All WSO2 Carbon-based products are shipped with the secure vault functionality, which allows you to store encrypted passwords mapped to aliases. You can then use the aliases instead of the actual passwords in your configuration files for better security. For example, some configurations require the admin username and password. If the admin user password is "admin", you could use the alias UserManager.AdminUser.Password in your configuration file. You would then map that alias to the actual password "admin". At runtime, WSO2 ESB looks up this alias in the secure vault, decrypts the mapped password, and uses it.
...
WSO2 ESB inherits the secure vault functionality from the Carbon platform. Therefore, you can encrypt plain text passwords and other sensitive elements in the configuration files of WSO2 ESB using the Cipher Tool that is shipped with the product. For most of the sensitive passwords, you can use the automated encryption process with the Cipher Tool. However, if there are passwords or other sensitive information that cannot be specified with an XPath, you must use the manual encryption process. See the documentation on encrypting passwords in WSO2 products for instructions on how to use this feature, which is common to all WSO2 Carbon-based products.
...