26 Jun 2020

Secure Vault Implementation for WSO2 EI

One simple mechanism that ships with all WSO2 products to overcome this vulnerability (passwords stored in plain text in configuration files) is the Secure Vault implementation. It is an extended version of the Synapse Secure Vault, and the WSO2 Carbon platform inherits it. The feature lets us replace the real password with an alias, and this alias is then mapped to the encrypted version of the real password inside the Secure Vault.

The user-mgt.xml file, which resides in the <EI_HOME>/conf folder, contains the password of the admin user, which is ‘admin’. Using Secure Vault, this can be replaced by an alias such as UserManager.AdminUser.Password, and the encrypted version of the real password goes into Secure Vault. At runtime, the WSO2 product looks up this alias in Secure Vault and decrypts the corresponding password.

The entire Secure Vault implementation is mainly based on three files.

  • cipher-tool.properties
  • cipher-text.properties
  • ciphertool.sh (ciphertool.bat on Windows)

The following are the summarized steps to make it work.

Step 1: Open the cipher-tool.properties file in the <EI_HOME>/conf/security folder and add the file name and the XPath of the password you want to encrypt, in the following format.

<alias>=<file_name>//<xpath>,<true/false>

  • <alias>: The value which is going to replace the hard-coded password.
    ex: UserManager.AdminUser.Password
  • <file_name>: The file name of the configuration file where the password resides.
    ex: repository/conf/user-mgt.xml
  • <xpath>: XPath to the password in the configuration file
    ex: UserManager/Realm/Configuration/AdminUser/Password
  • <true, false>: Use value ‘false’ if you are encrypting the value of an XML element, or the value of an XML attribute’s tag. Use the value ‘true’ if you are encrypting the tag of an XML attribute.

ex:
UserManager.AdminUser.Password=repository/conf/user-mgt.xml//UserManager/Realm/Configuration/AdminUser/Password,false

Step 2: Open the cipher-text.properties file (<EI_HOME>/conf/security) and add the alias and the corresponding plaintext password.

<alias>=[plain_text_password]

ex:
UserManager.AdminUser.Password=[admin]

Step 3: Run the cipher tool script (<EI_HOME>/bin) with the -Dconfigure option: ‘./ciphertool.sh -Dconfigure’ on Linux, or ‘ciphertool.bat -Dconfigure’ on Windows.

That’s it!!! You will see that the original password has been replaced by an alias in the configuration file, and that the encrypted password appears in the cipher-text.properties file under the corresponding alias.
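A check for the two properties files from Steps 1 to 3, as an added example (not part of the original post or of WSO2's tooling): it validates the `<file_name>//<xpath>,<true/false>` format and flags aliases whose value is still a bracketed plaintext password, which is the state of cipher-text.properties until the cipher tool has run. The sample file contents and the `Example.Db.Password` alias are constructed.

```python
import re

# Step 1 format: <file_name>//<xpath>,<true|false>
ENTRY_RE = re.compile(r"^(?P<file>.+?)//(?P<xpath>.+),(?P<attr>true|false)$")
# Step 2 format: a value in [brackets] is plaintext awaiting encryption
PLAINTEXT_RE = re.compile(r"^\[.*\]$")

# Constructed sample contents; Example.Db.Password is a hypothetical alias.
SAMPLE_TOOL = """\
UserManager.AdminUser.Password=repository/conf/user-mgt.xml//UserManager/Realm/Configuration/AdminUser/Password,false
Example.Db.Password=repository/conf/example.xml//Example/Password
"""
SAMPLE_TEXT = "UserManager.AdminUser.Password=[admin]\n"

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # ciphertext may contain '=' padding
        props[key.strip()] = value.strip()
    return props

def parse_tool_entry(value):
    """Split a cipher-tool.properties value into (file, xpath, flag)."""
    m = ENTRY_RE.match(value)
    if not m:
        raise ValueError("expected <file_name>//<xpath>,<true|false>")
    return m["file"], m["xpath"], m["attr"] == "true"

def audit(tool_text, cipher_text):
    """Return sorted (alias, issue) findings for the two files."""
    tool, secrets = parse_props(tool_text), parse_props(cipher_text)
    findings = []
    for alias, value in tool.items():
        try:
            parse_tool_entry(value)
        except ValueError:
            findings.append((alias, "malformed mapping"))
        if alias not in secrets:
            findings.append((alias, "no cipher-text entry"))
    for alias, value in secrets.items():
        if PLAINTEXT_RE.match(value):
            findings.append((alias, "plaintext still on disk"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_TOOL, SAMPLE_TEXT), sep="\n")
```

Run against the real files, an empty result after Step 3 means every mapped alias has an encrypted entry and no bracketed plaintext remains.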

Observe the changes in the screenshots below.

Decrypt Encrypted text with the WSO2 Cipher tool:

1. Download the pre-built client jar file from https://github.com/ashok1995-b/decryptedJarfile/blob/master/org.wso2.samples.decrypt-1.0-jar-with-dependencies.jar and put it in the lib folder.

    Jar file   =   org.wso2.samples.decrypt-1.0-jar-with-dependencies.jar

   Run it from YOUR_EI_HOME/6.6.0/lib with the command below. It is interactive and asks for the following inputs one by one:

   java -jar org.wso2.samples.decrypt-1.0-jar-with-dependencies.jar

2. Encrypted text from (\YOUR_EI_HOME\6.6.0\conf\security\cipher-text.properties)

For example, for UserManager.AdminUser.Password = “admin”:

bBa173t6ThRLQOt6Z5BztDC56MXLAwb9cr6gHRJhWSbAGbIG7KaFxNjAuh9pVt/74tY06yKEt/SIgL42QDMQMmMjMgmd9KP9VMtVTMw2EMdW55VETgwHmPzfAiL242M77bpZW/Y9/YTanPQk8KStOxIUI4iAM42lm2z3imbHVh0=


3. KeyStore file path : /YOUR_EI_HOME/6.6.0/repository/resources/security/wso2carbon.jks
4. KeyStore alias : wso2carbon
5. KeyStore password : wso2carbon

Result in Plain Text:


