Sunday, August 12, 2012

Secure plain text passwords in WSO2 Carbon configuration files

Please visit new my blog for this blog post from here

If you go through the conf directory of WSO2 products, there are some configuration file, that contains secret informations such as passwords...This blog post describes how we can secure the plain text passwords in these configuration files. This [1] document gives you clear understanding about secure vault implementation. But here i am going step by step to configure it. Please note this configurations only valid for carbon 3.2.X products.  But with 4.0.X release, steps are same..  but there are new configurations files....  as an example,  we have "master-datasources.xml" file which can be found in "conf/datasources".  In this file, we are configuring all data source related configurations...  Therefore database configuring passwords would be in this file.   

First, let see what are the secret information that can be secured. Following are the alias names and secrets of carbon configuration files.  

1. in user-mgt.xml  

UserManager.AdminUser.Password -> Admin User password in user-mgt.xml
UserManager.Configuration.Property.password -> User Manager database connection password in user-mgt.xml  
(Only in 3.2.X)
UserStoreManager.Property.ConnectionPassword -> User store connection password in user-mgt .xml 

2. in registry.xml (Only in 3.2.X )

wso2registry.[Registry Name].password -> Registry database connection password in registry.xml 

3. in carbon.xml

Carbon.Security.KeyStore.Password- > Keystore password of Carbon server in carbon.xml
Carbon.Security.KeyStore.KeyPassword -> Private key password of Carbon server in carbon.xml
Carbon.Security.TrustStore.Password -> Trust store password of Carbon server in carbon.xml 

4. in mgt-transport.xml   (Only in 3.2.X )

transports.https.keystorePass -> SSL key and keystore password in mgt-transport.xml 

5.  master-datasources.xml  (With Carbon 4.0.X Only)

Datasources.[Data source name].Configuration.Password  ->  Database connection password of defined data source.  There can be more than one datasource configurations in this file.

Also by using secure vault you can secure the passwords in axis2.xml file, i.e.

Axis2.Https.Listener.TrustStore.Password -> NIO Listener SSL trust store password in axis2.xml
Axis2.Https.Listener.KeyStore.Password -> NIO Listener SSL keystore store password in axis2.xml
Axis2.Https.Listener.KeyStore.KeyPassword -> NIO Listener SSL key password in axis2.xml
Axis2.Https.Sender.TrustStore.Password -> NIO Sender SSL trust store password in axis2.xml
Axis2.Https.Sender.KeyStore.Password -> NIO Sender SSL key store password in axis2.xml
Axis2.Https.Sender.KeyStore.KeyPassword -> NIO Sender SSL key password in axis2.xml
Axis2.Mailto.Parameter.Password -> Email sender password in axis2.xml 

Step 1.   Locate which can be found at <CARBON_HOME>/repository/conf directory in your WSO2 product.  This file contains the alias names and the corresponding plain text password in square brackets. 

If you can not find this file in your product, Please download it from this svn location [2]  and copy to above location. 

Step 2.  Configure file with your passwords. 

As an example, I want to secure keystore passwords of carbon.xml file (You should secured them as encryption is done with it) ,  both database and LDAP connection password of user-mgt.xml file.  My would be as follows,




Step 3. Locate  "ciphertool" script which can be found at <CARBON_HOME>/bin directory. If you can not find this file in your product, Please download it from this svn location [3]  and copy to above location.

Step 4. Run "ciphertool" script with -Dconfigure option.  

as an example in UNIX,

>  -Dconfigure

This script does followings 
1. encrypt the passwords defined in file
2. remove plain text passwords in conf files.
3. configure file

Step 5. Check above mentioned files, are properly configured. 

Step 6. Start server.     in startup, server would promote for  master password (i.e is key store password) you need to provide it. 

Personally, I do not like to provide master password each server startup,  although it is one of a secured way to provide it....  This is the default way of providing the master password according to this [4].  You can write your own implementation for this. Therefore i just write a simple implementation for this where i have hard coded my master password. Please find the my project from here [5]. 

Let see how we can configure new master password callback handler

1. Replace the default password handler class name (org.wso2.carbon.securevault.DefaultSecretCallbackHandler) from file and configure my own one (com.sample.password.callback.handler.HardCodedSecretCallbackHandler). 

2. Copy own implementations as a jar file in to <CARBON_HOME>/repository/components/lib directory 

3. If you have secured the passwords in mgt-transport.xml file, Please Copy your jar file to <CARBON_HOME>/lib/api directory.

4. Restart the server.

Links again :) 


1 comment: