Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions en/docs/manage/icp/access-control.md
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ Go to the organization **Access control** and open the **Users** tab. Each user
| **Reset password** | Opens a dialog to set a new password |
| **Unlock account** | Re-enables a locked account |
| **Revoke sessions** | Terminates all active sessions (disabled for your own account) |
| **Delete user** | Permanently removes the user |

## Reference

Expand Down
119 changes: 79 additions & 40 deletions en/docs/manage/icp/encrypt-secrets.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ keywords: [wso2 integrator, icp, cipher tool, encrypt, secrets, manage]

# Encrypt Secrets with the Cipher Tool

The Integration Control Plane (ICP) ships with a cipher tool that lets you encrypt sensitive configuration values such as passwords, JWT signing secrets, and SSO client secrets before storing them in `deployment.toml`. At startup, ICP decrypts these values automatically using the private key in its keystore.
The Integration Control Plane (ICP) ships with a cipher tool that lets you encrypt sensitive configuration values (such as passwords, JWT signing secrets, and SSO client secrets) before storing them in `deployment.toml`. At startup, ICP decrypts these values automatically using the private key in its keystore.

## Prerequisites

Expand All @@ -15,7 +15,7 @@ The Integration Control Plane (ICP) ships with a cipher tool that lets you encry

## Encryptable configuration fields

Only the following fields in `deployment.toml` support encryption. Attempting to use `$secret{alias}` for any other field will have no effect.
Only the following configuration keys in `deployment.toml` support encryption (use of any other key has no effect). You will replace each plaintext value with a `$secret{alias}` reference in a later step.

**Fields stored under `[icp_server.secrets]`:**

Expand Down Expand Up @@ -43,9 +43,55 @@ Only the following fields in `deployment.toml` support encryption. Attempting to
| `dbUser` | Primary database username |
| `dbPassword` | Primary database password |

## Encrypt a secret
## Step 1: Generate a keystore

Run the cipher tool from the ICP installation directory without any flags for the interactive mode.
Generate a new PKCS12 keystore using the Java `keytool` command:

:::note
The keystore generated by this command uses a **self-signed certificate**. For a keystore used solely for local secret encryption and decryption, this is functionally sufficient in production. However, if your organization's security policy or compliance requirements mandate CA-issued certificates, use a CA-backed keystore instead. If you already have a suitable keystore, skip this step.
:::

```bash
keytool -genkeypair -alias <alias-name> -keyalg RSA -keysize 2048 -validity 3650 -storetype PKCS12 -keystore <your-keystore-name>.p12 -storepass <your-keystore-pwd> -keypass <your-key-pwd> -dname "CN=localhost, OU=Security, O=MyOrg, L=City, ST=State, C=US"
```

Replace the placeholders before running the command:

| Placeholder | Description |
|-------------|-------------|
| `<alias-name>` | Name to identify the key inside the keystore |
| `<your-keystore-name>` | Output filename for the `.p12` file |
| `<your-keystore-pwd>` | Password to open/access the keystore |
| `<your-key-pwd>` | Password for the private key itself |

:::warning
Replace all placeholders with your own values before running the command.
:::

## Step 2: Configure the cipher tool

The cipher tool and ICP support both PKCS12 (`.p12`) and JKS keystore types, with PKCS12 being the recommended format. Adjust the type values in the steps below to match your keystore format.

1. Copy your keystore file into the `conf/security/` directory of your ICP installation.
2. Open `conf/cipher-standalone-config.properties` and update the following properties to point to your keystore:

```properties
primary.key.location=conf/security/<your-keystore-file>
primary.key.type=<keystore-type>
primary.key.alias=<alias-name>
```

| Property | Description |
|---|---|
| `primary.key.location` | Path to the keystore file relative to the ICP installation directory |
| `primary.key.type` | Keystore format: `PKCS12` for `.p12` files, `JKS` for Java Keystore files |
| `primary.key.alias` | Alias used to identify the key entry inside the keystore |

These settings tell the cipher tool which keystore to use when encrypting values.

## Step 3: Encrypt a secret

Run the cipher tool from the ICP installation directory:

**Linux/macOS:**
```bash
Expand All @@ -61,7 +107,7 @@ The tool loads the keystore, prompts for the keystore password and the plaintext

```bash
Encrypting using Primary KeyStore.
{type: PKCS12, alias: localhost, path: conf/security/keystore.p12}
{type: <keystore-type>, alias: <alias-name>, path: conf/security/<your-keystore-file>}

[Please Enter Primary KeyStore Password of Carbon Server : ]

Expand All @@ -76,9 +122,9 @@ Encrypted value is :
...
```

Copy the encrypted value you will need it in the next step. Repeat this for every secret you want to encrypt.
Copy the encrypted value, as you will need it in the next step. Repeat this for every secret you want to encrypt.

## Update deployment.toml
## Step 4: Update deployment.toml with ciphertext references

For each secret you encrypted, make two changes to `conf/deployment.toml`:

Expand All @@ -87,19 +133,16 @@ For each secret you encrypted, make two changes to `conf/deployment.toml`:

The alias can be any descriptive name, but using the configuration key name as the alias is the clearest convention.

**Fields from the [Encryptable configuration fields](#encryptable-configuration-fields) table above go into their respective secrets tables:**

```toml
# Ciphertext references for server configurables
# References scattered throughout the main configuration
keystorePassword = "$secret{keystorePassword}"
ssoClientSecret = "$secret{ssoClientSecret}"
keystorePassword = "$secret{keystorePassword}"
ssoClientSecret = "$secret{ssoClientSecret}"
ldapConnectionPassword = "$secret{ldapConnectionPassword}"

# Ciphertexts for server configurables
[icp_server.secrets]
keystorePassword = "RIbyQ0Te..."
ssoClientSecret = "duNHb..."
keystorePassword = "RIbyQ0Te..."
ssoClientSecret = "duNHb..."
ldapConnectionPassword = "P8/7g6rkGB..."

# Ciphertext references for database configurables
Expand All @@ -114,43 +157,39 @@ dbPassword = "ZH84B2a1..."
```

:::note
Every value in a secrets table must be a ciphertext produced by the cipher tool. ICP will fail if a plaintext value is found there.
Every value in a secrets table must be a ciphertext produced by the cipher tool. ICP will fail to start if a plaintext value is found there.
:::

## How ICP decrypts secrets at startup
## Step 5: Point ICP to your keystore

For each configuration field that contains a `$secret{alias}` reference, ICP retrieves the corresponding ciphertext from the secrets table, decrypts it using the private key in the cipher keystore, and uses the resulting plaintext value for the rest of the server lifetime. Decryption happens once during server startup.

## Cipher keystore configuration

By default, the cipher tool and ICP use the same keystore:

| Setting | Default |
|---|---|
| Keystore path | `conf/security/keystore.p12` |
| Keystore alias | `<default-alias>` |
| Keystore password | `<default-password>` |
| Private key password | `<default-password>` |

All four settings can be overridden in `deployment.toml` under `[icp_server.utils]`. The keystore passwords can additionally be set via environment variables, which take precedence over the `deployment.toml` values.

**Option 1 — deployment.toml:**
Add the following block to `conf/deployment.toml` so that ICP uses your keystore to decrypt secrets at startup:

```toml
[icp_server.utils]
cipherKeystorePath = "conf/security/my-keystore.p12"
cipherKeystoreAlias = "my-alias"
cipherKeystorePassword = "my-keystore-password"
cipherPrivateKeyPassword = "my-private-key-password"
cipherKeystorePath = "<full-path-to-your-keystore-file>"
cipherKeystoreAlias = "<alias-name>"
cipherKeystorePassword = "<your-keystore-pwd>"
cipherPrivateKeyPassword = "<your-key-pwd>"
```

**Option 2 — environment variables (passwords only):**
| Property | Description |
|---|---|
| `cipherKeystorePath` | Full path to the keystore file |
| `cipherKeystoreAlias` | Alias of the key entry inside the keystore |
| `cipherKeystorePassword` | Password to open the keystore |
| `cipherPrivateKeyPassword` | Password for the private key entry |

Alternatively, the keystore passwords can be provided as environment variables, which take precedence over the `deployment.toml` values:

```bash
export ICP_CIPHER_KEYSTORE_PASSWORD="<your-keystore-password>"
export ICP_PRIVATE_KEY_PASSWORD="<your-private-key-password>"
export ICP_CIPHER_KEYSTORE_PASSWORD="<your-keystore-pwd>"
export ICP_PRIVATE_KEY_PASSWORD="<your-key-pwd>"
Comment thread
coderabbitai[bot] marked this conversation as resolved.
```

:::note
These settings must match the keystore that was used when encrypting the values with the cipher tool. If they differ, ICP will fail to decrypt the secrets at startup.
For simplicity, this guide points ICP to the same keystore used by the cipher tool in Step 2. This is not required: ICP can use a different keystore file, path, or alias, as long as it contains the same key pair. Secrets are encrypted with the public key, so ICP needs the matching private key to decrypt them. If the key pairs differ, ICP will fail to decrypt the secrets at startup.
:::

## How ICP decrypts secrets at startup

For each configuration field that contains a `$secret{alias}` reference, ICP retrieves the corresponding ciphertext from the secrets table, decrypts it using the private key in the cipher keystore, and uses the resulting plaintext value for the rest of the server lifetime. Decryption happens once during server startup.
4 changes: 2 additions & 2 deletions en/docs/manage/icp/manage-environments.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,11 @@ The environments page shows a table with the following columns:
| **Created** | Relative timestamp (e.g. *31 days ago*) |
| **Actions** | **Edit** (pencil) and **Delete** (trash) icons |

Use the search bar to filter environments by name. Pagination controls appear at the bottom when the list exceeds one page.
Use the search bar to filter environments across all columns. Pagination controls are visible at the bottom of the table.

## Create an environment

1. On the environments page, click **+ Create**.
1. On the environments page, click **+ Create Environment**.
2. Fill in the **Create Environment** form:

| Field | Required | Description |
Expand Down
24 changes: 11 additions & 13 deletions en/docs/manage/icp/manage-integrations.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,6 @@ An integration in ICP represents a deployable Ballerina or MI application that r

| Field | Required | Description |
|-------|----------|-------------|
| **Organization** | Auto | Pre-filled with the current organization. Read-only when navigating from a project. |
| **Project** | Auto | Pre-filled with the current project. Change via the dropdown if needed. |
| **Display Name** | Yes | Human-readable name shown in the console (e.g. `Order Create`) |
| **Name** | Auto | URL-safe slug derived from the display name. Click the edit icon to override. |
| **Integration Type** | Yes | **Default profile** (Ballerina) or **MI** (Micro Integrator). Defaults to default profile. |
Expand All @@ -30,13 +28,13 @@ The integration appears in the project's integrations table on success.

The integration overview shows one environment card per environment. Each card displays:

- Environment name and runtime count badge (e.g. *0 runtimes* or *1/1 Online*).
- Environment name and runtime count badge (e.g. *0/1 Offline* or *1/1 Online*).
- A refresh icon to reload runtime status.
- **Entry Points** tab listing the services exposed by the integration.
- **Supporting Artifacts** tab showing additional artifacts when present.
- **+ Add Runtime** link when no runtimes are registered yet.

When no runtimes are connected, the card shows: *"No runtimes registered for this environment."*
When no runtimes are connected, the card shows: *"No entry points found for this integration. Add runtime to get started."*

### Integration sidebar

Expand Down Expand Up @@ -74,10 +72,10 @@ The **Logs** page shows runtime log entries when both a connected runtime and Op

When operational, the page provides:

- Environment filter
- Log level filter (INFO, WARN, ERROR, DEBUG)
- Time range selector
- Log entries with timestamps, levels, and messages
- **Filtering**: Environment, log level (INFO, WARN, ERROR, DEBUG), time range, and a keyword search bar
- **Display controls**: Sort order (Newest first / Oldest first), auto-fetch toggle for automatic reload, and an entry count showing how many entries are loaded
- **Actions**: Refresh button for manual reload and a download button to export log entries
- **Log entries**: Each entry shows a timestamp, level, and message

### Loggers

Expand Down Expand Up @@ -113,10 +111,10 @@ The **Metrics** page shows request performance data when both a connected runtim

When operational, the page provides:

- Summary cards: Total Requests, Error Count, Error Percentage, and P95 Latency
- Requests Per Minute chart
- Request Latency chart (average, P50, P95, P99)
- Most Used APIs table with per-endpoint request counts and average response times
- **Summary cards**: Total Requests, Error Count, Error Percentage, and P95 Latency
- **Overview charts**: Requests Per Minute and Request Latency (average, P50, P95, P99)
- **Most Used APIs**: Table with per-endpoint request counts, error counts, and average response times
- **Statistics of APIs**: Section with an API filter dropdown, showing Requests Per Minute, Average Request Latency, Successful Requests by API, and Failed Requests by API charts
Comment thread
coderabbitai[bot] marked this conversation as resolved.

### Listeners

Expand All @@ -129,7 +127,7 @@ Ballerina listeners (HTTP, TCP, and other transport listeners) appear in the **E
1. Open the integration and go to **Overview**.
2. In the environment card, click the **Entry Points** tab.
3. Click the listener you want to control. The listener detail panel opens on the right.
4. Use the toggle in the panel to start or stop the listener.
4. Use the toggle (State) in the panel to start or stop the listener.
5. A confirmation dialog appears. Click **Enable** or **Disable** to confirm.

ICP sends a `START` or `STOP` command to every runtime associated with the listener. The listener state updates to **RUNNING** or **STOPPED** once the runtimes acknowledge the command.
Expand Down
2 changes: 1 addition & 1 deletion en/docs/manage/icp/manage-projects.md
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ Clicking a project card opens the project home. It shows all integrations belong
The page includes:

- Project avatar, display name, and description at the top.
- An **Integrations** table with **Name**, **Description**, **Type**, and **Last Updated** columns.
- An **Integrations** table with **Name**, **Description**, **Type**, **Last Updated** and **Actions** columns.
- A **+ Create Integration** button to add a new integration to the project.
- An **Integration Types** summary card on the right showing the count by type (Default, MI, and Total).

Expand Down
6 changes: 3 additions & 3 deletions en/docs/manage/icp/manage-runtimes.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ Runtimes are grouped by environment. Each environment section shows:
| **Type** | Profile type: default profile or MI |
| **Component** | Integration name this runtime belongs to |
| **Status** | Current state: **RUNNING**, OFFLINE, or similar |
| **Version** | Runtime version, or "Not reported" if unavailable |
| **Version** | Runtime version, or "-" if unavailable |
| **Platform** | Ballerina runtime version (e.g. `Ballerina 2201.13.2`) |
| **OS** | Operating system of the host machine |
| **Registration time** | Timestamp of first connection to ICP |
Expand All @@ -43,8 +43,8 @@ Click **+ Add Runtime** on an environment section to generate a secret and get a
## Manage secrets

1. Navigate to the **Runtimes** section at the integration level, then click **Manage Secrets** on any environment section.
2. The secrets panel opens showing unbound secrets for that environment. Unbound secrets are those not yet claimed by any runtime.
3. If all secrets are already in use, the panel shows: *"No unbound secrets for this environment."*
2. The secrets panel opens showing all secrets for that environment - both bound (claimed by a runtime) and unbound (not yet claimed by any runtime).
3. If there are no secrets, the panel shows: *"No secrets for this integration in this environment."*
4. Click the delete icon next to a secret to revoke it.

## Scope differences
Expand Down
4 changes: 3 additions & 1 deletion en/docs/manage/icp/reverse-proxy.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ backendAuthBaseUrl = "https://icp.example.com/auth"
backendObservabilityEndpoint = "https://icp.example.com/icp/observability"
```

These values default to `https://localhost:9446`. ICP automatically propagates them to the console frontend on startup, so `www/config.json` does not need to be edited manually. Restart ICP after saving the file.
If not set, these values default to the values shown above under `https://localhost:9446/...`.

When ICP starts, it reads these settings from `conf/deployment.toml` and propagates them into the console frontend automatically (you do not need to edit `www/config.json` directly). Restart ICP for the changes to take effect.

## Update runtime connections

Expand Down
Loading
Loading