General Data Protection Regulation (GDPR) for WSO2 API Manager

The Forget-Me tool pre-packed with API-M 2.2.0 can be used to remove identities of an external user who is deleted according to the system administrator's request. This tool removes user identities stored in the database and also in log files in order to meet GDPR requirements. The following sections guide you through configuring and running this tool in WSO2 API Manager.

Changing the default configurations of the tool

All configurations related to this tool can be found inside the <API-M_HOME>/repository/components/tools/forget-me/conf directory. The default configurations are set up as follows:

  • Read Logs: <API-M_HOME>/repository/logs

  • Read Datasource: <API-M_HOME>/repository/conf/datasources/

  • Default datasource name: WSO2AM_DB, WSO2_CARBON_DB

  • Log file name regex: (.)*(log|out)

Configuring the master configuration file

The master configuration file of the Identity Anonymization tool is the config.json file. Following is a sample config.json file:

{
  "processors" : [
    "log-file", "rdbms"
  ],
  "directories": [
    {
      "dir": "log-config",
      "type": "log-file",
      "processor" : "log-file",
      "log-file-path" : "logs",
      "log-file-name-regex" : "wso2carbon.log"
    },
    {
      "dir": "sql",
      "type": "rdbms",
      "processor" : "rdbms"
    }
  ],
  "extensions": [
    {
      "dir": "datasources",
      "type": "datasource",
      "processor" : "rdbms",
      "properties" : [
        {"identity": "WSO2_CARBON_DB"}
      ]
    }
  ]
}

You can configure the following in the config.json file based on your requirement:

  • processors - A list of processors on which you want the tool to run. The processors that you can specify are pre-defined. Possible values are RDBMS and log-file.
  • directories - The definitions of directories on which you want the tool to run. When you specify a directory definition, be sure to either specify the directory path relative to the location of the config.json file, or specify the absolute path to the directory.
  • processor - The type of processor to use to process instructions in the corresponding directory.
  • extensions - The extensions to be initialized prior to starting a processor.
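A pre-flight lint for config.json, added here as an example (it is not part of the Forget-Me tool): it flags a removal run that would skip a data store because a processor is not enabled or an instruction directory is missing. The function name and the rule that an entry's processor must appear in "processors" are assumptions drawn from the field descriptions above.

```python
import json
import tempfile
from pathlib import Path

# Processor names as they are spelled in the sample config.json.
KNOWN_PROCESSORS = {"log-file", "rdbms"}


def lint_forget_me_config(config_path):
    """Return a list of problems found in a Forget-Me config.json (empty if clean)."""
    config_path = Path(config_path)
    config = json.loads(config_path.read_text(encoding="utf-8"))
    enabled = config.get("processors", [])
    problems = [f"unknown processor '{p}'" for p in enabled if p not in KNOWN_PROCESSORS]
    for section in ("directories", "extensions"):
        for entry in config.get(section, []):
            label = f"{section} entry '{entry.get('dir')}'"
            # Assumed rule: an entry bound to a processor that is not listed in
            # "processors" is never acted on, so flag it.
            if entry.get("processor") not in enabled:
                problems.append(f"{label}: processor not listed in processors")
            if section != "directories" or "dir" not in entry:
                continue
            # Directory paths are absolute or relative to config.json's folder.
            target = Path(entry["dir"])
            if not target.is_absolute():
                target = config_path.parent / target
            if not target.is_dir():
                problems.append(f"{label}: directory not found")
    return problems


if __name__ == "__main__":
    # Constructed conf folder: "rdbms" was dropped from processors and the
    # "sql" instruction directory is missing.
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp)
        (conf / "log-config").mkdir()
        (conf / "config.json").write_text(json.dumps({
            "processors": ["log-file"],
            "directories": [
                {"dir": "log-config", "type": "log-file", "processor": "log-file"},
                {"dir": "sql", "type": "rdbms", "processor": "rdbms"},
            ],
            "extensions": [{"dir": "datasources", "type": "datasource", "processor": "rdbms"}],
        }))
        for problem in lint_forget_me_config(conf / "config.json"):
            print(problem)
```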

Changing the default configurations location

To change the default configurations location for the pre-packed tool, do the following:

  1. Open the forgetme.sh file found inside the <API-M_HOME>/bin folder. This file will contain the following.

    sh $CARBON_HOME/repository/components/tools/forget-me/bin/forget-me -d $CARBON_HOME/repository/components/tools/forget-me/conf $@
  2. The location path is the value given after -d in the line above. Modify the value after -d to change the location. The default location path is $CARBON_HOME/repository/components/tools/forget-me/conf.

Running the tool in API Manager

This tool is packaged with WSO2 API Manager by default. Follow the steps below to run this tool.

Note

Before you begin...

  • Note that this tool is designed to run in offline mode (i.e., the server should be shut down or run on another machine) in order to prevent unnecessary load on the server. If the tool runs in online mode (i.e., while the server is running), DB locks on the H2 databases may occur. This can happen if at least one of your databases points to H2. For example, if your User, REG and AM databases point to MySQL but your Carbon DB is in H2, you can still get this DB lock error when running in online mode.
  • If you have configured a database other than the default H2 database, copy the relevant driver to the <API-M_HOME>/repository/components/tools/forget-me/lib directory.
  1. Open a new terminal window and navigate to the <API-M_HOME>/bin directory.

  2. Execute one of the following commands depending on your operating system:

    • On Linux/Mac OS: ./forgetme.sh -U <username>
    • On Windows: forgetme.bat -U <username>

Info

The command specified above uses only the -U <username> option, which is the only mandatory option to run the tool. There are several other optional command line options that you can specify based on your requirement. The supported options are described in detail below.

  1. The following is the list of all the command line options that can be used with this command.

    | Command line option | Description | Required | Default value | Sample value |
    |---|---|---|---|---|
    | U | The name of the user whose identity references you want to remove. | Yes | | -U alex.doe |
    | d | The configuration directory to use when the tool is run. If you do not specify a value for this option, the default conf directory will be used. | No | | -d /users/alex/forgetme/config |
    | T | The tenant domain | No | carbon.super | -T example-company |
    | TID | The tenant ID | No | | -TID 1234 |
    | D | The userstore domain | No | PRIMARY | -D Finance-domain |
    | pu | The pseudonym with which the username should be replaced. | No | A random UUID value is generated as the pseudonym. | -pu "123-343-435-545-dfd-4" |
    | carbon | The CARBON HOME. This should be replaced with the variable $CARBON_HOME in directories configured in the main configuration file. | No | | -carbon "usr/bin/wso2am/wso2am2.2.0" |

  2. All references to the user are removed from WSO2 API Manager. You can view the generated reports inside the <API-M_HOME>/repository/components/tools/forget-me/conf directory.
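A post-run check that the username really is gone from the logs, added here as an example (it is not part of the Forget-Me tool). It scans every file in a log directory and separates leftovers in files covered by the default log file name regex from leftovers in files the regex does not cover, such as rotated logs. The function name and the whole-file-name matching of the regex are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Default log file name regex listed in the tool's default configuration.
DEFAULT_LOG_NAME_REGEX = r"(.)*(log|out)"


def find_residual_references(log_dir, username, name_regex=DEFAULT_LOG_NAME_REGEX):
    """Scan every file in log_dir and report lines that still contain username.

    Hits are split by whether the file name is covered by name_regex, so that
    leftovers in files the tool never looked at can be told apart.
    Assumption: the regex has to match the whole file name.
    """
    name_pattern = re.compile(name_regex)
    # Whole-token match: "alex.doe@carbon.super" counts, "alex.doering" does not.
    user_pattern = re.compile(r"(?<!\w)" + re.escape(username) + r"(?!\w)", re.IGNORECASE)
    hits = {"covered": [], "not_covered": []}
    for path in sorted(Path(log_dir).iterdir()):
        if not path.is_file():
            continue
        bucket = "covered" if name_pattern.fullmatch(path.name) else "not_covered"
        with path.open(encoding="utf-8", errors="replace") as handle:
            for number, line in enumerate(handle, start=1):
                if user_pattern.search(line):
                    hits[bucket].append((path.name, number))
    return hits


if __name__ == "__main__":
    # Constructed sample logs standing in for <API-M_HOME>/repository/logs after
    # a run with -U alex.doe -pu "123-343-435-545-dfd-4".
    with tempfile.TemporaryDirectory() as tmp:
        logs = Path(tmp)
        (logs / "wso2carbon.log").write_text(
            "INFO - 'alex.doering@carbon.super' logged in\n"
            "INFO - '123-343-435-545-dfd-4@carbon.super' logged in\n"
        )
        (logs / "wso2carbon.log.2018-05-01").write_text(
            "INFO - 'alex.doe@carbon.super' logged in\n"
        )
        for bucket, found in find_residual_references(logs, "alex.doe").items():
            print(bucket, found)
```

Hits under "covered" mean the run did not finish its job; hits under "not_covered" mean the log file name regex needs widening before the next run.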

Running the toolkit in standalone mode

This tool can run standalone and therefore cater to multiple products. This means that if you are using multiple WSO2 products and need to delete the user's identity from all products at once, you can do so by running the tool in standalone mode. For information on how to build and run the Forget-Me tool, see Removing References to Deleted User Identities in WSO2 Products in the WSO2 Administration Guide.

GDPR for API Manager Analytics

For information on GDPR for API Manager Analytics, please refer to General Data Protection Regulation (GDPR) for WSO2 API Manager Analytics.
