WSO2 Carbon is shipped with a secure vault implementation which is a modified version of synapse secure vault. It provides capability to securely store sensitive data such as plain-text passwords in configuration files of the WSO2 Carbon platform, such as user-mgt.xml, Carbon.xml, Axis2.xml, registry.xml etc. All WSO2 Carbon-based products inherit the secure vault implementation from the core Carbon platform. For more information, refer to section WSO2 Carbon Secure Vault under Carbon Tools.
However, when securing passwords of more product-specific configuration files such as data service configurations, the steps may vary.
WSO2 Data Services Server provides the feature to securely store sensitive data in data service configuration files, using the Secure Vault functionality. Users can encrypt their passwords using tokens instead of the actual password inside the data service configuration file. The instructions below explain how to secure passwords in a data-source configuration.
1. Run ciphertool script from <CARBON_HOME>/bin directory
- Linux: sh ciphertool.sh -Dconfigure
- Windows: ciphertool.bat -Dconfigure
2. To encrypt the plain text using ciphertool, run the ciphertool script again without '-Dconfigure' option.
It will ask for the KeyStore Password of the running Carbon instance. The default value of the KeyStore password is 'wso2carbon'. Then provide the plain text value that needs to be encrypted and the tool will return the encrypted text value.
3. Update the <CARBON_HOME>/repository/conf/security/cipher-text.properties file by adding a new alias (any name of your preference) and the encrypted value. For example,
4. Log on to the product's management console and select "Data Services -> Create" under the "Main" menu.
5. The "Create Data Service" page appears. Fill in the fields and click "Next" . The Data Service name is mandatory.
6. The "Add New Data Source" page appears. Fill in the fields accordingly.
Select the "Use as Secret Alias" option. In the "Password" filed, provide the alias name instead of the actual password.
7. The namespace and alias will be added to the .dbs file as follows.