
Fix: Add deployment.toml configuration for internal keystore for all affected versions (Product IS issue #27537)#6057

Open
wso2-engineering-bot wants to merge 1 commit into master from fixing-product-is-issue-27537-1775827821

@wso2-engineering-bot

This PR was automatically generated by Claude AI.

  • Fixes Missing the deployment.toml configurations to be changed after creating the internal keystore product-is#27537
  • Type: Documentation
  • Summary: Added missing deployment.toml configuration documentation for the internal keystore. After creating an internal keystore using the keytool commands, users need to configure it in deployment.toml. This documentation was missing and has now been added with examples for both PKCS12 and JKS keystore types, including explanations of the configuration parameters and reference to the Cipher Tool for password encryption.
  • Affected Versions: 7.0.0, 7.1.0, 7.2.0, next
  • Verification: mkdocs build passed successfully

The fix is applied to the shared include file (en/includes/deploy/security/keystores/create-new-keystores.md), which automatically applies the changes to all affected versions that use this include.

…affected versions (product-is#27537)

Added missing documentation for configuring the internal keystore in deployment.toml after creation.
Includes configuration examples for both PKCS12 and JKS keystore types with explanations.

This fix applies to IS versions 7.0.0, 7.1.0, 7.2.0, and next (latest).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@coderabbitai

coderabbitai bot commented Apr 10, 2026

📝 Walkthrough

Added documentation content to the internal keystore creation guide, instructing users to update deployment.toml with keystore configurations for both PKCS12 and JKS types, including file names, aliases, passwords using $secret{} syntax, and cipher tool references.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation Update: `en/includes/deploy/security/keystores/create-new-keystores.md` | Added deployment.toml configuration instructions for internal keystore setup, including separate configuration blocks for PKCS12 and JKS keystore types with file name, type, alias, and encrypted password placeholders. Includes explanatory note about `$secret{}` syntax and reference to the Cipher Tool. |

Suggested labels

Team/Identity Server Core

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically identifies the main change: adding deployment.toml configuration documentation for internal keystore with the linked issue reference. |
| Description check | ✅ Passed | The PR description provides purpose, issue links, and change summary, though it omits test environment and security checks sections from the template. |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #27537 by adding the missing deployment.toml configuration examples for both PKCS12 and JKS keystore types with all required parameters. |
| Out of Scope Changes check | ✅ Passed | All changes are in-scope, limited to documentation updates in the shared include file for internal keystore configuration as specified in the linked issue. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Warning

⚠️ This pull request might be slop. It has been flagged by CodeRabbit slop detection and should be reviewed carefully.
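
The keystore block described in the walkthrough above (file name, type, alias, `$secret{}` passwords) can be linted before the server is restarted. This is an added example, not code from the PR or from WSO2; the table name `[keystore.internal]`, the `key_password` key, the sample values and the function names are assumptions, and the reader only understands flat `key = "value"` lines.

```python
import re

# Constructed sample. The table name and key_password are assumptions; the page
# itself only names file_name, type, alias and the $secret{} password syntax.
SAMPLE = '''
[keystore.internal]
file_name = "internal.jks"
type = "PKCS12"
alias = "<internal-key-alias>"
password = "changeit"
key_password = "$secret{internal_keystore_password}"
'''

EXT_FOR_TYPE = {"PKCS12": ".p12", "JKS": ".jks"}   # extensions used on the page
SECRET_REF = re.compile(r"^\$secret\{[^{}\s]+\}$")  # $secret{some_alias}
PLACEHOLDER = re.compile(r"<[^<>]+>")               # <internal-keystore-name> etc.

def read_table(text, table):
    """Collect key = "value" pairs of one table (flat string values only)."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[([^\[\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            continue
        pair = re.fullmatch(r'([\w.-]+)\s*=\s*"(.*)"', line)
        if pair and current == table:
            values[pair.group(1)] = pair.group(2)
    return values

def lint_keystore(text, table="keystore.internal"):
    """Return a list of findings; an empty list means the block looks sane."""
    cfg, findings = read_table(text, table), []
    if not cfg:
        return [f"[{table}] table not found"]
    for key, value in cfg.items():
        if PLACEHOLDER.search(value):
            findings.append(f"{key}: placeholder left unreplaced")
        # Any *password key holding a literal is a plaintext secret on disk.
        if key.endswith("password") and not SECRET_REF.match(value):
            findings.append(f"{key}: not a $secret{{alias}} reference")
    expected = EXT_FOR_TYPE.get(cfg.get("type", "").upper())
    if expected is None:
        findings.append("type: expected PKCS12 or JKS")
    elif not cfg.get("file_name", "").lower().endswith(expected):
        findings.append(f"file_name: extension does not match type (want {expected})")
    return findings
```
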


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
en/includes/deploy/security/keystores/create-new-keystores.md (1)

203-204: Consider more direct phrasing.

The note uses "You should encrypt," which is slightly passive. Per coding guidelines, prefer direct verbs and active voice.

✏️ Suggested more direct phrasing
 !!! note
-    The password values use the `$secret{}` syntax, which references encrypted passwords. You should encrypt the actual keystore password using the [Cipher Tool]({{base_path}}/deploy/security/encrypt-passwords-with-cipher-tool) and use the encrypted value.
+    The password values use the `$secret{}` syntax, which references encrypted passwords. Encrypt the actual keystore password using the [Cipher Tool]({{base_path}}/deploy/security/encrypt-passwords-with-cipher-tool) and use the encrypted value.
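Review bot: Both the old and the new sentence end with "use the encrypted value" while showing `$secret{}` with empty braces, so the note never says what goes between the braces or where the encrypted value is placed. Suggest stating that explicitly in this note, so a reader does not paste a plaintext or encrypted password directly into the password fields.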
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@en/includes/deploy/security/keystores/create-new-keystores.md` around lines
203 - 204, In the note about the $secret{} syntax in create-new-keystores.md,
replace the passive sentence "You should encrypt the actual keystore password
using the [Cipher Tool]... and use the encrypted value." with an active
instruction such as "Encrypt the keystore password using the Cipher Tool and
provide the encrypted value in the $secret{} syntax." Ensure the [Cipher Tool]
link remains and that the note clearly instructs to use the encrypted value.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@en/includes/deploy/security/keystores/create-new-keystores.md`:
- Around line 198-201: Rewrite the placeholder instructions so they clearly
state that `<internal-keystore-name>` is the keystore's base name (no file
extension) while the `file_name` parameter must include the actual filename with
the .jks extension, and clarify that `<internal-key-alias>` is the alias used
when creating the keystore; mirror the clearer phrasing used in the PKCS12
section to avoid contradictory wording.
- Around line 182-186: The placeholder guidance is confusing; update the text
that explains replacing `<internal-keystore-name>` and `<internal-key-alias>` to
remove the contradictory parenthetical and clearly state that users should
replace only the placeholder portion — e.g., keep the example `file_name =
"<internal-keystore-name>.p12"` as-is and instruct "replace
`<internal-keystore-name>` with your keystore name (do not include or remove the
`.p12` suffix in the example as it is already present), and replace
`<internal-key-alias>` with the alias you specified" so readers understand to
substitute just the placeholder parts; adjust the lines referencing
`<internal-keystore-name>` and `file_name = "<internal-keystore-name>.p12"`
accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: aef1eb6d-9e19-4d49-a0c3-39fd89917050

📥 Commits

Reviewing files that changed from the base of the PR and between c976863 and 9370f9c.

📒 Files selected for processing (1)
  • en/includes/deploy/security/keystores/create-new-keystores.md

Comment on lines +182 to +186
Replace the placeholders with the values you used when creating the keystore:

- `<internal-keystore-name>`: The name of your internal keystore file (without the `.p12` extension in the file name, but include it in the `file_name` parameter)
- `<internal-key-alias>`: The alias you specified when creating the keystore


⚠️ Potential issue | 🟡 Minor

Clarify the placeholder replacement instructions.

The current explanation "(without the .p12 extension in the file name, but include it in the file_name parameter)" is confusing and appears contradictory. Since the template already shows file_name = "<internal-keystore-name>.p12", users should understand they only need to replace the placeholder part.

📝 Suggested clearer wording
     Replace the placeholders with the values you used when creating the keystore:
     
-    - `<internal-keystore-name>`: The name of your internal keystore file (without the `.p12` extension in the file name, but include it in the `file_name` parameter)
+    - `<internal-keystore-name>`: The name of your keystore (for example, if your keystore file is `internal.p12`, replace `<internal-keystore-name>` with `internal`)
     - `<internal-key-alias>`: The alias you specified when creating the keystore
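Review bot: The replacement bullet drops the only mention of `file_name`, so it no longer says which setting the placeholder sits in or that the `.p12` extension stays in that value. Suggest keeping a short reference, for example ending the bullet with "the `.p12` extension in `file_name` stays as shown".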

Comment on lines +198 to +201
Replace the placeholders with the values you used when creating the keystore:

- `<internal-keystore-name>`: The name of your internal keystore file (without the `.jks` extension in the file name, but include it in the `file_name` parameter)
- `<internal-key-alias>`: The alias you specified when creating the keystore

⚠️ Potential issue | 🟡 Minor

Clarify the placeholder replacement instructions.

Same clarity issue as the PKCS12 section above. The explanation about the extension is confusing.

📝 Suggested clearer wording
     Replace the placeholders with the values you used when creating the keystore:
     
-    - `<internal-keystore-name>`: The name of your internal keystore file (without the `.jks` extension in the file name, but include it in the `file_name` parameter)
+    - `<internal-keystore-name>`: The name of your keystore (for example, if your keystore file is `internal.jks`, replace `<internal-keystore-name>` with `internal`)
     - `<internal-key-alias>`: The alias you specified when creating the keystore
