WSO2 Carbon products may contain sensitive information (e.g., passwords in configuration files). If such sensitive information is added as plain text in configuration files, it leads to security risks. WSO2 Secure Vault secures such information by using secret aliases within the configuration files, which in turn are mapped to secrets that are encrypted by the Cipher Tool.
Carry out the following configurations to apply Secure Vault for a WSO2 server before deploying it in Mesos DC/OS.
Please note that the WSO2 IS 5.1.0 server is taken as an example to explain the steps below.
Step 1 - Build the Docker image with Secure Vault
Customize the Puppet Modules.
Customize the Puppet Modules to apply Secure Vault as follows:
Carry out the following changes in the default profile Hiera file, which is in the
Enable Secure Vault by uncommenting the below line.
Add Secure Vault configurations using the following format.
The default Secure Vault configurations are already added and commented. Make sure to uncomment the required configurations and change the passwords as required.
For Carbon Kernel 4.4.x based products, in order to set the secret_alias_value, either the relative path or the absolute path of each file starting from <PRODUCT_HOME> should be given. The last value that follows the file path is set to false, indicating whether or not the value to be encrypted is an attribute.
For Carbon Kernel 4.2.0 based products, in order to set the secret_alias_value, use the file name//xpath to the property value to be secured. The last value that follows the file path is set to false, indicating whether or not the value to be encrypted starts with a capital letter.
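A mistyped secret_alias_value (a missing "//" separator, a missing trailing true/false flag, or a file path that does not exist under <PRODUCT_HOME>) is only discovered when the Cipher Tool runs inside the image build. The following shell function is an added example, not code from the WSO2 page or the Puppet modules, that checks each value in the Carbon Kernel 4.4.x format before the build. The PRODUCT_HOME layout and the carbon.xml xpath used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the WSO2 page or the Puppet modules): a pre-build
# sanity check for secret_alias_value entries in the Carbon Kernel 4.4.x format,
#   <path relative to PRODUCT_HOME, or absolute>//<xpath>,<true|false>

# check_secret_alias_value PRODUCT_HOME VALUE -> 0 if well-formed, 1 otherwise
check_secret_alias_value() {
  product_home=$1
  value=$2

  # The file path is everything before the first "//".
  case $value in
    *//*) ;;
    *) echo "ERROR: no '//' between file path and xpath: $value" >&2; return 1 ;;
  esac
  file_part=${value%%//*}
  rest=${value#*//}

  # The trailing flag after the last "," must be exactly true or false.
  flag=${rest##*,}
  xpath=${rest%,*}
  case $flag in
    true|false) ;;
    *) echo "ERROR: trailing flag must be true or false: $value" >&2; return 1 ;;
  esac
  [ -n "$xpath" ] || { echo "ERROR: empty xpath: $value" >&2; return 1; }

  # Relative paths resolve against PRODUCT_HOME; absolute paths are used as-is.
  case $file_part in
    /*) target=$file_part ;;
    *)  target=$product_home/$file_part ;;
  esac
  [ -f "$target" ] || { echo "ERROR: file not found: $target" >&2; return 1; }
  return 0
}

# Demo on a constructed PRODUCT_HOME layout (no real product files involved).
demo_home=$(mktemp -d)
mkdir -p "$demo_home/repository/conf"
: > "$demo_home/repository/conf/carbon.xml"
for v in \
  "repository/conf/carbon.xml//Server/Security/KeyStore/Password,false" \
  "repository/conf/carbon.xml//Server/Security/KeyStore/Password" \
  "repository/conf/missing.xml//Server/Security/KeyStore/Password,false"
do
  if check_secret_alias_value "$demo_home" "$v"; then
    echo "OK   $v"
  else
    echo "FAIL $v"
  fi
done
rm -rf "$demo_home"
```

Run it once per secret_alias_value you add to the Hiera file; the same function accepts the absolute-path variant the page mentions, since anything starting with "/" is checked without being prefixed by PRODUCT_HOME.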
Add Cipher Tool configuration file templates to the
If you are working with one of the following WSO2 Puppet Modules, do the corresponding product-specific additional configurations as mentioned in the README files in the WSO2 Puppet Modules GitHub.
Step 2 - Update the Marathon Application with the KeyStore password
The KeyStore password is passed as an environment variable to the containers and is used to create the password-tmp file. That file is what the server reads to resolve the encrypted passwords when it starts up.
The default KeyStore password wso2carbon is set to the environment variable, namely KEY_STORE_PASSWORD, in the Mesos Marathon application definition. Make sure to change the value to the Primary KeyStore password if you are not using the default value.
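What Step 2 relies on inside the container, expressed as a small shell function. This is an added example and not WSO2's own container entrypoint or Puppet code; it assumes only that the environment variable is named KEY_STORE_PASSWORD, as in the Marathon application definition above, and that the server expects the file at <PRODUCT_HOME>/password-tmp. The failure mode it handles is the one a deployment typically hits: the variable left unset in the Marathon definition, which would otherwise produce a server that starts with no way to decrypt its Secure Vault secrets.

```shell
#!/bin/sh
# Added example (not WSO2's own entrypoint): write the primary KeyStore password
# from the KEY_STORE_PASSWORD environment variable, which the Marathon application
# definition injects into the container, to <PRODUCT_HOME>/password-tmp so that
# the server can resolve Secure Vault secrets at startup.

# write_password_tmp PRODUCT_HOME -> 0 on success, 1 if the variable is unset or empty
write_password_tmp() {
  product_home=$1
  if [ -z "${KEY_STORE_PASSWORD:-}" ]; then
    echo "ERROR: KEY_STORE_PASSWORD is not set; Secure Vault secrets cannot be decrypted" >&2
    return 1
  fi
  [ -d "$product_home" ] || { echo "ERROR: no such directory: $product_home" >&2; return 1; }
  # Create the file owner-readable only, in a subshell so the umask change
  # does not leak into the rest of the entrypoint.
  ( umask 077; printf '%s\n' "$KEY_STORE_PASSWORD" > "$product_home/password-tmp" )
  return 0
}

# Demo with a constructed PRODUCT_HOME and a constructed password value; the
# password itself is never echoed.
demo_home=$(mktemp -d)
if ( export KEY_STORE_PASSWORD=constructed-demo-value; write_password_tmp "$demo_home" ); then
  echo "wrote $demo_home/password-tmp"
fi
rm -rf "$demo_home"
```

Carbon consumes and deletes password-tmp once it has read it, so the plaintext does not stay on the container filesystem after startup; a restart of the same container therefore needs the variable to still be present, which is why it belongs in the Marathon definition rather than being typed in once by hand.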
Step 3 - Deploy and access the WSO2 IS server
Now that the Secure Vault changes are applied, deploy the WSO2 server in Mesos and access it by following steps 2 and 3 in the Deploying and Undeploying a WSO2 Product on Mesos DC-OS section.