Installing a new keystore into WSO2 Products
WSO2 Carbon-based products ship with a default keystore, wso2carbon.jks, in the <CARBON_HOME>/repository/resources/security directory. It holds a private/public key pair that the server uses to encrypt sensitive information and to secure its HTTPS endpoints.
Because the same wso2carbon.jks (and therefore the same private key) is included in every download, that key is effectively public. Before deploying to production, replace the default keystore with your own key pair and a self-signed or, preferably, CA-signed certificate.
1). Create a new keystore with a private/public key pair using keytool, which ships with the JDK.
Go to the <CARBON_HOME>/repository/resources/security directory and run the following command:
keytool -genkeypair -alias testcert -keyalg RSA -keysize 2048 -validity 365 -storetype JKS -keystore testkeystore.jks -storepass testpassword -keypass testpassword
(-genkey is an older synonym of -genkeypair. 1024-bit RSA keys are no longer considered secure, so use at least 2048 bits. -storetype JKS matters on Java 9 and later, where keytool creates PKCS12 stores by default, which would not match the <Type>JKS</Type> settings below. Passwords passed on the command line end up in shell history; on a production host omit -storepass and -keypass and let keytool prompt for them.)
Then provide the information keytool asks for to build the certificate's Distinguished Name (DN). The CN should be the hostname clients will use to reach the server.
After you enter the information, the new keystore can be found at the above location.
Note: You can view the contents of the generated keystore by:
keytool -list -v -keystore testkeystore.jks -storepass testpassword
2). To get the public certificate signed, you have two options:
- Have it signed by a CA (recommended for production): http://blog.facilelogin.com/2008/03/keystore-management-part-i.html
- Use the self-signed certificate generated above (for local testing only).
3). Export your public certificate from the keystore and import it into the trust store.
In WSO2 Carbon products the trust store is client-truststore.jks, which lives in the same directory as the keystore.
The new public certificate has to be imported into this trust store so that front-end (management console) and back-end communication over HTTPS is trusted.
- Export the new public certificate:
keytool -exportcert -rfc -alias testcert -keystore testkeystore.jks -storepass testpassword -file testcert.pem
This writes the PEM-encoded public certificate to testcert.pem in the same directory. Without -rfc keytool writes binary DER regardless of the file extension, so a file named .pem would not actually be PEM.
- Import it into client-truststore.jks with the following command:
keytool -importcert -alias testnewcert -file testcert.pem -keystore client-truststore.jks -storepass wso2carbon
keytool prints the certificate and asks whether to trust it. Compare the SHA-256 fingerprint it shows with the one from the keytool -list -v output in step 1 before answering yes.
(The default password of client-truststore.jks is wso2carbon. Change it for production, and once nothing in your deployment still presents the stock certificate, remove the wso2carbon entry from the trust store as well, since its private key is public.)
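Steps 1 and 3 above, gathered into one repeatable script as an added example (this is not part of the original post and not WSO2 tooling). It assumes keytool from a JDK is on the PATH and that it is run from <CARBON_HOME>/repository/resources/security; the file names, alias (testcert), hostname (esb.example.com) and passwords are placeholders that mirror the tutorial and can be overridden through the environment. It goes slightly beyond the text: a 2048-bit key, genuine PEM output, a SHA-256 fingerprint comparison between the exported file and the keystore entry before anything is imported, and removal of the stock wso2carbon certificate from the trust store.

```shell
#!/bin/sh
# Added example (not from the original post): keystore creation, export,
# verification and trust-store import for a WSO2 Carbon server using only
# keytool. Assumptions: run from <CARBON_HOME>/repository/resources/security;
# names, alias, hostname and passwords are placeholders, overridable via env.
set -eu

KEYSTORE="${KEYSTORE:-testkeystore.jks}"
TRUSTSTORE="${TRUSTSTORE:-client-truststore.jks}"
ALIAS="${ALIAS:-testcert}"
HOST="${HOST:-esb.example.com}"          # hostname clients will connect to
STOREPASS="${STOREPASS:-testpassword}"   # keystore and key password
TRUSTPASS="${TRUSTPASS:-wso2carbon}"     # stock trust store password

# Step 1: 2048-bit RSA key pair in a JKS store. -storetype JKS matters on
# Java 9+, where keytool otherwise creates PKCS12 and <Type>JKS</Type> would
# not match. -dname avoids the interactive DN prompt; -ext SAN gives TLS
# clients the hostname they check.
gen_keystore() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -storetype JKS -dname "CN=$HOST, O=Example, C=LK" -ext "SAN=dns:$HOST" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    >/dev/null 2>&1
}

# Step 3a: export as real PEM (-rfc); without it keytool writes DER no matter
# what the file is called.
export_cert() {
  keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -file "$ALIAS.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of an entry in a store ($1 store, $2 password, $3 alias).
fingerprint_in_store() {
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
    sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# SHA-256 fingerprint of a certificate file ($1).
fingerprint_of_file() {
  keytool -printcert -file "$1" 2>/dev/null |
    sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# Step 3b: import into the trust store. -noprompt is acceptable only because
# rollover() has already compared the fingerprints itself.
import_to_truststore() {
  keytool -importcert -noprompt -alias "$ALIAS" -file "$ALIAS.pem" \
    -storetype JKS -keystore "$TRUSTSTORE" -storepass "$TRUSTPASS" \
    >/dev/null 2>&1
}

# The stock wso2carbon certificate's private key ships with every download;
# drop it once nothing in the deployment still presents that certificate.
drop_default_cert() {
  keytool -delete -alias wso2carbon -keystore "$TRUSTSTORE" \
    -storepass "$TRUSTPASS" >/dev/null 2>&1 || true
}

# Succeeds when $3 is an alias in store $1 (password $2).
has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Whole rollover; fails closed if the exported file does not match the key.
rollover() {
  gen_keystore
  export_cert
  in_store="$(fingerprint_in_store "$KEYSTORE" "$STOREPASS" "$ALIAS")"
  in_file="$(fingerprint_of_file "$ALIAS.pem")"
  if [ -z "$in_store" ] || [ "$in_store" != "$in_file" ]; then
    echo "fingerprint mismatch: '$in_store' vs '$in_file'" >&2
    return 1
  fi
  import_to_truststore
  drop_default_cert
  has_alias "$TRUSTSTORE" "$TRUSTPASS" "$ALIAS"
  echo "$ALIAS installed in $KEYSTORE and trusted in $TRUSTSTORE (SHA256 $in_store)"
}

if [ "${1:-}" = "run" ]; then
  rollover
fi
```

Run it as `STOREPASS=... TRUSTPASS=... sh rollover.sh run`. Passwords are read from the environment rather than typed as arguments so they stay out of shell history; the fingerprint check is what makes -noprompt on the import defensible.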
4). Change the configuration files below so they point at the new keystore.
Go to <CARBON_HOME>/repository/conf and update the following (XML element names are case-sensitive, so keep the casing shown):
- carbon.xml (the <KeyStore> block under <Security>)
<KeyStore>
    <Location>${carbon.home}/repository/resources/security/testkeystore.jks</Location>
    <Type>JKS</Type>
    <Password>testpassword</Password>
    <KeyAlias>testcert</KeyAlias>
    <KeyPassword>testpassword</KeyPassword>
</KeyStore>
If you changed the trust store password in step 3, update <Password> in the <TrustStore> block next to it as well.
- axis2.xml (WSO2 ESB only). The ESB exposes services over HTTPS through its own non-blocking HTTPS transport receiver and sender, which read their keystore and trust store from axis2.xml rather than from carbon.xml, so both of the following have to be updated:
<transportReceiver name="https" class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLListener">
    <parameter name="port" locked="false">8243</parameter>
    <parameter name="non-blocking" locked="false">true</parameter>
    <parameter name="httpGetProcessor" locked="false">org.wso2.carbon.transport.nhttp.api.NHttpGetProcessor</parameter>
    <parameter name="keystore" locked="false">
        <KeyStore>
            <Location>repository/resources/security/testkeystore.jks</Location>
            <Type>JKS</Type>
            <Password>testpassword</Password>
            <KeyPassword>testpassword</KeyPassword>
        </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
        <TrustStore>
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </parameter>
</transportReceiver>
<transportSender name="https" class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLSender">
    <parameter name="non-blocking" locked="false">true</parameter>
    <parameter name="keystore" locked="false">
        <KeyStore>
            <Location>repository/resources/security/testkeystore.jks</Location>
            <Type>JKS</Type>
            <Password>testpassword</Password>
            <KeyPassword>testpassword</KeyPassword>
        </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
        <TrustStore>
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </parameter>
</transportSender>
The trust store password here must match whatever you set on client-truststore.jks in step 3. ESB versions that use the Pass-Through transport (org.apache.synapse.transport.passthru.PassThroughHttpSSLListener and PassThroughHttpSSLSender) take the same keystore and truststore parameters. Restart the server after saving the changes and confirm with a browser or keytool -printcert -sslserver that the management console and the HTTPS transport now present the new certificate.