How to Change Hostname in WSO2 IS with self-signed certificate

Isuru Gunawardana
Oct 15 · 3 min read

Assume you have set up a WSO2 Identity Server instance in the cloud and you want to access it by hostname instead of by IP. This is not hard if you only access the console, but it is if you access the /dashboard of WSO2 IS.

The steps below show how to do that, and they also fix the following common errors that occur when you access /dashboard.

HTTP Status 500 - org.mozilla.javascript.JavaScriptException: JavaException: org.jaggeryjs.scriptengine.exceptions.ScriptException: SSL peer failed hostname validation for name:{x.x.x.x} (/dashboard/controllers/wsUtil.jag#76)
HTTP Status 500 - org.mozilla.javascript.JavaScriptException: JavaException: org.jaggeryjs.scriptengine.exceptions.ScriptException: SSL peer failed hostname validation for name: null (/dashboard/controllers/wsUtil.jag#76)
The javax.net.ssl.SSLException: hostname in certificate didn't match: <ip address> != <localhost>

Let’s imagine our hostname is is.demo.com. The IS console URL would be https://is.demo.com:9443/carbon and the dashboard URL would be https://is.demo.com:9443/dashboard. The steps below were tested with WSO2IS-5.7.0.

1. Update the {WSO2IS_HOME}/repository/conf/carbon.xml as below

2. Update the local machine’s /etc/hosts file with the entry below
{instance-ip} is.demo.com

3. In the remote instance’s /etc/hosts file, add the entry below
{internal-ip} is.demo.com

4. Let’s create the self-signed certificate. First create the JKS file as below. Note that the hostname is used as the CN and wso2carbon is used as the alias. The command below generates the wso2demo.jks file.

keytool -genkey -alias wso2carbon -keyalg RSA -keysize 2048 -keystore wso2demo.jks -dname "CN=is.demo.com, OU=Is,O=Chakray,L=SL,S=WS,C=LK" -storepass wso2carbon -keypass wso2carbon

5. Then export the public certificate from the KeyStore created above and import it into the WSO2 IS client-truststore.jks as well. (Use the password wso2carbon)

keytool -export -alias wso2carbon -keystore wso2demo.jks -file pkn.pem

Since client-truststore.jks already contains a cert with the wso2carbon alias, we first need to remove it and then add the new one as below. Otherwise keytool rejects the import with the error below.

keytool error: java.lang.Exception: Certificate not imported, alias <wso2carbon> already exists

First delete the cert as below. (Use wso2carbon as the password.)

keytool -delete -trustcacerts -alias wso2carbon -keystore {WSO2IS_HOME}/repository/resources/security/client-truststore.jks

Then import the new cert with the same wso2carbon alias as below.

keytool -import -alias wso2carbon -file pkn.pem -keystore {WSO2IS_HOME}/repository/resources/security/client-truststore.jks -storepass wso2carbon

6. The next step is to add the PKCS12 file to the wso2carbon.jks in WSO2IS. Here too we have to replace the existing cert that uses the wso2carbon alias with the new one.

First generate the p12 file with the wso2carbon password.

keytool -importkeystore -srckeystore wso2demo.jks -srcstorepass wso2carbon -srckeypass wso2carbon -srcalias wso2carbon -destalias wso2carbon -destkeystore wsdemo.p12 -deststoretype PKCS12 -deststorepass wso2carbon -destkeypass wso2carbon

Then import the wsdemo.p12 file into the wso2carbon.jks of WSO2IS.

keytool -v -importkeystore -srckeystore wsdemo.p12 -srcstoretype PKCS12 -destkeystore {WSO2IS_HOME}/repository/resources/security/wso2carbon.jks -deststoretype JKS

The above command will prompt for the keystore’s password and at the end ask whether we want to replace the existing entry for the wso2carbon alias; enter yes and hit enter. Below is a sample output.

Now everything is set up to access the remote WSO2 IS server’s dashboard via https://is.demo.com:9443/dashboard without any errors.
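An added check, not part of the original post: before opening the dashboard, confirm that the wso2carbon alias in wso2carbon.jks and in client-truststore.jks holds the same certificate and that its CN is the new hostname. The function names and the sample listings are constructed for this example; the parsing assumes the Owner: and SHA256: lines that keytool -list -v prints.

```shell
#!/bin/sh
# Added example. Listings are read as text so the checks also run offline.
# Against the real stores, capture each listing first, for example:
#   ks=$(keytool -list -v -alias wso2carbon -storepass wso2carbon \
#        -keystore "$WSO2IS_HOME/repository/resources/security/wso2carbon.jks")
#   ts=$(... the same command with client-truststore.jks ...)

# Print the CN from the "Owner:" line of a `keytool -list -v` listing on stdin.
owner_cn() {
    sed -n 's/^Owner:.*CN=\([^,]*\).*/\1/p' | head -n 1
}

# Print the SHA-256 fingerprint from the listing on stdin.
sha256_fp() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-F:]*\).*/\1/p' | head -n 1
}

# check_alias HOST KEYSTORE_LISTING TRUSTSTORE_LISTING
# Returns 0 only if both stores hold the same certificate and its CN is HOST.
check_alias() {
    host=$1; ks=$2; ts=$3
    cn=$(printf '%s\n' "$ks" | owner_cn)
    ks_fp=$(printf '%s\n' "$ks" | sha256_fp)
    ts_fp=$(printf '%s\n' "$ts" | sha256_fp)
    if [ -z "$ks_fp" ] || [ -z "$ts_fp" ]; then
        echo "no SHA256 fingerprint found in listing"; return 2
    fi
    if [ "$cn" != "$host" ]; then
        echo "keystore CN '$cn' is not '$host'"; return 1
    fi
    if [ "$ks_fp" != "$ts_fp" ]; then
        echo "client-truststore.jks holds a different certificate"; return 1
    fi
    echo "ok: $cn $ks_fp"
}

# Constructed sample listings (subjects and fingerprints are made up).
NEW_CERT='Alias name: wso2carbon
Owner: CN=is.demo.com, OU=Is, O=Chakray, L=SL, ST=WS, C=LK
Issuer: CN=is.demo.com, OU=Is, O=Chakray, L=SL, ST=WS, C=LK
     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
OLD_CERT='Alias name: wso2carbon
Owner: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
     SHA256: FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

check_alias is.demo.com "$NEW_CERT" "$NEW_CERT"          # steps 5 and 6 both done
check_alias is.demo.com "$NEW_CERT" "$OLD_CERT" || true  # step 5 skipped
```

A mismatch between the two stores, or a CN that is still not is.demo.com, is the state in which the hostname validation errors listed at the top of the post appear.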

[Screenshot: earlier, with errors]

[Screenshot: now]

References
https://docs.wso2.com/display/DS200/Troubleshooting+Guide
https://docs.wso2.com/display/IS570/Changing+the+hostname
