WSO2 Identity Solution, v1.5 : Deploying Identity Provider in Production

By default the identity provider comes configured with a simple sample setup that can be used on localhost to try all the samples. A set of configuration changes has to be made before deploying the Identity Provider application in production.

These changes should be applied to a fresh identity provider instance (i.e. do not start the identity provider until the configuration is finalized).

Step 1: Edit server configuration file

Open the wso2-identity-solution-1.5/conf/server.xml file.

The server's private key is used for the HTTPS channel and by the token issuer to sign the issued tokens. The key information has to be changed in two files: server.xml (this step) and axis2.xml (Step 2).

The following section of server.xml should be updated to match your private key information: the keystore location, type and password, and the alias and password of the private key. The private key must be available in a keystore of type "JKS" or "PKCS12". For more information on keystores, see the keystore documentation.


    <!--
      Security configurations
    -->
    <Security>
        <!--
            KeyStore which will be used for encrypting/decrypting passwords
            and other sensitive information.
        -->
        <KeyStore>
            <!-- Keystore file location-->
            <Location>${wso2wsas.home}/conf/wso2is.jks</Location>
            <!-- Keystore type (JKS/PKCS12 etc.)-->
            <Type>JKS</Type>
            <!-- Keystore password-->
            <Password>wso2is</Password>
            <!-- Private Key alias-->
            <KeyAlias>localhost</KeyAlias>
            <!-- Private Key password-->
            <KeyPassword>wso2is</KeyPassword>
        </KeyStore>


Also note that the host name of the Identity Provider must be changed to match the "Common Name" (CN) of the certificate that belongs to the private key.


    <!--
       Host name of the machine hosting this server
       e.g. www.wso2.org
    -->
    <HostName>www.foo.com</HostName>

The HTTP and HTTPS ports can also be changed by editing the following configuration elements.


    <Ports>
        <HTTP>12080</HTTP>
        <HTTPS>12443</HTTPS>
    </Ports>

The OpenID provider server URL can be changed by editing the following configuration element. Once this is set, OpenIDs will be generated in the format [OpenIDServerUrl]/user/[User Name].

e.g: http://localhost:12080/user/bob


    <OpenIDServerUrl>http://localhost:12080</OpenIDServerUrl>

Step 2: Edit wso2-identity-solution-1.5/conf/axis2.xml file

The "transportReceiver" configurations in axis2.xml have to be updated to match the keystore and port settings changed in server.xml: the "port" parameters of the http and https receivers must equal the values in the <Ports> element, and the "keystore" parameter of the https receiver must point to the same keystore file, type and password.


    <transportReceiver name="http"
                       class="org.wso2.wsas.transport.http.HttpTransportListener">
        <parameter name="port">12080</parameter>
    </transportReceiver>

    <transportReceiver name="https"
                       class="org.wso2.wsas.transport.http.HttpsTransportListener">
        <parameter name="port">12443</parameter>
        <parameter name="sslProtocol">TLS</parameter>
        <parameter name="maxHttpHeaderSize">8192</parameter>
        <parameter name="maxThreads">150</parameter>
        <parameter name="minSpareThreads">25</parameter>
        <parameter name="maxSpareThreads">75</parameter>
        <parameter name="enableLookups">false</parameter>
        <parameter name="disableUploadTimeout">false</parameter>
        <parameter name="clientAuth">false</parameter>
        <parameter name="acceptCount">100</parameter>
        <parameter name="keystore">
            <wso2wsas:KeyStore xmlns:wso2wsas="http://www.wso2.org/products/wsas">
                <!-- Keystore file location-->
                <wso2wsas:Location>conf/wso2is.jks</wso2wsas:Location>
                <!-- Keystore type (JKS/PKCS12 etc.)-->
                <wso2wsas:Type>JKS</wso2wsas:Type>
                <!-- Keystore password-->
                <wso2wsas:Password>wso2is</wso2wsas:Password>
            </wso2wsas:KeyStore>
        </parameter>
    </transportReceiver>
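As an added consistency check that is not part of the WSO2 distribution, the following Python script cross-checks the two files described above: it flags the shipped default keystore passwords and reports any port, keystore or OpenIDServerUrl mismatch between server.xml and axis2.xml. The root element names `Server` and `axis2config` and the inline XML fragments are constructed for this example; in a real deployment the two files would be read from conf/.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSAS = "{http://www.wso2.org/products/wsas}"
DEFAULT_PASSWORD = "wso2is"  # password shipped with the sample keystore

# Constructed fragments mirroring the page's snippets (root element names are assumed).
SERVER_XML = """<Server><Security><KeyStore><Location>${wso2wsas.home}/conf/wso2is.jks</Location>
<Type>JKS</Type><Password>wso2is</Password><KeyAlias>localhost</KeyAlias><KeyPassword>wso2is</KeyPassword>
</KeyStore></Security><HostName>www.foo.com</HostName><Ports><HTTP>12080</HTTP><HTTPS>12443</HTTPS></Ports>
<OpenIDServerUrl>http://localhost:12080</OpenIDServerUrl></Server>"""
AXIS2_XML = """<axis2config><transportReceiver name="http"><parameter name="port">12080</parameter>
</transportReceiver><transportReceiver name="https"><parameter name="port">12443</parameter>
<parameter name="keystore"><wso2wsas:KeyStore xmlns:wso2wsas="http://www.wso2.org/products/wsas">
<wso2wsas:Location>conf/wso2is.jks</wso2wsas:Location><wso2wsas:Type>JKS</wso2wsas:Type>
<wso2wsas:Password>wso2is</wso2wsas:Password></wso2wsas:KeyStore></parameter></transportReceiver></axis2config>"""

def check_config(server_xml, axis2_xml):
    """Cross-check server.xml against axis2.xml; return a list of findings (empty = consistent)."""
    server = ET.fromstring(server_xml)
    recv = {r.get("name"): {p.get("name"): p for p in r.findall("parameter")}
            for r in ET.fromstring(axis2_xml).iter("transportReceiver")}
    ks = server.find("Security/KeyStore")
    findings = []
    # Shipped default passwords must never reach production.
    for tag in ("Password", "KeyPassword"):
        if ks.findtext(tag) == DEFAULT_PASSWORD:
            findings.append(f"server.xml KeyStore/{tag} still uses the shipped default")
    # Ports in server.xml must match the axis2.xml transport receivers.
    for proto in ("HTTP", "HTTPS"):
        a, b = server.findtext("Ports/" + proto), recv[proto.lower()]["port"].text
        if a != b:
            findings.append(f"{proto} port mismatch: server.xml {a} vs axis2.xml {b}")
    # The HTTPS receiver must reference the same keystore as server.xml.
    axis2_ks = recv["https"]["keystore"].find(WSAS + "KeyStore")
    server_loc = ks.findtext("Location").replace("${wso2wsas.home}/", "")
    if server_loc != axis2_ks.findtext(WSAS + "Location"):
        findings.append("keystore location differs between server.xml and axis2.xml")
    for tag in ("Type", "Password"):
        if ks.findtext(tag) != axis2_ks.findtext(WSAS + tag):
            findings.append(f"keystore {tag} differs between server.xml and axis2.xml")
    # OpenIDServerUrl must name this host on the port configured for its scheme.
    url, host = urlsplit(server.findtext("OpenIDServerUrl")), server.findtext("HostName")
    port = server.findtext("Ports/" + url.scheme.upper())
    if url.hostname != host or str(url.port) != port:
        findings.append(f"OpenIDServerUrl {url.geturl()} should be {url.scheme}://{host}:{port}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_config(SERVER_XML, AXIS2_XML)) or "configuration is consistent")
```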