Tuesday, July 24, 2012

WSO2 Autoscaler Service - Part II



This is a continuation of my series of posts on the WSO2 Autoscaler Service. If you missed Part I, please visit here. As I mentioned there, in this post I will show how we secure the confidential information specified in the configuration file.

How to use WSO2 Secure Vault to secure your confidential data?


WSO2 Secure Vault can be used to keep your confidential data from appearing in configuration files as plain text. In the WSO2 Autoscaler Service's configuration file, elastic-scaler-config.xml, we secure confidential information such as the identity and credential used to access your account on an IaaS provider.

I will go through the steps you need to follow in order to secure an example property value.

In elastic-scaler-config.xml we have an element called “identity” at “elasticScalerConfig/iaasProviders/iaasProvider[@type='ec2']/identity”. The exact element looks like this:
<identity svns:secretalias="elastic.scaler.ec2.identity"/>

Note that you don't need to provide your identity for a particular IaaS (EC2 in this example) here as plain text. Instead, a secret alias, “elastic.scaler.ec2.identity”, is defined as an attribute of the identity element.

First, add the following line (one line, shown here unwrapped) to “${CARBON_HOME}/repository/conf/security/cipher-tool.properties”:
elastic.scaler.ec2.identity=elastic-scaler-config.xml//elasticScalerConfig/iaasProviders/iaasProvider[@type='ec2']/identity,false

The structure of the above line is:
<secretAlias>=<nameOfTheConfigurationFile>//<XpathExpressionToThePropertyToBeSecured>,<whetherTheXmlElementStartsWithACapitalLetter>

Then edit the “${CARBON_HOME}/repository/conf/security/cipher-text.properties” file.
There, add your plain text confidential information against the secret alias:
elastic.scaler.ec2.identity=[abcd]
The structure of the above line is:
<secretAlias>=[<plainTextValue>]
Note that the plain text value must be enclosed in square brackets.

Now navigate to the “${CARBON_HOME}/bin” directory and run the following command:

./ciphertool.sh -Dconfigure
Type the primary keystore password of the Carbon server when prompted. The default value is “wso2carbon”.

That is it. If you now revisit the “${CARBON_HOME}/repository/conf/security/cipher-text.properties” file, you will see that all your plain text values have been replaced by cipher text.
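The steps above are easy to get slightly wrong: a typo in the XPath, a missing alias in cipher-text.properties, or simply forgetting to run ciphertool and leaving a bracketed plain text value behind. As an added example (not part of the original post and not WSO2's own tooling), the script below generates the cipher-tool.properties lines from the svns:secretalias attributes in a config file and audits cipher-text.properties for aliases that are missing or still in plain text. The config and properties content are constructed samples; the svns namespace URI and the cipher text value are assumptions and placeholders, respectively.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the namespace URI that Carbon configs declare for the svns prefix.
SVNS_NS = "http://org.wso2.securevault/configuration"
SECRET_ALIAS_ATTR = "{%s}secretalias" % SVNS_NS

# Constructed sample of the relevant part of elastic-scaler-config.xml.
SAMPLE_CONFIG = """<elasticScalerConfig xmlns:svns="http://org.wso2.securevault/configuration">
  <iaasProviders>
    <iaasProvider type="ec2">
      <identity svns:secretalias="elastic.scaler.ec2.identity"/>
      <credential svns:secretalias="elastic.scaler.ec2.credential"/>
    </iaasProvider>
  </iaasProviders>
</elasticScalerConfig>"""

# Constructed sample of cipher-text.properties after a partial ciphertool run:
# one alias already encrypted (placeholder value), one still in [brackets].
SAMPLE_CIPHER_TEXT = """# constructed sample
elastic.scaler.ec2.identity=PLACEHOLDER_BASE64_CIPHERTEXT==
elastic.scaler.ec2.credential=[my-secret-key]
"""

# A value still wrapped in square brackets is plain text ciphertool has not processed.
PLAINTEXT_RE = re.compile(r"^\[.*\]$")


def _step(elem):
    """One XPath step: the tag, plus a [@type='...'] predicate as in the post's path."""
    step = elem.tag
    if "type" in elem.attrib:
        step += "[@type='%s']" % elem.attrib["type"]
    return step


def find_secret_aliases(xml_text):
    """Return {alias: xpath} for every element carrying an svns:secretalias attribute."""
    root = ET.fromstring(xml_text)
    found = {}

    def walk(elem, path):
        here = path + [_step(elem)]
        alias = elem.attrib.get(SECRET_ALIAS_ATTR)
        if alias:
            found[alias] = "/".join(here)
        for child in elem:
            walk(child, here)

    walk(root, [])
    return found


def cipher_tool_lines(config_file, aliases):
    """Render cipher-tool.properties lines: alias=file//xpath,<startsWithCapital>."""
    lines = []
    for alias, xpath in sorted(aliases.items()):
        leaf = xpath.rsplit("/", 1)[-1]
        capital = "true" if leaf[0].isupper() else "false"
        lines.append("%s=%s//%s,%s" % (alias, config_file, xpath, capital))
    return lines


def audit_cipher_text(properties_text, aliases):
    """Classify each alias as 'missing', 'plaintext' (bracketed, ciphertool not yet
    run) or 'encrypted' based on its entry in cipher-text.properties."""
    values = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip()
    status = {}
    for alias in aliases:
        if alias not in values:
            status[alias] = "missing"
        elif PLAINTEXT_RE.match(values[alias]):
            status[alias] = "plaintext"
        else:
            status[alias] = "encrypted"
    return status


if __name__ == "__main__":
    aliases = find_secret_aliases(SAMPLE_CONFIG)
    for line in cipher_tool_lines("elastic-scaler-config.xml", aliases):
        print(line)
    for alias, state in audit_cipher_text(SAMPLE_CIPHER_TEXT, aliases).items():
        print("%-35s %s" % (alias, state))
```

Run it against the real files (read elastic-scaler-config.xml and cipher-text.properties from ${CARBON_HOME}/repository/conf) as a pre-deployment check; any alias reported as plaintext or missing means ciphertool still has work to do.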

3 comments:

Ashwini Kuntamukkala said...

How about attributes? catalina-server.xml has keystorePass as an attribute. How do we encrypt that? It seems to me that this utility does not work with attributes that need to be encrypted.

Nirmal Fernando said...

Hi Ashwini,

I think it's a limitation of the current implementation of Secure Vault; you may ask this query on dev@wso2.org.

Martin Brennan said...

Has there been any update to this? It's a bit pointless to encrypt this everywhere else and leave it as plain text in catalina-server.xml