Access the secrets
From synapse artifact
To access a secret in decrypted form from a Synapse artifact, use the vault lookup syntax as below:
<log level="custom">
  <property expression="wso2:vault-lookup('ALIAS')" name="propertyName"/>
</log>
The parameters:
- ALIAS: The alias of the secret. The alias must be pre-defined; refer to Define the secrets in deployment for details.
From configuration files
To access a secret in decrypted form from a configuration file, use the following syntax:
password = "$secret{ALIAS}"
The parameters:
- ALIAS: The alias of the secret. The alias must be pre-defined; refer to Define the secrets in deployment for details.
Configure the default Secret Repository
Go to {MI_HOME}/conf/security and edit the file secret-conf.properties as below:
keystore.identity.alias=wso2carbon
secretRepositories.file.algorithm=RSA/ECB/OAEPwithSHA1andMGF1Padding
keystore.identity.type=JKS
keystore.identity.key.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
carbon.secretProvider=org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler
keystore.identity.store.password=identity.store.password
secretRepositories=file
secVault.enabled=true
secretRepositories.file.provider=org.wso2.securevault.secret.repository.FileBaseSecretRepositoryProvider
keystore.identity.store.secretProvider=org.wso2.carbon.securevault.DefaultSecretCallbackHandler
keystore.identity.key.password=identity.key.password
secretRepositories.file.location=conf/security/cipher-text.properties
keystore.identity.location=/home/wso2carbon/wso2mi-4.0.0/repository/resources/security/wso2carbon.jks
Configure keystore and key password
Create a file named password-persist in the MI_HOME directory with the following default values, one per line (the keystore password on the first line, the private key password on the second):
wso2carbon
wso2carbon
Define the secrets in deployment
Defining a secret means declaring its encrypted value together with the alias that refers to it. Declare the secrets in the [secrets] section of deployment.toml using the following syntax:
[secrets]
ALIAS = "$env{ENVIRONMENT_VARIABLE}"
The parameters:
- ALIAS: The unique name of the secret. It is used in Synapse artifacts and configuration files to refer to the secret.
- ENVIRONMENT_VARIABLE: The environment variable that holds the actual encrypted value of the secret.
Create environment variable
Encrypt the secret
To encrypt the secret, use the WSO2 MI CLI as in the following sample:
>mi secret create
>Enter plain alias for secret:pwdAlias
>Enter plain text secret: {SECRET_TEXT}
>Repeat plain text secret: {SECRET_TEXT}
pwdAlias : CoSp6vHYByI3KG8snzIEO0tjnkaN/BoklzKzD9FU2LIYSI6zmsO7TyVmsy3cCo5C3GXnyG8DemoPusPEW9M2TO5FmsJ7rgL8RQwJ300Q3wm8MRID98V2w2UBgiYEpqO8dgDvgHZDsA3VXRZq1+Uqh4FtOSHDPYak3/F3aQMK0bzIJf7NfHeAA7IRvXrz/5m/oQdg5To/9YAQXCCuLe8EoZ0Zs/qYYazAh0zZLmjq5wqS2RSVpAtWVc7aNygaWfbeoHHgP10LZ+eeid3POIDxuUS9csZ/H+DaDAi/IvA3lMdGkfEmRR9Ii9HOaj6l5wq0XhJLSb2Lvzplkht+4CTRfw==
Encryption completed successfully...
The parameters:
- SECRET_TEXT: The data you want to encrypt. The base64 text printed above is the encrypted value of the secret.
Create environment variable
For Linux:
export ENVIRONMENT_VARIABLE=CoSp6vHYByI3KG8snzIEO0tjnkaN/BoklzKzD9F...
Finally, start the Micro Integrator.
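Before starting, it is worth checking that every alias referenced with $secret{ALIAS} or wso2:vault-lookup('ALIAS') is actually declared in the [secrets] section, and that every environment variable named there is set and holds base64 ciphertext. The following script is an added example, not WSO2 code and not part of the original page; it only checks consistency of the three syntaxes described above and never decrypts anything, so it needs no access to the keystore. The deployment.toml, configuration and Synapse snippets embedded in it are constructed sample inputs, and the variable names MI_PWD_SECRET, MI_DB_SECRET and the alias apiKeyAlias are made up for the demonstration.

```python
import base64
import binascii
import os
import re

# Constructed sample inputs standing in for the real files (not taken from the page).
SAMPLE_DEPLOYMENT_TOML = """
[server]
hostname = "localhost"

[secrets]
pwdAlias = "$env{MI_PWD_SECRET}"
dbAlias = "$env{MI_DB_SECRET}"
"""

SAMPLE_CONFIG = """
[[datasource]]
id = "WSO2_CARBON_DB"
password = "$secret{dbAlias}"
"""

SAMPLE_SYNAPSE = """
<log level="custom">
  <property expression="wso2:vault-lookup('pwdAlias')" name="pwd"/>
  <property expression="wso2:vault-lookup('apiKeyAlias')" name="key"/>
</log>
"""

# The three syntaxes the page describes: ALIAS = "$env{VAR}" definitions inside
# [secrets], $secret{ALIAS} in config files, wso2:vault-lookup('ALIAS') in artifacts.
SECRETS_SECTION_RE = re.compile(r"^\[secrets\]\s*$(?P<body>.*?)(?=^\[|\Z)", re.M | re.S)
SECRET_DEF_RE = re.compile(r'^\s*(?P<alias>\w+)\s*=\s*"\$env\{(?P<var>\w+)\}"\s*$', re.M)
CONFIG_REF_RE = re.compile(r"\$secret\{(\w+)\}")
VAULT_LOOKUP_RE = re.compile(r"wso2:vault-lookup\('(\w+)'\)")


def parse_secret_definitions(toml_text):
    """Return {alias: env_var} from the [secrets] section of deployment.toml."""
    section = SECRETS_SECTION_RE.search(toml_text)
    if not section:
        return {}
    return {m.group("alias"): m.group("var") for m in SECRET_DEF_RE.finditer(section.group("body"))}


def find_references(config_text, synapse_text):
    """Return the set of aliases referenced from config files and Synapse artifacts."""
    return set(CONFIG_REF_RE.findall(config_text)) | set(VAULT_LOOKUP_RE.findall(synapse_text))


def is_base64(value):
    """True if value is strict base64, the form the CLI prints for ciphertext."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def preflight(toml_text, config_text, synapse_text, env):
    """Return a list of problems; an empty list means the deployment is consistent."""
    definitions = parse_secret_definitions(toml_text)
    references = find_references(config_text, synapse_text)
    problems = []
    # Every referenced alias must be declared, otherwise the lookup fails at runtime.
    for alias in sorted(references - set(definitions)):
        problems.append(f"alias '{alias}' is referenced but not defined in [secrets]")
    # Every declared alias needs its environment variable populated with ciphertext.
    for alias, var in sorted(definitions.items()):
        value = env.get(var)
        if not value:
            problems.append(f"alias '{alias}': environment variable {var} is not set")
        elif not is_base64(value):
            problems.append(f"alias '{alias}': {var} does not hold base64 ciphertext")
    return problems


if __name__ == "__main__":
    # Run against the real process environment; exit non-zero if anything is wrong.
    for problem in preflight(SAMPLE_DEPLOYMENT_TOML, SAMPLE_CONFIG, SAMPLE_SYNAPSE, os.environ):
        print("preflight:", problem)
```

Run it in the same shell session in which the export commands were issued, so that os.environ sees the variables the Micro Integrator will see; a wrapper script can exit non-zero when the returned list is not empty and refuse to start the server.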