This documentation is for WSO2 Identity Server 5.4.0.


Follow the guidelines below to deploy Identity Server in production. In addition to this, see Production Deployment Guidelines. 

Info

The following changes should be applied on a fresh Identity Server instance. Do not start the Identity Server until the configurations are finalized.


Changing the default keystore

  1. Open the <IS_HOME>/repository/conf/carbon.xml file.
  2. Update the <Security> section shown below to match your private key information. This private key is used for the HTTPS channel and by the token issuer to sign the tokens it issues.

Info

The private key must be available in a keystore of type JKS or PKCS12. See Setting up Keystores for more information on keystores and for details on changing the default keystore.

Code Block
<!--
    Security configurations
-->
<Security>
    <!--
        KeyStore which will be used for encrypting/decrypting passwords
        and other sensitive information.
    -->
    <KeyStore>
        <!-- Keystore file location -->
        <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
        <!-- Keystore type (JKS/PKCS12 etc.) -->
        <Type>JKS</Type>
        <!-- Keystore password -->
        <Password>wso2carbon</Password>
        <!-- Private Key alias -->
        <KeyAlias>wso2carbon</KeyAlias>
        <!-- Private Key password -->
        <KeyPassword>wso2carbon</KeyPassword>
    </KeyStore>

    <!--
        The directory under which all other KeyStore files will be stored
    -->
    <KeyStoresDir>${carbon.home}/repository/resources/security</KeyStoresDir>
</Security>

Changing the host name

  1. Open <IS_HOME>/repository/conf/carbon.xml file.
  2. Change the host names of the Identity Provider to match the Common Name (CN) of the certificate that belongs to the configured private key (most TLS clients also check the Subject Alternative Name, so the certificate's SAN should cover this host name as well).

    Code Block
    <!--
        Host name or IP address of the machine hosting this server
        e.g. www.wso2.org, 192.168.1.10
        This will become part of the End Point Reference of the
        services deployed on this server instance.
    -->
    <HostName>localhost</HostName>
    <!--
        Host name to be used for the Carbon management console
    -->
    <MgtHostName>localhost</MgtHostName>
    <!--
        The URL of the back end server. This is where the admin services are hosted and
        will be used by the clients in the front end server.
        This is required only for the front-end server. It is used when separating the BE server from the FE server.
    -->
    <ServerURL>local:/${carbon.context}/services/</ServerURL>
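As an added example that is not part of the WSO2 documentation, the following Python script audits a carbon.xml before the server is first started: it flags the shipped keystore defaults (the wso2carbon.jks location, password, alias and key password), a keystore type other than JKS or PKCS12, and a HostName or MgtHostName still set to localhost. The XML fragment is constructed here for the demonstration; the function is meant to be fed the real file's contents.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant carbon.xml elements (not a real deployment
# file); it deliberately carries the shipped defaults so the audit has something to flag.
SAMPLE_CARBON_XML = """<Server>
  <HostName>localhost</HostName>
  <MgtHostName>localhost</MgtHostName>
  <Security>
    <KeyStore>
      <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
      <Type>JKS</Type>
      <Password>wso2carbon</Password>
      <KeyAlias>wso2carbon</KeyAlias>
      <KeyPassword>wso2carbon</KeyPassword>
    </KeyStore>
  </Security>
</Server>"""

SHIPPED_DEFAULT = "wso2carbon"          # default password and alias shown on the page
ALLOWED_TYPES = {"JKS", "PKCS12"}       # keystore types the page permits


def audit_carbon_xml(xml_text):
    """Return a list of findings for a carbon.xml document; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    # The real carbon.xml declares a default XML namespace; strip it so plain
    # tag names can be used in the lookups below.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    findings = []
    keystore = root.find("./Security/KeyStore")
    if keystore is None:
        return ["Security/KeyStore element is missing"]

    def value(parent, tag):
        el = parent.find(tag)
        return (el.text or "").strip() if el is not None else ""

    if value(keystore, "Location").endswith("wso2carbon.jks"):
        findings.append("KeyStore/Location still points at the shipped wso2carbon.jks")
    if value(keystore, "Type") not in ALLOWED_TYPES:
        findings.append("KeyStore/Type must be JKS or PKCS12, found %r" % value(keystore, "Type"))
    for tag in ("Password", "KeyAlias", "KeyPassword"):
        if value(keystore, tag) == SHIPPED_DEFAULT:
            findings.append("KeyStore/%s is still the shipped default" % tag)
    # HostName and MgtHostName must name the real host (the certificate CN), not localhost.
    for tag in ("HostName", "MgtHostName"):
        if value(root, tag) in ("", "localhost"):
            findings.append("%s is unset or still 'localhost'" % tag)
    return findings
```

Run it against the real file with `audit_carbon_xml(open(path).read())` and treat any non-empty result as a reason not to start the server yet.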

Changing the HTTP/HTTPS ports

  • Open the <IS_HOME>/repository/conf/tomcat/catalina-server.xml file and change the HTTP and HTTPS ports in the <Connector> elements.

    Code Block
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9763"
               ...
    />

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443"
               scheme="https"
               ...
    />

Configuring session data and chunk size

In a production environment, a deadlock or database lock can occur when the session data cleanup task runs under high load. To mitigate this, configure the following property so that the task deletes data in chunks. Set it in the <IS_HOME>/repository/conf/identity/identity.xml file under <SessionDataCleanUp> with the required chunk size. The value is a number of records; the right size depends on the database type, the server capacity, and the amount of load generated by single sign-on (SSO). A higher value increases the chance of deadlocks, and a lower value increases the time a cleanup takes.

Code Block
<DeleteChunkSize>50000</DeleteChunkSize>

For more information on configuring sessions in production, see Authentication Session Persistence.

Configuring security

After you install WSO2 IS, it is recommended to change the default security settings according to the requirements of your production environment.
