The conf directory of WSO2 products contains configuration files that hold sensitive information such as passwords. This section describes how to secure the plain text passwords in these configuration files. For a clear understanding of the secure vault implementation, see here.
Note that these configurations are only valid for Carbon 3.2.X products. In the 4.X.X releases the steps are the same, although there are new configuration files. For example, the "master-datasources.xml" file, found in "conf/datasources", holds all data source related configuration, so the database passwords are in this file.
The following are the alias names and hidden information pertaining to the WSO2 Carbon configuration files. This hidden information can be secured.
- In registry.xml (only in 3.2.X)
- In mgt-transport.xml (only in 3.2.X)
- In master-datasources.xml (Carbon 4.0.X only)
Secure vault can also be used to secure the passwords in the axis2.xml file.
Locate cipher-text.properties, which can be found in the <PRODUCT_HOME>/repository/conf directory. This file contains the alias names and the corresponding plain text passwords in square brackets.
If you cannot find this file in your product, please download it from here and copy it to the above location.
Configure the cipher-text.properties file with your passwords.
As an example, I want to secure the keystore passwords of the carbon.xml file (you should secure these, since the encryption is done with the keystore), and both the database and LDAP connection passwords of the user-mgt.xml file. The cipher-text.properties would be as follows:
Locate the "ciphertool" script, which can be found in the <PRODUCT_HOME>/bin directory. If you cannot find this file in your product, please download it from here and copy it to the mentioned location.
Run the "ciphertool" script with the -Dconfigure option. An example in UNIX would look like this:
This script does the following:
- Encrypts the passwords defined in the cipher-text.properties file.
- Removes the plain text passwords from the configuration files.
- Configures the secret-conf.properties file.
Check that the above mentioned files are properly configured.
Start the server. During startup, the server prompts for the master password (i.e., the key store password). Provide this password.
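As an added example of the verification step (this is not part of the original page or of WSO2's tooling), the following Python script takes the cipher-text.properties contents before and after the ciphertool run, plus the configuration files that held the secrets, and reports aliases that are still in the bracketed plain text form or whose plain text value still appears in a configuration file. The alias names, passwords and file snippets are constructed sample values, and the base64 check is an assumption about the form in which ciphertool writes encrypted values.

```python
import base64
import re

# Matches "alias=value" lines; comment lines (#) and blank lines are skipped.
ENTRY_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_cipher_text(text):
    """Return {alias: value} for the entries in a cipher-text.properties body."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries

def is_plain(value):
    """True while the value is still in the plain text form [password]."""
    return value.startswith("[") and value.endswith("]")

def looks_encrypted(value):
    """Heuristic (assumption): not bracketed and decodes as base64."""
    if not value or is_plain(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:
        return False

def check_after_configure(before, after, config_files):
    """List what still needs attention after running ciphertool -Dconfigure.
    before/after: cipher-text.properties contents before and after the run;
    config_files: {file name: contents}. An empty list means the check passed."""
    findings = []
    plain = {a: v[1:-1] for a, v in parse_cipher_text(before).items() if is_plain(v)}
    encrypted = parse_cipher_text(after)
    for alias, secret in plain.items():
        if not looks_encrypted(encrypted.get(alias, "")):
            findings.append(f"{alias}: not encrypted in cipher-text.properties")
        for name, body in config_files.items():
            if secret in body:  # substring match; very short secrets can give false positives
                findings.append(f"{alias}: plain text value still present in {name}")
    return findings

# Constructed sample (hypothetical aliases, passwords and file contents).
BEFORE = ("Carbon.Security.KeyStore.Password=[wso2carbon]\n"
          "UserManager.Configuration.Property.password=[admin]\n")
AFTER = ("Carbon.Security.KeyStore.Password=a1B2c3D4\n"              # fake cipher text
         "UserManager.Configuration.Property.password=[admin]\n")    # still plain text
CONFIGS = {"carbon.xml": "<Password>password</Password>",
           "user-mgt.xml": '<Property name="password">admin</Property>'}
```

Calling check_after_configure(BEFORE, AFTER, CONFIGS) on the sample reports the user-mgt.xml alias twice: it was never encrypted and its plain text value is still in the file.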
To configure a new master password callback handler:
- Replace the default password handler class name (org.wso2.carbon.securevault.DefaultSecretCallbackHandler) in the secret-conf.properties file and configure your own one (
- Copy these implementations as a Jar file into the
- If you have secured the passwords in the mgt-transport.xml file, also copy your Jar file to
- Restart the server.