Replace the WSO2 Governance Registry certificate in SOI
Article ID: 370299

Products

CA Service Operations Insight (SOI)

Issue/Introduction

This article describes the procedure for replacing or updating the SSL certificate used by the WSO2 Governance Registry bundled with SOI.

Environment

SOI 4.x 

Resolution

The following steps remediate the "SSL Certificate Signed Using Weak Hashing Algorithm" vulnerability finding against the WSO2 component on the Manager machine.

  • Stop CA SOI WSO2 Carbon service
  • Back up the following two files from <SOI Installation Directory>\wso2registry\repository\resources\security on the Manager machine, then delete them from that location:
    • wso2carbon.jks
    • client-truststore.jks
  • Regenerate the self-signed certificates with the following commands.
keytool must be on the PATH; if it is not, add the JRE bundled with SOI, for example with set PATH=<SOI Installation Directory>\jre\bin;%PATH%. You may use your own keystore password: in that case, replace the password value wso2carbon in the -storepass and -keypass arguments below with your own before running the commands from the command line:
    • keytool -genkeypair -alias wso2carbon -keyalg RSA -keysize 2048 -keystore wso2carbon.jks -dname "CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US" -validity 7300 -storepass wso2carbon -keypass wso2carbon -ext bc=ca:true
    • keytool -certreq -keystore wso2carbon.jks -storepass wso2carbon -alias wso2carbon -file wso2carbon.csr
    • keytool -gencert -keystore wso2carbon.jks -validity 7300 -storepass wso2carbon -alias wso2carbon -infile wso2carbon.csr -outfile wso2carbon.cer
    • keytool -noprompt -import -alias wso2carbon -file wso2carbon.cer -storetype JKS -keystore client-truststore.jks -storepass wso2carbon
  • After the commands complete successfully, copy the following two files to <SOI Installation Directory>\wso2registry\repository\resources\security:
    • wso2carbon.jks
    • client-truststore.jks
  • If you changed the default password (wso2carbon) when generating the keystore with the commands above, update the new password in the following files:
    • C:\Program Files (x86)\CA\SOI\wso2registry\repository\conf\carbon.xml
      • update the new password in the <Password> and <KeyPassword> tags
    • C:\Program Files (x86)\CA\SOI\wso2registry\repository\conf\identity\application-authentication.xml
      • update the new password in <Parameter name="TrustStorePassword">
    • C:\Program Files (x86)\CA\SOI\wso2registry\repository\conf\identity\EndpointConfig.properties
      • update the new password for Carbon.Security.KeyStore.Password and Carbon.Security.TrustStore.Password
    • C:\Program Files (x86)\CA\SOI\wso2registry\repository\conf\identity\identity.xml
      • update the new password in the tag <Password>wso2carbon</Password>
    • C:\Program Files (x86)\CA\SOI\wso2registry\repository\conf\tomcat\catalina-server.xml
      • update the new password in keystorePass="wso2carbon"
  • Start CA SOI WSO2 Carbon service
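The steps above can be run end to end from PowerShell on the Manager machine. The script below is an added example and is not part of the original article or of the SOI product; it backs up and removes the two keystores, regenerates them with the article's keytool commands, pins the signature algorithm to SHA-256 so the result does not depend on the bundled JRE's default, verifies the algorithm actually written to the keystore before anything is copied back, and restarts the service. The installation path in $SoiHome, the Windows service name in $ServiceName, the hostname in $Cn and the password in $StorePass are assumed placeholders that must be adjusted for the environment.

```powershell
# Added example (not from the original article): regenerate the WSO2 keystore and
# truststore with a SHA-256-signed self-signed certificate, back up the old files,
# verify the signature algorithm, and put the new files in place.
# Assumptions: the four values below are placeholders, not values from the article.
$SoiHome     = 'C:\Program Files (x86)\CA\SOI'   # <SOI Installation Directory>
$ServiceName = 'CA SOI WSO2 Carbon'              # placeholder: confirm the real service name in services.msc
$Cn          = $env:COMPUTERNAME                 # hostname clients connect with; the article uses localhost
$StorePass   = 'wso2carbon'                      # default; if changed, update the conf files listed above
$SecDir      = Join-Path $SoiHome 'wso2registry\repository\resources\security'
$Work        = Join-Path $env:TEMP ('wso2cert-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

$ErrorActionPreference = 'Stop'
$env:PATH = (Join-Path $SoiHome 'jre\bin') + ';' + $env:PATH   # make the bundled keytool available

function Invoke-Keytool {
    # Run keytool and fail fast on a non-zero exit code ($ErrorActionPreference does not cover native commands).
    & keytool @args
    if ($LASTEXITCODE -ne 0) { throw "keytool $($args[0]) failed with exit code $LASTEXITCODE" }
}

# 1. Stop the service before touching the keystores.
Stop-Service -Name $ServiceName

# 2. Back up, then remove, the existing keystore and truststore.
New-Item -ItemType Directory -Path $Work | Out-Null
foreach ($f in 'wso2carbon.jks', 'client-truststore.jks') {
    $src = Join-Path $SecDir $f
    if (Test-Path $src) {
        Copy-Item $src (Join-Path $Work "$f.bak")
        Remove-Item $src
    }
}

# 3. Regenerate the key pair, CSR, certificate and truststore (the article's commands,
#    with -sigalg SHA256withRSA added so an old JRE cannot fall back to SHA-1).
Push-Location $Work
Invoke-Keytool -genkeypair -alias wso2carbon -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -keystore wso2carbon.jks -dname "CN=$Cn,O=WSO2,L=Mountain View,ST=CA,C=US" `
    -validity 7300 -storepass $StorePass -keypass $StorePass -ext bc=ca:true
Invoke-Keytool -certreq -keystore wso2carbon.jks -storepass $StorePass -alias wso2carbon -file wso2carbon.csr
Invoke-Keytool -gencert -keystore wso2carbon.jks -validity 7300 -sigalg SHA256withRSA -storepass $StorePass `
    -alias wso2carbon -infile wso2carbon.csr -outfile wso2carbon.cer
Invoke-Keytool -noprompt -import -alias wso2carbon -file wso2carbon.cer -storetype JKS `
    -keystore client-truststore.jks -storepass $StorePass

# 4. Verify: the certificate in the keystore must not be signed with SHA-1 or MD5.
$listing = & keytool -list -v -keystore wso2carbon.jks -storepass $StorePass -alias wso2carbon | Out-String
if ($listing -match 'Signature algorithm name:\s*(\S+)') {
    $sigAlg = $Matches[1]
    if ($sigAlg -match 'SHA1|MD5') { throw "Weak signature algorithm still in use: $sigAlg" }
    Write-Host "Certificate signature algorithm: $sigAlg"
} else {
    throw 'Could not read the signature algorithm from keytool output'
}
Pop-Location

# 5. Copy the new files into place and start the service again.
Copy-Item (Join-Path $Work 'wso2carbon.jks')        $SecDir
Copy-Item (Join-Path $Work 'client-truststore.jks') $SecDir
Start-Service -Name $ServiceName
Write-Host "Backups of the previous keystores are in $Work"
```

Two points worth checking after the run: the truststore is rebuilt from scratch, so any certificate that had been imported into client-truststore.jks beyond the WSO2 one must be re-imported from the .bak copy; and if $StorePass is anything other than the default, the five configuration files listed above still have to be updated by hand before the service will start cleanly.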

Additional Information

Self-signed certificates are not the only option: SOI also accepts certificates signed by a certificate authority (CA-signed certificates).