This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

WSO2 ESB provides a secure vault that allows you to store encrypted passwords that are mapped to aliases. This approach allows you to use the aliases instead of the actual passwords in your configuration files for better security. For example, some configurations require the admin username and password. If the admin user password is "admin", you could use the alias UserManager.AdminUser.Password in your configuration file. You would then map that alias to the actual password "admin". At runtime, the ESB will look up this alias in the secure vault and then decrypt and use its password.

Mapping aliases to passwords

There are several aliases such as UserManager.AdminUser.Password already defined for you in the cipher-text.properties file in <ESB_HOME>/repository/conf/security. You map the aliases to plain-text passwords in this file (enter passwords in plain text in square brackets). For example:

UserManager.AdminUser.Password=[admin]

You then run the cipher script to upload them to the secure vault. If you want to create custom aliases, add them to this file before running the script.

You can also add new aliases and passwords in the user interface by clicking Manage Passwords on the Main tab and then entering the vault key (alias) and its password.

Configuring the secure vault

By default, the ESB instance's primary key store (<ESB_HOME>/repository/resources/security/wso2carbon.jks) is used as the secure vault. If you want to use another key store or cipher text properties file, or if you want to use a custom callback class to handle decryption, modify the <ESB_HOME>/repository/conf/security/secret-conf.properties file. For more information on configuring the secure vault and creating custom callback classes, see WSO2 Carbon Secure Vault in the Carbon documentation.

Running the cipher script

To store passwords in the secure vault, run the ciphertool script from the command line as follows:

On Windows:

ciphertool.bat -Dconfigure

On UNIX:

sh ciphertool.sh -Dconfigure

This script reads the aliases and plain-text passwords in cipher-text.properties, encrypts the passwords, and stores them in the secure vault. It uses the settings in the secret-conf.properties file described above.

Using aliases in your configurations

To use an alias in your configuration, you add {wso2:vault-lookup('xx')} to your configuration, where xx is the alias. For example, instead of hard coding the admin user's password like this:

<Password>admin</Password>

You would enter it like this:

<Password>{wso2:vault-lookup('UserManager.AdminUser.Password')}</Password>
  • No labels