Configure WSO2 IS 7 as a Key Manager

WSO2 API Manager supports multiple Key Managers. As a result, WSO2 API Manager is prepacked with an inbuilt resident Key Manager, and it has the inbuilt capability of configuring WSO2 Identity Server 7 (WSO2 IS 7) as a Key Manager.

Info

This document provides instructions on configuring WSO2 Identity Server 7 as a Key Manager. If you are using an older version of WSO2 Identity Server, see Configure WSO2 IS as a Key Manager.

Warning

Incompatibilities when using WSO2 IS 7 as a Key Manager
WSO2 API Manager 4.3.0 is not fully compatible with WSO2 Identity Server 7 as the Key Manager. Refer to the Incompatibilities when using WSO2 IS 7 as a Key Manager section for more information.

Incompatibilities when using WSO2 IS 7 as a Key Manager

WSO2 API Manager 4.3.0 is not fully compatible with WSO2 Identity Server 7 as the Key Manager, due to the following limitations.

  • Role-based authorization: WSO2 API Manager 4.3.0 is not compatible with the role-based authorization model of WSO2 Identity Server 7.0. Therefore, role-based access control with scopes is not supported as a first-class feature.
  • Tenancy: The data models of WSO2 API Manager 4.3.0 and WSO2 Identity Server 7.0 are different; therefore, tenancy is not supported.

Follow the steps given below to configure WSO2 IS 7 as a Key Manager component.

Step 1 - Configure WSO2 IS 7

  1. Download and install WSO2 Identity Server 7.

    If you downloaded the archive, extract it. <IS7_HOME> refers to the root folder of the extracted WSO2 IS 7.

    Tip

    Refer to the Release Matrix for compatible product versions.

  2. Add the following configuration to the <IS7_HOME>/repository/conf/deployment.toml file. It allows an authenticated GET on the SCIM2 /Me resource, which WSO2 API Manager uses as the UserInfo endpoint of this Key Manager.

    [[resource.access_control]]
    context="(.*)/scim2/Me"
    secure=true
    http_method="GET"
    cross_tenant=true
    permissions=[]
    scopes=[]
    

    Note

    Before you begin:

    You need to import the public certificate of the WSO2 Identity Server 7 to the truststore of the WSO2 API Manager, and vice-versa. For information on importing the certificates, see the Importing certificates to the truststore guide.

  3. Start WSO2 Identity Server 7 with a port offset. portOffset is required only if you are running both API-M and IS 7 in the same JVM.

    sh wso2server.sh -DportOffset=1

Step 2 - Configure WSO2 API Manager

  1. Start WSO2 API Manager.

    <APIM_HOME> refers to the root folder of the extracted WSO2 APIM.

  2. Sign in to the Admin Portal.

    https://<hostname>:9443/admin (for example, https://localhost:9443/admin)

  3. Click Key Managers.

  4. Click Add Key Manager to add the configuration related to a new Key Manager.

  5. Enter a Name and Display Name, and select WSO2 Identity Server 7 as the Key Manager Type.

  6. Under the Key Manager Endpoints section, provide the following values:

    Note

    • The following values are based on the assumption that WSO2 IS 7 runs on the same JVM as WSO2 APIM, with a port offset of 1 (i.e. localhost:9444).
    • You can use https://localhost:9444/oauth2/token/.well-known/openid-configuration as the Well-known URL and click Import to populate most of the fields mentioned below, the Grant types, and the Certificates section.

    Configuration                  Value
    Issuer                         https://localhost:9444/oauth2/token
    Client Registration Endpoint   https://localhost:9444/api/identity/oauth2/dcr/v1.1/register
    Introspection Endpoint         https://localhost:9444/oauth2/introspect
    Token Endpoint                 https://localhost:9444/oauth2/token
    Display Token Endpoint         https://localhost:9444/oauth2/token
    Revoke Endpoint                https://localhost:9444/oauth2/revoke
    Display Revoke Endpoint        https://localhost:9444/oauth2/revoke
    UserInfo Endpoint              https://localhost:9444/scim2/Me
    Authorize Endpoint             https://localhost:9444/scim2/Me
    Scope Management Endpoint      https://localhost:9444/api/identity/oauth2/v1.0/scopes
  7. Under Grant types, provide all the following: password, client_credentials, refresh_token, urn:ietf:params:oauth:grant-type:saml2-bearer, iwa:ntlm, urn:ietf:params:oauth:grant-type:device_code, authorization_code, urn:ietf:params:oauth:grant-type:jwt-bearer, urn:ietf:params:oauth:grant-type:token-exchange.

  8. Under the Certificates section, select JWKS and enter https://localhost:9444/oauth2/jwks as the URL.
  9. Under Connector Configurations, provide the username and password. The default username and password are both admin.
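The Import button in step 6 fills the form from whatever discovery document the Well-known URL returns, so it is worth checking that document against the port offset and the table above before accepting it: a document fetched from port 9443 instead of 9444 describes API-M's own resident Key Manager, not IS 7, and any plain-http endpoint would send tokens and client credentials unencrypted. The following script is an added example and is not part of the WSO2 documentation or product code. It assumes a constructed sample discovery document carrying the localhost:9444 values from the table (a real one comes from https://<is7-host>:9444/oauth2/token/.well-known/openid-configuration), and the function names `parse_discovery` and `key_manager_fields` are this example's own.

```python
"""Sanity-check an OpenID discovery document before importing it as the
Key Manager Endpoints of a WSO2 IS 7 Key Manager (added example, not WSO2 code).

The sample document is constructed to match the localhost:9444 values in the
table above; in practice it is fetched from
https://<is7-host>:9444/oauth2/token/.well-known/openid-configuration.
"""
import json
from urllib.parse import urlparse

# A WSO2 product with no port offset serves HTTPS on 9443; IS 7 started with
# -DportOffset=1 therefore listens on 9444.
BASE_HTTPS_PORT = 9443

# Discovery document field -> label on the Admin Portal "Key Manager Endpoints" form.
FIELD_MAP = {
    "issuer": "Issuer",
    "registration_endpoint": "Client Registration Endpoint",
    "introspection_endpoint": "Introspection Endpoint",
    "token_endpoint": "Token Endpoint",
    "revocation_endpoint": "Revoke Endpoint",
    "jwks_uri": "JWKS URL",
}

# Grant types the procedure asks you to enable (step 7 above).
GRANT_TYPES = [
    "password", "client_credentials", "refresh_token",
    "urn:ietf:params:oauth:grant-type:saml2-bearer", "iwa:ntlm",
    "urn:ietf:params:oauth:grant-type:device_code", "authorization_code",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "urn:ietf:params:oauth:grant-type:token-exchange",
]

# Constructed sample discovery document (only the fields used below).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://localhost:9444/oauth2/token",
    "token_endpoint": "https://localhost:9444/oauth2/token",
    "introspection_endpoint": "https://localhost:9444/oauth2/introspect",
    "revocation_endpoint": "https://localhost:9444/oauth2/revoke",
    "registration_endpoint": "https://localhost:9444/api/identity/oauth2/dcr/v1.1/register",
    "jwks_uri": "https://localhost:9444/oauth2/jwks",
    "grant_types_supported": ["authorization_code", "client_credentials",
                              "refresh_token", "password"],
})


def parse_discovery(raw: str) -> dict:
    """Parse the JSON and make sure every field the import needs is present."""
    doc = json.loads(raw)
    missing = [k for k in FIELD_MAP if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks required fields: {missing}")
    return doc


def _origin(url: str) -> tuple:
    """Return (host, port) of an endpoint, rejecting anything that is not HTTPS."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"endpoint must be an https URL: {url}")
    return parts.hostname, parts.port or 443


def key_manager_fields(doc: dict, port_offset: int = 1) -> dict:
    """Map the discovery document onto the Key Manager form values.

    Raises ValueError if the issuer is not on the port IS 7 should be using
    for the given offset, or if any endpoint is served from a different
    origin (host:port) than the issuer.
    """
    host, port = _origin(doc["issuer"])
    expected_port = BASE_HTTPS_PORT + port_offset
    if port != expected_port:
        raise ValueError(f"issuer is on port {port}; IS 7 with offset "
                         f"{port_offset} is expected on {expected_port}")

    cfg = {}
    for field, label in FIELD_MAP.items():
        if _origin(doc[field]) != (host, port):
            raise ValueError(f"{field} is not served by the issuer's origin: {doc[field]}")
        cfg[label] = doc[field]

    # The table above uses the same URLs for the display endpoints.
    cfg["Display Token Endpoint"] = cfg["Token Endpoint"]
    cfg["Display Revoke Endpoint"] = cfg["Revoke Endpoint"]
    # The table points UserInfo at the SCIM2 /Me resource (the one Step 1 opens
    # in deployment.toml); it is not in the discovery document, so derive it
    # from the issuer's origin. Same for the scope management endpoint.
    cfg["UserInfo Endpoint"] = f"https://{host}:{port}/scim2/Me"
    cfg["Scope Management Endpoint"] = f"https://{host}:{port}/api/identity/oauth2/v1.0/scopes"

    # Split the grant types from step 7 into those the server advertises and
    # those it does not, so the reader knows which are enabled only in the form.
    advertised = set(doc.get("grant_types_supported", []))
    cfg["Grant Types (advertised)"] = [g for g in GRANT_TYPES if g in advertised]
    cfg["Grant Types (not advertised)"] = [g for g in GRANT_TYPES if g not in advertised]
    return cfg


if __name__ == "__main__":
    for label, value in key_manager_fields(parse_discovery(SAMPLE_DISCOVERY)).items():
        print(f"{label}: {value}")
```

Run it as-is to see the mapping for the sample; to check a live server, replace `SAMPLE_DISCOVERY` with the body fetched from the Well-known URL and pass the offset you started IS 7 with. The origin check is the part that matters for security: every endpoint the Key Manager will call for introspection, revocation and key retrieval must be HTTPS and belong to the same IS 7 instance whose certificate you imported into the API-M truststore.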