Open sanethmaduranga opened 3 months ago
Something like this works for Apache Tomcat: https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password. And here is a useful link: https://cwiki.apache.org/confluence/display/TOMCAT/Password
Problem
As of now, when using the 'Secure Vault' [1] for WSO2 APIM, it needs to store the internal key-store password to a file (password-tmp or password-persist).
For Kubernetes-based deployments, there are external CSI drivers that can copy the password value dynamically to the password-tmp or password-persist files as guided in [2]. Also, we know the WSO2 products support HashiCorp Vault integration as per [3].
Taking those as an advantage, is there any possibility to avoid having the password saved in the file system during startup in 'password-tmp', such as by connecting to the external vaults and performing the server startup?
[1] - https://apim.docs.wso2.com/en/4.0.0/install-and-setup/setup/security/logins-and-passwords/working-with-encrypted-passwords/#resolving-already-encrypted-passwords-during-server-startup
[2] - https://github.com/wso2/helm-apim/blob/4.2.x/all-in-one/templates/am/wso2am-conf-entrypoint.yaml#L45
[3] - https://github.com/wso2-extensions/carbon-securevault-hashicorp
Thanks,
Solution
Connecting to the external vaults and getting the password value during startup in a more secure way.
Affected Component
APIM
Version
No response
Implementation
No response
Related Issues
No response
Suggested Labels
No response