WSO2 Secure Vault for WSO2 Open Banking

Ishara Ilangasinghe
2 min read · Jan 17, 2020

The WSO2 Open Banking solution consists of WSO2 API Manager and WSO2 Identity Server (acting as the Key Manager). Both products ship several configuration files that store passwords in plain text. With the WSO2 Secure Vault implementation, those plaintext passwords can be replaced with encrypted values.

Let’s encrypt the password value under the <APISecurity> element in open-banking.xml using Secure Vault.

1. Open the <WSO2_OB_KM_HOME>/repository/conf/security/cipher-tool.properties file.

This file lists the configuration files in which the passwords that require encryption are located. Each entry uses the following format:

<alias>=<file_path>//<xpath>,<true/false>
  • <alias>: The hardcoded value in the relevant Carbon component.
  • <file_path>: The path to the XML file that contains the password, either an absolute path or a path relative to WSO2_OB_KM_HOME.
  • <xpath>: The XPath to the XML element/attribute/tag whose value needs to be encrypted.
  • <true/false>: The flag. Set it to true if you are encrypting the tag of an XML attribute. Set it to false if you are encrypting the value of an XML element (the common case, used below) or the value of an XML attribute’s tag.

For example, open the <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml file and look at the <APISecurity> element:

<APISecurity>
    <Global>
        <Username>admin@wso2.com</Username>
        <Password>wso2123</Password>
    </Global>
</APISecurity>

To encrypt this password, the cipher-tool.properties file should contain the following entry:

APISecurity.Global.Password=repository/conf/finance/open-banking.xml//APISecurity/Global/Password,false
  • We want to encrypt the value of the <Password> XML element, so the flag is set to false.

2. Open the <WSO2_OB_KM_HOME>/repository/conf/security/cipher-text.properties file.

This file contains the secret alias names and the corresponding plaintext passwords, enclosed in square brackets:

<alias>=[plain_text_password]

So, for the above example, the entry for this file should be:

APISecurity.Global.Password=[wso2123]

3. Open a terminal in the <WSO2_OB_KM_HOME>/bin directory, which contains the cipher tool, and execute the cipher tool script with the following command:

./ciphertool.sh -Dconfigure

4. Provide the keystore password when prompted to start the encryption process.

Now, verify that the password was encrypted:

  • Open the <WSO2_OB_KM_HOME>/repository/conf/security/cipher-text.properties file and check that the bracketed plaintext password has been replaced by a cipher value (the trailing \=\= is Java properties escaping of the Base64 padding):
APISecurity.Global.Password=Ql3dikNnNj8PP8L3yAMj18XCVKWwA7nnBgEyUG8GwMY2I/Z+i+6DOx3PE4Knn01aYO732IlhSHlrOM61sE++UEbWjX/mAH7ussXjvGQmM3eoOTePG0hJrxXTYWVxsqNp+AlJ2URBFtWIHkdx/DoePwKP2gPW6U6DNEt+XBJhg+XYvycJ88RRZZMfEQWJ/N2wFiTsI5Fej2L/t9nLv8lUh+WbWj04fdVZ+luJ9UH4qZxU/4+a7BjzrHKVuLf4U+17DjDFtgUnabmPpXJYTNAJgodD/XgOaXVcgxMu5oiOVqbvSbmfJYKyGHz52MF3DZ4ENEsnoMww8cXvEs8uaG/LCA\=\=

A file named secret-conf.properties is created in the <WSO2_OB_KM_HOME>/repository/conf/security/ directory once you run the cipher tool. This file contains the keystore location and related configuration. The encrypted values are decrypted at server startup with the private key in that keystore, so the keystore file and its password now protect every secret listed in cipher-text.properties.
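Before running the cipher tool it is worth checking that the two properties files agree with each other and with the XML they point at: an alias with a typo, a stale bracketed plaintext, or an XPath that does not resolve means the tool encrypts the wrong secret or silently leaves the plaintext in place. The script below is an added example (not WSO2 code and not from the original article) that parses the cipher-tool.properties format described in step 1 and the cipher-text.properties format from step 2, resolves each XPath against the target XML, and reports mismatches; after the tool has run, it reports any alias still holding a bracketed plaintext. It assumes a cipher-tool.properties XPath is absolute, starting at the XML document’s root element (as carbon.xml’s `Server/...` entries read), and that a trailing `@name` segment addresses an attribute; the function names and all sample inputs are this example’s own, constructed from the alias, path and XPath used in the article.

```python
"""Consistency checks for WSO2 cipher tool inputs (added example, not WSO2 code)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional, Tuple


class ToolEntry(NamedTuple):
    alias: str
    file_path: str   # relative to <WSO2_OB_KM_HOME>
    xpath: str
    flag: bool       # the trailing true/false (true = XML attribute, per the article)


# <alias>=<file_path>//<xpath>,<true/false>; the lazy ".*?" splits at the first "//"
_TOOL_LINE = re.compile(r"^(?P<alias>[^=\s]+)=(?P<file>.*?)//(?P<xpath>[^,]+),(?P<flag>true|false)$")
_BRACKETED = re.compile(r"^\[(?P<plain>.*)\]$")


def parse_cipher_tool(text: str) -> Dict[str, ToolEntry]:
    """Parse cipher-tool.properties into alias -> ToolEntry; rejects malformed lines."""
    entries: Dict[str, ToolEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _TOOL_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed cipher-tool.properties line: {line!r}")
        entries[m["alias"]] = ToolEntry(m["alias"], m["file"], m["xpath"], m["flag"] == "true")
    return entries


def parse_cipher_text(text: str) -> Dict[str, Tuple[bool, str]]:
    """Parse cipher-text.properties into alias -> (still_plaintext, value).

    A bracketed value is a plaintext the tool has not replaced yet; an encrypted
    value is stored with Java properties escaping, i.e. "\\=" for "=".
    """
    secrets: Dict[str, Tuple[bool, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        alias, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed cipher-text.properties line: {line!r}")
        m = _BRACKETED.match(value)
        secrets[alias] = (True, m["plain"]) if m else (False, value.replace("\\=", "="))
    return secrets


def resolve_xpath(xml_text: str, xpath: str) -> Optional[str]:
    """Return the element text or attribute the cipher-tool XPath addresses, or None."""
    root = ET.fromstring(xml_text)
    root_name, _, rest = xpath.strip("/").partition("/")
    if root_name != root.tag:          # assumption: path starts at the document root
        return None
    segments = rest.split("/") if rest else []
    attr = segments.pop()[1:] if segments and segments[-1].startswith("@") else None
    elem = root if not segments else root.find("/".join(segments))  # predicates ok
    if elem is None:
        return None
    return elem.get(attr) if attr is not None else (elem.text or "").strip()


def preflight(tool_text: str, secret_text: str, config_files: Dict[str, str]) -> List[str]:
    """Problems to fix before running `ciphertool.sh -Dconfigure` (empty = ok)."""
    problems: List[str] = []
    entries, secrets = parse_cipher_tool(tool_text), parse_cipher_text(secret_text)
    for alias, entry in entries.items():
        xml = config_files.get(entry.file_path)
        if xml is None:
            problems.append(f"{alias}: config file {entry.file_path} not found")
            continue
        current = resolve_xpath(xml, entry.xpath)
        if current is None:
            problems.append(f"{alias}: XPath {entry.xpath} does not resolve in {entry.file_path}")
        elif alias not in secrets:
            problems.append(f"{alias}: no entry in cipher-text.properties")
        elif secrets[alias][0] and secrets[alias][1] != current:
            problems.append(f"{alias}: bracketed plaintext differs from the value in the XML")
    problems += [f"{a}: in cipher-text.properties but not in cipher-tool.properties"
                 for a in secrets if a not in entries]
    return problems


def leftover_plaintext(secret_text: str) -> List[str]:
    """Aliases that still carry a bracketed plaintext after the tool has run."""
    return sorted(a for a, (plain, _) in parse_cipher_text(secret_text).items() if plain)


# --- constructed sample inputs; alias, path and XPath follow the article ---
SAMPLE_OPEN_BANKING_XML = """<APISecurity>
  <Global>
    <Username>admin@wso2.com</Username>
    <Password>wso2123</Password>
  </Global>
</APISecurity>"""
SAMPLE_CONFIG_FILES = {"repository/conf/finance/open-banking.xml": SAMPLE_OPEN_BANKING_XML}
SAMPLE_CIPHER_TOOL = ("APISecurity.Global.Password="
                      "repository/conf/finance/open-banking.xml//APISecurity/Global/Password,false\n")
SAMPLE_CIPHER_TEXT_BEFORE = "APISecurity.Global.Password=[wso2123]\n"
# shortened, made-up ciphertext in the escaped form the tool writes
SAMPLE_CIPHER_TEXT_AFTER = "APISecurity.Global.Password=Ql3dikNnNj8PP8L3yAMj18XCVKWwA7nn\\=\\=\n"

if __name__ == "__main__":
    print("preflight:", preflight(SAMPLE_CIPHER_TOOL, SAMPLE_CIPHER_TEXT_BEFORE, SAMPLE_CONFIG_FILES) or "ok")
    print("still plaintext:", leftover_plaintext(SAMPLE_CIPHER_TEXT_AFTER) or "none")
```

Run it from <WSO2_OB_KM_HOME> with the real files read from disk in place of the sample strings; an empty preflight list before step 3 and an empty leftover list after step 4 are the two results you want to see.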
