From fdba9243904262591cb84a1b706e4d4d75183456 Mon Sep 17 00:00:00 2001 From: Scott Date: Wed, 23 Oct 2024 10:40:06 -0500 Subject: [PATCH] Update configuring-keystores-in-wso2-api-manager.md primary keystore jwt requirements Added link to JWT Access Tokens page to address gateway_certificate_alias dependency when replacing the primary key store. --- .../configuring-keystores-in-wso2-api-manager.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/en/docs/install-and-setup/setup/security/configuring-keystores/configuring-keystores-in-wso2-api-manager.md b/en/docs/install-and-setup/setup/security/configuring-keystores/configuring-keystores-in-wso2-api-manager.md index af74d0284e..7052a50686 100644 --- a/en/docs/install-and-setup/setup/security/configuring-keystores/configuring-keystores-in-wso2-api-manager.md +++ b/en/docs/install-and-setup/setup/security/configuring-keystores/configuring-keystores-in-wso2-api-manager.md 
@@ -79,6 +79,9 @@ The elements in the above configuration are described below: By default, the primary keystore configured as above is used for internal data encryption (encrypting data in internal data stores and configuration files) as well as for signing messages that are communicated with external parties. In other words, if we define the primary keystore only, it will be used as both Secondary Keystore (TLS) and Internal Keystore. However, it is sometimes a common requirement to have separate keystores for SSL/TSL connections, communicating messages with external parties (such as JWT, SAML, OIDC id\_token signing) and for encrypting information in internal data stores. This is because, for signing messages and external communications, the keystore certificates need to be frequently renewed. However, for encrypting information in internal data stores, the keystore certificates should not be changed frequently because the data that is already encrypted will become unusable every time the certificate changes. +!!! Important + If you replace the Primary Key Store refer to JWT Requirements: [Importing the public certificate into the client trust store]({{base_path}}/design/api-security/oauth2/access-token-types/jwt-tokens/#importing-the-public-certificate-into-the-client-trust-store) + ## Configuring the Secondary Keystore for TLS connections In order to configure a separate keystore as the secondary keystore, add below configurations to `deployment.toml`.
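Review bot: The added admonition never states the dependency the commit message describes, so a reader who replaces the primary keystore is sent to the JWT page without being told why: the `gateway_certificate_alias` used for JWT access-token signing refers to the certificate in the primary keystore, and clients validating those tokens must hold the new public certificate. Consider phrasing the note to say that explicitly, for example "If you replace the primary keystore, the certificate referenced by `gateway_certificate_alias` changes as well; import the new public certificate into the client trust store as described in [Importing the public certificate into the client trust store](...)". Two smaller points in the same hunk: "If you replace the Primary Key Store refer to" needs a comma after "Store", and "Primary Key Store" should match the surrounding text's spelling "primary keystore"; and since the hunk touches this paragraph, the pre-existing typo "SSL/TSL" in the context line could be corrected to "SSL/TLS" in the same change.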