This documentation is for WSO2 API Manager 1.8.0 View documentation for the latest release.
Page Comparison - Encrypting Passwords (v.21 vs v.22) - API Manager 1.8.0 - WSO2 Documentation

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: https://wso2.org/jira/browse/DOCUMENTATION-6192

...

  1. Shutdown the server if it is already running and open <APIM_HOME>/repository/conf/security/cipher-tool.properties file. It contains all the aliases to different server components.

  2. Note that the file has several aliases already defined as the alias name and the value where the value is <file name>//<xpath to the property value to be secured>, <true if the XML element starts with a capital letter>. Uncomment the entries you want to encrypt.

    Code Block
    transports.https.keystorePass=mgt-transports.xml//transports/transport[@name='https']/parameter[@name='keystorePass'],false
    Carbon.Security.KeyStore.Password=carbon.xml//Server/Security/KeyStore/Password,true
    Carbon.Security.KeyStore.KeyPassword=carbon.xml//Server/Security/KeyStore/KeyPassword,true
    Carbon.Security.TrustStore.Password=carbon.xml//Server/Security/TrustStore/Password,true
    UserManager.AdminUser.Password=user-mgt.xml//UserManager/Realm/Configuration/AdminUser/Password,true
    Datasources.WSO2_CARBON_DB.Configuration.Password=master-datasources.xml//datasources-configuration/datasources/datasource[name='WSO2_CARBON_DB']/definition[@type='RDBMS']/configuration/password,false
    #Datasource.WSO2AM_DB.configuration.password=master-datasources.xml//datasources-configuration/datasources/datasource[name='WSO2AM_DB']/definition[@type='RDBMS']/configuration/password,false
    #Datasource.WSO2AM_STATS_DB.configuration.password=master-datasources.xml//datasources-configuration/datasources/datasource[name='WSO2AM_STATS_DB']/definition[@type='RDBMS']/configuration/password,false
    #UserStoreManager.Property.ConnectionPassword=user-mgt.xml//UserManager/Realm/UserStoreManager/Property[@name='ConnectionPassword'],true
    #UserStoreManager.Property.password=user-mgt.xml//UserManager/Realm/UserStoreManager/Property[@name='password'],true
    #AuthManager.Password=api-manager.xml//APIManager/AuthManager/Password,true
    
    ...
  3. Open <APIM_HOME>/repository/conf/security/cipher-text.properties file, which maps the default alias to their plain text passwords in square brackets. Uncomment the ones you want.

    Code Block
    Carbon.Security.KeyStore.Password=[wso2carbon]
  4. If you are on Linux or a Unix-based operating system, run the cipher tool available here.
    If you are on Windows, get the cipher tool from the <APIM_HOME>/bin folder. Due to a known issue in the 1.8.0 release on Linux, we provide the .sh file separately. This script reads the aliases, encrypts their plain-text passwords, and stores them in the secure vault. If you are using the default primary keystore, give wso2carbon as its password when prompted.

    Tip

    Tip: By default, the primary keystore, which is <APIM_HOME>/repository/resources/security/wso2carbon.jks is used as the secure vault. If you want to use another keystore or a custom callback class to handle decryption, modify the <APIM_HOME>/repository/conf/security/secret-conf.properties file as described in WSO2 Carbon Secure Vault Implementation in the WSO2 Carbon documentation.

    Code Block
    On Windows: ciphertool.bat -Dconfigure
    On Linux: sh ciphertool.sh -Dconfigure
  5. Note that the configuration files are automatically updated with the relevant password alias after running the cipher tool. For example, as the Carbon.Security.KeyStore.Password property is uncommented in this example, after you run the cipher tool, the plain-text password in <APIM_HOME>/repository/conf/carbon.xml file will be replaced by the alias as follows.

    Code Block
    languagexml
    <KeyStore>
    ...
        <!-- Keystore password-->
        <Password svns:secretAlias="Carbon.Security.KeyStore.Password">password</Password>
    ...
    </KeyStore>
    Tip

    Tip: As you encrypted the primary keystore's password in this example, you are prompted to enter the primary keystore password every time you start the server.


...