This repository was archived by the owner on Oct 5, 2021. It is now read-only.

Applying Carbon Secure Vault for WSO2 Products

Thanuja Uruththirakodeeswaran edited this page Aug 3, 2016 · 2 revisions

Carbon Secure Vault enables encryption of sensitive configuration data, such as KeyStore passwords, in WSO2 product deployments. wso2/puppet-modules supports configuring Secure Vault through Hiera.

Configuring KeyStores

Several KeyStores are used in WSO2 products for different features, and the references to those KeyStores are templated into the product configuration files. The KeyStores are defined in the common.yaml file (<PUPPET_HOME>/hieradata/dev/wso2/common.yaml) with the default values shown below; custom KeyStore files can be configured by changing these entries as needed. KeyStore passwords are defined separately at the bottom as flat Hiera key-value pairs and referenced from the wso2::key_stores hash through Hiera lookups. The password values shown are the well-known WSO2 defaults (wso2carbon) and must be changed for any deployment that is not a throwaway development environment.

```yaml
# KeyStores
wso2::key_stores:
  # primary key store for the purpose of storing the keys for encrypting sensitive data
  key_store:
    location: 'repository/resources/security/wso2carbon.jks'
    type: 'JKS'
    password: "%{hiera('wso2::key_stores::key_store::password')}"
    key_alias: 'wso2carbon'
    key_password: "%{hiera('wso2::key_stores::key_store::key_password')}"
  # Encrypt Decrypt Store will be used for encrypting and decrypting
  registry_key_store:
    location: 'repository/resources/security/wso2carbon.jks'
    type: 'JKS'
    password: "%{hiera('wso2::key_stores::registry_key_store::password')}"
    key_alias: 'wso2carbon'
    key_password: "%{hiera('wso2::key_stores::registry_key_store::key_password')}"
  # key store for the purpose of storing the trusted certificates of public keys in keystores
  trust_store:
    location: 'repository/resources/security/client-truststore.jks'
    type: 'JKS'
    password: "%{hiera('wso2::key_stores::trust_store::password')}"
  # keystore for authenticating the communication over SSL/TLS for Tomcat level connections
  connector_key_store:
    location: 'repository/resources/security/wso2carbon.jks'
    password: "%{hiera('wso2::key_stores::connector_key_store::password')}"
  user_trusted_rp_store:
    location: 'repository/resources/security/userRP.jks'
    type: 'JKS'
    password: "%{hiera('wso2::key_stores::user_trusted_rp_store::password')}"
    key_password: "%{hiera('wso2::key_stores::user_trusted_rp_store::key_password')}"

# KeyStore passwords
wso2::key_stores::key_store::password: 'wso2carbon'
wso2::key_stores::key_store::key_password: 'wso2carbon'
wso2::key_stores::registry_key_store::password: 'wso2carbon'
wso2::key_stores::registry_key_store::key_password: 'wso2carbon'
wso2::key_stores::trust_store::password: 'wso2carbon'
wso2::key_stores::connector_key_store::password: 'wso2carbon'
wso2::key_stores::user_trusted_rp_store::password: 'wso2carbon'
wso2::key_stores::user_trusted_rp_store::key_password: 'wso2carbon'
```

Applying Secure Vault

Follow the instructions below to apply Secure Vault:

  • Set wso2::enable_secure_vault to true in the related Hiera YAML files to enable Secure Vault.

```yaml
wso2::enable_secure_vault: true
```

  • Define the configuration entries that are to be placed in Secure Vault. Entries that are commonly secured are already present in the Hiera YAML files; for example, the KeyStore password of a node is added to Secure Vault with the following entry. Note that the password field holds the clear-text secret in the Hiera data, so the YAML files carrying these entries must be protected like any other secret store.

```yaml
wso2::secure_vault_configs:
  key_store_password:
    secret_alias: Carbon.Security.KeyStore.Password
    secret_alias_value: repository/conf/carbon.xml//Server/Security/KeyStore/Password,false
    password: wso2carbon
```

You can also add new configuration entries. To add such an entry to Secure Vault, add a new field to the wso2::secure_vault_configs hash:

```yaml
wso2::secure_vault_configs:
  custom_config_entry:
    secret_alias: Carbon.Custom.Config.Entry
    secret_alias_value: repository/conf/customconfig.xml//Server/Custom/Config/Entry,false
    password: hidethis
```

For Carbon Kernel 4.4.x based products, secret_alias_value takes the path of the file (relative to <PRODUCT_HOME>, or absolute), followed by // and the XPath of the value to be secured. The true or false that follows indicates whether or not the value to be encrypted is an XML attribute. For Carbon Kernel 4.2.0 based products, use the file name//xpath form to point at the property value to be secured; there the trailing true or false indicates whether or not the value to be encrypted starts with a capital letter.

  • Uncomment the following Puppet template files in the Hiera file; they are required for the Cipher Tool to work.

```yaml
wso2::template_list:
 - repository/conf/security/cipher-text.properties
 - repository/conf/security/cipher-tool.properties
 - bin/ciphertool.sh
```

If vm_type is not docker (that is, when the server runs on the default platform), add the password-tmp template to the template_list as well.
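The following pre-flight check is added here as an example; it is not part of wso2/puppet-modules. It lints a Hiera data set before Puppet applies it: it resolves the %{hiera('...')} lookups used inside wso2::key_stores and flags any that point at an undefined key or still resolve to the default password, and it validates each wso2::secure_vault_configs entry (required fields present, secret_alias unique, and a secret_alias_value of the form file//xpath,true|false as described above). The HIERA dictionary is a constructed sample that mirrors the YAML on this page, with two defects planted on purpose; the function names are the example's own.

```python
"""Pre-flight lint for the Hiera data wso2/puppet-modules feeds to Secure Vault.

Checks: (1) every %{hiera('...')} lookup in wso2::key_stores resolves to a flat key,
(2) no KeyStore password still resolves to the well-known default 'wso2carbon',
(3) each wso2::secure_vault_configs entry is complete, its secret_alias is unique,
and its secret_alias_value has the shape <file>//<xpath>,<true|false>.
"""
import re

# Hiera 3 interpolation as written in common.yaml: "%{hiera('some::key')}"
HIERA_LOOKUP = re.compile(r"%\{hiera\('([^']+)'\)\}")
DEFAULT_PASSWORD = "wso2carbon"
# <file path>//<xpath>,<true|false>; the file path is everything before the first "//"
ALIAS_VALUE = re.compile(r"^(?P<path>[^,]+?)//(?P<xpath>[^,]+),(?P<flag>true|false)$")

# Constructed sample mirroring the layout on this page; not the module's own hieradata.
# Two defects are planted on purpose (see comments).
HIERA = {
    "wso2::key_stores": {
        "key_store": {
            "location": "repository/resources/security/wso2carbon.jks",
            "type": "JKS",
            "password": "%{hiera('wso2::key_stores::key_store::password')}",
            "key_password": "%{hiera('wso2::key_stores::key_store::key_password')}",
        },
        "trust_store": {
            "location": "repository/resources/security/client-truststore.jks",
            # defect 1: lookup key misspelled ('passwd'), so it never resolves
            "password": "%{hiera('wso2::key_stores::trust_store::passwd')}",
        },
    },
    "wso2::key_stores::key_store::password": "wso2carbon",  # still the default
    "wso2::key_stores::key_store::key_password": "Str0ng-Key-P@ss",
    "wso2::key_stores::trust_store::password": "wso2carbon",
    "wso2::secure_vault_configs": {
        "key_store_password": {
            "secret_alias": "Carbon.Security.KeyStore.Password",
            "secret_alias_value": "repository/conf/carbon.xml//Server/Security/KeyStore/Password,false",
            "password": "wso2carbon",
        },
        "custom_config_entry": {
            "secret_alias": "Carbon.Custom.Config.Entry",
            # defect 2: the trailing ",true|false" flag is missing
            "secret_alias_value": "repository/conf/customconfig.xml//Server/Custom/Config/Entry",
            "password": "hidethis",
        },
    },
}


def resolve(value, hiera):
    """Expand every %{hiera('key')} in value; return (text, unresolved_keys)."""
    missing = []

    def repl(match):
        key = match.group(1)
        if key not in hiera:
            missing.append(key)
            return match.group(0)  # leave the unresolved reference in place
        return str(hiera[key])

    return HIERA_LOOKUP.sub(repl, str(value)), missing


def parse_alias_value(value):
    """Split 'file//xpath,flag' into (file, xpath, flag_is_true); None if malformed."""
    match = ALIAS_VALUE.match(value)
    if not match:
        return None
    return match.group("path"), match.group("xpath"), match.group("flag") == "true"


def lint_key_stores(hiera):
    """Report unresolved lookups and default passwords in wso2::key_stores."""
    findings = []
    for name, store in hiera.get("wso2::key_stores", {}).items():
        for field in ("password", "key_password"):
            if field not in store:
                continue
            resolved, missing = resolve(store[field], hiera)
            findings += [f"{name}.{field}: unresolved Hiera lookup '{k}'" for k in missing]
            if not missing and resolved == DEFAULT_PASSWORD:
                findings.append(f"{name}.{field}: default password '{DEFAULT_PASSWORD}' in use")
    return findings


def lint_secure_vault(hiera):
    """Report incomplete entries, duplicate aliases and malformed secret_alias_value."""
    findings, seen = [], {}
    for name, entry in hiera.get("wso2::secure_vault_configs", {}).items():
        for required in ("secret_alias", "secret_alias_value", "password"):
            if required not in entry:
                findings.append(f"{name}: missing '{required}'")
        alias = entry.get("secret_alias")
        if alias in seen:
            findings.append(f"{name}: secret_alias '{alias}' already used by {seen[alias]}")
        elif alias is not None:
            seen[alias] = name
        value = entry.get("secret_alias_value", "")
        if parse_alias_value(value) is None:
            findings.append(f"{name}: malformed secret_alias_value '{value}'")
    return findings
```

Run lint_key_stores(HIERA) and lint_secure_vault(HIERA) against the parsed hieradata (a real run would load the YAML files with a YAML library first) and treat any finding as a blocker: an unresolved lookup or a malformed secret_alias_value would otherwise only surface when the Cipher Tool fails on the node, and a default password that slips through ends up encrypted into cipher-text.properties looking perfectly healthy.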
