WSO2 Carbon ships with a Secure Vault implementation, which is a modified version of the Synapse Secure Vault. This guide describes how to secure the plain text passwords in Carbon configuration files.
Secret Manager
...
This is used to store the secret values. Currently, there is only one Secret Repository implemented within Secure Vault: FileBaseSecretRepository. It uses cipher-text.properties, which can be found in the <PRODUCT_HOME>/repository/conf/security folder. It stores aliases vs. their actual secrets in encrypted format (encrypted via a key in the keystore). Any secret repository can be written by implementing the SecretRepository and SecretRepositoryProvider classes.
Secret Callback
This provides the actual password for a given alias. There is a SecretManagerSecretCallbackHandler, which is combined with the Secret Manager to resolve the secret. Any callback can be written by implementing the SecretCallbackHandler class.
Secret Resolver
Any configuration builder that uses secret information within its own configuration file needs to initialize the Secret Resolver when building its own configuration. The Secret Resolver keeps a list of secured elements that need to be defined in the configuration file with secret aliases. Secret Resolver initializes the Secret Callback handler class, which is defined in the configuration file.
...
- A file-based Secret Repository is used. The cipher-text.properties file can be found in the <PRODUCT_HOME>/repository/conf/security folder.
- The Carbon server's primary keystore is used for encrypting and decrypting passwords. It can be found in the <PRODUCT_HOME>/repository/resources/security folder.
- DefaultSecretCallbackHandler (or, to be specific, org.wso2.carbon.securevault.DefaultSecretCallbackHandler) is used as the password resolver for the keystore password and the private key password of the Carbon server's primary keystore.
- SecretManagerSecretCallbackHandler (or, to be specific, org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler) is used as the password resolver for all the secret values that are defined in the Carbon configuration files.
...
- This option allows the user to secure plain text passwords in carbon configuration files.
- Read alias values and their corresponding plain text passwords from the cipher-text.properties file. Note that the CipherTool treats plain text defined within square brackets as a plain text password. If no password is specified in the cipher-text.properties file for an alias, the user needs to provide it through the command line.
- Check whether the alias is a known password alias in the Carbon configurations. If it is, the tool modifies the configuration element and its file: it replaces the plain text value of the configuration element with the alias name, defines a Secret Callback in the configuration file, and adds the proper namespaces for defining the Secure Vault.
- Encrypt the plain text value using the primary keystore of the Carbon server. (Details of the primary keystore are taken from the carbon.xml file, which can be found in the <PRODUCT_HOME>/repository/conf folder.)
- Replace the plain text values in the cipher-text.properties file with the encrypted passwords.
- Add the default configuration to the secret-conf.properties file.
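The steps above, together with the Secret Repository, Secret Callback and Secret Resolver roles described earlier, can be seen end to end in the following added example. It is illustrative Python written for this guide, not the CipherTool's or Secure Vault's own code. It models the configure pass (bracket detection in cipher-text.properties, the command-line prompt for aliases without a value, rewriting of the properties file, and tagging of the configuration element with an alias under the svns namespace) and then the runtime path where a resolver hands an alias to the repository for decryption. The cipher-text.properties content, the XML fragment and the alias names are constructed sample data; the encrypt/decrypt pair is a reversible stand-in for the real RSA encryption with the primary keystore and is marked as such in the code.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

# Secure Vault namespace carried by secured elements (svns:secretAlias="...").
SVNS = "http://org.wso2.securevault/configuration"
ET.register_namespace("svns", SVNS)

# CipherTool rule from the guide: a value in square brackets is a plain text password.
PLAIN_RE = re.compile(r"^\[(.*)\]$")

# Constructed sample cipher-text.properties: one bracketed plain text value,
# one alias with no value (to be supplied on the command line) and one already encrypted.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real WSO2 file
Carbon.Security.KeyStore.Password=[wso2carbon]
Carbon.Security.TrustStore.Password=
Already.Encrypted.Secret=ENC:YWxyZWFkeQ==
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for cipher-text.properties (comments and blanks skipped)."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def classify(props: Dict[str, str]) -> Tuple[Dict[str, str], List[str], Dict[str, str]]:
    """Split entries into: plain text to encrypt, aliases needing a prompt, entries kept as-is."""
    plain, prompt, keep = {}, [], {}
    for alias, value in props.items():
        match = PLAIN_RE.match(value)
        if match:
            plain[alias] = match.group(1)
        elif value == "":
            prompt.append(alias)  # the tool asks for this password on the command line
        else:
            keep[alias] = value   # already encrypted, left untouched
    return plain, prompt, keep


# STAND-IN for the real step (RSA encryption with the primary keystore's public key):
# reversible base64 so the example runs offline. This is not encryption; do not reuse it.
def demo_encrypt(plain: str) -> str:
    return "ENC:" + base64.b64encode(plain.encode()).decode()


def demo_decrypt(cipher: str) -> str:
    if not cipher.startswith("ENC:"):
        raise ValueError("not a demo ciphertext")
    return base64.b64decode(cipher[4:]).decode()


def configure(props_text: str, prompted: Dict[str, str],
              encrypt: Callable[[str], str]) -> Dict[str, str]:
    """The -Dconfigure pass: every plain text value (bracketed or prompted) is replaced by ciphertext."""
    plain, prompt, keep = classify(parse_properties(props_text))
    missing = [alias for alias in prompt if alias not in prompted]
    if missing:
        raise ValueError(f"no password given for alias(es): {missing}")
    secured = dict(keep)
    for alias, value in plain.items():
        secured[alias] = encrypt(value)
    for alias in prompt:
        secured[alias] = encrypt(prompted[alias])
    return secured


def secure_element(config_xml: str, element: str, alias: str) -> str:
    """Replace an element's plain text value with a placeholder and tag it with svns:secretAlias."""
    root = ET.fromstring(config_xml)
    node = root.find(element)
    if node is None:
        raise KeyError(element)
    node.text = "password"  # assumed placeholder; the real value now lives only in the repository
    node.set(f"{{{SVNS}}}secretAlias", alias)
    return ET.tostring(root, encoding="unicode")


class FileBaseSecretRepository:
    """Alias -> encrypted secret store that decrypts on lookup (models the file-based repository)."""

    def __init__(self, secured: Dict[str, str], decrypt: Callable[[str], str]):
        self._secured, self._decrypt = secured, decrypt

    def get_secret(self, alias: str) -> str:
        return self._decrypt(self._secured[alias])


def resolve(config_xml: str, element: str, repo: FileBaseSecretRepository) -> str:
    """Secret Resolver: an element carrying secretAlias is answered by the repository, otherwise the literal is used."""
    node = ET.fromstring(config_xml).find(element)
    if node is None:
        raise KeyError(element)
    alias = node.get(f"{{{SVNS}}}secretAlias")
    return repo.get_secret(alias) if alias else (node.text or "")
```

Running `configure()` on the sample without a value for the empty alias raises, which is the point at which the real tool prompts on the command line; after `secure_element()` the XML no longer contains the password, only the alias, and `resolve()` only recovers it through the repository.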
-Dchange (sh ciphertool.sh -Dchange)
- This option allows the user to change a secured password.
The default Secret CallbackHandler
...