Often an ESB sequence needs access to some secret information that shouldn't be hard coded into the ESB project's source code. The process outlined here only works for small string values, such as a password or API key.
Overview
The password will be stored in the ESB's "Secure Vault". The Secure Vault is accessed by ESB administrators using the admin console. Passwords are encrypted by the ESB's key, and are stored in the ESB's registry. Sequences can retrieve the password using the "wso2:vault-lookup" xpath function.
Things to know / Potential problems
- Attempting to retrieve a password that doesn't exist returns an empty node set, it does not throw an error.
- In XPath 1.0 a comparison that involves a node set is true only if some node in the set satisfies it. So "$provided_password != $vault_password" returns false, not true, when either side is an empty node set: there are no pairs of values to compare, so the != test finds none that differ. The negated form "not($provided_password != $vault_password)", which reads like an equality check, is therefore true whenever the vault password is missing. Combined with the observation above, a sequence written that way accepts every request if the password has not been entered in the vault. To avoid this, always separately verify that both values are non-empty before comparing them, and write the rejection test as "not($a = $b)", which is true (rejects) when either side is empty. https://stackoverflow.com/questions/4629416/xpath-operator-how-does-it-work
- Because passwords must be entered by an ESB administrator, they are a common source of deployment problems. ESB developers must be very clear about which passwords their project uses and must explicitly check for the case where a password hasn't been entered.
- A password entered under the wrong key will look successful to the ESB Administrator; the admin console does not know which keys the sequences expect, and the sequence will simply get an empty lookup result. Be sure to use the full, quoted password key in all documentation.
- Password keys must be unique. Use a key that is prefixed by the application's common prefix. See "Prefix Idiom"
Solutions
Password Storage
- Access the ESB Admin Console (https://soa-qa-esb-1.ucsd.edu:9443/carbon).
- Click on Main->Manage->Secure Vault Tool->Manage Passwords
- Click on "Add New Password to encrypt and store"
Password Retrieval
- Check that the password is set. If not, clearly indicate the problem with whatever reporting mechanism you have. Include the full, quoted key that was being looked for.
- Use the "wso2:vault-lookup" xpath function to retrieve the password.
- Document clearly which passwords are expected, and some information about their use, source and format. See "Install_Instructions.txt Idiom"
ESB Sequence Code
<!-- Fail closed: stop the sequence if the key has not been entered in the vault -->
<filter xpath="not(wso2:vault-lookup('aca_e2t_APIM_KeySecret'))">
    <then>
        <call-template target="aca_e2t_RaiseException">
            <with-param name="ERROR_MESSAGE" value="The password 'aca_e2t_APIM_KeySecret' has not been set in the secure vault!"/>
        </call-template>
    </then>
</filter>
<!-- Store the secret in a message-context property for later use -->
<property name="KeySecret" expression="wso2:vault-lookup('aca_e2t_APIM_KeySecret')"/>
<!-- The lookup can also be used inline, here to build a Basic auth header -->
<property name="Authorization" expression="concat('Basic ', wso2:vault-lookup('aca_e2t_APIM_KeySecret'))" scope="transport"/>
Install_Instructions.txt Documentation
Passwords:
aca_e2t_DocumentStatusPassword - The password for Parchment's document status service.
aca_e2t_APIM_KeySecret - The Client Key and Secret in Basic Auth format (joined with : and Base64 encoded)
Password Comparison
- Follow the Password Retrieval steps
- Check separately that the client actually supplied a password; an empty value must be rejected before any comparison is made.
- Use "not($ctx:provided_password = $ctx:admin_password)" as the rejection condition. The = comparison is false when either side is an empty node set, so a missing value is rejected. Do not use "not($provided_password != $vault_password)" for this: != is false against an empty node set, so its negation accepts the request whenever the vault password is missing.
ESB Sequence Code
<!-- 1. Fail closed if the administrator has not entered the password -->
<filter xpath="not(wso2:vault-lookup('aca_e2t_admin_password'))">
    <then>
        <call-template target="aca_e2t_RaiseException">
            <with-param name="ERROR_MESSAGE" value="The password 'aca_e2t_admin_password' has not been set in the secure vault!"/>
        </call-template>
    </then>
</filter>
<property name="admin_password" expression="wso2:vault-lookup('aca_e2t_admin_password')"/>
<property name="provided_password" expression="//adminpassword"/>
<!-- 2. Reject an empty client value before comparing -->
<filter xpath="not($ctx:provided_password)">
    <then>
        <call-template target="aca_e2t_RaiseException">
            <with-param name="ERROR_MESSAGE" value="Client did not supply an admin password. Access Denied."/>
        </call-template>
    </then>
</filter>
<!-- 3. not(a = b) is true (rejects) if the values differ or either is empty -->
<filter xpath="not($ctx:provided_password = $ctx:admin_password)">
    <then>
        <call-template target="aca_e2t_RaiseException">
            <with-param name="ERROR_MESSAGE" value="Incorrect admin password. Access Denied."/>
        </call-template>
    </then>
</filter>
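The fail-open trap described under "Things to know" and the three-step check above can be reproduced without an ESB. The following is an added example, not code from this page or from WSO2: it models the XPath 1.0 general-comparison rule (a comparison against a node set is true only if some node in the set satisfies it), treats a vault-lookup result as a list of string values where an empty list stands for an empty node set, and runs the two candidate rejection tests plus the guarded sequence logic against constructed inputs. Names such as check_fail_open and guarded_check are this example's own.

```python
"""Model of XPath 1.0 node-set comparison semantics applied to the ESB
vault password check.  This is not a real XPath engine; it implements the
rule from XPath 1.0 section 3.4 so the behaviour of not(a != b) versus
not(a = b) on an empty vault-lookup result can be seen side by side.
All inputs below are constructed for the example."""

from typing import List

# String-values of the nodes in a node set; [] models an empty node set,
# which is what the page reports for a vault-lookup on a missing key.
NodeSet = List[str]


def xpath_eq(left: NodeSet, right: NodeSet) -> bool:
    """`left = right`: true iff SOME pair of string-values is equal."""
    return any(a == b for a in left for b in right)


def xpath_ne(left: NodeSet, right: NodeSet) -> bool:
    """`left != right`: true iff SOME pair of string-values differs.
    With an empty operand there are no pairs, so the result is false."""
    return any(a != b for a in left for b in right)


def xpath_boolean(ns: NodeSet) -> bool:
    """boolean(node-set): true iff the node set is non-empty."""
    return len(ns) > 0


def check_fail_open(provided: NodeSet, vault: NodeSet) -> bool:
    """Accept iff not(provided != vault).  Looks like an equality test but
    accepts whenever either side is empty (the trap the page warns about)."""
    return not xpath_ne(provided, vault)


def check_fail_closed(provided: NodeSet, vault: NodeSet) -> bool:
    """Accept iff (provided = vault), i.e. the filter not(a = b) did not
    fire.  An empty operand makes = false, so the request is rejected."""
    return xpath_eq(provided, vault)


def guarded_check(provided: NodeSet, vault: NodeSet) -> str:
    """The page's three filters in order: vault unset, client value empty,
    then the comparison.  Returns the reason a filter fired, or 'ok'."""
    if not xpath_boolean(vault):
        return "vault password not set"
    if not xpath_boolean(provided):
        return "client did not supply a password"
    if not xpath_eq(provided, vault):
        return "incorrect password"
    return "ok"


if __name__ == "__main__":
    scenarios = {
        "vault missing, client guesses": (["hunter2"], []),
        "both missing":                  ([], []),
        "client empty":                  ([], ["s3cret"]),
        "wrong password":                (["wrong"], ["s3cret"]),
        "correct password":              (["s3cret"], ["s3cret"]),
    }
    for name, (provided, vault) in scenarios.items():
        print(f"{name:32} not(a != b) accepts={check_fail_open(provided, vault)!s:5} "
              f"not(a = b) accepts={check_fail_closed(provided, vault)!s:5} "
              f"guarded={guarded_check(provided, vault)}")
```

The multi-node case explains why the negated-inequality form is tempting: with provided = ["a", "b"] and vault = ["a"], "a = b" is true because one pair matches, while "not(a != b)" is false because not all pairs match. That stricter reading is only worth having once both sides are known to be non-empty, which is exactly what the two guard filters in the sequence establish.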