All WSO2 Carbon-based products are shipped with the secure vault functionality that allows you to store encrypted passwords mapped with aliases. This approach allows you to use the aliases instead of the actual passwords in your configuration files for better security. For example, some configurations require the admin username and password. If the admin user password is "admin", you could use the alias UserManager.AdminUser.Password in your configuration file. You would then map that alias to the actual password "admin". At runtime, the ESB will look up this alias in the secure vault and then decrypt and use its password.
See the following topics for details.
Encrypting passwords in WSO2 Carbon products
WSO2 ESB inherits the secure vault functionality from the Carbon platform. Therefore, you can encrypt plain text passwords and other sensitive elements in configuration files of WSO2 ESB using the Cipher Tool that is shipped with the product. For most of the sensitive passwords, you can use the automated encryption process of the Cipher Tool. However, if there are passwords or other sensitive information that cannot be specified with an XPath, you must use the manual process of encryption. See the documentation on encrypting passwords in WSO2 products for instructions on how to use this feature, which is common to all WSO2 Carbon-based products.
Encrypting and storing new passwords via the Management Console
WSO2 ESB has extended the secure vault feature to allow new passwords to be encrypted and stored using the management console.
Follow the steps below to encrypt and store new passwords via the management console.
- Click the Main tab on the Management Console, go to Manage -> Secure Vault Tool and then click Manage Passwords. The Secure Vault Password Management screen appears.
- Click Add New Password, and specify values for the following fields to encrypt and store the password:
  - Vault Key - The alias for the password.
  - Password - The actual password.
  - Re-enter password - The password that you specified as the actual password.
This creates a new password entry in the registry, encrypted and mapped to the alias that you specified.
If you need to retrieve this password in your ESB configuration, you can use the {wso2:vault-lookup('alias')} custom path expression to logically reference the password mapping. See the next section for information on how to use an alias in your configuration.
Using aliases in your configurations
To use an alias in your configuration, you add {wso2:vault-lookup('xx')} to your configuration, where xx is the alias. For example, instead of hard coding the admin user's password as follows:
<Password>admin</Password>
You can encrypt and store the password with the alias AdminUser.Password, and retrieve this password in your ESB configuration as follows:
<Password>{wso2:vault-lookup('AdminUser.Password')}</Password>
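To confirm that a configuration file follows this pattern, a review-time check can flag any <Password> element that still holds a literal value or a broken lookup expression. The script below is an added example, not part of the WSO2 product or its documentation; the function name `audit_config`, the sample configuration and the set of known aliases are constructed for illustration, and treating whitespace inside an alias as an error is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# The lookup form shown on this page: {wso2:vault-lookup('alias')}
LOOKUP = re.compile(r"\{wso2:vault-lookup\('([^'\s]+)'\)\}")

def audit_config(xml_text, known_aliases, sensitive_tags=("Password",)):
    """Classify each sensitive element as ok, plaintext, malformed-lookup,
    unknown-alias or empty. Plaintext values are never echoed back."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]        # drop an XML namespace prefix
        if tag not in sensitive_tags:
            continue
        value = (elem.text or "").strip()
        match = LOOKUP.fullmatch(value)
        if match:
            alias = match.group(1)
            status = "ok" if alias in known_aliases else "unknown-alias"
            findings.append((tag, status, alias))
        elif "vault-lookup" in value:
            # Assumption: whitespace or line breaks inside the alias are a mistake.
            findings.append((tag, "malformed-lookup", repr(value)))
        elif value:
            findings.append((tag, "plaintext", f"{len(value)} chars (redacted)"))
        else:
            findings.append((tag, "empty", ""))
    return findings

# Constructed sample configuration; element names other than <Password> are made up.
SAMPLE = """<config>
  <AdminUser><UserName>admin</UserName><Password>admin</Password></AdminUser>
  <Store><Password>{wso2:vault-lookup('AdminUser.Password')}</Password></Store>
  <Broken><Password>{wso2:vault-lookup('AdminUser.Password
')}</Password></Broken>
  <Db><Password>{wso2:vault-lookup('Db.Password')}</Password></Db>
</config>"""

# Hypothetical list of aliases the operator knows exist in Secure Vault.
KNOWN_ALIASES = {"AdminUser.Password"}

if __name__ == "__main__":
    for tag, status, detail in audit_config(SAMPLE, KNOWN_ALIASES):
        print(f"<{tag}> {status}: {detail}")
```

Pass additional element names through `sensitive_tags` to cover other fields that carry secrets in your own configuration files.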