The Secure Vault tool, which is available in Carbon servers, encrypts passwords that are configured in plain text in the configuration files. The tool can be used directly for passwords configured in carbon.xml, axis2.xml, datasources.xml, etc. It cannot be used directly in the mediation configuration, where we might provide passwords to make secured connections to basic auth protected endpoints.
In the older versions of ESB/APIM, we provide the basic auth header by setting the "Authorization" transport header, where the password was in plain text.
Eg:
In the newer versions (AM 1.6.0 / ESB 4.8.0 onwards), the user can store the encrypted password in the registry, and the 'alias' can be used to refer to the stored password.
Eg:
<property name="secPassword" expression="wso2:vault-lookup('securedDS.endpoint.password')"/>
- securedDS.endpoint.password: the password alias, which is stored in the config registry under /repository/components/secure-vault
- wso2:vault-lookup: a custom XPath implementation for Synapse to do lookups. To use this custom XPath function, the user needs to add the following Synapse property in the synapse.properties file.
In API Manager:
- If the user needs to encrypt the password in the mediation configuration, they have to enable the <EnableSecureVault> property in api-manager.xml and run the cipher tool before running the product.
- The cipher tool is available in the /bin folder.
- # ciphertool.bat/sh -Dconfigure
- When the user enables the Secure Vault option and publishes an API via the publisher UI, the created API configuration will have Secure Vault enabled password protection. The user can check the alias configured in the API configuration and map it to the configuration registry entry. The alias is created by concatenating publisherName+apiName+version.
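To find mediation configurations that still use the older plain-text "Authorization" transport header, and to list the vault aliases already in use so they can be matched against the registry, a check like the following can be run over sequence or API XML files. This is an added example, not code from the original post or from WSO2; the sample sequence, the credentials in it and the function names are constructed for illustration.

```python
"""Audit Synapse mediation XML for hard-coded Basic auth headers."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

VAULT_RE = re.compile(r"wso2:vault-lookup\('([^']+)'\)")

# Constructed sample sequence (illustrative, not from the original page).
SAMPLE = """<sequence xmlns="http://ws.apache.org/ns/synapse" name="demo">
  <property name="Authorization" value="Basic YWRtaW46czNjcmV0" scope="transport"/>
  <property name="secPassword" expression="wso2:vault-lookup('securedDS.endpoint.password')"/>
  <property name="Authorization" scope="transport"
            expression="fn:concat('Basic ', base64Encode(fn:concat('admin:', get-property('secPassword'))))"/>
</sequence>"""


def decode_user(token):
    """Return the user name from a Basic token, or None if it does not decode."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = raw.partition(":")  # the password is never reported
    return user if sep else None


def audit(xml_text):
    """Return (findings, aliases) for one mediation configuration."""
    findings, aliases = [], []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "property":
            continue
        # Collect every alias referenced through wso2:vault-lookup.
        aliases += VAULT_RE.findall(el.get("expression", ""))
        value = el.get("value", "")
        # A literal value on an Authorization property is the plain-text case.
        if el.get("name", "").lower() != "authorization":
            continue
        if not value.lower().startswith("basic "):
            continue
        user = decode_user(value[6:].strip())
        findings.append({"user": user, "scope": el.get("scope")})
    return findings, aliases


if __name__ == "__main__":
    hardcoded, used_aliases = audit(SAMPLE)
    print("hard-coded Basic headers:", hardcoded)
    print("vault aliases referenced:", used_aliases)
```

Each alias reported should have a matching entry under /repository/components/secure-vault in the config registry; each hard-coded finding is a credential to rotate and move into the vault.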