Hi All,
An example of a secure vault YAML configuration file, as of the current
implementation, is shown below.
secretRepository:
  type: org.wso2.carbon.kernel.securevault.repository.DefaultSecretRepository
  parameters:
    privateKeyAlias: wso2carbon
    keystoreLocation: resources/security/wso2carbon.jks
masterKeyReader:
  type: org.wso2.carbon.kernel.securevault.reader.DefaultMasterKeyReader
However, following the discussion in [1], we decided to move Carbon Secure
Vault out of Carbon Kernel for the reasons given in [1].
With this change, in OSGi mode the secret repository and the master key
reader will be implementations of the specified classes
(org.wso2.carbon.kernel.securevault.repository.DefaultSecretRepository and
org.wso2.carbon.kernel.securevault.reader.DefaultMasterKeyReader), registered
via the Secure Vault component, while in standalone mode they will be
instances of the specified classes created using the Class.forName() method.
In this implementation, it was decided to delegate providing the other file
paths (secret.properties, master-key.yaml) to the relevant implementation
classes, because those paths are bound to the particular implementation.
However, with this approach we are forced to check whether the code is being
executed in OSGi mode or non-OSGi mode in order to provide the correct
location of those files (secret.properties, master-key.yaml).
*Suggestion:*
secretRepository:
  type: org.wso2.carbon.secvault.securevault.repository.DefaultSecretRepository
  parameters:
    privateKeyAlias: wso2carbon
    keystoreLocation: securevault/resources/security/wso2carbon.jks
    secretProperties: securevault/resources/security/secrets.properties
masterKeyReader:
  type: org.wso2.carbon.secvault.securevault.utils.DefaultHardCodedMasterKeyReader
  parameters:
    masterKeyFile: securevault/resources/security/master-keys.yaml
If we could add the highlighted properties (secretProperties and
masterKeyFile) to the secure vault YAML configuration file, specifying the
locations of master-keys.yaml and secrets.properties, we would only need to
check whether the code is being executed in OSGi mode or non-OSGi mode once,
at the time of secure vault initialisation.
WDYT?
[1] [C5] Moving Carbon Configuration and Carbon Sec-Vault to 2 Separate
Repositories (Removing from Kernel)
<http://wso2-oxygen-tank.10903.n7.nabble.com/C5-Moving-Carbon-Configuration-and-Carbon-Sec-Vault-to-2-Separate-Repositories-Removing-from-Kernel-td146953.html>
Best Regards,
*Vidura Nanayakkara*
Software Engineer
Email : [email protected]
Mobile : +94 (0) 717 919277
Web : http://wso2.com
Blog : https://medium.com/@viduran
Twitter : http://twitter.com/viduranana
LinkedIn : https://lk.linkedin.com/in/vidura-nanayakkara
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
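An added illustration in Java of the flow proposed in the message (editor's example, not WSO2 code): the OSGi/non-OSGi decision is taken once to pick a base directory, the path-valued parameters from the suggested YAML (keystoreLocation, secretProperties, masterKeyFile) are resolved and validated once, and in standalone mode the configured type is instantiated with Class.forName(). The SPI interfaces, method names and the use of a carbon.home system property are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;

public class SecureVaultInit {
    /** Hypothetical SPI: implementations receive already-resolved file paths. */
    public interface SecretRepository { void init(Map<String, String> params); }
    public interface MasterKeyReader { void init(Map<String, String> params); }

    /** Keys from the proposed YAML whose values are file locations. */
    private static final String[] PATH_KEYS = {"keystoreLocation", "secretProperties", "masterKeyFile"};

    /** The OSGi/non-OSGi decision happens exactly once, here. */
    static Path resolveBaseDir(boolean osgiMode) {
        // Assumption: the OSGi runtime sets carbon.home; standalone runs from the product directory.
        String home = osgiMode ? System.getProperty("carbon.home") : System.getProperty("user.dir");
        if (home == null) throw new IllegalStateException("carbon.home is not set");
        return Paths.get(home).toAbsolutePath().normalize();
    }

    /** Returns a copy of params with path-valued entries resolved against baseDir and validated. */
    static Map<String, String> resolveParameters(Map<String, String> params, Path baseDir) {
        Map<String, String> resolved = new HashMap<>(params);
        for (String key : PATH_KEYS) {
            String value = params.get(key);
            if (value == null) continue;
            Path p = baseDir.resolve(value).normalize();
            // A relative value from the config must not resolve outside the product home.
            if (!p.startsWith(baseDir)) {
                throw new IllegalArgumentException(key + " points outside " + baseDir);
            }
            if (!Files.isReadable(p)) {
                throw new IllegalArgumentException(key + " is not readable: " + p);
            }
            resolved.put(key, p.toString());
        }
        return resolved;
    }

    /** Standalone mode: load the configured type via Class.forName and check it implements the SPI. */
    static <T> T instantiate(String type, Class<T> spi) throws Exception {
        Class<?> clazz = Class.forName(type);
        if (!spi.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(type + " does not implement " + spi.getSimpleName());
        }
        return spi.cast(clazz.getDeclaredConstructor().newInstance());
    }
}
```

At startup the caller would compute `resolveBaseDir(osgi)` once, then for each section instantiate the `type` (standalone mode) or look it up from the OSGi registry, and pass `resolveParameters(parameters, baseDir)` to its `init`, so no implementation class needs its own mode check.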