Add documentation regarding the configuration to use the truststore for self signed certificates when invoking actions #6040

Merged
ashanthamara merged 2 commits into wso2:master from ashanthamara:patch-2
Apr 8, 2026

@ashanthamara
Contributor

…or self signed certificates when invoking actions
Copilot AI review requested due to automatic review settings April 7, 2026 20:54
@coderabbitai
Contributor

coderabbitai bot commented Apr 7, 2026

📝 Walkthrough

Added WSO2 Identity Server–specific troubleshooting steps for self-signed certificate failures affecting custom authenticators and action invocations: import the external service certificate into the Carbon client truststore and, for IS update versions <= 7.2.0, enable `[actions.http_client] use_carbon_truststore = true` in `deployment.toml`. Also inserted a blank line for `is_version > "7.2.0"`.

Changes

| Cohort / File(s) | Summary |
|---|---|
| WSO2 Identity Server troubleshooting docs: `en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md`, `en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md` | Added a new troubleshooting step for self-signed certificate validation failures: instruct importing the external service certificate into `<IS_HOME>/repository/resources/security/client-truststore.jks`; for `is_version <= "7.2.0"` add `[actions.http_client] use_carbon_truststore = true` to `deployment.toml`. Included version-gated note blocks for `is_version == "7.1.0"` and `is_version == "7.2.0"`, and inserted a blank line for `(product_name == "WSO2 Identity Server" and is_version > "7.2.0")`. |

Suggested labels

Team/Identity Server Core

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is incomplete. It lacks required sections: Test environment details and Security checks checklist are missing entirely. | Add Test environment section listing tested JDK versions, operating systems, and browsers. Include the Security checks checklist with all three items marked as complete or not applicable. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: adding documentation about truststore configuration for self-signed certificates when invoking actions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Contributor

Copilot AI left a comment

Pull request overview

Adds troubleshooting documentation for WSO2 Identity Server on using the Carbon truststore for outbound HTTPS calls when invoking service extensions (actions and custom authenticators), specifically for scenarios involving self-signed certificates.

Changes:

  • Documented how to enable using the Carbon truststore for action invocations via deployment.toml.
  • Documented the same truststore configuration for custom authenticator invocations.
  • Added version/update-level notes for when the configuration becomes available.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

| File | Description |
|---|---|
| `en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md` | Adds a troubleshooting step describing truststore import + `use_carbon_truststore` configuration for action HTTPS calls. |
| `en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md` | Adds a troubleshooting step describing truststore import + `use_carbon_truststore` configuration for custom authenticator HTTPS calls. |

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md (1)

693-694: ⚠️ Potential issue | 🔴 Critical

Add blank line before the heading.

The pipeline check fails because the heading on line 694 lacks a blank line above it. Markdown headings should be surrounded by blank lines for proper rendering and linting compliance.

🔧 Proposed fix
 {% if (product_name == "WSO2 Identity Server" and is_version > "7.2.0" ) %}
+
 ## Custom authentication with app-native authentication
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md`
around lines 693 - 694, Add a blank line immediately above the heading "##
Custom authentication with app-native authentication" in the conditional block
that starts with "{% if (product_name == \"WSO2 Identity Server\" and is_version
> \"7.2.0\" ) %}" so the markdown heading is separated by an empty line and
passes the linter; ensure there is exactly one empty line above that heading.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md`:
- Line 178: Split the long sentence into two clear sentences: one instructing to
import the self-signed certificate into the WSO2 Carbon truststore
(client-truststore.jks) and a second instructing to configure {{product_name}}
to use that truststore for outbound HTTPS calls; also change "made by custom
authenticator" to "made by custom authenticators" (or "made by a custom
authenticator") so the noun and article agree. Ensure each sentence stays under
~30 words and retains the original references to client-truststore.jks and
{{product_name}}.

In
`@en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md`:
- Line 138: The sentence about self-signed certificates is too long and combines
two instructions; split it into two clear sentences: one stating to import the
certificate into the WSO2 Carbon truststore (client-truststore.jks under
<IS_HOME>/repository/resources/security/) and a second instructing to configure
{{product_name}} to use that truststore for outbound HTTPS calls made by
actions, ensuring readability and keeping each sentence under 30 words.

---

Outside diff comments:
In
`@en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md`:
- Around line 693-694: Add a blank line immediately above the heading "## Custom
authentication with app-native authentication" in the conditional block that
starts with "{% if (product_name == \"WSO2 Identity Server\" and is_version >
\"7.2.0\" ) %}" so the markdown heading is separated by an empty line and passes
the linter; ensure there is exactly one empty line above that heading.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 9abb4f3c-cf2f-4a2e-86c5-6c6ac159ed96

📥 Commits

Reviewing files that changed from the base of the PR and between 36e9175 and cd7ed5f.

📒 Files selected for processing (2)
  • en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md
  • en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md`:
- Line 138: Revise the sentence to use active voice and precise terminology:
replace "WSO2 Carbon truststore" with "Carbon client truststore" and change
"ensure the certificate is imported" to "import the external service certificate
into the Carbon client truststore (client-truststore.jks)"; add a brief example
command using keytool (e.g., keytool -importcert -file <cert.pem> -alias <alias>
-keystore client-truststore.jks) and include or link to the existing certificate
import documentation for full steps; update the text around the {{product_name}}
placeholder and split the import instruction from any subsequent configuration
guidance as suggested.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: eb5f8681-1997-4663-bc1a-df18b15db951

📥 Commits

Reviewing files that changed from the base of the PR and between cd7ed5f and 2cdcaaa.

📒 Files selected for processing (2)
  • en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md
  • en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md (1)

138-139: ⚠️ Potential issue | 🟠 Major

Use active voice, precise terminology, and provide import instructions.

Several issues need addressing:

  1. Passive voice: "ensure the certificate is imported" should use active voice per coding guidelines.
  2. Imprecise terminology: The file path shows client-truststore.jks, so use "Carbon client truststore" for precision.
  3. Missing instructions: No guidance on how to import the certificate. Either provide a brief example or link to certificate import documentation.
✍️ Proposed revision
-3. If your external service uses a self-signed certificate, ensure the certificate is imported into the WSO2 Carbon truststore. By default, {{product_name}} uses the WSO2 Carbon truststore at `<IS_HOME>/repository/resources/security/client-truststore.jks`.
+3. If your external service uses a self-signed certificate, import the external service certificate into the Carbon client truststore (`<IS_HOME>/repository/resources/security/client-truststore.jks`). Use the Java `keytool` command to import the certificate:
+
+    ```bash
+    keytool -importcert -file <certificate-file> -alias <alias> -keystore <IS_HOME>/repository/resources/security/client-truststore.jks
+    ```
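
Review bot: the `keytool -importcert` line in the added bash block imports `<certificate-file>` with no step that checks what is being trusted. A self-signed certificate has no CA chain to vouch for it, so the step should first have the reader print the certificate (`keytool -printcert -file <certificate-file>`) and compare its fingerprint with the one the external service's owner provides. The command also carries no `-storepass`, so it is worth stating that keytool prompts for the truststore password.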

Alternatively, if certificate import documentation exists elsewhere:

-3. If your external service uses a self-signed certificate, ensure the certificate is imported into the WSO2 Carbon truststore. By default, {{product_name}} uses the WSO2 Carbon truststore at `<IS_HOME>/repository/resources/security/client-truststore.jks`.
+3. If your external service uses a self-signed certificate, import the external service certificate into the Carbon client truststore (`<IS_HOME>/repository/resources/security/client-truststore.jks`). For detailed import instructions, see [Managing keystores]({{base_path}}/deploy/security/keystores).
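
Review bot: the `+` line drops the second sentence of the removed line ("By default, {{product_name}} uses the WSO2 Carbon truststore at ..."), so the step no longer tells the reader that this truststore is the one consulted for the outbound call. Keep a sentence to that effect alongside the new import instruction. The target of the added `[Managing keystores]` link is not visible in this hunk, so confirm that `{{base_path}}/deploy/security/keystores` resolves before merging.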

As per coding guidelines, use active voice and present tense, and use precise technical terminology.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md`
around lines 138 - 139, Rewrite the sentence to active voice and use precise
terminology by referring to the "Carbon client truststore
(client-truststore.jks)"; then add a brief certificate import example using
keytool (showing placeholders for <certificate-file>, <alias>, and
<IS_HOME>/repository/resources/security/client-truststore.jks) and/or a link to
the certificate import documentation so readers can follow exact steps—update
the paragraph in setting-up-actions.md to include the active-voice sentence and
the keytool import example or doc link.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md`:
- Around line 178-179: Rewrite the passive sentence to active voice and use
precise terminology by saying "Import the certificate into the Carbon client
truststore (client-truststore.jks)." Add a short certificate-import example
using the Java keytool (provide a one-line keytool command template with
placeholders for <certificate-file>, <alias>, and the keystore path) and/or add
a link to existing certificate-import documentation; update the sentence in
custom-authentication.md where the current client-truststore.jks reference
appears.

---

Duplicate comments:
In
`@en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md`:
- Around line 138-139: Rewrite the sentence to active voice and use precise
terminology by referring to the "Carbon client truststore
(client-truststore.jks)"; then add a brief certificate import example using
keytool (showing placeholders for <certificate-file>, <alias>, and
<IS_HOME>/repository/resources/security/client-truststore.jks) and/or a link to
the certificate import documentation so readers can follow exact steps—update
the paragraph in setting-up-actions.md to include the active-voice sentence and
the keytool import example or doc link.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 2d28b2fb-e215-46a5-ae8f-612eb6581a51

📥 Commits

Reviewing files that changed from the base of the PR and between 2cdcaaa and 72e6a1f.

📒 Files selected for processing (2)
  • en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md
  • en/includes/guides/service-extensions/pre-flow-extensions/setting-up-actions.md

Comment on lines +178 to +179
4. If your external service uses a self-signed certificate, ensure the certificate is imported into the WSO2 Carbon truststore. By default, {{product_name}} uses the WSO2 Carbon truststore at `<IS_HOME>/repository/resources/security/client-truststore.jks`.

Contributor

⚠️ Potential issue | 🟠 Major

Use active voice, precise terminology, and provide import instructions.

Several issues need addressing:

  1. Passive voice: "ensure the certificate is imported" should use active voice per coding guidelines.
  2. Imprecise terminology: The file path shows client-truststore.jks, so use "Carbon client truststore" for precision.
  3. Missing instructions: No guidance on how to import the certificate. Either provide a brief example or link to certificate import documentation.
✍️ Proposed revision
-4. If your external service uses a self-signed certificate, ensure the certificate is imported into the WSO2 Carbon truststore. By default, {{product_name}} uses the WSO2 Carbon truststore at `<IS_HOME>/repository/resources/security/client-truststore.jks`.
+4. If your external service uses a self-signed certificate, import the external service certificate into the Carbon client truststore (`<IS_HOME>/repository/resources/security/client-truststore.jks`). Use the Java `keytool` command to import the certificate:
+
+    ```bash
+    keytool -importcert -file <certificate-file> -alias <alias> -keystore <IS_HOME>/repository/resources/security/client-truststore.jks
+    ```

Alternatively, if certificate import documentation exists elsewhere:

-4. If your external service uses a self-signed certificate, ensure the certificate is imported into the WSO2 Carbon truststore. By default, {{product_name}} uses the WSO2 Carbon truststore at `<IS_HOME>/repository/resources/security/client-truststore.jks`.
+4. If your external service uses a self-signed certificate, import the external service certificate into the Carbon client truststore (`<IS_HOME>/repository/resources/security/client-truststore.jks`). For detailed import instructions, see [Managing keystores]({{base_path}}/deploy/security/keystores).

As per coding guidelines, use active voice and present tense, and use precise technical terminology.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
4. If your external service uses a self-signed certificate, ensure the certificate is imported into the WSO2 Carbon truststore. By default, {{product_name}} uses the WSO2 Carbon truststore at `<IS_HOME>/repository/resources/security/client-truststore.jks`.
4. If your external service uses a self-signed certificate, import the external service certificate into the Carbon client truststore (`<IS_HOME>/repository/resources/security/client-truststore.jks`). For detailed import instructions, see [Managing keystores]({{base_path}}/deploy/security/keystores).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@en/includes/guides/service-extensions/in-flow-extensions/custom-authentication.md`
around lines 178 - 179, Rewrite the passive sentence to active voice and use
precise terminology by saying "Import the certificate into the Carbon client
truststore (client-truststore.jks)." Add a short certificate-import example
using the Java keytool (provide a one-line keytool command template with
placeholders for <certificate-file>, <alias>, and the keystore path) and/or add
a link to existing certificate-import documentation; update the sentence in
custom-authentication.md where the current client-truststore.jks reference
appears.

@ashanthamara ashanthamara merged commit c0f0ad3 into wso2:master Apr 8, 2026
5 checks passed