wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Using PKCS12 keystores as default primary keystore and truststore #18466

Closed hwupathum closed 2 weeks ago

hwupathum commented 10 months ago

WSO2 uses JKS type keystores as the default keystores, which use SHA1, which is no longer considered secure. Furthermore, JKS keystores are not FIPS compliant [1].

To use PKCS12 keystores, the following configs can be used in deployment.toml:

[keystore.primary]
file_name = "wso2carbon.p12"
password = "wso2carbon"
type = "PKCS12"

[truststore]
file_name = "client-truststore.p12"
password = "wso2carbon"
type = "PKCS12"

[1] https://docs.oracle.com/en/middleware/fusion-middleware/weblogic-server/12.2.1.4/secmg/fips.html#GUID-8191241C-B9A7-4D41-82B6-BC92AC3BD425

Describe the improvement: The primary keystore and truststore will use PKCS12 type keystores.

Additional context: To convert an existing JKS keystore to PKCS12, the following command can be used:

keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore wso2carbon.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass wso2carbon
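
After converting, a deployer will want to confirm that the files named in `[keystore.primary]` and `[truststore]` really are PKCS12 and that no legacy JKS file was left behind under a `.p12` name. The check below is an added example, not WSO2 code: it identifies the on-disk format from the file header (JKS and JCEKS carry fixed magic numbers; a PKCS#12 PFX is a DER SEQUENCE whose first element is the INTEGER version 3) and compares it with the `type` declared in the config. The sample bytes and the `DEPLOYMENT_TOML` dict (standing in for the parsed deployment.toml sections) are constructed for the example.

```python
"""Detect the on-disk format of a Java keystore and compare it with the type
declared in deployment.toml. Added example; not part of the WSO2 code base."""

JKS_MAGIC = b"\xfe\xed\xfe\xed"    # header written by the "JKS" KeyStore implementation
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # header written by the "JCEKS" KeyStore implementation
DER_SEQUENCE = 0x30                # PKCS#12 PFX structures are a DER SEQUENCE


def _der_contents_offset(data):
    """Offset of the first content byte inside the outer DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != DER_SEQUENCE:
        return None
    first = data[1]
    if first < 0x80:               # short-form length
        return 2
    n = first & 0x7F               # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n


def detect_keystore_type(data):
    """Return "JKS", "JCEKS", "PKCS12" or "UNKNOWN" for the given file bytes."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.startswith(JCEKS_MAGIC):
        return "JCEKS"
    off = _der_contents_offset(data)
    # PFX ::= SEQUENCE { version INTEGER (v3 = 3), authSafe ContentInfo, macData ... }
    if off is not None and data[off:off + 3] == b"\x02\x01\x03":
        return "PKCS12"
    return "UNKNOWN"


def check_keystore(configured_type, data):
    """Compare the configured type with the detected one; return (actual, findings)."""
    actual = detect_keystore_type(data)
    findings = []
    if actual != configured_type.upper():
        findings.append(f"configured type {configured_type} but file is {actual}")
    if actual in ("JKS", "JCEKS"):
        findings.append(f"{actual} is a legacy format (SHA-1 integrity, not FIPS compliant); "
                        "convert with keytool -importkeystore ... -deststoretype PKCS12")
    return actual, findings


def audit(config, files):
    """Run check_keystore over every configured section; files maps file_name -> bytes."""
    report = {}
    for section, settings in config.items():
        data = files.get(settings["file_name"], b"")
        report[section] = check_keystore(settings.get("type", "JKS"), data)
    return report


# Constructed sample headers (not real keystores): a JKS v2 header with zero entries,
# and the opening bytes of a PKCS#12 PFX (SEQUENCE, long-form length, INTEGER 3).
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x00"
SAMPLE_P12 = b"\x30\x82\x0a\x00" + b"\x02\x01\x03" + b"\x30\x82\x09\x00"

# Stand-in for the parsed [keystore.primary] and [truststore] sections of deployment.toml.
DEPLOYMENT_TOML = {
    "keystore.primary": {"file_name": "wso2carbon.p12", "type": "PKCS12"},
    "truststore": {"file_name": "client-truststore.p12", "type": "PKCS12"},
}

if __name__ == "__main__":
    # The truststore was "converted" only by renaming the file: the audit flags it.
    files = {"wso2carbon.p12": SAMPLE_P12, "client-truststore.p12": SAMPLE_JKS}
    for section, (actual, findings) in audit(DEPLOYMENT_TOML, files).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"[{section}] detected={actual}: {status}")
```

To run it against a real deployment, read each keystore's first few dozen bytes from the WSO2 `repository/resources/security` directory and feed the parsed TOML sections to `audit`; the header check needs no password and does not open the keystore.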

Thisara-Welmilla commented 8 months ago

PRs:

Update keystore type:

hwupathum commented 2 months ago

Reopening since default keystore is changed to JKS format with https://github.com/wso2/product-is/pull/19517