Encrypting passwords provides better security and less vulnerability to security attacks than saving passwords in plain text. It is recommended in a production setup. WSO2 App Factory provides a secure vault implementation that encrypts passwords, stores them in the registry, maps them to aliases and uses the alias instead of the actual passwords in configuration files. At runtime, the App Factory looks up aliases and decrypts the passwords.
Encrypting passwords in configuration files
Shutdown the server if it is already running and open
<AF_HOME>/repository/conf/security/cipher-tool.propertiesfile. It contains all the aliases to different server components.
Note that the file has several aliases already defined as the alias name and the value where the value is
<file name>//<xpath to the property value to be secured>, <true if the XML element starts with a capital letter>. . Uncomment the entries you want to encrypt.
<AF_HOME>/repository/conf/security/cipher-text.propertiesfile, which maps the default alias to their plain text passwords in square brackets. Uncomment the ones you want.
Run the cipher tool available in
<AF_HOME>/bin. This script reads the aliases, encrypts their plain-text passwords, and stores them in the secure vault. If you are using the default primary keystore, give
wso2carbonas its password when prompted.
Tip: By default, the App Factory instance's primary keystore, which is
<AF_HOME>/repository/resources/security/wso2carbon.jksis used as the secure vault. If you want to use another keystore or a custom callback class to handle decryption, modify the
<AF_HOME>/repository/conf/security/secret-conf.propertiesfile as described in WSO2 Carbon Secure Vault in the WSO2 Carbon documentation.
Note that the configuration files are automatically updated with the relevant password alias after after running the cipher tool. For example, as the
Carbon.Security.KeyStore.Passwordproperty is uncommented in this example, after you run the cipher tool, the plain-text password in
<AF_HOME>/repository/conf/carbon.xmlfile will be replaced by the alias as follows.
Tip: As you encrypted the primary keystore's password in this example, you are prompted to enter the primary keystore password every time you start the App Factory.