpose of encrypting/decrypting meta data to the registry. The registry keystore configuration that should be added to the carbon.xml file is as follows.

Code Block
<RegistryKeyStore>
            <!-- Keystore file location-->
            <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
            <!-- Keystore type (JKS/PKCS12 etc.)-->
            <Type>JKS</Type>
            <!-- Keystore password-->
            <Password>wso2carbon</Password>
            <!-- Private Key alias-->
            <KeyAlias>wso2carbon</KeyAlias>
            <!-- Private Key password-->
            <KeyPassword>wso2carbon</KeyPassword>
</RegistryKeyStore>

Keystore of the HTTPS transport

The keystore of the HTTPS transport is configured in the axis2.xml file under the HTTPS transport receiver and HTTPS transport sender configurations. 

Code Block
<parameter name="keystore" locked="false">
	<KeyStore>
		<Location>resources/security/wso2carbon.jks</Location>
		<Type>JKS</Type>
		<Password>wso2carbon</Password>
		<KeyPassword>wso2carbon</KeyPassword>
	</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
	<TrustStore>
		<Location>resources/security/client-truststore.jks</Location>
		<Type>JKS</Type>
		<Password>wso2carbon</Password>
	</TrustStore>
</parameter>

The default keystore named wso2carbon.jks, can be found in the <PRODUCT_HOME>/repository/resources/security directory. To change the keystores used by the HTTPS transport, update the HTTPS transport receiver and sender configurations by specifying the paths to keystores files and other attributes of the files such as the keystores passwords.

Info

Under the <KeyStore> element two password values must be specified.

The <Password> element should indicate the password of the keystore file.
The <KeyPassword> element should point to the password required to access the private key.