Encrypting Passwords Using Secure Vault

Encrypting passwords provides better security and less vulnerability to security attacks than saving passwords in plain text. WSO2 API Manager provides a secure vault implementation that encrypts passwords, stores them in the registry and maps them to aliases, so that you can use the aliases instead of the actual passwords in configuration files. At runtime, the API Manager looks up aliases in the secure vault and decrypts them.

Shown below is how credentials are given in plain text in a configuration:

<property name="Authorization" expression="fn:concat('Basic ', base64Encode('admin:admin'))" scope="transport"/>

Instead, you can encrypt the password and call the encrypted password alias in an API Manager configuration as follows:

<property name="password" expression="wso2:vault-lookup('secured.endpoint.password')"/>

In the above example, vault-lookup is a call to look up the password alias named secured.endpoint.password in the configuration registry path /repository/components/secure-vault where the password is stored.

Before using secured endpoints in your API definition,

Set the element <EnableSecureVault> in <APIM_HOME>/repository/conf/api-manager.xml to true. By default, the system stores passwords in configuration files in plain text because this values is set to false.
Define synapse property in the synapse.properties file as follows: synapse.xpath.func.extensions=org.wso2.carbon.mediation.security.vault.xpath.SecureVaultLookupXPathFunctionProvider.
Run the cipher tool available in <APIM_HOME>/bin to create secret repositories. The command is #ciphertool.bat/sh -Dconfigure. For more information on cipher tool, see Carbon Secure Vault Implementation. Also see Fixing Security Vulnerabilities for information on configuring cipher at the Tomcat level.