This documentation is for WSO2 Carbon 4.4.0. View documentation for the latest release.
Secure Vault Implementation - Carbon 4.4.0 - WSO2 Documentation
Due to a known issue do not use JDK1.8.0_151 with WSO2 products. Use JDK 1.8.0_144 until JDK 1.8.0_162-ea is released.
Skip to end of metadata
Go to start of metadata

WSO2 Carbon is shipped with a Secure Vault implementation, which is a modified version of synapse Secure Vault. This allows you to store encrypted passwords that are mapped to aliases. That is, you can use the aliases instead of the actual passwords in your configuration files for better security. For example, some configurations require the admin username and password. If the admin user password is "admin", you could use the alias UserManager.AdminUser.Password in your configuration file. You would then map that alias to the actual password "admin". At runtime, the product will look up this alias in the secure vault and then decrypt and use its password.

Some of the important elements in the secure vault implementation, which are used in Carbon products for encrypting plain text passwords are as follows:

  • Secret Repository: This is used to store the secret values (encrypted values). The file, located in the <PRODUCT_HOME>/repository/conf/security folder is the default file based secret repository used by the Secret Manager in your Carbon product. Note that, currently, Secure Vault only implements file based secret repositories. The Secret Repository stores aliases vs. their actual secrets in encrypted format (encrypted via a key in keystore). Any secret repositories can be written by implementing the SecretRepository and SecretRepositoryProvider classes. See the topic on creating custom secure vault configurations.
  • Secret Manager: The Secret Manager initializes the Secret Repository and the keystore configured for the Carbon server. The secrets stored in the Secret Repository are accessed using the aliases indicated in the file. The keystore is required to create the decryption crypto, which can be used to resolve encrypted secrets values. The keystore and Secret Repository are configurable through the '' file found in the <PRODUCT_HOME>/repository/conf/security folder.
  • Secret Callback: This provides the actual password for a given alias. There is a SecretManagerSecretCallbackHandler, which is combined with Secret Manager to resolve the secret. Any callback can be written by implementing the SecretCallbackHandler class. See the topic on creating custom secure vault configurations.
  • Secret Resolver: Any configuration builder that uses secret information within its own configuration file needs to initialize the Secret Resolver when building its own configuration. The Secret Resolver keeps a list of secured elements that need to be defined in the configuration file with secret aliases. Secret Resolver initializes the Secret Callback handler class, which is defined in the configuration file.

See the following topics for details on how Secure Vault is used in Carbon products:


Default Secure Vault configuration

The default secure vault configuration in WSO2 Carbon products is as follows:

  1. The file located in the <PRODUCT_HOME>/repository/conf/security folder is the default file-based secret repository.
  2. The Carbon server's primary keystore is used for encrypting and decrypting the plain text passwords in configuration files. The default keystore file is stored in the <PRODUCT_HOME>/repository/resources/security folder.
  3. DefaultSecretCallbackHandler (org.wso2.carbon.securevault.DefaultSecretCallbackHandler) is used as the password resolver of the Carbon server's primary keystore.
  4. SecretManagerSecretCallbackHandler (org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler) is used as the password resolver for all the secret values that are defined in the Carbon configuration files.

The Secure Vault configuration is made easier by the command-line tool called Ciphertool.

Create custom Secure Vault configuration

You can implement your own Secure Vault configurations by changing the following according to your choice:

  • Secret Repository.
  • Secret Callback Handler.
  • Using a keystore other than the primary keystore of the carbon server.

Let's see how we can write a new Secret Callback Handler class to secure the user management and registry database connection password. In this sample, you do not need to configure a Secret Repository or keystore ( as you are not going to store the secret or encrypted values.

  1. Write a Secret Callback class. You need to implement the SecretCallbackHandler interface or extend the AbstractSecretCallbackHandler abstract class. For example,

    public class HardCodedSecretCallbackHandler extends AbstractSecretCallbackHandler {
         protected void handleSingleSecretCallback(SingleSecretCallback singleSecretCallback) {
  2. We can set multiple password-based as follows:

    public class HardCodedSecretCallbackHandler extends AbstractSecretCallbackHandler {
        protected void handleSingleSecretCallback(SingleSecretCallback singleSecretCallback) {
             } else if("bar".equals(singleSecretCallback.getId())){
  3. Create a JAR or an OSGI bundle and copy the JAR file to the <PRODUCT_HOME>/repository/component/lib/ directory or the OSGI bundle to the <PRODUCT_HOME>/repository/component/dropins/ directory
  4. Configure the master-datasources.xml file with an alias name and your Secret Callback handler class name. For example,

                <description>The datasource used for registry and user manager</description>
                <definition type="RDBMS">
                        <validationQuery>SELECT 1</validationQuery>

     Also, replace the secret callback handler class name in <PRODUCT_HOME>/repository/conf/ file with your Secret Callback handler class name.

  5. Restart the server.
  • No labels