Passwords stored in plain text in configuration files can be read by anyone with access to those files, whether through a file-system compromise, a backup, or a configuration checked into version control; encrypting them removes that exposure. WSO2 API Manager provides a secure vault implementation that encrypts passwords, stores them in the registry and maps them to aliases, so that configuration files reference the alias instead of the actual password. At runtime, the API Manager looks up the alias in the secure vault and decrypts the stored password.
Shown below is how credentials are given in plain text in a configuration:
<property name="Authorization" expression="fn:concat('Basic ', base64Encode('admin:admin'))" scope="transport"/>
Instead, you can encrypt the password and reference the alias of the encrypted password in an API Manager configuration as follows:
<property name="password" expression="wso2:vault-lookup('secured.endpoint.password')"/>
vault-lookup is a call that looks up the password alias named secured.endpoint.password in the configuration registry path /repository/components/secure-vault, where the encrypted password is stored.
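The two property forms above are the thing to check for when reviewing API definitions: any property whose expression still builds a credential from a literal should be moved to a vault-lookup alias, and any alias that is referenced must actually exist in the vault. The following audit script is an added example, not code from the WSO2 documentation or the product. It parses a synapse configuration, flags plain-text credential literals of the base64Encode('user:pass') form and plain values on sensitive property names, and verifies that every wso2:vault-lookup alias is in a caller-supplied set of registered aliases. The sample sequence, the set of sensitive property names and the set of known aliases are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample synapse sequence (not from the original page): one property
# builds a Basic auth header from a literal, one reads the password from the
# secure vault, and one carries a raw API key value.
SAMPLE_CONFIG = """<sequence xmlns="http://ws.apache.org/ns/synapse" name="backend-auth">
  <property name="Authorization"
            expression="fn:concat('Basic ', base64Encode('admin:admin'))"
            scope="transport"/>
  <property name="password" expression="wso2:vault-lookup('secured.endpoint.password')"/>
  <property name="apikey" value="sk-123456" scope="transport"/>
</sequence>
"""

# A credential literal of the form base64Encode('user:pass') inside an expression.
BASIC_AUTH_LITERAL = re.compile(r"base64Encode\('([^':]+):([^']*)'\)")
# A secure vault reference: wso2:vault-lookup('<alias>').
VAULT_LOOKUP = re.compile(r"wso2:vault-lookup\('([^']+)'\)")
# Heuristic list of property names that normally carry secrets (assumption of this example).
SENSITIVE_NAMES = {"authorization", "password", "apikey", "api_key", "secret", "token"}


def audit(config_xml, known_aliases):
    """Return a list of (severity, property name, message) findings in document order.

    known_aliases: the aliases that have been registered in the secure vault
    (supplied by the caller; the example does not read the registry itself).
    """
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        # Synapse elements are namespaced, so compare on the local name.
        if elem.tag != "property" and not elem.tag.endswith("}property"):
            continue
        name = elem.get("name", "")
        expression = elem.get("expression", "")
        value = elem.get("value", "")

        lookup = VAULT_LOOKUP.search(expression)
        if lookup:
            alias = lookup.group(1)
            if alias in known_aliases:
                findings.append(("OK", name, f"uses vault alias {alias!r}"))
            else:
                findings.append(("HIGH", name, f"vault alias {alias!r} is not registered in the vault"))
            continue

        if BASIC_AUTH_LITERAL.search(expression):
            findings.append(("HIGH", name, "plain-text user:password literal in expression"))
        elif name.lower() in SENSITIVE_NAMES and value:
            findings.append(("HIGH", name, "plain-text value on a sensitive property"))
    return findings


def has_plaintext_credentials(config_xml):
    """True if any property carries a credential that is not read from the vault."""
    return any(sev == "HIGH" and "plain-text" in msg
               for sev, _, msg in audit(config_xml, set()))


if __name__ == "__main__":
    for severity, prop, message in audit(SAMPLE_CONFIG, {"secured.endpoint.password"}):
        print(f"{severity:4} {prop}: {message}")
```

Run it against every sequence and API definition under the synapse-config directory before deployment; the "HIGH" lines are the credentials that still need to go through the cipher tool and be replaced with a vault-lookup alias.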
Before using secured endpoints in your API definition:
- Set the element to true. By default, the system stores passwords in configuration files in plain text because this value is set to
- Define the synapse property in the synapse.properties file as follows:
- Run the cipher tool available in <APIM_HOME>/bin to create the secret repositories. The command is ciphertool.sh -Dconfigure (ciphertool.bat -Dconfigure on Windows). For more information on the cipher tool, see Carbon Secure Vault Implementation. Also see Fixing Security Vulnerabilities for information on configuring the cipher at the Tomcat level.