WSO2 ESB provides a secure vault that allows you to store encrypted passwords that are mapped to aliases. This approach allows you to use the aliases instead of the actual passwords in your configuration files for better security. For example, some configurations require the admin username and password. If the admin user password is "admin", you could use the alias UserManager.AdminUser.Password in your configuration file. You would then map that alias to the actual password "admin". At runtime, the ESB will look up this alias in the secure vault and then decrypt and use its password.

See the following topics for details.


Encrypting passwords in WSO2 Carbon products

...

Mapping aliases to passwords

There are several aliases such as UserManager.AdminUser.Password already defined for you in the cipher-text.properties file in <ESB_HOME>/repository/conf/security. You map the aliases to plain-text passwords in this file (enter passwords in plain text in square brackets). For example:

UserManager.AdminUser.Password=[admin]

You then run the cipher script to upload them to the secure vault. If you want to create custom aliases, add them to this file before running the script.

You can also add new aliases and passwords in the user interface by clicking Manage Passwords on the Main tab and then entering the vault key (alias) and its password.

Configuring the secure vault

By default, the ESB instance's primary key store (<ESB_HOME>/repository/resources/security/wso2carbon.jks) is used as the secure vault. If you want to use another key store or cipher text properties file, or if you want to use a custom callback class to handle decryption, modify the <ESB_HOME>/repository/conf/security/secret-conf.properties file. For more information on configuring the secure vault and creating custom callback classes, see WSO2 Carbon Secure Vault in the Carbon documentation.

Running the cipher script

To store passwords in the secure vault, run the ciphertool script from the command line as follows:

On Windows:

ciphertool.bat -Dconfigure

On UNIX:

sh ciphertool.sh -Dconfigure

This script reads the aliases and plain-text passwords in cipher-text.properties, encrypts the passwords, and stores them in the secure vault. It uses the settings in the secret-conf.properties file described above.

Encrypting and storing new passwords via the Management Console

WSO2 ESB has extended the secure vault feature to allow new passwords to be encrypted and stored using the management console. 

Follow the steps below to encrypt and store new passwords via the ESB Management Console.

  1. Run the cipher script as specified above to set up the secure vault environment.
  2. Click the Main tab on the Management Console, go to Manage -> Secure Vault Tool and then click Manage Passwords. The Secure Vault Password Management screen appears.
  3. Click Add New Password to encrypt and store, and then specify values for the following fields:
    Vault Key - The alias for the password.
    Password -  The actual password.
    Re-enter password - The same password, entered again for confirmation.
    This creates a new password entry in the registry, encrypted and mapped to the alias that you specified.

If you need to retrieve this password in your ESB configuration, you can use the {wso2:vault-lookup('alias')} custom path expression to logically reference the password mapping. See the next section for information on how to use an alias in your configuration.

...

You can encrypt and store the password with the alias AdminUser.Password, and retrieve this password in your ESB synapse configuration as follows:

...
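The two file formats described above (the alias-to-password mapping in cipher-text.properties, and the {wso2:vault-lookup('alias')} reference in a Synapse configuration) lend themselves to a simple consistency check before a deployment: every alias referenced from the configuration should exist in the vault file, and no alias should still carry its plain-text value in square brackets, which is what the cipher script consumes. The following is an added example, not code from the WSO2 ESB documentation or product. It assumes only the formats shown on this page; the file contents embedded in it are constructed samples, and the encrypted value is a placeholder rather than real ciphertool output.

```python
"""Cross-check WSO2 ESB secure-vault aliases against a Synapse configuration.

Added example (not WSO2 code). Assumptions:
  * cipher-text.properties holds "alias=value" lines, where a value still
    wrapped in square brackets, e.g. [admin], is a plain-text password that
    the cipher script has not yet encrypted (format from the page above).
  * Synapse configuration references a vault entry with the custom path
    expression {wso2:vault-lookup('alias')} (also from the page above).
The sample file bodies below are constructed for this example.
"""
import re

# A value still in square brackets is a plain-text password awaiting encryption.
PLAINTEXT_RE = re.compile(r"^\[(.*)\]$")
# The vault-lookup path expression shown on the page.
VAULT_LOOKUP_RE = re.compile(r"\{wso2:vault-lookup\('([^']+)'\)\}")

SAMPLE_CIPHER_TEXT = """\
# constructed sample of <ESB_HOME>/repository/conf/security/cipher-text.properties
UserManager.AdminUser.Password=[admin]
AdminUser.Password=[admin]
Carbon.Security.KeyStore.Password=PLACEHOLDER_ENCRYPTED_VALUE_NOT_REAL==
"""

SAMPLE_SYNAPSE_XML = """\
<!-- constructed sample Synapse configuration; element names are illustrative -->
<proxy xmlns="http://ws.apache.org/ns/synapse" name="VaultDemoProxy">
  <parameter name="adminPassword">{wso2:vault-lookup('AdminUser.Password')}</parameter>
  <parameter name="mailPassword">{wso2:vault-lookup('Mail.Password')}</parameter>
</proxy>
"""


def parse_cipher_text(text):
    """Return {alias: (value, is_plaintext)} from a cipher-text.properties body.

    Comment lines (# or !) and blank lines are skipped, as in Java properties.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        alias, _, value = line.partition("=")
        value = value.strip()
        match = PLAINTEXT_RE.match(value)
        entries[alias.strip()] = (match.group(1) if match else value, bool(match))
    return entries


def vault_aliases_in_config(xml_text):
    """Return the sorted, de-duplicated aliases referenced via vault-lookup."""
    return sorted(set(VAULT_LOOKUP_RE.findall(xml_text)))


def audit(cipher_text, synapse_xml):
    """Report aliases still in plain text and references with no vault entry."""
    entries = parse_cipher_text(cipher_text)
    referenced = vault_aliases_in_config(synapse_xml)
    return {
        # Entries the cipher script has not yet encrypted; these must not ship.
        "plaintext": sorted(a for a, (_, plain) in entries.items() if plain),
        # vault-lookup references that would fail at runtime: no such alias.
        "missing": [a for a in referenced if a not in entries],
        "referenced": referenced,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CIPHER_TEXT, SAMPLE_SYNAPSE_XML)
    for key, aliases in report.items():
        print(f"{key}: {', '.join(aliases) or '(none)'}")
```

Run it against the real files by reading `<ESB_HOME>/repository/conf/security/cipher-text.properties` and the Synapse configuration into the two arguments of `audit`; a non-empty `plaintext` list means the cipher script still has to be run (or that the file was re-edited after encryption), and a non-empty `missing` list points at an alias that was never added to the vault.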