wso2 / api-manager

All issues, tasks, improvements and new features of WSO2 API Manager
Apache License 2.0

Avoid using password file when using ciphertool #3045

Open sanethmaduranga opened 3 months ago

sanethmaduranga commented 3 months ago

Problem

As of now, when using the 'Secure Vault' [1] for WSO2 APIM, it needs to store the internal keystore password in a file (password-tmp or password-persist).

For Kubernetes-based deployments, there are external CSI drivers that can copy the password value dynamically to the password-tmp or password-persist files, as guided in [2]. Also, we know the WSO2 products support HashiCorp Vault integration as per [3].

Taking advantage of those, is there any possibility of avoiding having the password saved in the file system during startup (in 'password-tmp'), for example by connecting to the external vaults and then performing the server startup?

[1] - https://apim.docs.wso2.com/en/4.0.0/install-and-setup/setup/security/logins-and-passwords/working-with-encrypted-passwords/#resolving-already-encrypted-passwords-during-server-startup
[2] - https://github.com/wso2/helm-apim/blob/4.2.x/all-in-one/templates/am/wso2am-conf-entrypoint.yaml#L45
[3] - https://github.com/wso2-extensions/carbon-securevault-hashicorp

Thanks,

Solution

Connecting to the external vaults and getting the password value during startup in a more secure way.

Affected Component

APIM

Version

No response

Implementation

No response

Related Issues

No response

Suggested Labels

No response
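The issue above asks for the keystore password to be fetched from an external vault at startup rather than left lying in the file system. Until the server can talk to the vault itself, the practical mitigation is to narrow the window in which password-tmp exists: fetch the secret just in time, create the file owner-only, refuse to reuse a stale copy, and remove it once the server has consumed it. The entrypoint fragment below is an added example written for this page; it is not code from the WSO2 project, the helm chart, or the issue author. `fetch_keystore_password` is a stub returning a constructed value so the script runs offline (a real one would call the vault CLI or API), `CARBON_HOME` and the `bin/api-manager.sh` start command are assumed, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the WSO2 project or this issue.
# Writes the internal keystore password to $CARBON_HOME/password-tmp,
# which the secure vault reads at startup, with the smallest possible
# exposure: just-in-time fetch, 0600 permissions, no silent overwrite,
# and explicit cleanup if the file outlives startup.

# Stub for the vault lookup. The returned value is constructed for
# this example; a real implementation would query HashiCorp Vault or
# whichever external vault the deployment uses.
fetch_keystore_password() {
    printf '%s' 'constructed-example-password'
}

# Create $1/password-tmp readable only by the owner and containing the
# fetched password. Returns 1 (and leaves no file behind) if a stale
# copy already exists, if the file is not 0600, or if it is empty.
write_password_tmp() {
    home="$1"
    target="$home/password-tmp"

    # A leftover file means a previous start did not finish cleaning up;
    # do not overwrite it quietly, surface it instead.
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing $target" >&2
        return 1
    fi

    # Subshell so umask 077 applies only to this write: the file is
    # created 0600 regardless of the process-wide default (usually 022).
    (
        umask 077
        fetch_keystore_password > "$target"
    )

    # Verify what was actually created before letting the server start.
    mode=$(ls -l "$target" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        rm -f "$target"
        return 1
    fi
    if [ ! -s "$target" ]; then
        rm -f "$target"
        return 1
    fi
    return 0
}

# Remove the file if it is still present after startup. The server is
# documented to delete password-tmp itself; this guards against the
# case where it did not (crash, interrupted start, password-persist
# used by mistake).
cleanup_password_tmp() {
    rm -f "$1/password-tmp"
    [ ! -e "$1/password-tmp" ]
}

# Usage in an entrypoint (commented out so the functions can be sourced):
# write_password_tmp "$CARBON_HOME" || exit 1
# trap 'cleanup_password_tmp "$CARBON_HOME"' EXIT
# "$CARBON_HOME/bin/api-manager.sh"    # assumed start script
```

Mount `CARBON_HOME` (or at least the directory password-tmp lives in) on a tmpfs/emptyDir rather than a persistent volume so the secret never reaches disk, and run the container with a non-root user so the 0600 mode actually restricts other processes in the pod.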

alienfs commented 3 months ago

Something like this works for Apache Tomcat: https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password. And here is a useful link: https://cwiki.apache.org/confluence/display/TOMCAT/Password