WSO2 Carbon uses several keystores to power the servlet transport and to encrypt other confidential information such as administrator passwords. The keystores used to encrypt administrator passwords and other confidential information in Carbon is configured in the <
PRODUCT_HOME>/repository/conf/carbon.xml file (under the <
security> element). Two keystore elements can be used to configure keystores in the
carbon.xml file: Primary keystore (
Keystore) and Registry Keystore (
The default keystore named
wso2carbon.jks can be found in the <
PRODUCT_HOME>/repository/resources/security directory of your product pack.
Note that when keystones are configured, two keystore passwords are specified in the relevant .xml file:
- The <
Password> element indicates the password of the keystore file.
- The <
KeyPassword> element points to the password required to access the private key.
The primary keystore mainly stores the keys certifying SSL connections to Carbon servers and the keys for encrypting administrator passwords as well as other confidential information. The
Keystore element in the carbon.xml file is used to configure the primary keystore as given below. Note that in this example, the default keystore in your product pack (wso2carbon.jks) is used as the primary keystore.
RegistryKeyStore is a separate keystore element configurable in the
carbon.xml file. This configuration applies for the keystore which stores the keys that certify encrypting/decrypting meta data to the registry. Therefore, using the registry keystore in addition to the primary keystore in the
carbon.xml file allows you to maintain a separate keystore for the purpose of encrypting/decrypting meta data to the registry. The registry keystore configuration which needs to be added in the
carbon.xml file is as given bellow. Note that in this example, we are referring to the default keystore in the product pack (wso2carbon.jks) as the registry keystore.