If the directory/file paths specified in this guide do not exist in your WSO2 product, see Directory Structure of WSO2 Products to locate the paths applicable to your product.

...

You can implement your own Secure Vault configuration by changing the default Secret Repository, the Secret Repository Provider and the Secret Callback Handler, and by using a custom keystore instead of the default product keystore. See the following topics for instructions:

...

  1. Write a Secret Callback class. You need to implement the SecretCallbackHandler interface or extend the AbstractSecretCallbackHandler abstract class. For example:

    Code Block
    Java
    import org.wso2.securevault.secret.AbstractSecretCallbackHandler;
    import org.wso2.securevault.secret.SingleSecretCallback;

    // Returns the same hard-coded secret for every alias it is asked for.
    public class HardCodedSecretCallbackHandler extends AbstractSecretCallbackHandler {
        protected void handleSingleSecretCallback(SingleSecretCallback singleSecretCallback) {
            singleSecretCallback.setSecret("password");
        }
    }
  2. You can return a different password for each alias by checking the ID of the callback, as follows:

    Code Block
    Java
    import org.wso2.securevault.secret.AbstractSecretCallbackHandler;
    import org.wso2.securevault.secret.SingleSecretCallback;

    // Selects the secret by the alias (ID) carried in the callback.
    public class HardCodedSecretCallbackHandler extends AbstractSecretCallbackHandler {
        protected void handleSingleSecretCallback(SingleSecretCallback singleSecretCallback) {
            if ("foo".equals(singleSecretCallback.getId())) {
                singleSecretCallback.setSecret("foo_password");
            } else if ("bar".equals(singleSecretCallback.getId())) {
                singleSecretCallback.setSecret("bar_password");
            }
        }
    }
  3. Create a JAR or an OSGi bundle, and copy the JAR file to the <PRODUCT_HOME>/repository/component/lib/ directory or the OSGi bundle to the <PRODUCT_HOME>/repository/component/dropins/ directory.
  4. Configure the master-datasources.xml file with an alias name and your Secret Callback handler class name. For example:

    Code Block
    XML
    <!-- The svns prefix must be declared on the root element of the file:
         xmlns:svns="http://org.wso2.securevault/configuration" -->
    <datasource>
        <name>WSO2_CARBON_DB</name>
        <description>The datasource used for registry and user manager</description>
        <jndiConfig>
            <name>jdbc/WSO2CarbonDB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:h2:repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000</url>
                <username>wso2carbon</username>
                <!-- The alias, not the literal value, is what Secure Vault resolves at startup. -->
                <password svns:secretAlias="Datasources.WSO2_CARBON_DB.Configuration.Password">password</password>
                <driverClassName>org.h2.Driver</driverClassName>
                <maxActive>50</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
            </configuration>
        </definition>
    </datasource>
     Also, replace the secret callback handler class name in 

     

  5. Go to <PRODUCT_HOME>/bin and execute ./ciphertool.sh -Dconfigure.

  6. Replace the values of the two properties keystore.identity.store.secretProvider and keystore.identity.key.secretProvider in the <PRODUCT_HOME>/repository/conf/security/secret-conf.properties file with your Secret Callback handler class name.

  7. Restart the server.
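The handlers above compile passwords into the class, which is the simplest form but leaves the secret readable in the JAR. The following is an added example, not code from the WSO2 documentation, of a Secret Callback handler built on the same AbstractSecretCallbackHandler and SingleSecretCallback types that resolves each alias from an environment variable instead. The package name, the WSO2_SECRET_ prefix and the alias-to-variable-name mapping are assumptions made for this example; the class is registered in secret-conf.properties exactly as in step 6.

```java
// Added example (not from the WSO2 documentation): a SecretCallbackHandler that
// resolves every alias from an environment variable rather than a hard-coded string.
// The package name and the WSO2_SECRET_ prefix are assumptions for this example.
package org.example.securevault;

import java.util.Locale;

import org.wso2.securevault.secret.AbstractSecretCallbackHandler;
import org.wso2.securevault.secret.SingleSecretCallback;

public class EnvSecretCallbackHandler extends AbstractSecretCallbackHandler {

    /** Prefix prepended to every derived variable name (assumption for this example). */
    static final String ENV_PREFIX = "WSO2_SECRET_";

    @Override
    protected void handleSingleSecretCallback(SingleSecretCallback callback) {
        String id = callback.getId();
        String variable = envNameFor(id);
        String secret = System.getenv(variable);
        if (secret == null || secret.isEmpty()) {
            // Fail closed: a missing secret should stop startup instead of
            // letting the server continue with an empty password.
            throw new IllegalStateException("Environment variable " + variable
                    + " is not set for secret alias '" + id + "'");
        }
        callback.setSecret(secret);
    }

    /**
     * Maps an alias such as Datasources.WSO2_CARBON_DB.Configuration.Password to
     * WSO2_SECRET_DATASOURCES_WSO2_CARBON_DB_CONFIGURATION_PASSWORD: the alias is
     * upper-cased and every character that is not a letter or digit becomes '_'.
     */
    static String envNameFor(String id) {
        StringBuilder name = new StringBuilder(ENV_PREFIX);
        for (char c : id.toUpperCase(Locale.ROOT).toCharArray()) {
            name.append(Character.isLetterOrDigit(c) ? c : '_');
        }
        return name.toString();
    }
}
```

Set the variable in the environment of the process that starts the server (for example in the service unit or container definition) rather than in a script checked into the repository, so the secret is never stored next to the configuration it protects.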

...

To create a custom secret repository, you need to implement the SecretRepository and SecretRepositoryProvider interfaces:

  1. Create your custom secret repository by implementing the org.wso2.securevault.secret.SecretRepository interface:

    Code Block
    Java
    import java.util.Properties;

    import org.wso2.securevault.keystore.IdentityKeyStoreWrapper;
    import org.wso2.securevault.keystore.TrustKeyStoreWrapper;
    import org.wso2.securevault.secret.SecretRepository;

    // Skeleton of a custom secret repository; fill in the lookup logic for your secret store.
    public class CustomSecretRepositoryImpl implements SecretRepository {

        // The keystore wrappers are handed over by the provider (see the next step).
        public CustomSecretRepositoryImpl(IdentityKeyStoreWrapper identityKeyStoreWrapper,
                                          TrustKeyStoreWrapper trustKeyStoreWrapper) {
        }

        // Called once with the secret-conf.properties entries and this repository's ID.
        public void init(Properties properties, String id) {
        }

        // Returns the plain-text secret for the given alias.
        public String getSecret(String alias) {
            return null;
        }

        // Returns the stored (encrypted) form of the secret for the given alias.
        public String getEncryptedData(String alias) {
            return null;
        }

        public void setParent(SecretRepository secretRepository) {
        }

        public SecretRepository getParent() {
            return null;
        }
    }
  2. Then you need to implement the org.wso2.securevault.secret.SecretRepositoryProvider interface as shown below. This class returns an instance of the custom SecretRepository that you implemented above.

    Code Block
    Java
    import org.wso2.securevault.keystore.IdentityKeyStoreWrapper;
    import org.wso2.securevault.keystore.TrustKeyStoreWrapper;
    import org.wso2.securevault.secret.SecretRepository;
    import org.wso2.securevault.secret.SecretRepositoryProvider;

    // Secure Vault instantiates this provider and asks it for the repository.
    public class CustomSecretRepositoryProvider implements SecretRepositoryProvider {
        public SecretRepository getSecretRepository(IdentityKeyStoreWrapper identityKeyStoreWrapper,
                                                    TrustKeyStoreWrapper trustKeyStoreWrapper) {
            return new CustomSecretRepositoryImpl(identityKeyStoreWrapper, trustKeyStoreWrapper);
        }
    }
  3. Create a JAR or an OSGi bundle.

  4. Then, copy the JAR file to the <PRODUCT_HOME>/repository/component/lib/ directory or the OSGi bundle to the <PRODUCT_HOME>/repository/component/dropins/ directory.

  5. Replace the secretRepositories.file.provider entry in the secret-conf.properties file (stored in the <PRODUCT_HOME>/repository/conf/security/ directory) with your secret repository provider class name.
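The skeleton in step 1 shows the interface but returns null from every lookup. As an added example that is not part of the WSO2 documentation, the following repository implements the same org.wso2.securevault.secret.SecretRepository and SecretRepositoryProvider interfaces, loads alias=value pairs from a properties file whose path it reads in init(), and falls back to the parent repository that Secure Vault sets for aliases it does not hold. The package name, the secretRepositories.<id>.location property key and the plain-text storage of the values are assumptions made for this example; the nested Provider class is the name you would place in secretRepositories.file.provider in step 5.

```java
// Added example (not from the WSO2 documentation): a SecretRepository backed by a
// properties file, with fallback to the parent repository for unknown aliases.
// The package name and the secretRepositories.<id>.location key are assumptions.
package org.example.securevault;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

import org.wso2.securevault.keystore.IdentityKeyStoreWrapper;
import org.wso2.securevault.keystore.TrustKeyStoreWrapper;
import org.wso2.securevault.secret.SecretRepository;
import org.wso2.securevault.secret.SecretRepositoryProvider;

public class PropertiesSecretRepository implements SecretRepository {

    private final IdentityKeyStoreWrapper identityKeyStore;
    private final TrustKeyStoreWrapper trustKeyStore;
    private final Properties secrets = new Properties();
    private SecretRepository parent;

    public PropertiesSecretRepository(IdentityKeyStoreWrapper identityKeyStore,
                                      TrustKeyStoreWrapper trustKeyStore) {
        // Kept so a production repository can decrypt stored values with the
        // identity key; this example stores the values as they appear in the file.
        this.identityKeyStore = identityKeyStore;
        this.trustKeyStore = trustKeyStore;
    }

    @Override
    public void init(Properties properties, String id) {
        // Assumption: the file path is configured as secretRepositories.<id>.location,
        // following the shape of the secretRepositories.file.* entries in secret-conf.properties.
        String key = "secretRepositories." + id + ".location";
        String location = properties.getProperty(key);
        if (location == null || location.isEmpty()) {
            throw new IllegalArgumentException(key + " is not set in secret-conf.properties");
        }
        try (InputStream in = new FileInputStream(location)) {
            secrets.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read secret repository file " + location, e);
        }
    }

    @Override
    public String getSecret(String alias) {
        String value = secrets.getProperty(alias);
        if (value != null) {
            return value;
        }
        // Delegate to the parent repository (set by Secure Vault) before giving up.
        return parent != null ? parent.getSecret(alias) : null;
    }

    @Override
    public String getEncryptedData(String alias) {
        // This example keeps no separate ciphertext, so the stored form is returned as-is.
        String value = secrets.getProperty(alias);
        if (value != null) {
            return value;
        }
        return parent != null ? parent.getEncryptedData(alias) : null;
    }

    @Override
    public void setParent(SecretRepository parent) {
        this.parent = parent;
    }

    @Override
    public SecretRepository getParent() {
        return parent;
    }

    /** Provider Secure Vault instantiates; its class name goes in secretRepositories.file.provider. */
    public static class Provider implements SecretRepositoryProvider {
        public SecretRepository getSecretRepository(IdentityKeyStoreWrapper identityKeyStoreWrapper,
                                                    TrustKeyStoreWrapper trustKeyStoreWrapper) {
            return new PropertiesSecretRepository(identityKeyStoreWrapper, trustKeyStoreWrapper);
        }
    }
}
```

Because this repository returns null for an alias that neither it nor its parent holds, a mistyped alias in master-datasources.xml surfaces as a failed lookup at startup rather than as the literal placeholder text being used as the password.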

Using a custom keystore

You can use a new keystore for Secure Vault instead of using the wso2carbon.jks keystore that is shipped with the product by default.

  1. Create a new keystore.
  2. Then, change your keystore location (keystore.identity.location) in the secret-conf.properties file (stored in the <PRODUCT_HOME>/repository/conf/security/ directory) to the location of your new keystore file.