MiH

Reputation: 421

Can't change WSO2 API-M Certificate for authenticating communication over SSL/TLS in Docker

I'm running WSO2 API-M version 3.0.0-centos7 in Docker (link image)

I'm trying to change the certificate exposed by WSO2 API-M; I followed this tutorial.

First, I generated a key pair in the existing keystore /wso2am-3.0.0/repository/resources/security/wso2carbon.jks of API-M:

keytool -genkeypair -dname "cn=wso2carbon.com" -alias wso2apim -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon

Listing this certificate shows:

[wso2carbon@4ef6e35bf497 security]$ keytool -list -v -alias wso2apim -keystore wso2carbon.jks
Enter keystore password:
Alias name: wso2apim
Creation date: Jan 15, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wso2carbon.com
Issuer: CN=wso2carbon.com
Serial number: 3ad5ca3b
Valid from: Wed Jan 15 04:13:03 UTC 2020 until: Tue Apr 14 04:13:03 UTC 2020
Certificate fingerprints:
         MD5:  99:CF:3B:0F:7D:31:9A:AB:05:E6:79:F7:B3:C7:35:21
         SHA1: D9:26:2A:18:C6:31:64:DA:8E:71:61:B7:1D:5E:7E:31:73:A0:4A:4A
         SHA256: B0:BE:74:BE:09:5C:48:79:39:B9:9A:B4:38:1F:30:36:ED:9D:5A:2E:01:DE:F5:C9:95:94:BF:33:E1:0F:39:9F
Signature algorithm name: SHA256withDSA
Subject Public Key Algorithm: 2048-bit DSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 01 39 89 99 D0 E3 6D E6   C8 1E CE 3B D3 33 39 EC  .9....m....;.39.
0010: 38 E9 40 01                                        8.@.
]
]


Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore wso2carbon.jks -deststoretype pkcs12".

Then, I updated the SSLHostConfig section in /home/wso2carbon/wso2am-3.0.0/repository/conf/tomcat/catalina-server.xml (changing certificateKeyAlias from "wso2carbon" to "wso2apim"):

<SSLHostConfig
        protocols="+TLSv1,+TLSv1.1,+TLSv1.2"
        truststorePassword="wso2carbon"
        truststoreType="JKS"
        truststoreFile="${carbon.home}/repository/resources/security/client-truststore.jks"
        certificateVerification="false"
        sslProtocol="TLS"
        >
    <Certificate
            certificateKeystorePassword="wso2carbon"
            certificateKeystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
            certificateKeyAlias="wso2apim"
            certificateKeystoreType="JKS"
            certificateKeyPassword="wso2carbon"
    />
</SSLHostConfig>

But after I restart the API-M container, this configuration is not applied (certificateKeyAlias stays at "wso2carbon"):

<SSLHostConfig
        protocols="+TLSv1,+TLSv1.1,+TLSv1.2"
        truststorePassword="wso2carbon"
        truststoreType="JKS"
        truststoreFile="${carbon.home}/repository/resources/security/client-truststore.jks"
        certificateVerification="false"
        sslProtocol="TLS"
        >
    <Certificate
            certificateKeystorePassword="wso2carbon"
            certificateKeystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
            certificateKeyAlias="wso2carbon"
            certificateKeystoreType="JKS"
            certificateKeyPassword="wso2carbon"
    />
</SSLHostConfig>

So please, am I wrong in any step? Or is there some reference for this configuration?

Thank you very much.

Upvotes: 2

Views: 581
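A check worth running after the restart, added here as an example (it is not code from the question, the answer or WSO2): parse the `keytool -list -v` listing quoted in the question into alias -> SHA-256 fingerprint, then compare that with the fingerprint of the certificate the server actually presents. Whatever the config files say, the presented fingerprint is the ground truth for which key is in use. Assumptions: the keytool text below is a constructed copy of the listing above, `served_fingerprint` defaults to localhost:9443 (the Carbon default HTTPS port; adjust for your port mapping), and all function names are mine.

```python
"""Added example: confirm which keystore alias a TLS endpoint really serves.
Not part of the question, the answer, or the WSO2 distribution."""
import hashlib
import re
import ssl

# Constructed sample: the relevant lines of the keytool listing in the question.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: wso2apim
Creation date: Jan 15, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wso2carbon.com
Issuer: CN=wso2carbon.com
Serial number: 3ad5ca3b
Valid from: Wed Jan 15 04:13:03 UTC 2020 until: Tue Apr 14 04:13:03 UTC 2020
Certificate fingerprints:
         MD5:  99:CF:3B:0F:7D:31:9A:AB:05:E6:79:F7:B3:C7:35:21
         SHA1: D9:26:2A:18:C6:31:64:DA:8E:71:61:B7:1D:5E:7E:31:73:A0:4A:4A
         SHA256: B0:BE:74:BE:09:5C:48:79:39:B9:9A:B4:38:1F:30:36:ED:9D:5A:2E:01:DE:F5:C9:95:94:BF:33:E1:0F:39:9F
Signature algorithm name: SHA256withDSA
"""


def parse_keytool_fingerprints(text: str) -> dict:
    """Map each alias in `keytool -list -v` output to its SHA-256 fingerprint
    (colon-separated uppercase hex, exactly as keytool prints it).
    Works on a full-keystore listing too: entries follow one another and each
    starts with its own 'Alias name:' line; only the first SHA256 line after an
    alias (Certificate[1], the leaf) is kept."""
    result = {}
    alias = None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(\S+)", line)
        if m:
            alias = m.group(1)
            continue
        m = re.match(r"\s*SHA256:\s*([0-9A-F:]+)", line)
        if m and alias is not None:
            result.setdefault(alias, m.group(1))
    return result


def der_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, formatted like keytool's SHA256 line."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_fingerprint(host: str = "localhost", port: int = 9443) -> str:
    """Fetch the leaf certificate presented on host:port and fingerprint it.
    No chain validation is attempted here; the goal is only to identify the cert.
    Assumption: 9443 is the API-M HTTPS port reachable from where this runs."""
    pem = ssl.get_server_certificate((host, port))
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def alias_is_served(keytool_output: str, alias: str, presented: str) -> bool:
    """True when the fingerprint the server presented equals the keystore entry `alias`."""
    expected = parse_keytool_fingerprints(keytool_output).get(alias)
    return expected is not None and expected == presented.upper()


if __name__ == "__main__":
    # After the restart the served fingerprint should match the wso2apim entry,
    # not the old wso2carbon one. Paste real `keytool -list -v` output in place
    # of SAMPLE_KEYTOOL_OUTPUT to check the whole keystore.
    fp = served_fingerprint()
    print("served:", fp)
    print("matches wso2apim:", alias_is_served(SAMPLE_KEYTOOL_OUTPUT, "wso2apim", fp))
```

If `alias_is_served` is still false after editing the XML, the XML was not the file that took effect, which is the situation the accepted answer explains.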

Answers (1)

Pubci

Reputation: 4001

WSO2 released new product versions in 2019 Q4 and they have a new configuration model. Instead of changing xml config files in repository/conf directory, now there is a single file called deployment.toml. All the configurations should be done in this file.

There are configuration template files which reside in wso2am-3.0.0/repository/resources/conf/templates/repository/conf/. When you update configurations in deployment.toml, those changes are applied based on the templates and get copied to the wso2am-3.0.0/repository/conf location. That is the reason why your changes get overridden.

To update the alias of the cert, you can add the following configuration in the deployment.toml file. This file can be found in repository/conf location.

[transport.https.sslHostConfig.certificate.properties]
certificateKeyAlias = "wso2apim"

For more info, please refer to https://is.docs.wso2.com/en/next/administer/configuring-keystores-in-wso2-products/

Upvotes: 3
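Since deployment.toml is the file that survives a restart, the alias change belongs in a provisioning step rather than a hand edit of the generated XML. Below is an added example (mine, not code from the answer or from WSO2) that sets the key from the answer under its table idempotently, so running the same script twice, or against a deployment.toml that already carries the table, does not leave duplicate `[transport.https.sslHostConfig.certificate.properties]` headers behind. It is a line-based edit that leaves comments and other tables untouched; the sample deployment.toml content and the function names are constructed for the example.

```python
"""Added example: idempotently set a key under a deployment.toml table.
Not part of the answer or the WSO2 distribution."""
import re
import sys

# Table and key exactly as given in the answer above.
SECTION = "transport.https.sslHostConfig.certificate.properties"
KEY = "certificateKeyAlias"

# Constructed sample standing in for the start of a deployment.toml.
SAMPLE_TOML = '[server]\nhostname = "localhost"\n'


def set_toml_key(text: str, section: str, key: str, value: str) -> str:
    """Return `text` with `key = "value"` set under `[section]`.
    Replaces an existing assignment, appends the key to an existing table, or
    creates the table at the end of the file; never duplicates either."""
    header = f"[{section}]"
    assignment = f'{key} = "{value}"'
    out = []
    in_section = False
    done = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Leaving the target table without having seen the key: add it here.
            if in_section and not done:
                out.append(assignment)
                done = True
            in_section = stripped == header
        elif in_section and not done and re.match(rf"\s*{re.escape(key)}\s*=", line):
            out.append(assignment)  # overwrite the old value in place
            done = True
            continue
        out.append(line)
    if in_section and not done:
        out.append(assignment)  # table was the last one in the file
        done = True
    if not done:
        if out and out[-1].strip():
            out.append("")  # blank line before a new table, as the file style has
        out.append(header)
        out.append(assignment)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python set_alias.py /path/to/repository/conf/deployment.toml wso2apim
    # (path and alias are arguments; nothing about the host is assumed).
    path, alias = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated = set_toml_key(original, SECTION, KEY, alias)
    if updated != original:
        with open(path, "w", encoding="utf-8") as f:
            f.write(updated)
        print("updated", path)
    else:
        print("already set, nothing to do")
```

Restart the container afterwards, as the answer says the templates are re-applied on startup, and verify the served certificate rather than trusting the XML under repository/conf.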
