This documentation is for WSO2 Identity Server 5.0.0. View documentation for the latest release.
Securing Plain Text Passwords - Identity Server 5.0.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

The conf directory of WSO2 products consists of configuration files which contain hidden information like passwords. This section describes how we can secure the plain text passwords in these configuration files. For a clear understanding about secure vault implementation, see here.

Please note these configurations are only valid for carbon 3.2.X products. However, in the 4.X.X releases, the steps are same although there are new configuration files. For example, we have "master-datasources.xml" file which can be found in "conf/datasources". In this file, we configure all data source related configurations. Therefore, the database configuring passwords would be in this file.

The following are the alias names and hidden information pertaining to the WSO2 Carbon configuration files. This hidden information can be secured.

  • In user-mgt.xml

    UserManager.AdminUser.Password -> Admin User password in user-mgt.xml
    UserManager.Configuration.Property.password -> User Manager database connection password in user-mgt.xml (Only in 3.2.X)
    UserStoreManager.Property.ConnectionPassword -> User store connection password in user-mgt .xml
  • In registry.xml (Only in 3.2.X )

    wso2registry.[Registry Name].password -> Registry database connection password in registry.xml
  • In carbon.xml

    Carbon.Security.KeyStore.Password- > Keystore password of Carbon server in carbon.xml
    Carbon.Security.KeyStore.KeyPassword -> Private key password of Carbon server in carbon.xml
    Carbon.Security.TrustStore.Password -> Trust store password of Carbon server in carbon.xml
  • In mgt-transport.xml (Only in 3.2.X )

    transports.https.keystorePass -> SSL key and keystore password in mgt-transport.xml
  • In master-datasources.xml (With Carbon 4.0.X Only)

    Datasources.[Data source name].Configuration.Password -> Database connection password of defined data source. There can be more than one datasource configurations in this file.

    Also by using secure vault you can secure the passwords in axis2.xml file.

    Axis2.Https.Listener.TrustStore.Password -> NIO Listener SSL trust store password in axis2.xml
    Axis2.Https.Listener.KeyStore.Password -> NIO Listener SSL keystore store password in axis2.xml
    Axis2.Https.Listener.KeyStore.KeyPassword -> NIO Listener SSL key password in axis2.xml
    Axis2.Https.Sender.TrustStore.Password -> NIO Sender SSL trust store password in axis2.xml
    Axis2.Https.Sender.KeyStore.Password -> NIO Sender SSL key store password in axis2.xml
    Axis2.Https.Sender.KeyStore.KeyPassword -> NIO Sender SSL key password in axis2.xml
    Axis2.Mailto.Parameter.Password -> Email sender password in axis2.xml


Step 1

Locate which can be found in the <PRODUCT_HOME>/repository/conf directory. This file contains the alias names and the corresponding plain text password in square brackets.

If you can not find this file in your product, please download it from here and copy to above location.

Step 2

Configure the file with your passwords.

As an example, I want to secure keystore passwords of the carbon.xml file (you should secured them as encryption is done with it), both database and LDAP connection password of the user-mgt.xml file. The would be as follows:



Step 3

Locate the "ciphertool" script which can be found in the <PRODUCT_HOME>/bin directory. If you can not find this file in your product, please download it from here and copy it to the mentioned location.

Step 4

Run the "ciphertool" script with the -Dconfigure option. An example in UNIX would look like this:

> -Dconfigure

This script does the following:

  1. Encrypt the passwords defined in the file.
  2. Remove plain text passwords in the configuration files.
  3. Configure the file.

Step 5

Check if the above mentioned files are properly configured.

Step 6

Start the server. During startup, the server prompts for the master password (i.e., the key store password). Provide this password.

For the default way of providing the master password, see here. You can write your own implementation for this. To see a sample implementation for hard coding the master password, see here.

To configure new master password callback handler:

  1. Replace the default password handler class name (org.wso2.carbon.securevault.DefaultSecretCallbackHandler) in the file and configure your own one (com.sample.password.callback.handler.HardCodedSecretCallbackHandler).
  2. Copy these implementations as a Jar file into the <PRODUCT_HOME>/repository/components/lib directory.
  3. If you have secured the passwords in the mgt-transport.xml file, please copy your Jar file to <PRODUCT_HOME>/lib/api directory.
  4. Restart the server.
  • No labels