This documentation is for WSO2 Carbon 4.2.0. View documentation for the latest release.
Configuring Keystores - Carbon 4.2.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 45 Next »

Keystores allow you to manage the keys that are stored in a database. A keystore must contain a key pair with a certificate signed by a trusted Certification Authority (CA). A CA is an entity trusted by all parties participating in a secure communication. This entity will certify the trusted party's public keys by signing them. Since the certificate authority is trusted, it will accept the public key certificates signed by that particular CA as trusted. WSO2 Carbon uses several keystores to power the HTTPS transport and to encrypt other confidential information such as administrator passwords.

The keystores used to encrypt administrator passwords and other confidential information in Carbon is configured in the <PRODUCT_HOME>/repository/conf/carbon.xml file (under the <security> element). Two keystore elements in the carbon.xml file can be used to configure keystores: Primary keystore (Keystore) and Registry Keystore (RegistryKeystore). 

The default keystore named wso2carbon.jks can be found in the <PRODUCT_HOME>/repository/resources/security directory of your product pack. Other required keystores can be created using the management console of each carbon product.

Note that when keystones are configured, two keystore passwords are specified in the relevant .xml file:

  • The <Password> element indicates the password of the keystore file.
  • The <KeyPassword> element points to the password required to access the private key.

Primary Keystore

The KeyStore element configured in the carbon.xml file can be considered as the default Carbon keystore configuration. This is used for the primary keystore, which mainly stores the keys certifying SSL connections to Carbon servers, and for encrypting administrator passwords as well as other confidential information. The keystore configuration in the  carbon.xml file is as given below. Note that in this example, we are using the default key store in the product pack (wso2carbon.jks).

<KeyStore>
	<Location>${carbon.home}/resources/security/wso2carbon.jks</Location>
	<Type>JKS</Type>
	<Password>wso2carbon</Password>
	<KeyAlias>wso2carbon</KeyAlias>
	<KeyPassword>wso2carbon</KeyPassword>
</KeyStore>

Registry Keystore

RegistryKeyStore is a separate keystore element configurable in the carbon.xml file. This configuration applies for the keystore which stores the keys that certify encrypting/decrypting meta data to the registry. Therefore, using this RegistryKeystore element in addition to the Keystore element in the carbon.xml file allows you to maintain a separate keystore for the purpose of encrypting/decrypting meta data to the registry. The registry keystore configuration in the carbon.xml file is as given below. Note that in this example, we are referring to the default keystore in the product pack (wso2carbon.jks) as the registry keystore.

<RegistryKeyStore>
            <!-- Keystore file location-->
            <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
            <!-- Keystore type (JKS/PKCS12 etc.)-->
            <Type>JKS</Type>
            <!-- Keystore password-->
            <Password>wso2carbon</Password>
            <!-- Private Key alias-->
            <KeyAlias>wso2carbon</KeyAlias>
            <!-- Private Key password-->
            <KeyPassword>wso2carbon</KeyPassword>
</RegistryKeyStore>

Keystore of the HTTPS transport

The keystore of the HTTPS transport is configured in the axis2.xml file under the HTTPS transport receiver and HTTPS transport sender configurations. 

<parameter name="keystore" locked="false">
	<KeyStore>
		<Location>resources/security/wso2carbon.jks</Location>
		<Type>JKS</Type>
		<Password>wso2carbon</Password>
		<KeyPassword>wso2carbon</KeyPassword>
	</KeyStore>
</parameter>
<parameter name="truststore" locked="false">
	<TrustStore>
		<Location>resources/security/client-truststore.jks</Location>
		<Type>JKS</Type>
		<Password>wso2carbon</Password>
	</TrustStore>
</parameter>

The default keystore named wso2carbon.jks, can be found in the <PRODUCT_HOME>/repository/resources/security directory. To change the keystores used by the HTTPS transport, update the HTTPS transport receiver and sender configurations by specifying the paths to keystores files and other attributes of the files such as the keystores passwords.

Under the <KeyStore> element two password values must be specified.

  • No labels