Tuesday, January 24, 2017

Encrypting passwords in WSO2 APIM 2.0.0

WSO2 products support encrypting the passwords stored in configuration files using secure vault.
You can find the detailed documentation on how to apply secure vault to WSO2 products here.

This post provides the instructions required to apply secure vault to WSO2 APIM 2.0.0.

1. Using the automatic approach to encrypt the passwords given in XML configuration files.

Most of the passwords in WSO2 APIM 2.0.0 are in XML configuration files. Therefore you can follow the instructions given here to encrypt them.

2. Encrypting passwords in the jndi.properties and log4j.properties files.

As in the section above, passwords in XML configuration files can be referenced in the cipher-tool.properties file via XPaths. Therefore cipher-tool can automatically replace the plain text passwords in XML configuration files.

However, passwords in files such as jndi.properties and log4j.properties need to be encrypted manually.

  • Encrypting passwords in jndi.properties file.
Since passwords in jndi.properties file are embedded into the connection URLs of connectionfactory.TopicConnectionFactory and connectionfactory.QueueConnectionFactory, we have to encrypt the complete connection URL. 

Assume that I have my connection URLs as below.

connectionfactory.TopicConnectionFactory = amqp://admin:admin@clientid/carbon?brokerlist='tcp://localhost:5672'

connectionfactory.QueueConnectionFactory = amqp://admin:admin@clientID/test?brokerlist='tcp://localhost:5672'

First I will be encrypting the connection URL of connectionfactory.TopicConnectionFactory.
For that I am going to execute ciphertool which will prompt me to enter the plain text password.

So I gave amqp://admin:admin@clientid/carbon?brokerlist='tcp://localhost:5672'

It returned me the encrypted value as below.

Now I have to update the cipher-text.properties file with the encrypted string as below. As the alias I used connectionfactory.TopicConnectionFactory


Similarly I encrypted the connection URL of connectionfactory.QueueConnectionFactory and updated the cipher-text.properties file.


Then I have to modify the jndi.properties file with the alias values instead of the plain text URLs. For that update it as below.

connectionfactory.TopicConnectionFactory = secretAlias:connectionfactory.TopicConnectionFactory

connectionfactory.QueueConnectionFactory = secretAlias:connectionfactory.QueueConnectionFactory

  • Encrypting passwords in log4j.properties file.
In the same way, we can encrypt the password of log4j.appender.LOGEVENT.password in the log4j.properties file, add the encrypted string to cipher-text.properties, and update the log4j.properties file with the alias.


That's it. 

Now when you start the server, provide the keystore password, which will be used to decrypt the passwords at runtime.
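Before starting the server, it is worth checking that no plain text credential was left behind and that every alias resolves. The following is an added example, not part of the original post or of WSO2's tooling: a small audit over the three files, using constructed sample contents, a placeholder for the encrypted value, and the assumption that log4j.properties uses the same secretAlias: form shown above for jndi.properties.

```python
import re

# Constructed sample contents; the encrypted value is a placeholder.
JNDI = """\
connectionfactory.TopicConnectionFactory = secretAlias:connectionfactory.TopicConnectionFactory
connectionfactory.QueueConnectionFactory = amqp://admin:admin@clientID/test?brokerlist='tcp://localhost:5672'
"""
LOG4J = "log4j.appender.LOGEVENT.password=secretAlias:log4j.appender.LOGEVENT.password\n"
CIPHER_TEXT = "connectionfactory.TopicConnectionFactory=PLACEHOLDER_ENCRYPTED_VALUE\n"

ALIAS_PREFIX = "secretAlias:"
URL_CREDS = re.compile(r"\w+://[^/\s:@]+:[^/\s@]+@")  # user:password@ inside a URL

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(config_text, cipher_text, watched):
    """Return (key, problem) findings for the keys selected by watched(key)."""
    aliases = parse_properties(cipher_text)
    findings = []
    for key, value in parse_properties(config_text).items():
        if not watched(key):
            continue
        if value.startswith(ALIAS_PREFIX):
            if not aliases.get(value[len(ALIAS_PREFIX):]):
                findings.append((key, "alias missing from cipher-text.properties"))
        elif URL_CREDS.search(value) or key.endswith(".password"):
            findings.append((key, "plain text credential"))
    return findings

def is_jndi_factory(key):
    return key.startswith("connectionfactory.")

def is_log4j_password(key):
    return key.endswith(".password")

if __name__ == "__main__":
    checks = (("jndi.properties", JNDI, is_jndi_factory),
              ("log4j.properties", LOG4J, is_log4j_password))
    for name, text, watched in checks:
        for key, problem in audit(text, CIPHER_TEXT, watched):
            print(f"{name}: {key}: {problem}")
```

On the sample data it reports the QueueConnectionFactory URL as still in plain text and the log4j alias as having no entry in cipher-text.properties.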

