...

  • Attempting to retrieve a password that doesn't exist returns an empty node set; it does not throw an error.
  • In XPath, "$provided_password != $vault_password" returns true if either variable is an empty node set. Combined with the observation above, this means that if the password is not set in the vault, comparing it against a string will always return true, because the != operator checks whether any elements fail to match, and with no elements to check the comparison is considered a success. To avoid this, always verify separately that neither value is empty. https://stackoverflow.com/questions/4629416/xpath-operator-how-does-it-work
  • Because passwords must be entered by an ESB administrator, they are a common source of deployment problems. ESB developers must be very clear about which passwords their project uses and must explicitly check for the case where a password hasn't been entered.
  • A password entered under the wrong key will look successful to the ESB administrator. Be sure to use the full, quoted password key in all documentation.
  • Password keys must be unique. Use a key prefixed with the application's common prefix. See Prefix - ESB Idiom (/wiki/spaces/APIArchive/pages/22675749).

Solutions

Password Storage

...

Note: Secure Vault setup

To use the secure vault on a local install, the ESB must be configured for password encryption. Either follow the instructions for encrypting the passwords stored in the config files, or follow these instructions to bypass this error quickly.

Add the following to repository/conf/secret-conf.properties. If that file already has non-commented values, encryption is most likely already set up. Note that the keystore path, alias and passwords below are the defaults shipped with WSO2 Carbon; they are acceptable for a local developer install only, and a deployed environment needs its own keystore and passwords.

repository/conf/secret-conf.properties:

keystore.identity.location=repository/resources/security/wso2carbon.jks
keystore.identity.type=JKS
keystore.identity.alias=wso2carbon
keystore.identity.store.password=wso2carbon
keystore.identity.key.password=wso2carbon
secretRepositories.file.provider=org.wso2.securevault.secret.repository.FileBaseSecretRepositoryProvider
secretRepositories.file.location=repository/conf/security/cipher-text.properties
secretRepositories=file
carbon.secretProvider=org.wso2.securevault.secret.handler.SecretManagerSecretCallbackHandler

Add the secure vault namespace declaration to the root <Server> element of repository/conf/tomcat/catalina-server.xml. There is a bug in WSO2 Carbon that causes a failure if this namespace attribute isn't present.

repository/conf/tomcat/catalina-server.xml:

OLD:
<Server port="8005" shutdown="SHUTDOWN">

NEW:
<Server port="8005" shutdown="SHUTDOWN" xmlns:svns="http://org.wso2.securevault/configuration">

...

Password Retrieval

  1. Check that the password is set. If it is not, clearly indicate the problem through whatever reporting mechanism you have, including the full, quoted key that was looked up.
  2. Use the "wso2:vault-lookup" XPath function to retrieve the password.
  3. Document clearly which passwords are expected, along with some information about their use, source and format. See "Install_Instructions.txt Idiom".
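
The following Synapse sequence is an added example, not code from the original page or a WSO2 sample. It puts steps 1 and 2 together with the empty-value check recommended in the observations above: the vault value is confirmed to be non-empty before anything is compared with it, and the report names the full, quoted key. The application prefix "myapp", the vault alias "myapp.backend.password", the property names and the "X-App-Password" transport header are assumed names chosen for illustration.

```xml
<!-- Added example (not from the original page). The prefix "myapp", the vault
     alias "myapp.backend.password", the property names and the transport
     header "X-App-Password" are assumed names used for illustration only. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="myapp_check_password">

    <!-- Step 2: look the stored password up in the secure vault by its alias. -->
    <property name="myapp.vault_password"
              expression="wso2:vault-lookup('myapp.backend.password')"
              scope="default" type="STRING"/>

    <!-- The value supplied by the caller (assumed to arrive in a transport header). -->
    <property name="myapp.provided_password"
              expression="$trp:X-App-Password"
              scope="default" type="STRING"/>

    <!-- Step 1: confirm the vault password is set before it is compared with
         anything. string-length() of a missing or empty value is 0, so this
         branch is taken exactly when the alias has not been entered in the vault. -->
    <filter xpath="string-length(get-property('myapp.vault_password')) = 0">
        <then>
            <!-- Report the full, quoted key so the ESB administrator knows what
                 to enter. Only the key is logged, never the password value. -->
            <log level="custom">
                <property name="myapp.error"
                          value="Secure vault password 'myapp.backend.password' is not set"/>
            </log>
            <makefault version="soap11">
                <code xmlns:soap11Env="http://schemas.xmlsoap.org/soap/envelope/"
                      value="soap11Env:Server"/>
                <reason value="Service misconfigured: secure vault password 'myapp.backend.password' is not set"/>
            </makefault>
            <respond/>
        </then>
        <else>
            <!-- Both sides are checked for emptiness explicitly, as the
                 observations above recommend, rather than relying on != alone. -->
            <filter xpath="string-length(get-property('myapp.provided_password')) = 0 or get-property('myapp.provided_password') != get-property('myapp.vault_password')">
                <then>
                    <makefault version="soap11">
                        <code xmlns:soap11Env="http://schemas.xmlsoap.org/soap/envelope/"
                              value="soap11Env:Client"/>
                        <reason value="Authentication failed"/>
                    </makefault>
                    <respond/>
                </then>
                <else>
                    <!-- Password present and matching: continue with the normal flow. -->
                    <log level="custom">
                        <property name="myapp.status" value="password check passed"/>
                    </log>
                </else>
            </filter>
        </else>
    </filter>
</sequence>
```

Reference the sequence from the start of a proxy service's in-sequence with `<sequence key="myapp_check_password"/>`. On a fresh local install, where the alias has not yet been added to the vault, the first branch fires and the log and fault both carry the quoted key, which is the behaviour step 1 asks for; the caller's password is only ever compared once both values are known to be non-empty.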

...