Hi All
I have done required changes in synapse, there won't be any existing
API's effected due to the given changers , so the overall process will be
as shown in [1] where attributes required encryption required to embedded a
key [*enc:] *so during the serialization it will be saved as [2], and
during run-time those encrypted values will be decrypted using the *
WSO2MediationSecurityInterceptor* ], the give solution has implemented and
tested in scratch environment and works as expected.
[1] before saving to configuration embedded enc: for the filed which
requires encryption
<twitter.config>
<parameter name="oauth.consumerSecret"
value="*enc:*mmmmmmmmmmmmmmm"/>
<parameter name="oauth.accessTokenSecret"
value="*enc:*xxxxxxx"/>
<parameter name="oauth.accessToken"
value="*enc:*eeeeeee"/>
<parameter name="oauth.consumerKey" value="eeeexxxxxx"/>
</twitter.config>
<twitter.search>
<parameter name="search" value="hotel"/>
</twitter.search>
[2] once serialized the values will be encrypted using wso2carbon key store
values
algorithm of encryption
* /***
* * Encrypt a given plain text*
* * *
* * @param plainTextBytes*
* * The plaintext bytes to be encrypted*
* * @return The cipher text bytes*
* * @throws CryptoException*
* * On error during encryption*
* */*
* public byte[] encrypt(byte[] plainTextBytes) throws CryptoException {*
* try {*
*
*
* KeyStoreManager keyMan = KeyStoreManager.getInstance(*
* MultitenantConstants.SUPER_TENANT_ID, this.serverConfigService,*
* this.registryService);*
* KeyStore keyStore = keyMan.getPrimaryKeyStore();*
*
*
* Certificate[] certs = keyStore.getCertificateChain(keyAlias);*
* Cipher cipher = Cipher.getInstance("RSA", "BC");*
* cipher.init(Cipher.ENCRYPT_MODE, certs[0].getPublicKey());*
*
*
* return cipher.doFinal(plainTextBytes);*
*
*
* } catch (Exception e) {*
* e.printStackTrace();*
* throw new CryptoException(Messages.getMessage("erorDuringEncryption"), e);
*
* }*
* }*
<twitter.config>
<parameter name="oauth.consumerSecret"
value="*encrypted:*
K+PTyrN7K1KM2kOeFKMv0x9X5EP9qCpS7mJm9mpi9p3FqyYNyd1qCAlHKMA6dXAkCg1mdzL0TvF9ApMjwuVUoijO/C3EWn6Pf4Ju+70e2rsJ3hrbUVuD/SI/NaxS0QAg9mJzg/p0frnugbC+uha85d32yotUWcosKHW26Yjb6Ao="/>
<parameter name="oauth.accessTokenSecret"
value="*encypted:*
WfUb4sTrimV/WDjER8UldK2E2ez/0kC8r3RUWL3o0Lfuq+uZwjJxfIn3YYwRcPT52FSriKdesNg9Hi6sHW2gN4NqyI9pFqG1L3sfDwnlS0u4RAl8ZLq+62rUuVhA2C+XORyEBp8AZYUf1ew1dUSf8LG/+NfyoHmiLmwO3MvPqbo="/>
<parameter name="oauth.accessToken"
value="*encypted:*
FK2gv27JwmPrR7wybWI732HDQlR6p4jPlbTJQJKga386yGJ43gYpFsgoeilhDz/24tEe+4IqSuajsrWFa7wi8Ot6p+bLsufartodJhHt6zQfNTq6yaVzZWUExRjV2bsnJ477yfwc4Oz30c59rhZvkNtGkXXaVp8Fo1nlS18H3mQ="/>
<parameter name="oauth.consumerKey"
value=*"*eeeexxxxxx"/>
</twitter.config>
<twitter.search>
[3] Synapse config
<definitions xmlns="http://ws.apache.org/ns/synapse";>
<registry provider="org.wso2.carbon.mediation.registry.WSO2Registry">
<parameter name="cachableDuration">15000</parameter>
</registry>
* <security
provider="org.wso2.carbon.mediation.security.WSO2MediationSecurityInterceptor"/>
*
any thoughts or improvements which you guys think ?
On Sat, Jul 20, 2013 at 8:45 PM, Dushan Abeyruwan <dus...@wso2.com> wrote:
> Hi all,
> A small correction the relevant config should look like as below described
>
> <twitter.config>
> <parameter name="oauth.consumerSecret"
>
> value="*enc:*EvTEzc3jj9Z1Kx58ylNfkpnuXYuCeGgKhkVkziYNMs"/>
>
>
> Cheers
> Dushan
>
>
> On Sat, Jul 20, 2013 at 8:39 PM, Dushan Abeyruwan <dus...@wso2.com> wrote:
>
>> Hi
>> IMO seems like
>> EntitlementMediato<https://svn.wso2.org/repos/wso2/carbon/platform/trunk/components/identity/org.wso2.carbon.identity.entitlement.mediator/src/main/java/org/wso2/carbon/identity/entitlement/mediator/EntitlementMediator.java>r
>> approach
>> quite suitable and handy and I would think what it does for the time being
>> is _ _okay _ _ since Entitlement component is NOT resides within synapse
>> (need expert suggestion form IS since they are the one who implemented the
>> current approach) , according to the discussion had (with Kasun at el)
>> thought how we could probably include the same approach for
>> the components resides in synapse.
>> There we have identified the approach which registry getting
>> intercepted could be useful [2].We thought of introducing a security
>> related component [3] a kind of extension point where the
>> SecurityInteceptors will be initialized during init()
>> and readily available in *synapseConfiguration* during serialization or
>> during run-time and with that we could probably utilize the attributes
>> which required for encrypt with special character or sequence as shown [1]
>> anyway I am still doing a feasibility study of the
>> described approach, may be there we might have jump few hurdles to get this
>> done without harming synapse API ..
>>
>> really appreciate thoughts from IS for this approach, do you guys
>> feel any _ _ better more reliable approach than this _ _ ?
>>
>> e.g
>> [1]
>> <twitter.config>
>> <parameter name="*enc:*oauth.consumerSecret"
>>
>> value="EvTEzc3jj9Z1Kx58ylNfkpnuXYuCeGgKhkVkziYNMs"/> (if used enc: then
>> during serialization those values encrypited same can be integrated for
>> UI's even this might not be any issue when use DevS approach as well)
>>
>>
>>
>>
>> [2]
>> <registry provider="org.wso2.carbon.mediation.registry.WSO2Registry">
>> <parameter name="cachableDuration">15000</parameter>
>> </registry>
>>
>> [3]
>> <registry provider="org.wso2.carbon.security.*SecurityInterceptor*">
>> *SecurityInterceptor
>> (class name or package not finalized yet)*
>> <parameter name="cachableDuration">15000</parameter>
>> </registry>
>>
>>
>>
>> On Sat, Jul 20, 2013 at 7:17 PM, Sanjiva Weerawarana <sanj...@wso2.com>wrote:
>>
>>> Dushan connector creds are going to be user specific. So that means they
>>> have to be able to configure them in a user-accessible way .. and then the
>>> data needs to be stored in a secure vault of some kind.
>>>
>>> For UI driven configs that's easy - we get the password in the UI, store
>>> in the vault and refer to it in the mediator config.
>>>
>>> For hand edited synapse.xml stuff you'd need to let the user do the
>>> same. Do we have a per-user vault type concept?
>>>
>>> Sanjiva.
>>>
>>>
>>> On Fri, Jul 19, 2013 at 11:18 AM, Dushan Abeyruwan <dus...@wso2.com>wrote:
>>>
>>>> Hi
>>>> Regarding $subject, what would be the best way to accomplish ?
>>>> According to the EntitlementMediator implementation it
>>>> seems we are using a different approach as shown below [1], any reason
>>>> which prevent us moving to synapse secure vault and also seems there are
>>>> zero documentation related to Synapse secure vault configuration.
>>>>
>>>>
>>>> [1]
>>>>
>>>> https://svn.wso2.org/repos/wso2/carbon/platform/trunk/components/identity/org.wso2.carbon.identity.entitlement.mediator/src/main/java/org/wso2/carbon/identity/entitlement/mediator/EntitlementMediator.java
>>>>
>>>>
>>>> public void setRemoteServicePassword(String remoteServicePassword) {
>>>> if (remoteServicePassword.startsWith("enc:")) {
>>>> try {
>>>> * this.remoteServicePassword = new
>>>> String(CryptoUtil.getDefaultCryptoUtil()*
>>>> *
>>>> .base64DecodeAndDecrypt(remoteServicePassword.substring(4)));*
>>>> } catch (CryptoException e) {
>>>> log.error(e);
>>>> }
>>>> } else {
>>>> this.remoteServicePassword = remoteServicePassword;
>>>> }
>>>> }
>>>>
>>>> Cheers,
>>>> Dushan Abeyruwan
>>>> Associate Tech Lead
>>>> *Integration Technologies Team*
>>>> *WSO2 Inc. http://wso2.com/*
>>>> *Mobile:(+94)714408632*
>>>>
>>>> _______________________________________________
>>>> Architecture mailing list
>>>> Architecture@wso2.org
>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>>
>>>
>>>
>>> --
>>> Sanjiva Weerawarana, Ph.D.
>>> Founder, Chairman & CEO; WSO2, Inc.; http://wso2.com/
>>> email: sanj...@wso2.com; phone: +94 11 763 9614; cell: +94 77 787 6880| +1
>>> 650 265 8311
>>> blog: http://sanjiva.weerawarana.org/
>>>
>>> Lean . Enterprise . Middleware
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> Architecture@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
>>
>> --
>> Dushan Abeyruwan
>> Associate Tech Lead
>> *Integration Technologies Team*
>> *WSO2 Inc. http://wso2.com/*
>> *Mobile:(+94)714408632*
>>
>
>
>
> --
> Dushan Abeyruwan
> Associate Tech Lead
> *Integration Technologies Team*
> *WSO2 Inc. http://wso2.com/*
> *Mobile:(+94)714408632*
>
--
Dushan Abeyruwan
Associate Tech Lead
*Integration Technologies Team*
*WSO2 Inc. http://wso2.com/*
*Mobile:(+94)714408632*
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
