This documentation is for WSO2 API Manager 1.6.0 View documentation for the latest release.
Encrypt Workflow Service Credentials - API Manager 1.6.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

The external workflow would typically be a secured web service. Therefore the calling client (the API Manager in this case) requires to pass in necessary credentials to invoke the service. The configuration related to executing an external workflow would be as shown below. Following is an example for executing an external workflow to be executed when subscribing an Application to APIs. This configuration can be found in the <AM_HOME>/repository/conf/api-manager.xml file.

    <SubscriptionCreation executor="org.wso2.carbon.apimgt.impl.workflow.SubscriptionCreationWSWorkflowExecutor">
           <Property name="serviceEndpoint">http://localhost:9765/services/SubscriptionApprovalWorkFlowProcess/</Property>
           <Property name="username">admin</Property>
           <Property name="password">admin</Property>
           <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>


In this section, the 'serviceEndpoint' property provides the location of the external web service whereas the 'username' and 'password' properties are the credentials required to access that service.

This section describes how the 'password' property value can be encrypted by using the Secure Vault support in the WSO2 Carbon Framework. Follow the steps given below to encrypt the plain text value of the 'password' property.

1. Shutdown the server if already running.

2. Open the <AM_HOME>/repository/conf/security/ file and add the following entry


Note that the key (APIManager.WorkFlowExtensions.SubscriptionCreation.Password) is static and cannot be changed. For the User Sign Up and Application Creation workflows, the values should be as below, respectively.  



Save and close the file once done.

3. Open the file in the same location and add the above key and the password value as shown below.


'admin' is the plain text value of the password. Note to add the User Sign Up and Application Creation keys (if necessary) as appropriate.

Save and close the file.

4. Navigate to the <AM_HOME>/bin directory and run the script with the -Dconfigure option. If on windows, it should be the ciphertool.bat.

Ex: ./ -Dconfigure

You will be prompted to enter the Primary KeyStore Password of the Carbon Server once you run this. If you are using the default keystores of the product, the password is 'wso2carbon'.

5) Once the process is over you should get a message saying 'Secret Configurations are written to the property file successfully'. Now open the <AM_HOME>/repository/conf/api-manager.xml file and check the value of the password property. The actual value should be replaced with the text 'password'.

Ex: <Property name="password" svns:secretAlias="APIManager.WorkFlowExtensions.SubscriptionCreation.Password">password</Property> 

When starting the server, you will now be required to enter the Primary Key Store Password always.

  • No labels