Add Secure Vault entries in WSO2 EI via Management UI

Rob Blaauboer
Integration Consultant & WSO2 Trainer

As you probably know, some passwords and other entries in the WSO2 configuration files are stored in plain text when you install WSO2 products. In many cases this is something you need to change, since passwords are supposed to be secret by design. The solution to this is called Secure Vault and is included in WSO2 products. My colleague Jan Timmerman has written a blog about it; if you want to know more about Secure Vault and the encryption of passwords in the WSO2 configuration files, have a look here.

But there are other situations where we want to store user IDs and passwords encrypted as well, rather than as plain text in proxies, local entries or other artifacts. We can add Secure Vault entries in WSO2 EI (like user IDs and passwords) as additional encrypted values via the management UI.

Setting it up

The first thing we need to do is run the CipherTool. Although it looks like you can simply enter ‘passwords’ into the Secure Vault through the UI, when you try to store the values without having run the tool first you get the following message. This is because the vault itself needs to be secured as well.

Carbon Secure Vault.png

Run ciphertool.sh -Dconfigure in the [EI_HOME]/bin directory. Keep in mind that this will result in an EI instance that requires the password for the keystore to be entered manually. This is also something you would do when you have created a new keystore with new certificates, rather than keeping the out-of-the-box setting with the certificates everyone else has as well.

Cipertool WSO2 EI.png

As you can see, the updates that the CipherTool makes are governed by cipher-tool.properties and cipher-text.properties, which indicate and store the values.

Starting EI

When we start up the Enterprise Integrator we need to enter the password for the keystore. In the case of an out-of-the-box WSO2 EI, it is wso2carbon (all lowercase, no spaces).

WSO2 EI - integrator.bat.png

After that EI will continue to start and when everything is ready you can go to the Secure Vault settings on the main tab.

PS: If you don’t want to enter the password every time EI is started, you can store the password in a file named [EI_HOME]/password-persist (with .txt for a Windows-based WSO2 installation), which is read by the WSO2 startup script. Make sure to restrict access to the file so that it is readable only by the owner of the WSO2 EI process.

Secure Vault Password Management.png

Open the admin console in a browser and navigate to the Secure Vault Tool on the main tab and enter a Vault Key with the name ei.training.userid. The ‘Password’ is the value admin and we enter it twice. It is good to note that although it says ‘password’, you can use it to enter any value that you want or need to be encrypted.

In this case we encrypt the userid. The same approach can be used to store the userid/password combinations required by external services we need to connect to.

This can only be done via the Management UI and is therefore suited for non-development staff who need to maintain this kind of information.

Secure Vault Password Management-userid.png

Retrieving the value

At this moment we have actually stored the value in WSO2 Enterprise Integrator. To retrieve the encrypted value we simply need to create a property in, for instance, a proxy.

When you copy this code from the Yenlo Blog Bitbucket account you can simply deploy it on the WSO2 EI.

<?xml version="1.0" encoding="UTF-8"?>
<proxy name="SimpleEcho" startOnLoad="true" transports="https http" xmlns="http://ws.apache.org/ns/synapse">
    <target>
        <endpoint name="endpoint_urn_uuid_c772b94d-a65e-4f8d-8f4e-808477e775ab">
            <address uri="http://localhost:8280/services/echo"/>
        </endpoint>
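        <inSequence>
            <!-- Resolve the alias from Secure Vault and keep the decrypted value in a message-context property -->
            <property expression="wso2:vault-lookup('ei.training.userid')" name="UserID" scope="default" type="STRING"/>
            <!-- Demonstration only: the log mediator writes the decrypted value to the console -->
            <log>
                <property expression="wso2:vault-lookup('ei.training.userid')" name="UID"/>
            </log>
        </inSequence>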
        <outSequence>
            <send/>
        </outSequence>
        <faultSequence/>
    </target>

</proxy>

We will not use Developer Studio / a CAR file but will take a quick and dirty approach to deploy this proxy: the Management UI of the EI. This will only work if there is no SimpleEcho proxy available on your EI. If there is one, just rename the proxy, either the existing one or the one you are about to create.

In order to do so, Add a Proxy from the Management UI of the WSO2 EI and choose Custom Proxy.

WSO2 EI custom proxy.png

Switch directly to Source View and copy the text into the editor.

Modify Proxy Service.png

Save the proxy. Verify that the proxy is saved and available in the services list.

Deployed Services - proxy WSO2 EI.png

Go to SoapUI and create a new SOAP project with the WSDL at http://localhost:8280/services/echo?wsdl. The endpoint we use is the Axis2 echo service, which is available at http://localhost:8280/services/echo.

Change the URL to http://localhost:8280/services/SimpleEcho and send a hello world message to the service.

localhost - hello world - wso2 ei.png

Check the console output for the value.

console output - logmediator wso2 ei.png

You can use this secure vault for storing things like user IDs and passwords which are environment/server specific without issues. As we’ve demonstrated here, you can easily access this secured information using a property expression inside a proxy or sequence.
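The SimpleEcho proxy above sends the decrypted value to the console through a log mediator, which suits this demonstration but would leave the secret in the log of a real deployment. The following Python check is an added example, not code from the original post or from WSO2: it scans a Synapse artifact for vault aliases that reach a log mediator, either looked up directly or through a property filled earlier. The function name and the sample constant are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://ws.apache.org/ns/synapse}"
VAULT_RE = re.compile(r"wso2:vault-lookup\(\s*'([^']+)'\s*\)")

# Constructed sample: the inSequence of the SimpleEcho proxy from this post.
SAMPLE = """<proxy name="SimpleEcho" xmlns="http://ws.apache.org/ns/synapse">
  <target>
    <inSequence>
      <property expression="wso2:vault-lookup('ei.training.userid')" name="UserID"/>
      <log>
        <property expression="wso2:vault-lookup('ei.training.userid')" name="UID"/>
      </log>
    </inSequence>
  </target>
</proxy>"""


def find_logged_vault_lookups(artifact_xml):
    """Return sorted (alias, reason) pairs for vault values that reach a log mediator."""
    root = ET.fromstring(artifact_xml)
    log_props = [p for log in root.iter(NS + "log") for p in log.iter(NS + "property")]
    in_log = {id(p) for p in log_props}

    # Message-context properties filled from the vault: property name -> alias.
    secret_props = {}
    for prop in root.iter(NS + "property"):
        match = VAULT_RE.search(prop.get("expression", ""))
        if match and prop.get("name") and id(prop) not in in_log:
            secret_props[prop.get("name")] = match.group(1)

    findings = set()
    for prop in log_props:
        expr = prop.get("expression", "")
        # Case 1: the log mediator resolves the alias itself.
        for alias in VAULT_RE.findall(expr):
            findings.add((alias, "direct lookup in log"))
        # Case 2: it logs a property that was populated from the vault earlier.
        for name, alias in secret_props.items():
            ref = r"\$ctx:{0}\b|get-property\([^)]*'{0}'".format(re.escape(name))
            if re.search(ref, expr):
                findings.add((alias, "logged via property " + name))
    return sorted(findings)


if __name__ == "__main__":
    for alias, reason in find_logged_vault_lookups(SAMPLE):
        print("secret alias %r reaches the log: %s" % (alias, reason))
```

Run it over the proxy and sequence files of a deployment before promoting them; an empty result means no vault-backed value is written by a log mediator in that artifact.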
