Migrating the Secondary Userstore Password to the Internal Keystore
WSO2 Identity Server has one keystore by default. To limit the impact of a security incident, it is advisable to maintain multiple keystores: if one keystore is compromised, you can continue operating with the other keystores that are intact. Typically, you maintain three keystores:
- A keystore to store tokens, which is mentioned in the
- An internal keystore to store internal critical data such as encrypted passwords.
- A keystore for Tomcat SSL connection, which is the secondary keystore of the WSO2 Identity Server.
Ideally, the internal keystore should be used for encrypting internal critical data. However, currently, the secondary userstore passwords are encrypted using the primary keystore, which is also used to sign and encrypt tokens. Thus, it is preferable to move the secondary userstore password encryption functionality from the primary keystore to the internal keystore.
After the secondary userstore password encryption functionality has been moved to the internal keystore, the WSO2 Identity Server secondary userstore password encryption tool lets you decrypt all the existing secondary userstore passwords using the primary keystore and re-encrypt them using the internal keystore.
Let's get started!
- If you are using an NFS-like file system, make sure to isolate the newly-downloaded binary from others.
- The secondary userstore password encryption tool is a one-time tool. Do not use the WSO2 Identity Server pack that contains this tool in production.
To add the details about the primary keystore and internal keystore, add the following configurations to the `deployment.toml` file in the
Copy the following files and directories from your existing WSO2 Identity Server pack to the respective directories of the newly-downloaded pack.
| File/Directory | Purpose |
|---|---|
| The | This contains the tenant's secondary userstore configurations. |
| The | This contains the super tenant secondary userstore configurations. |
| The keystore in the | This is the primary keystore. |
| The internal keystore in the | This is the internal keystore. |
If you are using a cipher tool, copy the following files in the `<IS_HOME>/repository/conf/security` directory of your existing WSO2 Identity Server pack to the respective directory of the newly-downloaded pack.
Open the `secret-conf.properties` file in an editor and replace the `keystore.identity.location` element value with the directory path of the current internal keystore.
Re-encrypt the secondary userstore passwords
Follow the steps below to re-encrypt the secondary userstore passwords:
Download the password encryption tool from here and copy the
To start the modified WSO2 Identity Server pack:
Navigate to the directory where the modified WSO2 Identity Server pack is located in a command prompt.
Execute the following command.
```sh
sh wso2server.sh -DreEncryptSecondaryUserStorePassword
```
Observe the `wso2carbon.log` file in the `<IS_HOME>/repository/logs` directory to monitor the re-encryption of the secondary userstore passwords.
- The following appears when the `.jar` file is being read by the server: `"secondary userstore password re-encryption component activated"`
- The following appears when the migration starts: `"secondary userstore password re-encryption started"`
- The following appears when the migration ends: `"secondary userstore password re-encryption ended"`
- The following appears when the
Once the process ends, stop the WSO2 Identity Server.
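To confirm the migration actually reached the "ended" marker before you stop the server, the following shell script (an added example, not part of the WSO2 documentation or of the tool itself) reports how far the re-encryption got according to the three log messages above. The sample `wso2carbon.log` content is constructed, and the ERROR count assumes the usual log4j level token appears in each log line.

```sh
#!/bin/sh
# Added example (not from the WSO2 docs): classify the re-encryption run from
# the markers the tool writes to wso2carbon.log.
# Prints one of: ended, started, activated, not-activated.
reencrypt_status() {
  log="$1"
  if grep -q "secondary userstore password re-encryption ended" "$log"; then
    echo "ended"
  elif grep -q "secondary userstore password re-encryption started" "$log"; then
    echo "started"
  elif grep -q "secondary userstore password re-encryption component activated" "$log"; then
    echo "activated"
  else
    echo "not-activated"
  fi
}

# Number of ERROR-level lines logged after the "started" marker (0 if the
# migration never started). Assumes the log4j level token " ERROR " per line.
reencrypt_errors() {
  log="$1"
  sed -n '/secondary userstore password re-encryption started/,$p' "$log" \
    | grep -c ' ERROR ' || true
}

# Constructed sample log, standing in for <IS_HOME>/repository/logs/wso2carbon.log.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[2024-01-01 10:00:00,000]  INFO {sample} - secondary userstore password re-encryption component activated
[2024-01-01 10:00:05,000]  INFO {sample} - secondary userstore password re-encryption started
[2024-01-01 10:00:06,000] ERROR {sample} - constructed sample error during re-encryption
[2024-01-01 10:00:07,000]  INFO {sample} - secondary userstore password re-encryption ended
EOF

echo "status: $(reencrypt_status "$SAMPLE_LOG")"
echo "errors after start: $(reencrypt_errors "$SAMPLE_LOG")"
```

Only stop the server when the status is `ended` and the error count is 0; a run that shows `started` with no `ended` line has not finished.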
Copy the userstore to the existing WSO2 Identity Server pack
To copy the user store to the existing WSO2 Identity Server pack, copy the following directories in the modified WSO2 Identity Server pack into the respective directories of the original pack.
- As a precautionary measure, take a backup of the existing userstore.
- While the directories are being copied, the userstores may become unavailable for a few seconds.
| Directory | Purpose |
|---|---|
| | This contains the tenant's secondary user store configurations. |
| | This contains the super tenant secondary user store configurations. |