Friday, November 30, 2012

How to Enable Secure Vault in a WSO2 Carbon Product

1. Extract the carbon product to a preferred location

2. Make sure that file is available in CARBON_HOME/repository/conf

3. Make sure that file is available in CARBON_HOME/bin

4. From a command line, navigate to CARBON_HOME/bin. From there, run the following command; In Linux, sh -Dconfigure 
In Windows,   ciphertool.bat -Dconfigure
This would prompt the following in the command line
[Please Enter Primary KeyStore Password of Carbon Server : ]There, you can give ‘wso2carbon’

5. After finishing the execution of, check the values in the file. It would contain an encrypted value as below.

6. Then start up the server normally with In Linux, sh In Windows,   wso2server.batDuring the server start up, it would prompt the following twice.
[Enter KeyStore and Private Key Password :] There also you  need to provide ‘wso2carbon’ in both the instances.

7. Now your server system is protected with the secure vault configuration, and all the passwords are encrypted and exposed to outside via aliases.


When configuring Secure Vault with WSO2 products : Error initializing Cipher

You can configure Secure Vault with WSO2 ESB (or any other Carbon product) to secure the data in the configuration files such as
 - User Store passwords
 - Database passwords           etc.
You may get this work completely if you follow this blog on How to configure Secure Vault in WSO2 Products.
If you try with a custom keystore, you might encounter the following error for certain instances.
Exception in thread "main" org.wso2.ciphertool.CipherToolException: Error initializing Cipher
at org.wso2.ciphertool.CipherTool.handleException(
at org.wso2.ciphertool.CipherTool.initCipher(
at org.wso2.ciphertool.CipherTool.main(
Caused by: Wrong key usage
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at org.wso2.ciphertool.CipherTool.initCipher(
... 1 more
Then you can analyze the public certificates of the two jks's  - In default wso2carbon.jks, the KeyUsage is
KeyUsage [
 - In the custom .jks, the KeyUsage is
KeyUsage [
Since the custom key store's certificate does not have 'Data_Encipherment' it can't use the Ciphertool and encrypt data for secure vault. So they may have to generate a new key store with at least a Self signed certificate.