Monday, May 11, 2015

Update key stores in WSO2 API Manager and Identity server(production recommendation )


Here in this post i will discuss how we can generate keystores and include them to WSO2 products before they deploy in production deployment.

Most of organizations have their own crt file and keys. So lets see how we can use them to create certificates required for WSO2 servers and deploy them.

Step 1: Follow follow steps to update the keystore.

openssl pkcs12 -export -in /etc/pki/tls/certs/sanjeewa-com.crt -inkey /etc/pki/tls/private/private-key.key -name "wso2sanjeewa" -certfile /etc/pki/tls/certs/DigiCertCA.crt -out wso2sanjeewa.pfx
Enter Export Password:
Verifying - Enter Export Password:

/usr/java/default/bin/keytool -importkeystore -srckeystore wso2sanjeewa.pfx -srcstoretype pkcs12 -destkeystore wso2sanjeewa.jks -deststoretype JKS
Enter destination keystore password: 
Re-enter new password:
Enter source keystore password: 
Entry for alias wso2sanjeewa successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

 /usr/java/default/bin/keytool -export -alias wso2sanjeewa -keystore wso2sanjeewa.jks -file wso2sanjeewa.pem
Enter keystore password: 
Certificate stored in file

/usr/java/default/bin/keytool -import -alias wso2sanjeewa -file /opt/o2/wso2sanjeewa.pem -keystore client-truststore.jks -storepass wso2carbon
Certificate was added to keystore

Now we have all files we need to copy.

Step 2: We need to copy them to /opt/o2/WSO2Servers/wso2am-1.8.0/repository/resources/security
This file path change with product you use(normally its /repository/resources/security ).
We need to do this for all products deployed in this deployment.

Step 3: Then after that you need to find all occurrence of wso2carbon.jks( grep -rnw 'wso2carbon.jks') and replace them with wso2sanjeewa.jks file we generated in above steps.

Step 4:Then search for alias(grep -rnw 'alias') and KeyAlias(grep -rnw 'KeyAlias') in all files in wso2Server. If you found them as wso2carbon then only replace it with wso2sanjeewa.

We need to follow these steps very carefully. Here we have listed filenames and changed parameters for your reference.

While you carry out step 3 and 4 for IS you need to change following files and lines

repository/conf/security/application-authentication.xml:96:         
<Parameter name="TrustStorePath">/repository/resources/security/wso2sanjeewa.jks</Parameter>

repository/conf/identity.xml:244:               
<Location>${carbon.home}/repository/resources/security/wso2sanjeewa.jks</Location>

repository/conf/carbon.xml:302:            
<Location>${carbon.home}/repository/resources/security/wso2sanjeewa.jks</Location>

repository/conf/carbon.xml:308:            
<KeyAlias>wso2sanjeewa</KeyAlias>

repository/conf/carbon.xml:318:            
<Location>${carbon.home}/repository/resources/security/wso2sanjeewa.jks</Location>

repository/conf/carbon.xml:324:           
<KeyAlias>wso2sanjeewa</KeyAlias>




While you carry out step 3 and 4 for APIM you need to change following files and lines

repository/deployment/server/jaggeryapps/store/site/conf/site.json:14:       
"identityAlias" : "wso2sanjeewa",

repository/deployment/server/jaggeryapps/store/site/conf/site.json:16:        
"keyStoreName" :"/opt/o2/WSO2Servers/wso2am-1.8.0/repository/resources/security/wso2sanjeewa.jks"

repository/deployment/server/jaggeryapps/publisher/site/conf/site.json:14:        
"identityAlias" : "wso2sanjeewa",

repository/deployment/server/jaggeryapps/publisher/site/conf/site.json:16:        
"keyStoreName" :"/opt/o2/WSO2Servers/wso2am-1.8.0/repository/resources/security/wso2sanjeewa.jks"

repository/conf/security/secret-conf.properties:21:
keystore.identity.location=repository/resources/security/wso2sanjeewa.jks

repository/conf/security/secret-conf.properties:23:
keystore.identity.alias=wso2sanjeewa

repository/conf/security/secret-conf.properties:32:
keystore.trust.alias=wso2sanjeewa

repository/conf/carbon.xml:313:            
<Location>${carbon.home}/repository/resources/security/wso2sanjeewa.jks</Location>

repository/conf/carbon.xml:319:            
<KeyAlias>wso2sanjeewa</KeyAlias>

repository/conf/carbon.xml:329:            
<Location>${carbon.home}/repository/resources/security/wso2sanjeewa.jks</Location>

repository/conf/carbon.xml:335:            
<KeyAlias>wso2sanjeewa</KeyAlias>



No comments:

Post a Comment