This is the resulting security configuration section after adding
trust-store related entries (appearing in bold text).
<Security>
<!--
KeyStore which will be used for encrypting/decrypting passwords
and other sensitive information.
-->
<KeyStore>
<!-- Keystore file location-->
<Location>${carbon.home}/resources/security/wso2carbon.jks</Location>
<!-- Keystore type (JKS/PKCS12 etc.)-->
<Type>JKS</Type>
<!-- Keystore password-->
<Password>wso2carbon</Password>
<!-- Private Key alias-->
<KeyAlias>wso2carbon</KeyAlias>
<!-- Private Key password-->
<KeyPassword>wso2carbon</KeyPassword>
</KeyStore>
*<!--*
* System wide trust-store which is used to maintain the certificates of all*
* the trusted parties.*
* -->*
* <TrustStore>*
* <!-- trust-store file location -->*
* <Location>${carbon.home}/resources/security/client-truststore.jks</Location>*
* <!-- trust-store type (JKS/PKCS12 etc.) -->*
* <Type>JKS</Type>*
* <!-- trust-store password -->*
* <Password>wso2carbon</Password>*
* </TrustStore>*
<!--
The directory under which all other KeyStore files will be stored
-->
<KeyStoresDir>${carbon.home}/repository/conf/keystores</KeyStoresDir>
<!--
The Tomcat realm to be used for hosted Web applications. Allowed
values are;
1. UserManager
2. Memory
If this is set to 'UserManager', the realm will pick users & roles
from the system's WSO2 User Manager. If it is set to 'memory', the
realm will pick users & roles from
CARBON_HOME/repository/conf/tomcat-users.xml
-->
<TomcatRealm>UserManager</TomcatRealm>
</Security>
Thanks,
Thilina
On Fri, Feb 4, 2011 at 7:44 PM, Afkham Azeez <[email protected]> wrote:
> Go ahead and add it to the security section of the carbon.xml. Please send
> the configuration you wish to add along with the full security config
> section.
>
> On Fri, Feb 4, 2011 at 7:00 PM, Thilina Buddhika <[email protected]> wrote:
>
>> Hi Devs,
>>
>> Currently we are setting wso2carbon.jks as the default trust-store in a
>> Carbon instance. This is set during the server startup inside the
>> CarbonServerManager class.
>>
>> IMO, it should be client-truststore.jks which should be set as the default
>> trust-store in Carbon while treating wso2carbon.jks only as the primary key
>> store. Usually users manage their primary key stores separately from the
>> trust store. But with the current implementation, they have to import some
>> of certificates to the primary key store to get certain scenarios working.
>>
>> Also for transports, we are using wso2carbon.jks as the key store while
>> using client-truststore.jks as the trust-store. So it will be more
>> consistent to use client-truststore.jks as the system wide trust store
>> instead of the wso2carbon.jks.
>>
>> To make this change, we have to add a new configuration element to the
>> carbon.xml similar to the existing key store configuration.
>>
>> Let us know your feedback on this.
>>
>> Thanks,
>> Thilina
>>
>> --
>> Thilina Buddhika
>> Senior Software Engineer
>> WSO2 Inc. ; http://wso2.com
>> lean . enterprise . middleware
>>
>> phone : +94 77 44 88 727
>> blog : http://blog.thilinamb.com
>>
>> _______________________________________________
>> Carbon-dev mailing list
>> [email protected]
>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>
>>
>
>
> --
> Afkham Azeez
> Senior Software Architect & Senior Manager; WSO2, Inc.; http://wso2.com
> Member; Apache Software Foundation; http://www.apache.org/
> email: [email protected] cell: +94 77 3320919
> blog: http://blog.afkham.org
> twitter: http://twitter.com/afkham_azeez
> linked-in: http://lk.linkedin.com/in/afkhamazeez
> Lean . Enterprise . Middleware
>
>
--
Thilina Buddhika
Senior Software Engineer
WSO2 Inc. ; http://wso2.com
lean . enterprise . middleware
phone : +94 77 44 88 727
blog : http://blog.thilinamb.com
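A check for the <Security> section shown in the message above, as an added example that is not part of the original mail or of WSO2's code: it reports a missing <TrustStore>, a trust store that points at the same file as the key store, and passwords still set to the value used in the message's sample configuration. The function name audit_security and the finding strings are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <Security> section from the message, comments dropped.
SAMPLE = """<Security>
  <KeyStore>
    <Location>${carbon.home}/resources/security/wso2carbon.jks</Location>
    <Type>JKS</Type>
    <Password>wso2carbon</Password>
    <KeyAlias>wso2carbon</KeyAlias>
    <KeyPassword>wso2carbon</KeyPassword>
  </KeyStore>
  <TrustStore>
    <Location>${carbon.home}/resources/security/client-truststore.jks</Location>
    <Type>JKS</Type>
    <Password>wso2carbon</Password>
  </TrustStore>
</Security>"""
SAMPLE_PASSWORD = "wso2carbon"  # the password value used in the message's config


def _local(tag):
    """Strip an XML namespace prefix, so a namespaced carbon.xml also works."""
    return tag.rsplit("}", 1)[-1]


def _store(section, name):
    """Return {child tag: text} for the first <name> element, or None."""
    for el in section.iter():
        if _local(el.tag) == name:
            return {_local(c.tag): (c.text or "").strip() for c in el}
    return None


def audit_security(xml_text):
    """Hypothetical helper: list findings for a carbon.xml <Security> section."""
    root = ET.fromstring(xml_text)
    sec = next((e for e in root.iter() if _local(e.tag) == "Security"), None)
    if sec is None:
        return ["no <Security> section"]
    ks, ts = _store(sec, "KeyStore"), _store(sec, "TrustStore")
    findings = []
    if ks is None:
        findings.append("no <KeyStore> element")
    if ts is None:
        findings.append("no <TrustStore> element: no separate trust store is configured")
    elif ks and ts.get("Location") == ks.get("Location"):
        findings.append("trust store and key store point at the same file")
    for name, cfg in (("KeyStore", ks), ("TrustStore", ts)):
        for field in ("Password", "KeyPassword"):
            if cfg and cfg.get(field) == SAMPLE_PASSWORD:
                findings.append(f"{name}/{field} still uses the sample password")
    return findings
```

Run against the configuration as posted, it returns only the three password findings, since the trust store is present and distinct from the key store.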