The conf directory of WSO2 products contains configuration files which hold sensitive information such as passwords. This section describes how to secure the plain text passwords in these configuration files. For a clear understanding of the secure vault implementation, see here.
Note: these configurations are only valid for Carbon 3.2.X products. In the 4.X.X releases the steps are the same, although there are new configuration files. For example, the "master-datasources.xml" file, which can be found in "...", is used to configure all data source related configurations; therefore the database connection passwords are in this file.
First, let us see what secret information can be secured. The following are the alias names and the corresponding secrets in the Carbon configuration files. Each of these can be secured.
In user-mgt.xml
    UserManager.AdminUser.Password -> Admin User password in user-mgt.xml
    UserManager.Configuration.Property.password -> User Manager database connection password in user-mgt.xml (Only in 3.2.X)
    UserStoreManager.Property.ConnectionPassword -> User store connection password in user-mgt.xml
In registry.xml (Only in 3.2.X)
    wso2registry.[Registry Name].password -> Registry database connection password in registry.xml
In carbon.xml
    Carbon.Security.KeyStore.Password -> Keystore password of Carbon server in carbon.xml
    Carbon.Security.KeyStore.KeyPassword -> Private key password of Carbon server in carbon.xml
    Carbon.Security.TrustStore.Password -> Trust store password of Carbon server in carbon.xml
In mgt-transport.xml (Only in 3.2.X)
    transports.https.keystorePass -> SSL key and keystore password in mgt-transport.xml
In master-datasources.xml (With Carbon 4.0.X only)
    Datasources.[Data source name].Configuration.Password -> Database connection password of the defined data source. There can be more than one data source configuration in this file.
Secure vault can also be used to secure the passwords in the axis2.xml file.
    Axis2.Https.Listener.TrustStore.Password -> NIO Listener SSL trust store password in axis2.xml
    Axis2.Https.Listener.KeyStore.Password -> NIO Listener SSL keystore password in axis2.xml
    Axis2.Https.Listener.KeyStore.KeyPassword -> NIO Listener SSL key password in axis2.xml
    Axis2.Https.Sender.TrustStore.Password -> NIO Sender SSL trust store password in axis2.xml
    Axis2.Https.Sender.KeyStore.Password -> NIO Sender SSL keystore password in axis2.xml
    Axis2.Https.Sender.KeyStore.KeyPassword -> NIO Sender SSL key password in axis2.xml
    Axis2.Mailto.Parameter.Password -> Email sender password in axis2.xml
Step 1
Locate cipher-text.properties, which can be found in the <PRODUCT_HOME>/repository/conf directory. This file contains the alias names and the corresponding plain text password in square brackets.
- Encrypt the passwords defined in the cipher-text.properties file.
- Remove the plain text passwords from the configuration files.
- Configure the secret-conf.properties file.
For the default way of providing the master password, see here. You can also write your own implementation; for a sample implementation that hard codes the master password, see here.
To configure a new master password callback handler:
- In the secret-conf.properties file, replace the default password handler class name (org.wso2.carbon.securevault.DefaultSecretCallbackHandler) with your own one (for example com.sample.password.callback.handler.HardCodedSecretCallbackHandler).
- Copy your implementation as a Jar file into the <PRODUCT_HOME>/repository/components/lib directory.
- If you have secured the passwords in the mgt-transport.xml file, also copy your Jar file to the <PRODUCT_HOME>/lib/api directory.
- Restart the server.
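As an added example (not code from this page or from WSO2), the handler below supplies the master password from an environment variable or from a root-only file instead of hard coding it in the Jar, so the secret that unlocks every other secret is not readable by whoever can read the classpath. It assumes the secure vault API used by Carbon 3.2.x/4.0.x handlers, namely org.wso2.securevault.secret.AbstractSecretCallbackHandler, whose handleSingleSecretCallback(SingleSecretCallback) is called once for each secret the server needs, and SingleSecretCallback.setSecret(String). The class name, package name, environment variable names and file path convention are all assumptions made for this example.

```java
package com.sample.password.callback.handler;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.List;

import org.wso2.securevault.secret.AbstractSecretCallbackHandler;
import org.wso2.securevault.secret.SingleSecretCallback;

/**
 * Added example, not part of the WSO2 code base. Resolves the master password
 * (the keystore / private key password secure vault uses to decrypt
 * cipher-text.properties) at startup instead of embedding it as a constant.
 *
 * Assumed lookup order (both names are assumptions for this example):
 *   1. environment variable WSO2_MASTER_PASSWORD
 *   2. first line of the file named by WSO2_MASTER_PASSWORD_FILE
 */
public class EnvSecretCallbackHandler extends AbstractSecretCallbackHandler {

    static final String ENV_PASSWORD = "WSO2_MASTER_PASSWORD";
    static final String ENV_PASSWORD_FILE = "WSO2_MASTER_PASSWORD_FILE";

    /** Cached so the file is read once even when several secrets are requested. */
    private volatile String cached;

    @Override
    protected void handleSingleSecretCallback(SingleSecretCallback singleSecretCallback) {
        String secret = resolveMasterPassword();
        if (secret == null) {
            // Fail closed: an empty secret would only surface later as an opaque
            // decryption failure, so refuse to start with a clear message instead.
            throw new IllegalStateException("Master password not found: set "
                    + ENV_PASSWORD + " or " + ENV_PASSWORD_FILE);
        }
        singleSecretCallback.setSecret(secret);
    }

    private String resolveMasterPassword() {
        String value = cached;
        if (value == null) {
            value = fromEnvironment(System.getenv(ENV_PASSWORD), System.getenv(ENV_PASSWORD_FILE));
            cached = value;
        }
        return value;
    }

    /**
     * Pure lookup so the rules can be unit tested without touching the real
     * environment. Returns null when no usable password is available.
     */
    static String fromEnvironment(String direct, String filePath) {
        if (direct != null && !direct.isEmpty()) {
            return direct;
        }
        if (filePath != null && !filePath.isEmpty()) {
            try {
                List<String> lines = Files.readAllLines(Paths.get(filePath), StandardCharsets.UTF_8);
                String first = lines.isEmpty() ? "" : lines.get(0).trim();
                return first.isEmpty() ? null : first;
            } catch (IOException e) {
                throw new IllegalStateException("Cannot read master password file " + filePath, e);
            }
        }
        return null;
    }
}
```

Point the handler class name in secret-conf.properties at com.sample.password.callback.handler.EnvSecretCallbackHandler and package the class as a Jar as described above. Prefer the file variant on shared hosts: environment variables of a running JVM are visible to any process running as the same user (for example through /proc/<pid>/environ on Linux), while a password file can be restricted to the Carbon service account with mode 0400.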