After you have created a new keystore and updated the
client-truststore.jks file, you must update a few configuration files in order to make the keystore work the way it is intended to. Note that keystores are used for multiple functions in WSO2 products, which includes securing the servlet transport, encrypting confidential information in configuration files, etc. Therefore, you must update the specific configuration files with the relevant keystore information. For example, you may have separate keystores for the purpose of encrypting passwords in configuration files, and for securing the servlet transport.
wso2carbon.jks keystore file, which is shipped with all WSO2 products, is used as the default keystore for all functions. However, in a production environment, it is recommended to create new keystores with keys and certificates.
If you want an easy way to locate all the configuration files that have references to keystores, you can use the
grep command as follows:
- Open a command prompt and navigate to the
<PRODUCT_HOME>/repository/conf/directory where your product stores all configuration files.
- Execute the following command:
grep -nr ".jks".
The configuration files and the keystore files referred to in each file are listed out. See an example of this below.
Configuring the primary keystore
The primary keystore mainly stores the keys certifying SSL connections to Carbon servers and the keys for encrypting administrator passwords as well as other confidential information. The
Keystore element in the
carbon.xml file, stored in the <
PRODUCT_HOME>/repository/conf/ directory must be updated with details of the primary keystore. The default configuration is shown below.
You need to add in the following information:
<jks store password>
- <jks alias>
<jks store password(same as the key password)>
Configuring a keystore for Java permissions
sec.policy file stored in the
<PRODUCT_HOME>/repository/conf/ directory should be updated with details of the keystore used for enabling Java permissions for your server. The default configuration is shown below.
Configuring Secure Vault for password encryption
All passwords in configuration files are made secure by encrypting them using cipher text. When a password is encrypted, a keystore is required for creating the decryption crypto to resolve encrypted secret values. The
secret-conf.properties file, stored in the
<PRODUCT_HOME>/repository/conf/security/ directory is used for this purpose. Therefore, you must update this file with the relevant keystore information.
Configuring a keystore for registry metadata
RegistryKeyStore is a separate keystore element configurable in the
carbon.xml file. This configuration applies for the keystore which stores the keys that certify encrypting/decrypting meta data to the registry. Therefore, using the registry keystore in addition to the primary keystore in the
file allows you to maintain a separate keystore for the purpose of encrypting/decrypting meta data to the registry.
Copy the following
<RegistryKeystore> element to the
carbon.xml file under the
<Security> element. In the following example, we are referring to the default keystore in the product pack (
wso2carbon.jks) as the registry keystore. You can change these values so that the configuration corresponds to the actual registry keystore in your system.
Configuring keystores for WS-Security
If there are WS-Security scenarios implemented in your WSO2 product, you can use separate keystores for these scenarios.
Configuring keystores for advanced transport handling
To have more advanced transport handling functions using keystores, you need to update the
<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file and the