WSO2 Carbon products may contain sensitive information (e.g., passwords in configuration files). Storing such information as plain text in configuration files is a security risk. WSO2 Secure Vault secures it by using secret aliases within the configuration files, which are in turn mapped to secrets that are encrypted by the Cipher Tool.

Carry out the following configurations to apply Secure Vault for a WSO2 server before deploying it in Mesos DC/OS.

Please note that the WSO2 IS 5.1.0 server is taken as an example to explain the steps below.

Step 1 - Build the Docker image with Secure Vault

  1. Customize the Puppet Modules.
    Apply Secure Vault in the Puppet Modules as follows: 

    1. Download the Puppet Modules and copy the required packs into the modules by following steps 1.1 and 1.2 of the Build the Product Docker image section.

    2. Carry out the following changes in the default profile Hiera file, which is in the <PUPPET_HOME>/hieradata/dev/wso2/wso2is/5.1.0 directory.

      • Enable Secure Vault by uncommenting the following line.

        wso2::enable_secure_vault: true 
      • Add Secure Vault configurations using the following format.

        secret_alias_config
        <secret_alias_config>:
           secret_alias: <secret_alias>
           secret_alias_value: <secret_alias_value>
           password: <password>

        The default Secure Vault configurations are already added and commented out. Uncomment the configurations you need and change the passwords as required.

        • For Carbon Kernel 4.4.x based products, set secret_alias_value using either the relative path or the absolute path of each file, starting from <PRODUCT_HOME>. The last value, which follows the file path, is set to true or false to indicate whether or not the value to be encrypted is an attribute.

        • For Carbon Kernel 4.2.0 based products, set secret_alias_value to the file name//xpath of the property value to be secured. The last value, which follows the file path, is set to true or false to indicate whether or not the value to be encrypted starts with a capital letter.

      • Add Cipher Tool configuration file templates to the template_list.

         wso2::template_list:
           - repository/conf/security/cipher-text.properties
           - repository/conf/security/cipher-tool.properties
           - bin/ciphertool.sh
      • If you are working with one of the following WSO2 Puppet Modules, carry out the corresponding product-specific additional configurations described in the README files in the WSO2 Puppet Modules GitHub repository.

  2. Build the IS 5.1.0 Docker images.
    Follow step 1.3 in the Build the Product Docker image section for this purpose.

Step 2 - Update the Marathon Application with the KeyStore password

The KeyStore password is passed to the containers as an environment variable and is used to create the password-tmp file, which the server reads at startup to resolve the encrypted passwords.

The default KeyStore password, wso2carbon, is set in the KEY_STORE_PASSWORD environment variable in the Mesos Marathon application definition. If you are not using the default, change the value to your Primary KeyStore password.

wso2is-default.json
{  
   "id":"wso2is-default",
   "cpus":0.5,
   "mem":2048,
   "instances":1,
   "container":{  
      "type":"DOCKER",
      "docker":{  
         "image":"wso2is-mesos:5.1.0",
         "network":"BRIDGE",
         "portMappings":[  
            {  
               "name":"hazelcast",
               "containerPort":0,
               "hostPort":0,
               "servicePort":10116,
               "protocol":"tcp"
            },
            {  
               "name":"servlet-http",
               "containerPort":9763,
               "servicePort":10112,
               "protocol":"tcp"
            },
            {  
               "name":"servlet-https",
               "containerPort":9443,
               "servicePort":10113,
               "protocol":"tcp"
            },
            {  
               "name":"kdc-server",
               "containerPort":8000,
               "servicePort":10114,
               "protocol":"tcp"
            },
            {  
               "name":"thrift-entitlement",
               "containerPort":10500,
               "servicePort":10115,
               "protocol":"tcp"
            }
         ]
      }
   },
   "env":{  
      "KEY_STORE_PASSWORD":"wso2carbon"
   },
   "labels":{  
      "HAPROXY_1_GROUP":"marathon-lb",
      "HAPROXY_2_GROUP":"marathon-lb",
      "HAPROXY_2_BACKEND_SERVER_OPTIONS":"  server {serverName} {host_ipv4}:{port}{cookieOptions} ssl verify none \n",
      "HAPROXY_2_BACKEND_STICKY_OPTIONS":"  cookie JSESSIONID prefix nocache \n",
      "HAPROXY_2_STICKY":"true",
      "HAPROXY_2_SSL_CERT":"/etc/ssl/cert.pem",
      "HAPROXY_2_MODE":"http"
   },
   "healthChecks":[  
      {  
         "portIndex":1
      }
   ]
}
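A pre-deployment lint for the settings from Steps 1 and 2, added here as an example and not taken from the page or the WSO2 Puppet Modules: it checks that each secret_alias_value follows the <file path>//<xpath>,<true|false> format, that the three Cipher Tool templates are present in the template list, and that the Marathon application definition sets KEY_STORE_PASSWORD without leaving it at the default. The Hiera entry and the Marathon excerpt inside the block are constructed sample data; the entry name key_store_password and its values are hypothetical.

```python
import json
import re

DEFAULT_KEYSTORE_PASSWORD = "wso2carbon"
# Cipher Tool templates that Step 1 adds to wso2::template_list.
REQUIRED_TEMPLATES = (
    "repository/conf/security/cipher-text.properties",
    "repository/conf/security/cipher-tool.properties",
    "bin/ciphertool.sh",
)
# secret_alias_value format from Step 1: <file path>//<xpath>,<true|false>
ALIAS_VALUE_RE = re.compile(r"^[^,]+//[^,]+,(true|false)$")

# Constructed Hiera entry in the page's format (hypothetical name and values).
HIERA_SECURE_VAULT = {
    "key_store_password": {
        "secret_alias": "Carbon.Security.KeyStore.Password",
        "secret_alias_value": "repository/conf/carbon.xml//Server/Security/KeyStore/Password,false",
        "password": "wso2carbon",
    },
}
# Constructed excerpt of the Step 2 Marathon application definition.
MARATHON_APP = '{"id": "wso2is-default", "env": {"KEY_STORE_PASSWORD": "wso2carbon"}}'


def check_alias_values(configs):
    """Flag secret_alias_value entries that break the format and passwords left at the default."""
    findings = []
    for name, cfg in configs.items():
        if not ALIAS_VALUE_RE.match(cfg.get("secret_alias_value", "")):
            findings.append(f"{name}: secret_alias_value is not <file>//<xpath>,<true|false>")
        if cfg.get("password") == DEFAULT_KEYSTORE_PASSWORD:
            findings.append(f"{name}: password is still the default '{DEFAULT_KEYSTORE_PASSWORD}'")
    return findings


def check_template_list(template_list):
    """Return the Cipher Tool templates missing from wso2::template_list."""
    return [t for t in REQUIRED_TEMPLATES if t not in template_list]


def check_marathon_app(app_json):
    """Check that KEY_STORE_PASSWORD is set and not left at the default keystore password."""
    password = json.loads(app_json).get("env", {}).get("KEY_STORE_PASSWORD")
    if password is None:
        return ["env.KEY_STORE_PASSWORD missing: password-tmp cannot be created at startup"]
    if password == DEFAULT_KEYSTORE_PASSWORD:
        return ["env.KEY_STORE_PASSWORD is the default keystore password"]
    return []
```

Run the three checks against your own Hiera data and wso2is-default.json before building the image; any non-empty result is something to fix before deployment.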

Step 3 - Deploy and access the WSO2 IS server

Now that the Secure Vault changes are in place, deploy the WSO2 server in Mesos and access it by following steps 2 and 3 in the Deploying and Undeploying a WSO2 Product on Mesos DC-OS section.
