WSO2 products use asymmetric encryption by default for the purposes of authentication and protection of data. In asymmetric encryption, keystores (with private keys and public key certificates) and truststores (only public key certificates) are created and stored for a product. It is possible to have multiple keystores so that the keys used for different use cases are kept unique. The following topics explain more details on keystores and truststores.
Understanding keystores and truststores
A keystore is a repository (protected by a password) that holds the keys and certificates that form (one or multiple) trust chains of digital certificates. You use these artifacts for security purposes such as protecting sensitive information and establishing trust between your server and outside parties that connect to the server. The usage of keys and certificates contained in a keystore are explained below.
Keys: According to public-key cryptography, the concept of a key pair (public key and the corresponding private key) is used for protecting sensitive information and for authenticating the identity of external parties that communicate with your server. For example, information that is encrypted in your server using the public key can only be decrypted using the corresponding private key. Therefore, if any party wants to decrypt this encrypted data, they should have the corresponding private key, which is usually kept as a secret (not publicly shared).
In a keystore, each trust chain entry contains the following:
- A private key protected by a password.
- A digital certificate in which the public key (corresponding to the private key) is embedded.
- If the digital certificate (with the server's public key) is not self-signed, the chain of certificates of the trusted certificate signing authorities that have certified the server's public key. There may be one or multiple certificates of CAs depending on the number of CAs involved in the chain.
Digital certificate: When there is a key pair, it is also necessary to have a digital certificate to verify the identity of the keys. Typically, the public key of a key pair is embedded in this digital certificate, which also contains additional information such as the owner, validity, etc. of the keys. For example, if an external party wants to verify the integrity of data or validate the identity of the signer (by validating the digital signature), it is necessary for them to have this digital certificate of the signer.
Trusted certificates and certificate signing authorities: To establish trust, the digital certificate containing the public key should be signed by a trusted certificate signing authority (CA). You can generate self-signed certificates for the public key (thereby creating your own certifying authority), or you can get the certificates signed by an external CA. Both types of trusted certificates can be effectively used depending on the sensitivity of the information that is protected by the keys. When the certificate is signed by a reputed CA, all the parties that trust this CA will also trust the certificates signed by them.
The usage of a truststore in WSO2 products aligns with this concept of trust. A truststore is just another repository that is protected by a password (similar to a keystore), which stores digital certificates. These certificates can be either of the following:
- Certificates of trusted third parties with which a software system intends to communicate directly.
- Certificates of reputed certificate signing authorities (CA) that can be used to validate the identity of untrusted third parties that are being contacted. For example, consider a scenario where the exact certificate of the third party that the WSO2 server is attempting to contact is not in the truststore. In this scenario, if the third party has a CA-signed certificate and one of the certificates of its trust chain is already included in the WSO2 server's truststore, the trust is automatically granted and a successful SSL connection is established between the WSO2 server and the third party.
By default, every WSO2 product is shipped with a truststore that contains certificates of reputed CAs that can validate the identity of third party systems that are being contacted.
Default keystore and truststore in WSO2 products
All WSO2 products are by default shipped with a keystore file and truststore file (stored in the
wso2carbon.jks: This is the default keystore, which contains the server’s private key and the self-signed public key certificate.
.jks: This is the default trust store, which contains the trusted certificates of the keystore used in SSL communication. This is the default truststore, which contains many of the reputed root CAs that customers can use.
Setting up keystores for WSO2 products
In WSO2 products, asymmetric encryption is used by default for the following purposes:
- Authenticating the communication over Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols.
Encrypting sensitive data such as plain-text passwords found in both product-level and product feature-level configurations/configuration files using secure vault.
- Encrypting and signing SOAP messages using WS-Security.
The default keystore that is shipped with a WSO2 product (
wso2carbon.jks) is by default configured for all of the above purposes. However, in a production environment, it is required and advised to set up several different keystores with separate trust chains for the above use cases.
You can set up several keystores with separate key pairs and certificates for the above use cases in your system. It is recommended to maintain the following keystores:
Maintain one primary keystore for encrypting sensitive internal data such as admin passwords and any other sensitive information found at both product-level and product feature-level configurations/configuration files.
Maintain another secondary keystore, containing the server’s public key certificate for authenticating communication over SSL/TLS (for both Tomcat and Axis2 level HTTP connections).
If your deployment contains multiple products, instances of the same product must use the same keystore for SSL. Different products can use different keystores for SSL, but it is not mandatory.
It is recommended to use a CA-signed keystore for the keystore used for SSL communication; however, this is not mandatory. Even a self-signed certificate may suffice, if it can be trusted by the clients.
Keystore used for SSL must contain same password for both KeyStore and private key passwords due to a Tomcat limitation.
Primary keystore used for admin passwords and other data encryption requirements can be a self-signed one. You can use a CA-signed keystore, But there is no added value of using such CA-signed keystore as it is not used for external communication, but only for internal data encryption.
The primary keystore's public key certificate must have the Data Encipherment key usage to allow direct encipherment of raw data using its public key. Therefore, note that it is necessary to create the public key certificate with “Data_Encipherment” key usage. This key usage is already included in the default self-signed certificate.
Optionally, you can set up separate keystores for message-level data encryption in WS-Security as well.
All the functions of keystore management are exposed via APIs. As a result, if you are writing a custom extension to a WSO2 product (e.g., for WSO2 ESB mediators), you can directly access the configured keystores using the API. The API hides the underlying complexity, allowing you to easily use it in third-party applications to manage their keystores as well.
This functionality is bundled with the following feature that is installed in your product.
Name: WSO2 Carbon - Security Management Feature