WSO2 MI - Use encrypted secret with secure vault

Access the secrets

From synapse artifact

To access the decrypted value of a secret from a synapse artifact, use the vault lookup syntax below:

<log level="custom">
    <property expression="wso2:vault-lookup('ALIAS')" name="propertyName"/>
</log>

The parameters:

  • ALIAS: the alias of the secret. The alias must be defined beforehand; see Define the secrets in deployment for details.

From configuration files

To access the decrypted value of a secret from a configuration file, use the following syntax:

password = "$secret{ALIAS}"

The parameters:

  • ALIAS: the alias of the secret. The alias must be defined beforehand; see Define the secrets in deployment for details.

Configure the default Secret Repository

Go to {MI_HOME}/conf/security and edit the file secret-conf.properties as below:

keystore.identity.alias=wso2carbon
secretRepositories.file.algorithm=RSA/ECB/OAEPwithSHA1andMGF1Padding
keystore.identity.type=JKS
keystore.identity.key.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
carbon.secretProvider=org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler
keystore.identity.store.password=identity.store.password
secretRepositories=file
secVault.enabled=true
secretRepositories.file.provider=org.wso2.securevault.secret.repository.FileBaseSecretRepositoryProvider
keystore.identity.store.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
keystore.identity.key.password=identity.key.password
secretRepositories.file.location=conf/security/cipher-text.properties
keystore.identity.location=/home/wso2carbon/wso2mi-4.0.0/repository/resources/security/wso2carbon.jks

Configure keystore and key password

Create a file named password-persist in the MI_HOME directory with the following default values:

wso2carbon
wso2carbon

Define the secrets in deployment

Defining a secret means declaring its encrypted value together with the alias that refers to it. Declare the secrets in the [secrets] section of deployment.toml using the following syntax:

[secrets]
ALIAS = "$env{ENVIRONMENT_VARIABLE}"

The parameters:

  • ALIAS: the unique name of the secret; synapse artifacts and configuration files use it to refer to the secret
  • ENVIRONMENT_VARIABLE: the environment variable that holds the encrypted value of the secret

Create environment variable

Encrypt the secret

To encrypt the secret, use the WSO2 MI CLI as in the following sample:

>mi secret create
>Enter plain alias for secret:pwdAlias
>Enter plain text secret: {SECRET_TEXT}
>Repeat plain text secret: {SECRET_TEXT}
pwdAlias : CoSp6vHYByI3KG8snzIEO0tjnkaN/BoklzKzD9FU2LIYSI6zmsO7TyVmsy3cCo5C3GXnyG8DemoPusPEW9M2TO5FmsJ7rgL8RQwJ300Q3wm8MRID98V2w2UBgiYEpqO8dgDvgHZDsA3VXRZq1+Uqh4FtOSHDPYak3/F3aQMK0bzIJf7NfHeAA7IRvXrz/5m/oQdg5To/9YAQXCCuLe8EoZ0Zs/qYYazAh0zZLmjq5wqS2RSVpAtWVc7aNygaWfbeoHHgP10LZ+eeid3POIDxuUS9csZ/H+DaDAi/IvA3lMdGkfEmRR9Ii9HOaj6l5wq0XhJLSb2Lvzplkht+4CTRfw==
Encryption completed successfully...

The parameters:

  • SECRET_TEXT: the data you want to encrypt. The base64 text printed after the alias (pwdAlias : ...) is the encrypted value of the secret.

Create environment variable

For Linux

export ENVIRONMENT_VARIABLE=CoSp6vHYByI3KG8snzIEO0tjnkaN/BoklzKzD9F...

Finally, start the Micro Integrator.
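The steps above (declare the alias in [secrets], reference it with $secret{ALIAS}, export the ciphertext in the environment variable) only work if all three pieces agree, and a missing or malformed environment variable is only noticed when MI fails to decrypt at startup. The following pre-start check is an added example, not WSO2 code: it parses the [secrets] table of a deployment.toml, collects every $secret{ALIAS} reference, and verifies that each alias is declared and that its environment variable holds valid base64 of the size one RSA block produces. The deployment.toml text and the environment mapping are constructed samples (the datasource ids and variable names are placeholders); the ciphertext is the one printed by mi secret create on this page, and the 2048-bit key size is an assumption consistent with its 344-character length.

```python
"""Pre-start check for WSO2 MI secure-vault wiring (added example, not WSO2 code).

Assumption: a real run would read {MI_HOME}/conf/deployment.toml and os.environ;
here both are constructed samples so the check runs offline.
"""
import re
import base64
import binascii

# Matches lines such as:  ALIAS = "$env{ENVIRONMENT_VARIABLE}"  inside [secrets]
SECRET_LINE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*"\$env\{([A-Za-z_][A-Za-z0-9_]*)\}"\s*$')
# Matches $secret{ALIAS} references anywhere in the file
SECRET_REF = re.compile(r'\$secret\{([A-Za-z0-9_.-]+)\}')
# Matches [table] and [[array-of-tables]] headers
SECTION = re.compile(r'^\s*\[\[?([^\]]+)\]\]?\s*$')

# Ciphertext printed by `mi secret create` in the sample on this page
SAMPLE_CIPHERTEXT = (
    "CoSp6vHYByI3KG8snzIEO0tjnkaN/BoklzKzD9FU2LIYSI6zmsO7TyVmsy3cCo5C3GXnyG8DemoPusPEW9M2"
    "TO5FmsJ7rgL8RQwJ300Q3wm8MRID98V2w2UBgiYEpqO8dgDvgHZDsA3VXRZq1+Uqh4FtOSHDPYak3/F3aQMK"
    "0bzIJf7NfHeAA7IRvXrz/5m/oQdg5To/9YAQXCCuLe8EoZ0Zs/qYYazAh0zZLmjq5wqS2RSVpAtWVc7aNyga"
    "WfbeoHHgP10LZ+eeid3POIDxuUS9csZ/H+DaDAi/IvA3lMdGkfEmRR9Ii9HOaj6l5wq0XhJLSb2Lvzplkht+"
    "4CTRfw=="
)

# Constructed deployment.toml excerpt: two aliases declared, one reference to an
# alias that was never declared (reportAlias), to show what the check reports.
SAMPLE_TOML = """
[server]
hostname = "localhost"

[secrets]
pwdAlias = "$env{DB_PASSWORD_ENC}"
apiKey = "$env{API_KEY_ENC}"

[[datasource]]
id = "WSO2_CARBON_DB"
password = "$secret{pwdAlias}"

[[datasource]]
id = "REPORTING_DB"
password = "$secret{reportAlias}"
"""

# Constructed environment: API_KEY_ENC is deliberately left unset.
SAMPLE_ENV = {"DB_PASSWORD_ENC": SAMPLE_CIPHERTEXT}


def parse_secrets(toml_text):
    """Return {alias: env_var} from the [secrets] table of a deployment.toml."""
    aliases = {}
    in_secrets = False
    for line in toml_text.splitlines():
        header = SECTION.match(line)
        if header:
            in_secrets = header.group(1).strip() == "secrets"
            continue
        if in_secrets:
            m = SECRET_LINE.match(line)
            if m:
                aliases[m.group(1)] = m.group(2)
    return aliases


def referenced_aliases(toml_text):
    """Every alias used via $secret{ALIAS} anywhere in the file."""
    return set(SECRET_REF.findall(toml_text))


def looks_like_ciphertext(value, key_bits=2048):
    """True if value is valid base64 whose decoded length equals one RSA block.
    RSA/ECB/OAEP output is exactly the key size in bytes (256 for 2048 bits)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == key_bits // 8


def check(toml_text, env, key_bits=2048):
    """Return a list of problems; an empty list means every secret is resolvable."""
    problems = []
    defined = parse_secrets(toml_text)
    for alias in sorted(referenced_aliases(toml_text) - set(defined)):
        problems.append(f"alias '{alias}' is used via $secret{{}} but not declared in [secrets]")
    for alias, var in defined.items():
        value = env.get(var)
        if not value:
            problems.append(f"alias '{alias}': environment variable {var} is not set")
        elif not looks_like_ciphertext(value, key_bits):
            problems.append(f"alias '{alias}': {var} does not hold a {key_bits}-bit RSA ciphertext")
    return problems


if __name__ == "__main__":
    for problem in check(SAMPLE_TOML, SAMPLE_ENV):
        print(problem)
```

Run it before starting MI; with the constructed sample it reports the undeclared reportAlias and the unset API_KEY_ENC. The length test only confirms the value is shaped like output of the configured RSA key, not that it was encrypted with that key, so a wrong-key ciphertext still surfaces only at startup.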