Configure WSO2 IS 7 as a Key Manager
WSO2 API Manager supports multiple Key Managers. It ships with an inbuilt resident Key Manager, and it also has the inbuilt capability to use WSO2 Identity Server 7 (WSO2 IS 7) as a Key Manager.
Follow the steps given below to configure WSO2 IS 7 as a Key Manager component.
Info: This document provides instructions on configuring WSO2 Identity Server 7 as a Key Manager. If you are using an older version of WSO2 Identity Server, see Configure WSO2 IS as a Key Manager.
Step 1 - Configure WSO2 IS 7
- Download and install WSO2 Identity Server 7. If you downloaded the archive, extract it. <IS7_HOME> refers to the root folder of the extracted WSO2 IS 7.
  Tip: Refer to the Release Matrix for compatible product versions.
- Add the following configurations to the <IS7_HOME>/repository/conf/deployment.toml file.
- Add the following unique key constraint to the IDN_OAUTH_CONSUMER_APPS table of WSO2IDENTITY_DB. By default, the WSO2IDENTITY_DB database is an H2 database located at <IS7_HOME>/repository/database/WSO2IDENTITY_DB.mv.db.
  ALTER TABLE IDN_OAUTH_CONSUMER_APPS ADD CONSTRAINT UNIQUE_CONSUMER_KEY_CONSTRAINT UNIQUE (CONSUMER_KEY);
  Note - Before you begin: You need to import the public certificate of WSO2 Identity Server 7 into the truststore of WSO2 API Manager, and vice versa. For information on importing the certificates, see the Importing certificates to the truststore guide.
- Start WSO2 Identity Server 7 with a port offset. portOffset is required only if you are running both API-M and IS 7 in the same JVM.
  sh wso2server.sh -DportOffset=1
Step 2 - Configure WSO2 API Manager
- Start WSO2 API Manager. <APIM_HOME> refers to the root folder of the extracted WSO2 APIM.
- Sign in to the Admin Portal at https://<hostname>:9443/admin (for example, https://localhost:9443/admin).
- Click Key Managers.
- Click Add Key Manager to add the configuration for a new Key Manager.
- Enter a Name and Display Name, and select WSO2 Identity Server 7 as the Key Manager Type.
- Under the Key Manager Endpoints section, provide the following values:
  Note
  - The following values assume that WSO2 IS 7 runs on the same JVM as WSO2 APIM, with a port offset of 1 (i.e. localhost:9444).
  - You can use https://localhost:9444/oauth2/token/.well-known/openid-configuration as the Well-known URL and click Import to populate most of the fields listed below, the Grant types, and the Certificates section.

  Configuration                  Value
  Issuer                         https://localhost:9444/oauth2/token
  Client Registration Endpoint   https://localhost:9444/api/identity/oauth2/dcr/v1.1/register
  Introspection Endpoint         https://localhost:9444/oauth2/introspect
  Token Endpoint                 https://localhost:9444/oauth2/token
  Display Token Endpoint         https://localhost:9444/oauth2/token
  Revoke Endpoint                https://localhost:9444/oauth2/revoke
  Display Revoke Endpoint        https://localhost:9444/oauth2/revoke
  UserInfo Endpoint              https://localhost:9444/scim2/Me
  Authorize Endpoint             https://localhost:9444/scim2/Me
  Scope Management Endpoint      https://localhost:9444/api/identity/oauth2/v1.0/scopes
- Under Grant types, provide all of the following: password, client_credentials, refresh_token, urn:ietf:params:oauth:grant-type:saml2-bearer, iwa:ntlm, urn:ietf:params:oauth:grant-type:device_code, authorization_code, urn:ietf:params:oauth:grant-type:jwt-bearer, urn:ietf:params:oauth:grant-type:token-exchange.
- Under the Certificates section, select JWKS and enter https://localhost:9444/oauth2/jwks as the URL.
- Under Connector Configurations, provide the username and password. The default username and password are both admin.
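The Import button described above fills the Key Manager endpoint fields from the IS 7 OpenID discovery document. The Python script below is an added example, not WSO2 code: it performs that same mapping offline against a constructed discovery document so you can check, before touching the Admin Portal, what Import would fill in, which of the grant types listed above the server does not advertise (and so must be added by hand), which fields Import cannot populate at all (Scope Management Endpoint is not a discovery claim), and that every endpoint is served over HTTPS so tokens and the admin credentials never travel in clear. The sample document's values follow the table above; its authorization_endpoint (https://localhost:9444/oauth2/authorize) and its omission of the token-exchange grant are constructed assumptions, not captured server output.

```python
"""Map an OIDC discovery document to WSO2 API-M Key Manager endpoint fields.

Added example (not WSO2 code). Mirrors the Admin Portal "Import" step offline
against a constructed discovery document so the result can be reviewed.
"""
import json
from urllib.parse import urlsplit

# Grant types the page says the Key Manager must offer.
REQUIRED_GRANT_TYPES = [
    "password",
    "client_credentials",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "iwa:ntlm",
    "urn:ietf:params:oauth:grant-type:device_code",
    "authorization_code",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "urn:ietf:params:oauth:grant-type:token-exchange",
]

# Key Manager field -> discovery claim (OpenID Connect Discovery / RFC 8414 names).
FIELD_TO_CLAIM = {
    "Issuer": "issuer",
    "Client Registration Endpoint": "registration_endpoint",
    "Introspection Endpoint": "introspection_endpoint",
    "Token Endpoint": "token_endpoint",
    "Revoke Endpoint": "revocation_endpoint",
    "UserInfo Endpoint": "userinfo_endpoint",
    "Authorize Endpoint": "authorization_endpoint",
    "JWKS URL": "jwks_uri",
}

# Every endpoint field on the Key Manager form; Scope Management has no discovery claim.
ALL_ENDPOINT_FIELDS = [
    "Issuer", "Client Registration Endpoint", "Introspection Endpoint",
    "Token Endpoint", "Display Token Endpoint", "Revoke Endpoint",
    "Display Revoke Endpoint", "UserInfo Endpoint", "Authorize Endpoint",
    "Scope Management Endpoint",
]

# Constructed sample of a discovery document for IS 7 with port offset 1.
# authorization_endpoint and the missing token-exchange grant are assumptions.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://localhost:9444/oauth2/token",
  "registration_endpoint": "https://localhost:9444/api/identity/oauth2/dcr/v1.1/register",
  "introspection_endpoint": "https://localhost:9444/oauth2/introspect",
  "token_endpoint": "https://localhost:9444/oauth2/token",
  "revocation_endpoint": "https://localhost:9444/oauth2/revoke",
  "userinfo_endpoint": "https://localhost:9444/scim2/Me",
  "authorization_endpoint": "https://localhost:9444/oauth2/authorize",
  "jwks_uri": "https://localhost:9444/oauth2/jwks",
  "grant_types_supported": [
    "password", "client_credentials", "refresh_token",
    "urn:ietf:params:oauth:grant-type:saml2-bearer", "iwa:ntlm",
    "urn:ietf:params:oauth:grant-type:device_code", "authorization_code",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ]
}
""")


def build_key_manager_config(discovery):
    """Return {field: url} for each field the discovery document can fill.

    The Display Token/Revoke Endpoint fields default to the same URLs as the
    Token/Revoke endpoints, as in the page's table.
    """
    config = {}
    for field, claim in FIELD_TO_CLAIM.items():
        if claim in discovery:
            config[field] = discovery[claim]
    if "Token Endpoint" in config:
        config["Display Token Endpoint"] = config["Token Endpoint"]
    if "Revoke Endpoint" in config:
        config["Display Revoke Endpoint"] = config["Revoke Endpoint"]
    return config


def missing_grant_types(discovery, required=REQUIRED_GRANT_TYPES):
    """Required grant types the server does not advertise; add these manually."""
    supported = set(discovery.get("grant_types_supported", []))
    return [g for g in required if g not in supported]


def fields_needing_manual_entry(config):
    """Form fields that Import leaves empty and must be typed in by hand."""
    return [f for f in ALL_ENDPOINT_FIELDS if f not in config]


def insecure_endpoints(config):
    """Fields whose URL is not https; tokens and credentials would be sent in clear."""
    return sorted(f for f, url in config.items() if urlsplit(url).scheme != "https")


if __name__ == "__main__":
    cfg = build_key_manager_config(SAMPLE_DISCOVERY)
    for field in ALL_ENDPOINT_FIELDS + ["JWKS URL"]:
        print(f"{field:30} {cfg.get(field, '<enter manually>')}")
    print("grant types to add by hand:", missing_grant_types(SAMPLE_DISCOVERY))
    print("non-HTTPS endpoints:", insecure_endpoints(cfg))
```

Replace SAMPLE_DISCOVERY with the JSON fetched from the Well-known URL of your own IS 7 to review a real deployment; the reported lists are exactly the items that still need attention after Import.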