Manu, I prefer the approach Sameera mentioned as it is independent of the config file and will work with any future config file as well.
--Srinath On Fri, May 13, 2016 at 7:26 PM, Manuranga Perera <m...@wso2.com> wrote: > 1) > >> Now we don't maintain passwords or any sensitive data in the >> configuration files. All such data should be maintained in the >> *secret.properties*file. > > +1 for having in one file and not having to change in multiple places. > > 2) > Have you considered not having an alias, instead using path > > *carbon.yml file* > > security: > keystore: > password: > > *secret.properties file* > > carbon-yml.security.keystore.password=[wso2carbon] > > > > On Fri, May 13, 2016 at 4:07 AM, Niranjan Karunanandham <niran...@wso2.com > > wrote: > >> Hi all, >> >> On Fri, May 13, 2016 at 12:43 PM, Sameera Jayasoma <same...@wso2.com> >> wrote: >> >>> Hi All, >>> >>> We introduced this new design to solve the issues in the previous secure >>> vault implementation. We've simplified the configuration of secure vault >>> module with this new design. >>> >>> Now we don't maintain passwords or any sensitive data in the >>> configuration files. All such data should be maintained in the >>> *secret.properties* file. We will see whether we can use YAML as the >>> file format here. >>> >> >>> When you develop Carbon components and if you happen to introduce >>> configs which contain passwords, you shouldn't put the actual password >>> there. Just put a secret alias in your config file and add an entry the >>> secret.properties file. This should happen at the development time. End >>> users do not need to worry such configurations. But if they want to change >>> passwords, they can change them only in the secret.properties file. >>> >> +1 to have a the sensitive data in one file since it will easy to >> maintain. >> >> >> >>> e.g. Consider the carbon.yml file. You should put a secret alias such >>> as, >>> >>> password: ${secvault:carbon.security.keystore.password} >>> >> >>> Now you need put an entry in the secret.properties file as follows. >>> >>> carbon.security.keystore.password=[wso2carbon] >>> >>> >>> Thanks, >>> Sameera. >>> >>> >>> On Wed, May 4, 2016 at 6:52 PM, Nipuni Perera <nip...@wso2.com> wrote: >>> >>>> Hi all, >>>> >>>> We are trying to add Carbon secure-vault support to C5. >>>> >>>> We have done some changes to the way how we configure ciphertool and >>>> securevault in C5 compared to C4. Please find the new design details below: >>>> >>>> There are two configuration files that we maintain for Ciphertool and >>>> Securevault: >>>> >>>> [1]. *secrets.properties* - This file will contains the >>>> secret-allias and secrets (encrypted/or plain-text). Act as the file-based >>>> secret repository. We define all the passwords/secrets which need to be >>>> secured in this file. >>>> eg: SecureVault.Keystore.Password=[wso2carbon] >>>> Carbon.Security.KeyStore.Password=[somepassword] >>>> >>>> [2]. *secure-vault.yaml* - This file will have the main >>>> configurations (eg: default secret repository implementation, default >>>> Callbackhandler implementation etc) >>>> eg: carbon.secretProvider: >>>> org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler >>>> keystore.identity.type: JKS >>>> keystore.identity.store.password: identity.store.password >>>> >>>> The CipherTool will be used for creating encrypted values for given >>>> plain text secrets in the *secrets**.properties* [1]. >>>> >>>> If a user need to make a value secure, >>>> >>>> 1. they have to add a unique name (alias) to their carbon >>>> configuration element (eg: a value of an element in carbon.yml) >>>> 2. add the same unique-name along with the plain-text password to >>>> the *secrets.properties* file. >>>> >>>> *Example:* >>>> >>>> Assume that we need to secure a value "password" under element >>>> "Security/Keystore" in Carbon.yml configuration. First we add a unique a >>>> alias as the value to the Password as below [3]. Second we add that unique >>>> alias with its plain text password to *secrets*.properties file[4]. >>>> >>>> CipherTool will encrypt the plain-text password and replace the >>>> plain-text password with the encrypted value. (In c4 we have added >>>> plain-text passwords within square brackets. If not they are identified as >>>> encrypted values). >>>> >>>> When loading the carbon.yml (or any other custom configuration file), >>>> we read the secured values using secure-vault service. This secure vault >>>> service will either return the password from the *secrets*.properties >>>> file if the secret is not encrypted, OR return the encrypted value. >>>> >>>> [3] >>>> ################################################################################ >>>> >>>> id: carbon-kernel #Value to uniquely identify a server >>>> name: WSO2 Carbon Kernel #Server Name >>>> version: 5.1.0-SNAPSHOT #Server Version >>>> tenant: default #Tenant Name >>>> >>>> # Keystore used by this server >>>> Security: >>>> Keystore >>>> Password: Carbon.Security.Keystore.Password >>>> >>>> >>>> ############################################################################### >>>> >>>> [4] Carbon.Security.Keystore.Password=[wso2carbon] >>>> >>>> >>>> *New design decisions taken compared to C4 SecureVault implementation:* >>>> >>>> 1. We have removed the usage of cipher-tool.properties file. (This >>>> file was used to keep the alias, the location to the configuration file, >>>> and the xpath to the secret element in the configuration file). >>>> 2. We can support any format of configuration file with this model >>>> as we only care about the secret-key that we define in the >>>> *secrets*.properties >>>> file and do not depend on the xpath to find the location of the secret >>>> element. >>>> >>>> Thanks, >>>> Nipuni >>>> >>>> -- >>>> Nipuni Perera >>>> Software Engineer; WSO2 Inc.; http://wso2.com >>>> Email: nip...@wso2.com >>>> Git hub profile: https://github.com/nipuni >>>> Blog : http://nipunipererablog.blogspot.com/ >>>> Mobile: +94 (71) 5626680 >>>> <http://wso2.com> >>>> >>>> >>> >>> >>> -- >>> Sameera Jayasoma, >>> Software Architect, >>> >>> WSO2, Inc. (http://wso2.com) >>> email: same...@wso2.com >>> blog: http://blog.sameera.org >>> twitter: https://twitter.com/sameerajayasoma >>> flickr: http://www.flickr.com/photos/sameera-jayasoma/collections >>> Mobile: 0094776364456 >>> >>> Lean . Enterprise . Middleware >>> >>> >> >> Regards, >> Nira >> -- >> >> *Niranjan Karunanandham* >> Senior Software Engineer - WSO2 Inc. >> WSO2 Inc.: http://www.wso2.com >> > > > > -- > With regards, > *Manu*ranga Perera. > > phone : 071 7 70 20 50 > mail : m...@wso2.com > > _______________________________________________ > Architecture mailing list > Architecture@wso2.org > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > > -- ============================ Srinath Perera, Ph.D. http://people.apache.org/~hemapani/ http://srinathsview.blogspot.com/
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture