How to Change Default Keystores and Passwords in WSO2 Carbon Products

There are two main reasons to change the default keystore password, which is "wso2carbon":

  1. When moving to a production environment, the keystore password should be changed from the default 'wso2carbon'.
  2. When replacing the default keystore itself.

Step 1

Let's take the first reason from the list above. For ease of demonstration I will use WSO2 BAM; along the way you will see how to change the same parameters in other WSO2 Carbon products.

First, grep for usages of "wso2carbon.jks" in the conf directory (<carbon_product_home>/repository/conf):

$ grep -nr "wso2carbon.jks" .

For WSO2 BAM the result is shown below (this listing was produced with the broader pattern ".jks", so it also shows the truststore references):

thushara@Thusharas-MacBook-Pro: ~/<bam_home>/repository/conf $ grep -nr ".jks" .
./axis2/axis2.xml:260:                <Location>repository/resources/security/wso2carbon.jks</Location>
./axis2/axis2.xml:268:                <Location>repository/resources/security/client-truststore.jks</Location>
./axis2/axis2.xml:431:                <Location>repository/resources/security/wso2carbon.jks</Location>
./axis2/axis2.xml:439:                <Location>repository/resources/security/client-truststore.jks</Location>
./carbon.xml:316:            <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
./carbon.xml:332:            <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
./carbon.xml:349:            <Location>${carbon.home}/repository/resources/security/client-truststore.jks</Location>
./data-bridge/thrift-agent-config.xml:40:        .../wso2cep-1.0.0/repository/resources/security/client-truststore.jks
./identity.xml:29: <Location>${carbon.home}/repository/resources/security/userRP.jks
./identity.xml:180: <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
./security/secret-conf.properties:21:#keystore.identity.location=repository/resources/security/wso2carbon.jks
./security/secret-conf.properties:30:#keystore.trust.location=repository/resources/security/client-truststore.jks

Based on that result, to reset the keystore password you should replace the values of the tags below with your new password.

In carbon.xml
  1. <Security><KeyStore><Password> 
  2. <Security><KeyStore><KeyPassword> 
  3. <Security><RegistryKeyStore><KeyPassword> 
  4. <Security><TrustStore><Password> 

In identity.xml
  1. <Security><UserTrustedRPStore><Password> 
  2. <Security><UserTrustedRPStore><KeyPassword> 
  3. <EntitlementSettings><ThirftBasedEntitlementConfig><KeyStore><Password> 

In axis2.xml (/axis2/axis2.xml) (the values below also need to change if you want to use the NIO sender)
  1. <transportSender><parameter name="keystore" locked="false"><KeyStore><Password> 
  2. <transportSender><parameter name="keystore" locked="false"><KeyStore><KeyPassword> 
  3. <transportSender><parameter name="truststore" locked="false"><KeyStore><Password> 

Since /security/secret-conf.properties is not used in BAM, there is no need to change this file; edit it accordingly if you are already using it (i.e. the entries have been uncommented by removing the leading '#'). Likewise, /data-bridge/thrift-agent-config.xml should also be changed accordingly if you are integrating WSO2 BAM with CEP.

As a best practice, the truststore password should be changed as well (in identity.xml 4, in axis2.xml 10, etc.).

Step 2

Now let's look at the second reason. To change the default keystore, first generate a new keystore with the command below:

$ keytool -genkey -alias box1keystore -keyalg RSA -keystore box1keystore.jks
After you are done creating the new keystore, make the following changes:
  1. In the <carbon_product_home>/repository/resources/security folder, remove the default wso2carbon.jks file.
  2. Copy the generated keystore to the <carbon_product_home>/repository/resources/security folder.
  3. Rename all occurrences of wso2carbon.jks to box1keystore.jks.
  4. Then redo what we did in the previous step, including item 3 above.
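The following script is an added example, not part of the original post or of WSO2's own tooling. It makes Step 1 (replacing the default password in the <Password> and <KeyPassword> tags) and Step 2 (renaming wso2carbon.jks to box1keystore.jks) repeatable across every file under the conf directory, and then counts how many references to the defaults remain so you can confirm the tree is clean before restarting. It assumes the password values appear inline as <Password>wso2carbon</Password> / <KeyPassword>wso2carbon</KeyPassword>, which matches the tag paths listed above but is an assumption about the file layout; the small conf tree it builds for its demo run is constructed here, not copied from a real product.

```shell
#!/bin/sh
# Added example: rewrite keystore passwords and keystore file references under
# <carbon_product_home>/repository/conf and verify nothing still points at the
# defaults. Assumes inline <Password>wso2carbon</Password> style values.
set -eu

OLD_PASS="wso2carbon"
OLD_JKS="wso2carbon\\.jks"   # regex form, used with sed -E / grep -E

# Portable in-place edit (GNU and BSD sed differ on the -i flag).
sed_inplace() {
  script="$1"; file="$2"
  sed -E "$script" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 1: replace the default value inside <Password> and <KeyPassword> elements
# in every file under $conf_dir. Characters special to the sed replacement
# (&, # and backslash) in the new password are escaped first.
set_keystore_passwords() {
  conf_dir="$1"; new_pass="$2"
  esc=$(printf '%s' "$new_pass" | sed 's/[&#\\]/\\&/g')
  grep -rlE "<(Key)?Password>$OLD_PASS</" "$conf_dir" | while read -r f; do
    sed_inplace "s#(<(Key)?Password>)$OLD_PASS(</(Key)?Password>)#\1$esc\3#g" "$f"
  done
}

# Step 2, item 3: point every wso2carbon.jks reference at the new file name.
rename_keystore_refs() {
  conf_dir="$1"; new_jks="$2"
  grep -rlE "$OLD_JKS" "$conf_dir" | while read -r f; do
    sed_inplace "s#$OLD_JKS#$new_jks#g" "$f"
  done
}

# Verification: number of remaining default passwords or wso2carbon.jks paths.
# 0 means the conf tree no longer depends on the shipped defaults.
count_default_refs() {
  conf_dir="$1"
  grep -rhoE "<(Key)?Password>$OLD_PASS</|$OLD_JKS" "$conf_dir" | wc -l | tr -d ' '
}

# Generate the new keystore as in the post (alias box1keystore), non-interactively
# and as type JKS, and, if the default truststore is present, change its store
# password to the same new value so the <TrustStore><Password> you wrote actually
# opens it. Skipped when no JDK keytool is on PATH.
generate_keystore() {
  sec_dir="$1"; ks_alias="$2"; new_pass="$3"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping" >&2; return 0; }
  keytool -genkey -alias "$ks_alias" -keyalg RSA -keysize 2048 -validity 3650 \
    -storetype JKS -dname "CN=$ks_alias" \
    -storepass "$new_pass" -keypass "$new_pass" -keystore "$sec_dir/$ks_alias.jks"
  if [ -f "$sec_dir/client-truststore.jks" ]; then
    keytool -storepasswd -new "$new_pass" -storepass "$OLD_PASS" \
      -keystore "$sec_dir/client-truststore.jks"
  fi
}

# Constructed sample standing in for <carbon_product_home>/repository/conf.
make_sample_conf() {
  dir=$(mktemp -d)
  mkdir -p "$dir/axis2"
  cat > "$dir/carbon.xml" <<'EOF'
<Security>
    <KeyStore>
        <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
        <Password>wso2carbon</Password>
        <KeyPassword>wso2carbon</KeyPassword>
    </KeyStore>
    <TrustStore>
        <Location>${carbon.home}/repository/resources/security/client-truststore.jks</Location>
        <Password>wso2carbon</Password>
    </TrustStore>
</Security>
EOF
  cat > "$dir/axis2/axis2.xml" <<'EOF'
<parameter name="keystore" locked="false">
    <KeyStore>
        <Location>repository/resources/security/wso2carbon.jks</Location>
        <Password>wso2carbon</Password>
        <KeyPassword>wso2carbon</KeyPassword>
    </KeyStore>
</parameter>
EOF
  echo "$dir"
}

# Demo run against the constructed tree; on a real server pass
# <carbon_product_home>/repository/conf instead and call generate_keystore on
# <carbon_product_home>/repository/resources/security first.
CONF=$(make_sample_conf)
echo "default references before: $(count_default_refs "$CONF")"
set_keystore_passwords "$CONF" 'ChangeMe-Str0ng!'
rename_keystore_refs "$CONF" box1keystore.jks
echo "default references after:  $(count_default_refs "$CONF")"
rm -rf "$CONF"
```

The password written into the XML must be the one the keystore and truststore actually open with, which is why generate_keystore sets -storepass and -keypass to the same value and updates client-truststore.jks; also check that the alias you gave to keytool matches whatever key alias the server is configured to use, since renaming the file alone does not change the alias the server looks up.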

That's it; after you restart the WSO2 Carbon application it will use the new keystore and password. Since most WSO2 products behave as described above, you can refer to the documentation [1] for more clarification.

[1] - https://docs.wso2.com/display/MB220/Changing+Default+Keystores