After you install the APIM, it is recommended to change the default security settings according to the requirements of your production environment. As the APIM is built on top of the WSO2 Carbon platform, some security configurations are inherited from the Carbon platform.
The following topics explain the platform-specific and product-specific configurations:
WSO2 Carbon platform-based security configurations
The following security configurations are common to all WSO2 products that are built on top of the WSO2 Carbon platform.
Configuring transport-level security
WSO2 products support a variety of transports, which lets them receive and send messages over many transport-level and application-level protocols. By default, all WSO2 products ship with the HTTP transport. The transport receiver implementation of the HTTP transport is part of the Carbon platform. The transport sender implementation comes from the Tomcat HTTP connector, which is configured in the
For more information on securing the HTTP transport, see Configuring transport level security in the WSO2 Carbon documentation.
A keystore is a repository that stores the cryptographic keys and certificates that are used for various security purposes, such as encrypting sensitive information and establishing trust between your server and outside parties that connect to your server. All WSO2 products are shipped with a default keystore (wso2carbon.jks), which is used for all purposes. However, in a production environment, it is recommended to replace the default keystore with a new one. You can also create and configure multiple keystores for different purposes.
See the following in the WSO2 Carbon documentation:
Securing sensitive passwords
In all WSO2 products, you can encrypt sensitive data, such as the passwords in configuration files, using the Cipher Tool. This is made possible by the secure vault implementation that is built into all Carbon products. This section of the documentation explains the following:
Enabling Java security manager
See Enabling Java security manager in the WSO2 Carbon documentation on how to prevent untrusted code from manipulating your system.