Skip to content

Configure WSO2 IS 7 as a Key Manager

WSO2 API Manager supports multiple Key Managers. As a result, WSO2 API Manager is prepacked with an inbuilt resident Key Manager, and it has the inbuilt capability of configuring WSO2 Identity Server 7 (WSO2 IS 7) as a Key Manager.


This document provides instructions on configuring WSO2 Identity Server 7 as a Key Manager. If you are using an older version of WSO2 Identity Server, see Configure WSO2 IS as a Key Manager.


Incompatibilities when using WSO2 IS 7 as a Key Manager
WSO2 API Manager 4.3.0 is not fully compatible with WSO2 Identity Server 7 as the Key Manager. Refer to the Incompatibilities when using WSO2 IS 7 as a Key Manager section for more information.

Incompatibilities when using WSO2 IS 7 as a Key Manager

WSO2 API Manager 4.3.0 is not fully compatible with WSO2 Identity Server 7 as the Key Manager, due to the following limitations.

  • Role Based Authorization: WSO2 API Manager 4.3.0 is not compatible with the Role Based Authorization model of WSO2 Identity Server 7.0. Therefore, role based access control with scopes are not supported as a first class feature.
  • Tenancy: Data models of WSO2 API Manager 4.3.0 and WSO2 Identity Server 7.0 are different, therefore tenancy is not supported.

Follow the steps given below to configure WSO2 IS 7 as a Key Manager component.

Step 1 - Configure WSO2 IS 7

  1. Download and install WSO2 Identity Server 7.

    If you downloaded the archive, extract it. <IS7_HOME> refers to the root folder of the extracted WSO2 IS 7.


    Refer to the Release Matrix for compatible product versions.

  2. Add following configurations in the <IS7_HOME>/repository/conf/deployment.toml file.



    Before you begin:

    You need to import the public certificate of the WSO2 Identity Server 7 to the truststore of the WSO2 API Manager, and vice-versa. For information on importing the certificates, see the Importing certificates to the truststore guide.

  3. Start WSO2 Identity Server 7 with a port offset. portOffset is required only if you are running both API-M and IS 7 in the same JVM.

    sh -DportOffset=1

Step 2 - Configure WSO2 API Manager

  1. Start WSO2 API Manager.

    <APIM_HOME> refers to the root folder of the extracted WSO2 APIM.

  2. Sign in to the Admin Portal.



  3. Click Key Managers.

  4. Click Add Key Manager to add the configuration related to a new Key Manager.

  5. Enter a Name and Display Name, and select WSO2 Identity Server 7 as the Key Manager Type.

  6. Under the Key Manager Endpoints section, provide the following values:


    • The following values are based on the assumption that, WSO2 IS 7 runs on the same JVM as WSO2 APIM, with a port offset of 1 (i.e: localhost:9444).
    • You can use https://localhost:9444/oauth2/token/.well-known/openid-configuration as the Well-known URL, and click on Import to populate most of the fields mentioned below, Grant types, and the Certificates section.
    Configuration Value
    Issuer https://localhost:9444/oauth2/token
    Client Registration Endpoint https://localhost:9444/api/identity/oauth2/dcr/v1.1/register
    Introspection Endpoint https://localhost:9444/oauth2/introspect
    Token Endpoint https://localhost:9444/oauth2/token
    Display Token Endpoint https://localhost:9444/oauth2/token
    Revoke Endpoint https://localhost:9444/oauth2/revoke
    Display Revoke Endpoint https://localhost:9444/oauth2/revoke
    UserInfo Endpoint https://localhost:9444/scim2/Me
    Authorize Endpoint https://localhost:9444/scim2/Me
    Scope Management Endpoint https://localhost:9444/api/identity/oauth2/v1.0/scopes
  7. Under Grant types, provide all the following: password, client_credentials, refresh_token, urn:ietf:params:oauth:grant-type:saml2-bearer, iwa:ntlm, urn:ietf:params:oauth:grant-type:device_code, authorization_code, urn:ietf:params:oauth:grant-type:jwt-bearer, urn:ietf:params:oauth:grant-type:token-exchange.

  8. Under Certificates section, select JWKS. Enter https://localhost:9444/oauth2/jwks as the URL.
  9. Under Connector Configurations, provide the username and password. The default username and password will be admin.