This is a continuation of my series of posts on the WSO2 Autoscaler Service. If you missed Part I, please visit it here. As I mentioned there, in this post I will show how we secure the confidential information specified in the configuration file.
How to use WSO2 Secure Vault to secure your confidential data?
WSO2 Secure Vault can be used to keep your confidential data from appearing in configuration files as plain text. In the WSO2 Autoscaler Service's configuration file, i.e. elastic-scaler-config.xml, we secure confidential information such as the identity and credential used to access your account on an IaaS provider.
I will go through the steps you need to follow in order to secure an example property value.
In elastic-scaler-config.xml we have an element called “identity” at “elasticScalerConfig/iaasProviders/iaasProvider[@type='ec2']/identity”. The exact element structure is as follows.
<identity svns:secretalias="elastic.scaler.ec2.identity"/>
Note that you don't need to provide your identity for a particular IaaS (EC2 in the case of the example) here as plain text. Instead there is a secret alias defined as an attribute of the identity element, namely “elastic.scaler.ec2.identity”.
Firstly, you need to add the following line to “${CARBON_HOME}/repository/conf/security/cipher-tool.properties”.
elastic.scaler.ec2.identity=elastic-scaler-config.xml//elasticScalerConfig/iaasProviders/iaasProvider[@type='ec2']/identity,false
The structure of the above line is:
<secretAlias>=<nameOfTheConfigurationFile>//<XpathExpressionToThePropertyToBeSecured>,<whetherTheXmlElementStartsWithACapitalLetter>
Then you need to edit the “${CARBON_HOME}/repository/conf/security/cipher-text.properties” file.
There you need to add your plain-text confidential information against the secret alias.
elastic.scaler.ec2.identity=[abcd]
The structure of the above line is:
<secretAlias>=[<plainTextValue>]
Note that you need to put the plain-text value within square brackets.
Now navigate to the “${CARBON_HOME}/bin” directory and run the following command:
./ciphertool.sh -Dconfigure
Type the primary key store password of the Carbon Server when prompted. The default value is “wso2carbon”.
OK, that is it. Now if you revisit the “${CARBON_HOME}/repository/conf/security/cipher-text.properties” file, you will see that all your plain-text values have been replaced by cipher text.
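The three artefacts above (the cipher-tool.properties line, the bracketed cipher-text.properties entry, and the svns:secretalias attribute in elastic-scaler-config.xml) have to agree with each other before ciphertool.sh is run, and a mismatch is easy to miss by eye. The following pre-flight check is an added example, not code from the post or from WSO2: it parses constructed samples of the three files, resolves each XPath against the XML, and reports aliases whose value is not bracketed, whose element is missing or carries a different alias, or whose capital-letter flag disagrees with the element name. The sample values and the credential alias are constructed for illustration; the svns namespace URI is assumed to be the one WSO2 configuration files declare.

```python
import re
import xml.etree.ElementTree as ET

# Namespace the svns: prefix is assumed to map to in WSO2 configuration files.
SVNS = "http://org.wso2.securevault/configuration"
SECRETALIAS_ATTR = "{%s}secretalias" % SVNS

# Constructed sample of cipher-tool.properties: alias=file//xpath,startsWithCapital
CIPHER_TOOL_PROPERTIES = """\
elastic.scaler.ec2.identity=elastic-scaler-config.xml//elasticScalerConfig/iaasProviders/iaasProvider[@type='ec2']/identity,false
elastic.scaler.ec2.credential=elastic-scaler-config.xml//elasticScalerConfig/iaasProviders/iaasProvider[@type='ec2']/credential,false
"""

# Constructed sample of cipher-text.properties before ciphertool runs.
# The second entry deliberately lacks the square brackets the post requires.
CIPHER_TEXT_PROPERTIES = """\
elastic.scaler.ec2.identity=[abcd]
elastic.scaler.ec2.credential=not-bracketed-secret
"""

# Constructed sample of elastic-scaler-config.xml with secret aliases.
ELASTIC_SCALER_CONFIG = """\
<elasticScalerConfig xmlns:svns="http://org.wso2.securevault/configuration">
  <iaasProviders>
    <iaasProvider type="ec2">
      <identity svns:secretalias="elastic.scaler.ec2.identity"/>
      <credential svns:secretalias="elastic.scaler.ec2.credential"/>
    </iaasProvider>
  </iaasProviders>
</elasticScalerConfig>
"""

BRACKETED = re.compile(r"^\[.*\]$", re.DOTALL)


def parse_cipher_tool(text):
    """Parse 'alias=file//xpath,flag' lines into {alias: {file, xpath, capital}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        alias, _, spec = line.partition("=")
        location, _, flag = spec.rpartition(",")
        filename, _, xpath = location.partition("//")
        entries[alias.strip()] = {
            "file": filename.strip(),
            "xpath": xpath.strip(),
            "capital": flag.strip().lower() == "true",
        }
    return entries


def parse_cipher_text(text):
    """Parse 'alias=value' lines of cipher-text.properties into a dict."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        alias, _, value = line.partition("=")
        values[alias.strip()] = value.strip()
    return values


def find_element(root, xpath):
    """Resolve the properties-file XPath (root element first) with ElementTree's XPath subset."""
    head, _, rest = xpath.partition("/")
    if head != root.tag:
        return None
    return root if not rest else root.find(rest)


def check_secure_vault(tool_props, text_props, config_xml):
    """Return a list of human-readable problems; an empty list means the three files agree."""
    tool = parse_cipher_tool(tool_props)
    text = parse_cipher_text(text_props)
    root = ET.fromstring(config_xml)
    problems = []
    for alias, spec in tool.items():
        if alias not in text:
            problems.append("%s: no entry in cipher-text.properties" % alias)
        elif not BRACKETED.match(text[alias]):
            problems.append("%s: value is not wrapped in [square brackets], ciphertool will not encrypt it" % alias)
        # The trailing flag must match whether the target element name is capitalised.
        leaf = spec["xpath"].rsplit("/", 1)[-1].split("[", 1)[0]
        if leaf[:1].isupper() != spec["capital"]:
            problems.append("%s: capital-letter flag does not match element name '%s'" % (alias, leaf))
        elem = find_element(root, spec["xpath"])
        if elem is None:
            problems.append("%s: xpath '%s' matches nothing in %s" % (alias, spec["xpath"], spec["file"]))
        elif elem.get(SECRETALIAS_ATTR) != alias:
            problems.append("%s: element carries svns:secretalias=%r instead" % (alias, elem.get(SECRETALIAS_ATTR)))
        elif elem.text and elem.text.strip():
            problems.append("%s: element still contains plain-text content" % alias)
    for alias in text:
        if alias not in tool:
            problems.append("%s: in cipher-text.properties but not in cipher-tool.properties" % alias)
    return problems


if __name__ == "__main__":
    for problem in check_secure_vault(CIPHER_TOOL_PROPERTIES, CIPHER_TEXT_PROPERTIES, ELASTIC_SCALER_CONFIG):
        print(problem)
```

Run against the constructed samples it reports only the unbracketed credential entry; point the three constants at your real files (read from ${CARBON_HOME}/repository/conf) to run the same check before invoking ciphertool.sh, and extend the XML probe if your deployment has a default namespace on the root element, since ElementTree then reports the root tag in Clark notation.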
3 comments:
How about attributes? catalina-server.xml has keystorePass as an attribute. How do we encrypt that? It seems to me that this utility does not work with attributes that need to be encrypted.
Hi Ashwini,
I think it's a limitation of the current implementation of Secure Vault; you may ask this query on dev@wso2.org.
Has there been any update to this? It's a bit pointless to encrypt this everywhere else and leave it as plain text in catalina-server.xml