This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Secure Plain Text Passwords
The conf
directory of WSO2 products consists of configuration files which contain hidden information like passwords. This section describes how we can secure the plain text passwords in these configuration files. For a clear understanding about secure vault implementation, see here .
Please note these configurations are only valid for carbon 3.2.X products. However, in the 4.X.X releases, the steps are same although there are new configuration files. For example, we have "master-datasources.xml" file which can be found in "conf/datasources
". In this file, we configure all data source related configurations. Therefore, the database configuring passwords would be in this file.
The following are the alias names and hidden information pertaining to the Carbon configuration files. This hidden information can be secured.
In user-mgt.xml
UserManager.AdminUser.Password -> Admin User password in user-mgt.xml UserManager.Configuration.Property.password -> User Manager database connection password in user-mgt.xml (Only in 3.2.X) UserStoreManager.Property.ConnectionPassword -> User store connection password in user-mgt .xml
In registry.xml (Only in 3.2.X )
wso2registry.[Registry Name].password -> Registry database connection password in registry.xml
In carbon.xml
Carbon.Security.KeyStore.Password- > Keystore password of Carbon server in carbon.xml Carbon.Security.KeyStore.KeyPassword -> Private key password of Carbon server in carbon.xml Carbon.Security.TrustStore.Password -> Trust store password of Carbon server in carbon.xml
In mgt-transport.xml (Only in 3.2.X )
transports.https.keystorePass -> SSL key and keystore password in mgt-transport.xml
In master-datasources.xml (With Carbon 4.0.X Only)
Datasources.[Data source name].Configuration.Password -> Database connection password of defined data source. There can be more than one datasource configurations in this file.
Also by using secure vault you can secure the passwords in axis2.xml file.
Axis2.Https.Listener.TrustStore.Password -> NIO Listener SSL trust store password in axis2.xml Axis2.Https.Listener.KeyStore.Password -> NIO Listener SSL keystore store password in axis2.xml Axis2.Https.Listener.KeyStore.KeyPassword -> NIO Listener SSL key password in axis2.xml Axis2.Https.Sender.TrustStore.Password -> NIO Sender SSL trust store password in axis2.xml Axis2.Https.Sender.KeyStore.Password -> NIO Sender SSL key store password in axis2.xml Axis2.Https.Sender.KeyStore.KeyPassword -> NIO Sender SSL key password in axis2.xml Axis2.Mailto.Parameter.Password -> Email sender password in axis2.xml
Step 1
Locate cipher-text.properties which can be found in the <PRODUCT_HOME>/repository/conf
directory. This file contains the alias names and the corresponding plain text password in square brackets.
If you can not find this file in your product, please download it from here and copy to above location.
Step 2
Configure the cipher-text.properties file with your passwords.
As an example, I want to secure keystore passwords of the carbon.xml file (you should secured them as encryption is done with it), both database and LDAP connection password of the user-mgt.xml file. The cipher-text.properties would be as follows:
Carbon.Security.KeyStore.Password=[mykeystorepass] Carbon.Security.KeyStore.KeyPassword=[mykeystorepass] Carbon.Security.TrustStore.Password=[mytruststorepass] UserManager.Configuration.Property.password=[myuserdbpass] UserStoreManager.Property.ConnectionPassword=[myldappass]
Step 3
Locate the "ciphertool" script which can be found in the <PRODUCT_HOME>/bin
directory. If you can not find this file in your product, please download it from here and copy it to the mentioned location.
Step 4
Run the "ciphertool" script with the -Dconfigure
option. An example in UNIX would look like this:
>ciphertool.sh -Dconfigure
This script does the following:
- Encrypt the passwords defined in the cipher-text.properties file.
- Remove plain text passwords in the configuration files.
- Configure the secret-conf.properties file.
Step 5
Check if the above mentioned files are properly configured.
Step 6
Start the server. During startup, the server prompts for the master password (i.e., the key store password). Provide this password.
For the default way of providing the master password, see here. You can write your own implementation for this. To see a sample implementation for hard coding the master password, see here.
To configure new master password callback handler:
- Replace the default password handler class name (
org.wso2.carbon.securevault.DefaultSecretCallbackHandler
) in the secret-conf.properties file and configure your own one (com.sample.password.callback.handler.HardCodedSecretCallbackHandler
). - Copy these implementations as a Jar file into the
<PRODUCT_HOME>/repository/components/lib
directory. - If you have secured the passwords in the mgt-transport.xml file, please copy your Jar file to
<PRODUCT_HOME>/lib/api
directory. - Restart the server.