Open in app

Sign in

Write

Sign in

Navigating the Process: A Step-by-Step Guide to Changing the Hostname of WSO2 Identity Server

Niluka Sripali Monnankulama
Many Minds
Published in
7 min readOct 8, 2023

Follow these easy steps to change the hostname of your WSO2 Identity Server and ensure seamless integration and secure communication within your network.

Changing the hostname of WSO2 Identity Server can be necessary for several reasons, including:

  • Security: Changing the default hostname can enhance security by making it more challenging for potential attackers to identify and target your server. Attackers often target servers with well-known hostnames.
  • Compliance: Certain compliance standards and regulations may require specific hostnames to meet security and privacy standards. Changing the hostname ensures compliance with these requirements.
  • Branding and Customization: Customizing the hostname allows you to align the server’s online presence with your organization’s branding and naming conventions. It helps in creating a consistent and professional image.
  • Network Management: In complex network environments, changing the hostname can help differentiate servers, reduce naming conflicts, and simplify network management, especially when dealing with multiple servers or services.
  • Integration Requirements: When integrating WSO2 Identity Server with other systems or services, those services may require specific hostnames for communication. Changing the hostname allows for seamless integration with these services.
  • Domain Changes: If your organization undergoes a domain name change, updating the hostname ensures consistency with the new domain, avoiding confusion and potential access issues.
  • Load Balancing: In load-balanced setups, using distinct hostnames for different server instances helps facilitate effective traffic distribution and load balancing.
  • Testing and Development: Unique hostnames are essential in testing and development environments to prevent conflicts and accurately mimic production setups.

In summary, changing the hostname of WSO2 Identity Server serves security, compliance, branding, and network management purposes while ensuring smooth integration with other systems and aligning with your organization’s evolving needs.

Here are the general steps to change the hostname for WSO2 Identity Server:

Step 1: Backup Configuration

Before making any changes, it’s always a good practice to backup your existing configuration files and database.

Step 2: Update Hostname in deployment.toml File

In simple terms, the default hostname for WSO2 Identity Server is “localhost.” When you open the WSO2 Identity Server Console or My Account using the default package or configurations, you can see this hostname in the web address. It’s the address you use to access the server on your own computer.

When using WSO2 Identity Server in different deployments, we often need to modify the host file. The first step is to make changes in the deployment.toml file.

Modify deployment.toml File:

  • First, open thedeployment.toml file, which is a configuration file for WSO2 Identity Server.
  • For WSO2 Identity Server versions 5.11.0 and above, by default, the deployment.toml file is located inside the <IS_HOME>/repository/conf directory, where <IS_HOME> refers to the directory where WSO2 Identity Server is installed.
  • Specify the hostname: In thedeployment.toml file, you can specify the hostname under the [server] section. Here's an example of how you can set the hostname:
 [server]
 hostname = "dev.wso2.com"
  1. Replace "dev.wso2.com" with the desired hostname you want to configure.
  2. Save the changes: Save the deployment.toml file after making the necessary changes.

By following these steps, you can configure the hostname in the deployment.toml file for WSO2 Identity Server. This hostname will be used for various purposes, including generating URLs and references within the server.

Step 2: Create New KeyStore and Certificate

When changing the hostname of WSO2 Identity Server, creating a new keystore is not a requirement in itself.

However, there are situations where creating a new keystore may be necessary or advisable.

Creating a new keystore for WSO2 Identity Server after changing the hostname involves generating a new SSL/TLS certificate and private key, which are essential for securing communication between clients and the server.

Here are some reasons why you might consider creating a new keystore when changing the hostname:

  • Hostname Mismatch: If your existing keystore was generated with the old hostname embedded in the SSL certificate (common for production setups), it’s a good practice to create a new keystore with a certificate that matches the new hostname. Mismatches between the certificate’s Common Name (CN) or Subject Alternative Names (SANs) and the server’s hostname can lead to security warnings in browsers.
  • Enhanced Security: Changing the hostname may also be an opportunity to enhance security. You can generate a new, more secure SSL certificate and private key when creating the new keystore.
  • Certificate Expiry: If the SSL certificate in the existing keystore is close to expiry, it’s a good time to create a new one with an extended validity period.
  • Best Practices: Following best practices, you might want to generate fresh SSL material whenever there is a significant configuration change, such as a hostname change.
  • Compliance: If your organization has specific compliance requirements, such as using certificates with certain attributes or from specific certificate authorities, creating a new keystore allows you to meet those requirements.

In summary, while it’s not mandatory to create a new keystore when changing the hostname of WSO2 Identity Server, doing so can help ensure a smoother transition, improved security, and alignment with best practices and compliance requirements. The decision to create a new keystore should be based on your specific security and operational needs.

Prerequisites:

  • OpenSSL (or any other tool for generating SSL certificates)
  • Keytool (Java Key and Certificate Management Tool)

Backup the Existing Keystore (Optional but Highly Recommended):

Before making any changes, it’s crucial to back up the existing wso2carbon.jks file. Copy it to a safe location on your server or another secure location.

Generate a New Keystore with a Self-Signed Certificate:

To create a new keystore with a self-signed certificate, you can use the Java keytool utility. Open a command prompt or terminal and run the following command:

keytool -genkeypair -alias dev.wso2.com -keyalg RSA -keysize 2048 -keystore dev-wso2-keystore.jks -validity 365 -storepass your_keystore_password

Replace your_keystore_password with a strong password. You will be prompted to provide additional information, including the Common Name (CN), which should be set to "dev.wso2.com."

Once we have successfully created the Java keystore we can export the public certificate from the new keystore in PEM format.

keytool -export -alias dev.wso2.com -keystore dev-wso2-keystore.jks -file dev-wso2.cer -storepass your_keystore_password

openssl x509 -inform der -in dev-wso2.cer -out dev-wso2.pem

This will create a dev-wso2.pem file containing the public certificate in PEM format.

Share the Public Certificate in PEM Format:

Share the dev-wso2.pem file, which contains the public certificate in PEM format, with external systems, clients, or services that need to trust the SSL certificate of your WSO2 Identity Server.

Make sure the recipients import the dev-wso2.pem certificate into their truststore to establish secure SSL connections with your Identity Server.

These detailed steps ensure you have a new keystore, the public certificate in PEM format, and the hostname changed to dev.wso2.com for your WSO2 Identity Server. Remember to replace <your_keystore_password> with a strong and secure password for your keystore.

Step 4: Import the Public Certificate into the WSO2 Identity Server Client Truststore

To import the certificate into the WSO2 Identity Server’s client truststore, follow these steps:

a. Locate the client truststore file used by the WSO2 Identity Server. By default, it is named client-truststore.jks.

b. Backup the truststore file in case something goes wrong:

cp client-truststore.jks client-truststore.jks.backup

Import the certificate into the client truststore:

keytool -import -alias dev.wso2.com -file dev-wso2.pem -keystore client-truststore.jks -storepass your_truststore_password

Replace your_truststore_password with the truststore password.

d. When prompted, confirm that you trust the certificate by typing “yes.”

Verify the Certificate Import:

You can verify that the certificate has been successfully imported into the client truststore by listing the certificates in the truststore:

keytool -list -keystore client-truststore.jks -storepass your_truststore_password

Make sure that the “dev.wso2.com” certificate is listed.

Restart the WSO2 Identity Server:

After importing the certificate, it’s a good practice to restart the WSO2 Identity Server to ensure that the changes take effect.

Step 5: HostFile Entries

Indeed, if you have configured the WSO2 Identity Server to use the hostname “dev.wso2.com,” you will need to make corresponding host file entries on your machine to map that hostname to the server’s IP address. This is necessary for your local machine to resolve the hostname correctly. Here’s how you can do it:

  1. Open the Hosts File:On most operating systems, the hosts file can be found in the following locations:
  • Windows: C:\Windows\System32\drivers\etc\hosts
  • Linux and macOS: /etc/hosts

You may need administrator or superuser privileges to edit this file.

2. Edit the Hosts File:Open the hosts file using a text editor with administrator or superuser privileges.

3. Add an Entry for "dev.wso2.com":

  1. Add an entry to map "dev.wso2.com" to the IP address of your WSO2 Identity Server. You can do this by adding a line like the following:
<IP_ADDRESS>   dev.wso2.com

Replace <IP_ADDRESS> with the actual IP address of your WSO2 Identity Server.

For example:

192.168.1.100 dev.wso2.com

4. Save the Hosts File: Save the changes to the hosts file and close the text editor.

5. Flush DNS Cache (Optional): On some systems, you may need to flush the DNS cache to ensure that the new host file entry takes effect immediately. The command to flush the DNS cache varies depending on your operating system:

  • Windows: Open Command Prompt as an administrator and run ipconfig /flushdns.
  • Linux: Open a terminal and run sudo systemctl restart nscd or sudo systemctl restart systemd-resolved, depending on your Linux distribution.
  • macOS: Open Terminal and run sudo killall -HUP mDNSResponder.

6. Test the Configuration: To verify that the host file entry is working as expected, open a web browser on your local machine and enter "https://dev.wso2.com" in the address bar. It should resolve to your WSO2 Identity Server, and you should be able to access it securely over HTTPS.

By adding the host file entry, you've ensured that your local machine can resolve "dev.wso2.com" to the correct IP address, allowing you to access the WSO2 Identity Server using the configured hostname.

By following this step-by-step guide, you can smoothly navigate the process of changing the hostname of your WSO2 Identity Server. Planning, thorough testing, and effective communication are the keys to a successful transition. Remember, each environment may have specific configurations, so always refer to the official WSO2 Identity Server documentation[1] for detailed information. Good luck with your hostname change!

[1] (Change the hostname)

https://is.docs.wso2.com/en/latest/deploy/change-the-hostname/

Wso2 Identity Server
Wso2

--

--

Niluka Sripali Monnankulama
Many Minds

Written by Niluka Sripali Monnankulama

258 Followers
Editor for

An IT professional with over 7+ years of experience. Member of the WSO2 Identity & Access Management Team.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams