Skip to main content

Configure "Secure Vault" to secure plain text passwords in WSO2 config files

If we take a WSO2 product, there are so many config files which contains plain text passwords. This blog post explains how we can secure those passwords.

Let's take WSO2 DAS . analytics-datasource.xml file and secure the password in following configuration.

<datasource>
<name>WSO2_ANALYTICS_EVENT_STORE_DB</name>
<description>The datasource used for analytics record store</description>
<definition type="RDBMS">
<configuration>
<url>jdbc:mysql://localhost:3306/das_event_store?autoReconnect=true</url>
<username>das_event_store</username>
<password>das_event_store_password</password>
<driverClassName>com.mysql.jdbc.Driver</driverClassName>
<maxActive>50</maxActive>
<maxWait>60000</maxWait>
<validationQuery>SELECT 1</validationQuery>
<defaultAutoCommit>false</defaultAutoCommit>
<initialSize>0</initialSize>
<testWhileIdle>true</testWhileIdle>
<minEvictableIdleTimeMillis>4000</minEvictableIdleTimeMillis>
</configuration>
</definition>
</datasource>
view raw WSO2_config_3 hosted with ❤ by GitHub

Step 1:
Go to <WSO2_DAS>/repository/conf/security and add the following line to the cipher-tool.properties file

Datasources.WSO2_ANALYTICS_EVENT_STORE_DB.Configuration.Password=repository/conf/datasources/analytics-datasources.xml//datasources-configuration/datasources/datasource[name='WSO2_ANALYTICS_EVENT_STORE_DB']/definition[@type='RDBMS']/configuration/password,true
view raw WSO2_config_4 hosted with ❤ by GitHub
Create alias with file path, xpath to the element and boolean value true.

Step 2:
Add the following line to the cipher-text.properties file.

Datasources.WSO2_ANALYTICS_EVENT_STORE_DB.Configuration.Password=[das_event_store_password]
view raw WSO2_config_5 hosted with ❤ by GitHub
You have to provide the alias with the plain text password

Step 3:
Go to <WSO2_DAS>/bin and execute ./ciphertool.sh -Dconfigure

This will,
- Encrypt the password defined in cipher-text.properties file
- Configure the analytics-datasauces.xml as follows

<datasource>
<name>WSO2_ANALYTICS_EVENT_STORE_DB</name>
<description>The datasource used for analytics record store</description>
<definition type="RDBMS">
<configuration>
<url>jdbc:mysql://localhost:3306/das_event_store?autoReconnect=true</url>
<username>das_event_store</username>
<password svns:secretAlias="Datasources.WSO2_ANALYTICS_EVENT_STORE_DB.Configuration.Password">password</password>
<driverClassName>com.mysql.jdbc.Driver</driverClassName>
<maxActive>50</maxActive>
<maxWait>60000</maxWait>
<validationQuery>SELECT 1</validationQuery>
<defaultAutoCommit>false</defaultAutoCommit>
<initialSize>0</initialSize>
<testWhileIdle>true</testWhileIdle>
<minEvictableIdleTimeMillis>4000</minEvictableIdleTimeMillis>
</configuration>
</definition>
</datasource>
view raw WSO2_config_6 hosted with ❤ by GitHub
Step 4: Restart the server.

How to change a password

Configure cipher-text.properties file with the password you want to change.  You need to remove the encrypted value and replace it with plain text password with  [ ] square brackets.
Execute the ./ciphertool.sh -Dconfigure
Start the server.

Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

How to generate random unique number in SOAP UI request

eg 1: ${=System.currentTimeMillis() + ((int)(Math.random()*10000))} eg 2: ${=java.util.UUID.randomUUID()} ${=java.util.UUID.randomUUID()} ${=System.currentTimeMillis() + ((int)(Math.random()*10000))} - See more at: http://tryitnw.blogspot.com/2014/03/generating-random-unique-number-in-soap.html#sthash.m2S4tUFu.dpuf ${=System.currentTimeMillis() + ((int)(Math.random()*10000))} - See more at: http://tryitnw.blogspot.com/2014/03/generating-random-unique-number-in-soap.html#sthash.m2S4tUFu.dpuf ${=System.currentTimeMillis() + ((int)(Math.random()*10000))} - See more at: http://tryitnw.blogspot.com/2014/03/generating-random-unique-number-in-soap.html#sthash.m2S4tUFu.dpuf
Post a Comment
Read more

WSO2 ESB communication with WSO2 ESB Analytics

This blog post is about how & what ports involved when connecting from WSO2 ESB to WSO2 ESB Analytics. How to configure: This document explains how to configure it https://docs.wso2.com/display/ESB500/Prerequisites+to+Publish+Statistics Let's say we have WSO2 ESB  and WSO2 ESB Analytics packs we want to run in same physical machine, then we have to offset one instance.  But we don't want to do that since WSO2 ESB Analytics by default come with the offset. So WSO2ESB will run on 9443 port, WSO2 ESB Analytics will run on 9444 port WSO2 ESB publish data to the WSO2 ESB Analytics via thrift. By default thrift port is 7611 and corresponding ssl thrift port is 7711 (7611+100), check the data-bridge-config.xml file which is in analytics server config directory .  Since we are shipping analytics products with offset 1 then thrift ports are 7612 and ssl port is 7712. Here, ssl port (7712) is used for initial authentication purposes of data publisher ...
Post a Comment
Read more

Tips on using environment variables in WSO2 Integration Cloud

Environment variables allow you to change an application's internal configuration without changing its source code. Let’s say you want to deploy the same application in development, testing  and production environments. Then database related configs and some other internal configurations may change from one environment to another. If we can define these configurations as an environment variables we can easily set those without changing the source code of that application. When you deploy your application in WSO2 Integration Cloud, it lets you define environment variables via the UI. Whenever you change the values of environment variables, you just need to redeploy the application for the changes to take effect. Predefined environment variables Key Concepts - Environment Variables   provides you some predefined set of environment variables which will be useful when deploying applications in WSO2 Integration Cloud. Sample on how to use environment variables ...
Post a Comment
Read more