WSO2 Carbon ships with a secure vault implementation, which is a modified version of the Synapse secure vault. This guide describes how to secure the plain-text passwords in Carbon configuration files.

Secret Manager

The Secret Manager initializes the secret repository and the keystores. It uses the secret repository to keep the secret values (in encrypted form), and these secrets are accessed through aliases. The keystore is required to create the decryption crypto, which is used to resolve the encrypted secret values. The keystore and the secret repository are configured through the <GREG_HOME>/repository/conf/security/secret-conf.properties file, which is generated when you execute the Cipher tool.

...

The secret repository is used to store the secret values. Currently, only one secret repository is implemented within the secure vault, the FileBaseSecretRepository. It uses the <GREG_HOME>/repository/conf/security/cipher-text.properties file, which maps each alias to its secret in encrypted form (encrypted with a key from the keystore). Custom secret repositories can be written by implementing the SecretRepository and SecretRepositoryProvider classes.

...

  1. A file-based secret repository is used (the <GREG_HOME>/repository/conf/security/cipher-text.properties file).
  2. The Carbon server's primary keystore is used for encrypting and decrypting passwords; it can be found in the <GREG_HOME>/repository/resourcesconf/security/ folder.
  3. DefaultSecretCallbackHandler (org.wso2.carbon.securevault.DefaultSecretCallbackHandler) is used as the password resolver for the keystore password and the private key password of the Carbon server's primary keystore.
  4. SecretManagerSecretCallbackHandler (org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler) is used as the password resolver for all the secret values defined in the Carbon configuration files.
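As an added illustration of the alias-to-ciphertext layout of cipher-text.properties that the FileBaseSecretRepository reads (example code written for this guide, not WSO2 Carbon's own): a small Python reader that loads the file and flags any alias whose value is not base64 ciphertext, i.e. a password that was left in plain text after running the Cipher tool. The file contents, alias names and the 16-byte minimum are constructed for the example; the real repository decrypts each value with the keystore's private key, which this script does not do.

```python
import base64
import binascii
import re

# Constructed sample of <GREG_HOME>/repository/conf/security/cipher-text.properties.
# The base64 values stand in for Cipher tool output; the last alias was never encrypted.
CIPHER_TEXT_PROPERTIES = """\
# alias = ciphertext written by the Cipher tool (base64)
Carbon.Security.KeyStore.Password=U29tZUVuY3J5cHRlZEJ5dGVz
Carbon.Security.TrustStore.Password=QW5vdGhlckVu\\
Y3J5cHRlZEJsb2I=
UserManager.AdminUser.Password=admin
"""

MIN_CIPHERTEXT_BYTES = 16  # assumed heuristic: real keystore ciphertext is far longer

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments, '\\' continuations."""
    secrets, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # line continues on the next physical line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            secrets[match.group(1)] = match.group(2)
    return secrets

def looks_encrypted(value):
    """True if the value is strict base64 of at least MIN_CIPHERTEXT_BYTES; plain passwords fail this."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= MIN_CIPHERTEXT_BYTES

def audit(text):
    """Return (secrets, suspect_aliases): aliases whose value does not look like Cipher tool output."""
    secrets = parse_properties(text)
    return secrets, [alias for alias, v in secrets.items() if not looks_encrypted(v)]

def ciphertext_for(secrets, alias):
    """Alias lookup as the repository does it; the real code then decrypts these bytes with the keystore key."""
    if alias not in secrets:
        raise KeyError(f"no secret registered for alias {alias!r}")
    return base64.b64decode(secrets[alias])

if __name__ == "__main__":
    loaded, suspects = audit(CIPHER_TEXT_PROPERTIES)
    print(f"{len(loaded)} aliases loaded; plain-text suspects: {suspects}")
```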

...