
Often an ESB sequence needs access to some secret information that shouldn't be hard coded into the ESB project's source code.  The process outlined here only works for small string values, such as a password or API key.

Overview

The password will be stored in the ESB's "Secure Vault".  The Secure Vault is accessed by ESB administrators using the admin console.  Passwords are encrypted by the ESB's key, and are stored in the ESB's registry.  Sequences can retrieve the password using the "wso2:vault-lookup" xpath function.

Things to know / Potential problems

  • Attempting to retrieve a password that doesn't exist returns an empty node set, it does not throw an error.
  • In XPath, "$provided_password != $vault_password" will return true if either variable is an empty node set.  Combined with the observation above, if the password is not set in the vault, comparing it against a string will always return true. This is because the != operator checks whether any elements don't match; if there aren't any elements to check, the comparison is considered a success. To avoid this, always separately verify that the values aren't empty.  See https://stackoverflow.com/questions/4629416/xpath-operator-how-does-it-work
  • Because passwords must be entered by an ESB administrator, they are a common source of deployment problems.  ESB developers must be very clear about which passwords their project uses and must explicitly check for the case that a password hasn't been entered.
  • A password entered under the wrong key will look successful to the ESB administrator.  Be sure to use the full, quoted password key in all documentation.
  • Password keys must be unique.  Use a key that is prefixed by the application's common prefix.  See "Prefix Idiom".

Solution

  • Check that the password is set.  If not, clearly indicate the problem with whatever reporting mechanism you have.  Include the full, quoted key that was being looked for.
  • Use the "wso2:vault-lookup" xpath function to retrieve the password.
  • If comparing passwords, use "not($provided_password != $vault_password)".
  • Document clearly which passwords are expected, and some information about their use, source and format. See "Install_Instructions.txt Idiom"

ESB Code:

<filter xpath="not(wso2:vault-lookup('aca_e2t_APIM_KeySecret'))">
    <then>
        <call-template target="aca_e2t_RaiseException">
            <with-param name="ERROR_MESSAGE" value="The password 'aca_e2t_APIM_KeySecret' has not been set in the secure vault!"/>
        </call-template>
    </then>
</filter>
<property name="KeySecret" expression="wso2:vault-lookup('aca_e2t_APIM_KeySecret')"/>
<!-- The lookup can also be used inline -->
<property name="Authorization" expression="concat('Basic ', wso2:vault-lookup('aca_e2t_APIM_KeySecret'))" scope="transport"/>
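The following Python is an added example, not code from this page or the ESB project: it models the XPath 1.0 comparison rule (a comparison involving a node set is true only if some pair of values satisfies it, so an empty node set makes both "=" and "!=" false and "not($provided_password != $vault_password)" pass) and shows how the separate emptiness check from the Solution closes that gap. The in-memory vault, its contents and the key "aca_e2t_MissingPassword" are constructed for the demonstration.

```python
from typing import List, Union

NodeSet = List[str]            # string-values of matched nodes; [] means nothing found
Operand = Union[str, NodeSet]  # a literal string or a node-set

def _values(x: Operand) -> List[str]:
    """A string compares as one value; a node-set as each node's string-value."""
    return [x] if isinstance(x, str) else list(x)

def xpath_compare(a: Operand, b: Operand, op: str) -> bool:
    """XPath 1.0 rule: with a node-set involved, the comparison is true iff
    SOME pair of values satisfies it.  No nodes means no pair, so both
    '=' and '!=' come out false against an empty node-set."""
    pairs = [(x, y) for x in _values(a) for y in _values(b)]
    if op == "=":
        return any(x == y for x, y in pairs)
    if op == "!=":
        return any(x != y for x, y in pairs)
    raise ValueError(f"unsupported operator {op!r}")

def xpath_not(x: Operand) -> bool:
    """XPath not(): an empty string or empty node-set is false, so not() is true."""
    return len(x) == 0

# Constructed stand-in for the Secure Vault; "wso2:vault-lookup" on a missing
# key is modelled as returning an empty node-set, as the page describes.
VAULT = {"aca_e2t_APIM_KeySecret": ["s3cret-value"]}

def vault_lookup(key: str) -> NodeSet:
    return list(VAULT.get(key, []))

def naive_check(provided: str, key: str) -> bool:
    """Filter condition 'not($provided_password != $vault_password)' on its own."""
    return not xpath_compare(provided, vault_lookup(key), "!=")

def guarded_check(provided: str, key: str) -> bool:
    """The page's Solution: fail when the vault entry is missing, then compare."""
    vault_password = vault_lookup(key)
    if xpath_not(vault_password):
        # In the ESB this is where the aca_e2t_RaiseException template is called.
        return False
    return not xpath_compare(provided, vault_password, "!=")

if __name__ == "__main__":
    # Missing key: the naive filter passes any password, the guarded one rejects.
    print(naive_check("anything", "aca_e2t_MissingPassword"))        # True (pitfall)
    print(guarded_check("anything", "aca_e2t_MissingPassword"))      # False
    print(guarded_check("s3cret-value", "aca_e2t_APIM_KeySecret"))   # True
```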

Install_Instructions.txt:

Passwords:
	aca_e2t_DocumentStatusPassword - The password for Parchment's document status service.
	aca_e2t_APIM_KeySecret - The Client Key and Secret in Basic Auth format (joined with : and Base64 encoded)
