Tuesday, January 24, 2017

Encrypting passwords in WSO2 APIM 2.0.0

WSO2 products support encrypting passwords that are stored in configuration files using secure vault.
You can find the detailed documentation on how to apply secure vault to WSO2 products here.

This post provides the instructions required to apply secure vault to WSO2 APIM 2.0.0.

1. Using the automatic approach to encrypt the passwords given in XML configuration files.


Most of the passwords in WSO2 APIM 2.0.0 are in XML configuration files, so you can follow the instructions given here to encrypt them.



2. Encrypting passwords in jndi.properties file and log4j.properties files.


As in the section above, passwords in XML configurations can be referred to in the cipher-tool.properties file via XPaths, so the cipher tool can automatically replace the plain-text passwords in XML configuration files.

However, passwords in files such as jndi.properties and log4j.properties need to be encrypted manually.

  • Encrypting passwords in jndi.properties file.
Since the passwords in jndi.properties are embedded in the connection URLs of connectionfactory.TopicConnectionFactory and connectionfactory.QueueConnectionFactory, the complete connection URL has to be encrypted.

Assume that I have my connection URLs as below.


connectionfactory.TopicConnectionFactory = amqp://admin:admin@clientid/carbon?brokerlist='tcp://localhost:5672'

connectionfactory.QueueConnectionFactory = amqp://admin:admin@clientID/test?brokerlist='tcp://localhost:5672'

First I will encrypt the connection URL of connectionfactory.TopicConnectionFactory.
For that I run ciphertool, which prompts me to enter the plain-text password.

So I gave amqp://admin:admin@clientid/carbon?brokerlist='tcp://localhost:5672'

It returned the encrypted value shown below.



Now I have to update the cipher-text.properties file with the encrypted string as below. As the alias I used connectionfactory.TopicConnectionFactory.

connectionfactory.TopicConnectionFactory=hY17z32eA/AWzsGuJPf+XNgd5YkhgYkAgxse/JoPIUmxDMl6XnDen+JN7319tRS8aYLN1LcKOgOpUpbm9DAKfm/zXXGdLPLb7QzCCabkAXEtiloH02jMyNYjvUd9cLFksNojaJyZT6c5j4Je4niRuRjr/scyhzBsQ6L3HHJ5hkQ=

Similarly I encrypted the connection URL of connectionfactory.QueueConnectionFactory and updated the cipher-text.properties file.

connectionfactory.QueueConnectionFactory=c3uectqczNf28SOTW3IFYcj4Sk6ZhdXaFd1ie44XCvA4q4McKFGn1FdicscVvXTD2pp8zVZkDoFE3PQ23J85+QoCOy7jICfLwagkbqi8fSlJcjorhMEOzMJ7xgzFrEJ/AnOHHJqw3vsh/NU13wG3dNy0QRkfYWzQWmfp+i9HeL0=

Then I have to modify the jndi.properties file to use the alias values instead of the plain-text URLs. For that, update it as below.

connectionfactory.TopicConnectionFactory = secretAlias:connectionfactory.TopicConnectionFactory

connectionfactory.QueueConnectionFactory = secretAlias:connectionfactory.QueueConnectionFactory

  • Encrypting passwords in log4j.properties file.
Similarly, we can encrypt the password of log4j.appender.LOGEVENT.password in log4j.properties, add the encrypted string to cipher-text.properties, and update log4j.properties with the alias.

log4j.appender.LOGEVENT.password=secretAlias:log4j.appender.LOGEVENT.password
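The manual procedure above has two places to get wrong: a plain-text secret left behind in a .properties file, and a secretAlias reference whose alias has no matching entry in cipher-text.properties (the server then cannot resolve the secret at start-up). The following script is an added example, not part of the original post and not WSO2's own tooling; it parses the three files as plain Java properties, rewrites chosen keys to secretAlias references (returning the alias-to-plaintext pairs you still have to feed to ciphertool, since the RSA encryption itself stays in ciphertool), and audits the result. File contents, the hypothetical `audit` and `vault_keys` helpers and the placeholder ciphertext values are all constructed here.

```python
"""Secure-vault sanity check for WSO2 .properties files (added example; assumptions
are marked in comments). Flags plain-text secrets, including amqp:// URLs with
embedded user:password, and secretAlias references with no cipher-text entry."""
import re

SECRET_ALIAS_PREFIX = "secretAlias:"
# A URL such as amqp://admin:admin@clientid/carbon carries credentials before '@'.
URL_WITH_CREDENTIALS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)
# key = value, optional surrounding whitespace; '#' and '!' start comments
PROP_LINE = re.compile(r"^\s*([^=:\s#!]+)\s*[=:]?\s*(.*)$")

# Constructed sample files (the URLs mirror the post; ciphertext values are placeholders)
JNDI_BEFORE = """\
connectionfactory.TopicConnectionFactory = amqp://admin:admin@clientid/carbon?brokerlist='tcp://localhost:5672'
connectionfactory.QueueConnectionFactory = amqp://admin:admin@clientID/test?brokerlist='tcp://localhost:5672'
"""
JNDI_AFTER = """\
connectionfactory.TopicConnectionFactory = secretAlias:connectionfactory.TopicConnectionFactory
connectionfactory.QueueConnectionFactory = secretAlias:connectionfactory.QueueConnectionFactory
"""
CIPHER_TEXT = """\
# alias=ciphertext as written by ciphertool (placeholder values, not real output)
connectionfactory.TopicConnectionFactory=<ciphertext-placeholder-1>
connectionfactory.QueueConnectionFactory=<ciphertext-placeholder-2>
"""
LOG4J_AFTER = "log4j.appender.LOGEVENT.password=secretAlias:log4j.appender.LOGEVENT.password\n"


def parse_properties(text):
    """Parse a Java .properties file into a dict (comments and blank lines skipped)."""
    props = {}
    for raw in text.splitlines():
        m = PROP_LINE.match(raw)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def vault_keys(config_text, keys):
    """Replace the values of `keys` with secretAlias references (alias == key).
    Returns (rewritten_text, {alias: plaintext}); the plaintexts are what you
    paste into ciphertool's prompt, and its output goes into cipher-text.properties."""
    to_encrypt, out = {}, []
    for raw in config_text.splitlines():
        m = PROP_LINE.match(raw)
        if m and m.group(1) in keys:
            key = m.group(1)
            to_encrypt[key] = m.group(2).strip()
            out.append(f"{key}={SECRET_ALIAS_PREFIX}{key}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n", to_encrypt


def audit(config_text, cipher_text):
    """Return (plaintext_keys, dangling_alias_keys) for one configuration file."""
    config, ciphers = parse_properties(config_text), parse_properties(cipher_text)
    plaintext, dangling = [], []
    for key, value in config.items():
        if value.startswith(SECRET_ALIAS_PREFIX):
            alias = value[len(SECRET_ALIAS_PREFIX):]
            if not ciphers.get(alias):          # alias missing or empty ciphertext
                dangling.append(key)
        elif URL_WITH_CREDENTIALS.match(value) or key.lower().endswith("password"):
            plaintext.append(key)               # secret still in clear
    return plaintext, dangling


if __name__ == "__main__":
    rewritten, pending = vault_keys(JNDI_BEFORE, ["connectionfactory.TopicConnectionFactory"])
    print("feed to ciphertool:", pending)
    print("jndi.properties after partial vaulting:", audit(rewritten, CIPHER_TEXT))
    print("jndi.properties fully vaulted:", audit(JNDI_AFTER, CIPHER_TEXT))
    print("log4j.properties with empty cipher-text:", audit(LOG4J_AFTER, ""))
```

Run it against the real files by reading `jndi.properties`, `log4j.properties` and `cipher-text.properties` from the repository/conf directories in place of the constructed strings; an empty `dangling` list for every file is the condition to check before restarting the server.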


That's it. 

Now when you start the server, provide the keystore password, which is used to decrypt the passwords at run time.

