When you are using WSO2 ESB to do some mediation, there are times when you have to send user credentials to the backend services for authentication and authorization purposes. In that case, you have to store the usernames and passwords in your synapse configuration. One problem with that approach is that other people get to see the credentials, which is not very secure.
To overcome that issue you can use the secure vault feature in ESB. What happens there is, first you create a registry entry for your password with an alias for the password. In the registry the password is NOT stored in plain text, but encrypted using the certificate in the wso2carbon.jks file. This entry is stored as a property under the location /_system/config/repository/components/secure-vault in the registry. Then in your synapse configuration you use the alias instead of the password, and use a custom XPath expression to look up the password from the registry and decrypt it before sending it to the endpoint.
First of all you need to configure the ciphering part. For that you need to configure the 'repository/conf/security/secret-conf.properties' file and add the following.
keystore.identity.location=<ESB_HOME_Absolute_path>/repository/resources/security/wso2carbon.jks
keystore.identity.type=JKS
keystore.identity.store.password=identity.store.password
keystore.identity.store.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
secretRepositories.file.provider=org.wso2.securevault.secret.repository.FileBaseSecretRepositoryProvider
secretRepositories.file.location=repository/conf/security/cipher-text.properties
secretRepositories=file
keystore.identity.key.password=identity.key.password
carbon.secretProvider=org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler
keystore.identity.key.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
keystore.identity.alias=wso2carbon
Restart the ESB server if you have already started it. Log in, and go to the "Manage Passwords" link under the "Secure Vault Tool" entry in the left-hand menu. On that page you can create a new password (or username) entry in the registry by providing a key (alias) and the actual password. Your password will then be stored in the registry encrypted with the key in wso2carbon.jks.
Now that setting up the alias is done, let's see how to retrieve it in your synapse configuration. You can use the custom XPath expression "wso2:vault-lookup('alias')" to retrieve the decrypted password mapped to the alias. See the example given below.
<log>
    <property name="Sec_Password" expression="wso2:vault-lookup('pass')"/>
</log>
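As an added example that is not part of the original post, here is how the same lookup is used in a proxy service to authenticate to a backend without any plain-text credential in the synapse configuration. The aliases backend_user and backend_pass, the proxy name and the endpoint URL are assumptions; base64Encode is the Synapse XPath extension function.

```xml
<proxy xmlns="http://ws.apache.org/ns/synapse" name="BackendProxy"
       transports="http https" startOnLoad="true">
    <target>
        <inSequence>
            <!-- Resolve the decrypted credentials from the secure vault at runtime.
                 The aliases backend_user and backend_pass are assumed to have been
                 created through the "Manage Passwords" page. -->
            <property name="bk_user" expression="wso2:vault-lookup('backend_user')"/>
            <property name="bk_pass" expression="wso2:vault-lookup('backend_pass')"/>
            <!-- Build the HTTP Basic Authorization header in the transport scope
                 so it is sent to the backend but never written into the config. -->
            <property name="Authorization"
                      expression="concat('Basic ', base64Encode(concat(get-property('bk_user'), ':', get-property('bk_pass'))))"
                      scope="transport"/>
            <!-- Drop the plain-text secret from the message context before the
                 message continues through the mediation flow. -->
            <property name="bk_pass" action="remove"/>
            <send>
                <endpoint>
                    <!-- Assumed backend address -->
                    <address uri="https://backend.example.com/service"/>
                </endpoint>
            </send>
        </inSequence>
        <outSequence>
            <send/>
        </outSequence>
    </target>
</proxy>
```

Note that the log mediator example above writes the decrypted value to the ESB log file, so use it only for verifying the setup; in a real flow, pass the looked-up value straight into the header or endpoint as shown here.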