Applying secure-vault to WSO2 Micro Integrator

Hasitha Hiranya Abeykoon
Published in Think Integration
Jan 12, 2020

For a more secure integration solution…

NOTE: (Applicable for WSO2 Micro Integrator 1.1.0 — Enterprise Integrator 7.0.0)

The integration world is moving towards a microservices architecture. WSO2, the famous middleware company, now offers WSO2 Micro Integrator (WSO2 MI), which is the container-friendly version of WSO2 Enterprise Integrator (WSO2 EI). WSO2 MI runs the same mediation engine as WSO2 EI, which has been battle tested on integration use cases over the past decade. Hence, it is not an entirely new product from WSO2: only the body of the vehicle is made lightweight and small, keeping the same engine.

WSO2 MI uses a configuration-driven approach to build integration logic. Users can use WSO2 Integration Studio to build an archive containing the integration logic and deploy it to the WSO2 MI runtime.

Having said that, the focus of this article is how to encrypt passwords used in integration logic using the Secure Vault feature of WSO2 MI. The idea is to encrypt passwords using the RSA algorithm. The article follows the official WSO2 documentation, with more detail.

WSO2 may decide to move this functionality to K8S secrets; until then, this is the way to encrypt the passwords.

Configuring secure vault

First, let us download WSO2 MI and configure secure vault.

  • Download the WSO2 MI zip file (binary format) from here.
  • Run the cipher tool. For that, navigate to `<WSO2 MI>/bin` and execute `./ciphertool.sh -Dconfigure`. Note that the password of the keystore shipped by default with WSO2 MI is `wso2carbon`.
  • Create a folder called dockerProject to keep the docker project.
  • Copy `<MI_HOME>/conf/security/cipher-tool.properties` file to the dockerProject folder.
  • Copy `<MI_HOME>/conf/security/secret-conf.properties` file to the dockerProject folder.
  • Update the following entry in the secret-conf.properties file copied in the step above.
keystore.identity.location=/home/wso2carbon/wso2mi-1.1.0/repository/resources/security/wso2carbon.jks
  • Create a file named `password-tmp` in the dockerProject folder. Add the keystore password in plain text in that file. NOTE: After the container is started, this file is deleted automatically. Hence, in a running container the password is not kept anywhere.

Adding entries to be encrypted

Now we can add some entries to be encrypted and used in our mediation logic.

  • Navigate to the `<WSO2 MI>/bin` folder and execute the script `securevault.sh` (please refer to the WSO2 documentation) to add some vault entries. For example, add mypassword1 as the alias and hasitha as the value.
  • When done, copy the `<MI_HOME>/registry/config/repository/components/secure-vault/secure-vault.properties` file to the dockerProject folder above.
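At this point the dockerProject folder holds every secure-vault file the image needs, so it can be checked before anything is built. The script below is an added example, not part of the original article or of WSO2's tooling: `check_vault_project` is a hypothetical helper, the sample folder is constructed, and it assumes secure-vault.properties stores `alias=<base64 RSA ciphertext>` lines.

```shell
#!/bin/sh
# Added example: pre-build check of the dockerProject folder from this article.
# Assumption: secure-vault.properties holds alias=<base64 RSA ciphertext> lines.
WANT=/home/wso2carbon/wso2mi-1.1.0/repository/resources/security/wso2carbon.jks

# Hypothetical helper: prints findings; exit status = number of findings.
check_vault_project() (
  dir=$1; findings=0
  note() { echo "FINDING: $*"; findings=$((findings + 1)); }

  for f in cipher-tool.properties secret-conf.properties \
           secure-vault.properties password-tmp; do
    [ -f "$dir/$f" ] || note "missing $f"
  done
  [ "$findings" -eq 0 ] || exit "$findings"

  # secret-conf.properties must name the keystore path inside the container.
  loc=$(sed -n 's/^keystore\.identity\.location=//p' "$dir/secret-conf.properties")
  [ "$loc" = "$WANT" ] || note "keystore.identity.location is '$loc'"

  # wso2carbon is the password of the keystore shipped with every download,
  # so that keystore's private key is not a secret.
  pw=$(tr -d '[:space:]' < "$dir/password-tmp")
  [ "$pw" != wso2carbon ] || note "password-tmp holds the default keystore password"

  # Each value should look like ciphertext: base64 of at least a 1024-bit
  # RSA block (172 chars). Property writers may escape '=' as '\='.
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    name=${line%%=*}
    value=$(printf '%s' "${line#*=}" | tr -d '\\')
    printf '%s' "$value" | grep -Eq '^[A-Za-z0-9+/]{171,}={0,2}$' ||
      note "alias '$name' does not look encrypted"
  done < "$dir/secure-vault.properties"
  exit "$findings"
)

# Constructed sample folder: the article's alias stored in plain text.
demo=$(mktemp -d)
touch "$demo/cipher-tool.properties"
echo "keystore.identity.location=$WANT" > "$demo/secret-conf.properties"
echo "wso2carbon" > "$demo/password-tmp"
echo "mypassword1=hasitha" > "$demo/secure-vault.properties"
check_vault_project "$demo" || echo "findings: $?"
rm -rf "$demo"
```

Because the exit status equals the number of findings, the function can gate the `docker build` step in a build script.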

We can use the vault entries in the integration logic now. For testing purposes, we can just print a log line.

  • Download WSO2 Integration Studio from here.
  • Create an integration project and define an API with the context `/testapi`.
  • Following is the full configuration of the test API.
API configuration
  • Export the integration logic as a .CAR application (as test.car).
Exporting CAPP — Integration Studio
  • Copy the test.car file to the dockerProject folder.

Creating Docker image

Now that all the components that should go into the MI-based Docker image are ready, we can go ahead and create the image. Make sure you have installed Docker on your machine.

  • Create a file called Dockerfile inside the dockerProject folder with the following content.
Dockerfile to generate image
  • Now the content of the dockerProject folder will look like below.
Content in dockerProject folder
  • Execute the command below to create the Docker image. It will pull the WSO2 MI base image from the WSO2 Docker registry and build the image. NOTE: You will need a valid WSO2 subscription for this. If you do not own one, you can use the WSO2 MI image at DockerHub instead.
docker build -t test-secure-vault-mi .
  • Make sure the image was created successfully by listing the Docker images with the command below.
docker images

Running and testing

  • Run the Docker image as below.
docker run -d -p 8290:8290 test-secure-vault-mi
  • Invoke the API defined using curl.
curl -v -X POST -H "Content-Type:application/json" "http://localhost:8290/testapi"
  • Observe the logs of the Docker container as below.
Get the container ID with `docker ps`.
Then get the logs with `docker logs <containerID>`.
  • You will see a log line as below.
INFO {org.apache.synapse.mediators.builtin.LogMediator} - secure valut log = hasitha
