Fix: Add deployment.toml configuration for internal keystore for all affected versions (Product IS issue #27537)

en/includes/deploy/security/keystores/create-new-keystores.md

@@ -8,12 +8,12 @@
 2. Generate a keystore using an existing CA-signed certificate
 
 !!! note
     If you are creating a new keystore for [data encryption]({{base_path}}/deploy/security/asymmetric-encryption/use-asymmetric-encryption), make sure to acquire a public key certificate that contains the **Data Encipherment** key usage as explained [here]({{base_path}}/deploy/security/asymmetric-encryption/use-asymmetric-encryption/#recommendations-for-setting-up-keystores).
 
 ## Create a keystore using a new certificate
 
 !!! note
     The pubic key certificate we generate for the keystore is self-signed. For a CA-signed certificate, either [import it into the keystore](#add-ca-signed-certificates-to-keystores) or [create a new keystore with a CA-signed certificate](#create-a-keystore-using-an-existing-certificate).
 
 1. Navigate to the `<IS_HOME>/repository/resources/security/` directory in a command prompt. All keystores should be stored here.
 
@@ -21,7 +21,7 @@
 
     === "JKS"
         ``` bash
         keytool -genkeypair -alias newcert -keyalg RSA -keysize 2048 -keystore newkeystore.jks -dname "CN=<testdomain.org>, OU=Home,O=Home,L=SL,S=WS,C=LK" -storepass mypassword -keypass mypassword 
         ```
 
         This command will create a keystore with the following details.
@@ -31,10 +31,10 @@
         - **Keystore password**: `mypassword`
         - **Private key password**: `mypassword`
 
 
     === "PKCS12"
         ``` bash
         keytool -genkeypair -alias newcert -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore newkeystore.p12 -dname "CN=<testdomain.org>, OU=Home,O=Home,L=SL,S=WS,C=LK" -storepass mypassword -keypass mypassword 
         ```
 
         This command will create a keystore with the following details.
@@ -164,6 +164,45 @@
 
 {% endif %}
 
+After creating the internal keystore, you need to configure it in the `deployment.toml` file located in the `<IS_HOME>/repository/conf/` directory.
+
+Add the following configuration based on your keystore type:
+
+=== "PKCS12"
+
+    ```toml
+    [keystore.internal]
+    file_name = "<internal-keystore-name>.p12"
+    type = "PKCS12"
+    alias = "<internal-key-alias>"
+    password = "$secret{keystore_password}"
+    key_password = "$secret{keystore_password}"
+    ```
+
+    Replace the placeholders with the values you used when creating the keystore:
+
+    - `<internal-keystore-name>`: The name of your internal keystore file (without the `.p12` extension in the file name, but include it in the `file_name` parameter)
+    - `<internal-key-alias>`: The alias you specified when creating the keystore
+
+=== "JKS"
+
+    ```toml
+    [keystore.internal]
+    file_name = "<internal-keystore-name>.jks"
+    type = "JKS"
+    alias = "<internal-key-alias>"
+    password = "$secret{keystore_password}"
+    key_password = "$secret{keystore_password}"
+    ```
+
+    Replace the placeholders with the values you used when creating the keystore:
+
+    - `<internal-keystore-name>`: The name of your internal keystore file (without the `.jks` extension in the file name, but include it in the `file_name` parameter)
+    - `<internal-key-alias>`: The alias you specified when creating the keystore
+
+!!! note
+    The password values use the `$secret{}` syntax, which references encrypted passwords. You should encrypt the actual keystore password using the [Cipher Tool]({{base_path}}/deploy/security/encrypt-passwords-with-cipher-tool) and use the encrypted value.
+
 !!! warning
     Adding an internal keystore to an existing deployment will make already encrypted data unusable. This should be done during initial setup only.