How to secure the plain text password of NetworkAuthenticatorConfig element in carbon.xml with WSO2 Carbon Secure Vault

If you are familiar with Carbon servers you may have noticed that the passwords are set in plain text in configuration files. This is prone to security vulnerabilities. But with Secure Vault implementation you can get rid of plain text passwords.

Following blog posts provide through knowledge on how to work with  WSO2 Carbon Secure Vault.

[1] http://ajithvblogs.blogspot.com/2014/01/secure-custom-configuration-filexml.html
[2] http://pathberiya.blogspot.com/2012/08/secure-plain-text-passwords-in-wso2.html

In this post I am going to discuss how to secure the password field under 'NetworkAuthenticatorConfig' element defined in carbon.xml

This will require custom implementation as this password field is not supported out of the box. You can follow the 7 steps provided in Blog [1].

I will describe the Implementation details:

You need to modify setupAuthenticator method in https://svn.wso2.org/repos/wso2/carbon/kernel/branches/4.2.0/core/org.wso2.carbon.utils/4.2.0/src/main/java/org/wso2/carbon/context/internal/CarbonContextDataHolder.java class.
Note: The version 4.2.0 may vary depending on your carbon server release.

By default it reads the password value from carbon.xml. But after we use Secure Vault the actual password is not in carbon.xml. Therefore we have to implement the logic in such a way that it will get the decrypted secured password accordingly.

The modified method is as follows:

 private static void setupAuthenticator(CarbonAuthenticator authenticator) throws Exception {
        OMElement documentElement = XMLUtils.toOM(
                CarbonUtils.getServerConfiguration().getDocumentElement());
        OMElement authenticators = documentElement.getFirstChildWithName(
                new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "Security")).
                getFirstChildWithName(
                        new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "NetworkAuthenticatorConfig"));

        if (authenticators == null) {
            return;
        }

         String password = null;
         String secretAlias = "xxxxxxxxxxxxxxxxxxxxx: Set the entry key used in cipher-tool.properties/cipher-text.properties xxxxxxxxxxxxxxxxxxx";
         SecretResolver secretResolver = SecretResolverFactory.create(documentElement, false);

        for (Iterator iterator = authenticators.getChildElements(); iterator.hasNext(); ) {
            OMElement authenticatorElement = (OMElement) iterator.next();
            if (!authenticatorElement.getLocalName().equalsIgnoreCase("Credential")) {
                continue;
            }
            String pattern = authenticatorElement.getFirstChildWithName(
                    new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "Pattern")).getText();
            String type = authenticatorElement.getFirstChildWithName(
                    new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "Type")).getText();
            String username = authenticatorElement.getFirstChildWithName(
                    new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "Username")).getText();

            if (secretResolver != null && secretResolver.isInitialized()) {
            if (secretResolver.isTokenProtected(secretAlias)) {
                password = secretResolver.resolve(secretAlias);
            } else {
              password = authenticatorElement.getFirstChildWithName(
                    new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "Password")).getText();
            }
            }
            authenticator.addAuthenticator(type, pattern, username, password);
        }
    }




Patch process:

 - build the org.wso2.carbon.utils bundle with 'mvn clean install'
 - create a directory called patch000X (X can be a preferred number greater than the existing ones) in $PRODUCT_HOME/repository/components/patches/ directory.
 - place the built jar in patch000X directory
 - restart the server with "-DapplyPatches" as follows:

 ./wso2server.sh -DapplyPatches 

How to write a client to invoke WSO2 Carbon Admin Services

Background:
In WSO2 Carbon platform, there is a concept call admin services which are a set of secured SOAP web services used to handle administrative tasks. There are certain cases where you might want to directly interact with these services to get your work done.

How do you find the list of available Admin Services?
You can start the carbon product with -DosgiConsole option.  This is because all carbon products are based on OSGi.

./wso2server.sh -DosgiConsole

You can list the admin services with "listAdminServices" command in OSGi console.

By default the wsdl files are inaccessible via Management Console url. But you can set "HideAdminServices" value to false in carbon.xml to view these wsdl files easily as follows (If the port offset is set to 0 in carbon.xml the url is as follows).

https://localhost:9443/services/AuthenticationAdmin?wsdl 

Usecase:
Think that you have a requirement to get permission set for each role you have defined through Management Console. In order to full fill this requirement you can write a client with the help of "AuthenticationAdmin" and "UserAdmin" admin services.

Steps:

1. Get yourself authenticated with AuthenticationAdmin service and retrieve the session cookie
2. Using the session cookie access other services.

Sample Code:

I am using a maven project to write this client. The repositories and dependencies used in pom.xml are as follows:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>Aloo</groupId>
    <artifactId>AdminServicesInvoker</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <repositories>
        <repository>
            <id>wso2-nexus</id>
            <name>WSO2 internal Repository</name>
            <url>http://maven.wso2.org/nexus/content/groups/wso2-public/</url>
            <releases>
                <enabled>true</enabled>
                <updatePolicy>daily</updatePolicy>
                <checksumPolicy>fail</checksumPolicy>
            </releases>
        </repository>
    </repositories>
    <dependencies>
        <dependency>
            <groupId>org.wso2.carbon</groupId>
            <artifactId>org.wso2.carbon.authenticator.stub</artifactId>
            <version>4.2.0</version>
        </dependency>
        <dependency>
            <groupId>org.wso2.carbon</groupId>
            <artifactId>org.wso2.carbon.user.mgt.stub</artifactId>
            <version>4.2.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.axis2.wso2</groupId>
            <artifactId>axis2-client</artifactId>
            <version>1.6.1.wso2v5</version>
        </dependency>
    </dependencies>
</project>

The below class has a implementation to invoke AuthenticationAdmin service and get the session cookie as follows:

<pre class="brush: csharp">

import java.rmi.RemoteException;

import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ServiceContext;
import org.apache.axis2.transport.http.HTTPConstants;
import org.wso2.carbon.authenticator.stub.AuthenticationAdminStub;
import org.wso2.carbon.authenticator.stub.LoginAuthenticationExceptionException;
import org.wso2.carbon.authenticator.stub.LogoutAuthenticationExceptionException;

public class LoginAdminServiceClient {
    private final String serviceName = "AuthenticationAdmin";
    private AuthenticationAdminStub authenticationAdminStub;
    private String endPoint;

    public LoginAdminServiceClient(String backEndUrl) throws AxisFault {
        this.endPoint = backEndUrl + "/services/" + serviceName;
        authenticationAdminStub = new AuthenticationAdminStub(endPoint);
    }

    public String authenticate(String userName, String password)
            throws RemoteException, LoginAuthenticationExceptionException {

        String sessionCookie = null;

        if (authenticationAdminStub.login(userName, password, "localhost")) {
            System.out.println("Login Successful");

            ServiceContext serviceContext = authenticationAdminStub
                    ._getServiceClient().getLastOperationContext()
                    .getServiceContext();
            sessionCookie = (String) serviceContext
                    .getProperty(HTTPConstants.COOKIE_STRING);
            System.out.println(sessionCookie);
        }

        return sessionCookie;
    }

    public void logOut() throws RemoteException,
            LogoutAuthenticationExceptionException {
        authenticationAdminStub.logout();
    }

} 

</pre>

The below class has a implementation to invoke UserAdmin service and get set of permissions belongs to a given role:

<pre class="brush: csharp">

 import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.List;

import org.apache.axis2.AxisFault;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.wso2.carbon.user.mgt.stub.UserAdminStub;
import org.wso2.carbon.user.mgt.stub.UserAdminUserAdminException;
import org.wso2.carbon.user.mgt.stub.types.carbon.UIPermissionNode;

public class ServiceAdminClient {
    private final String serviceName = "UserAdmin";
    private UserAdminStub userAdminStub;
    private String endPoint;

    public ServiceAdminClient(String backEndUrl, String sessionCookie)
            throws AxisFault {
        this.endPoint = backEndUrl + "/services/" + serviceName;
        userAdminStub = new UserAdminStub(endPoint);
        // Authenticate Your stub from sessionCooke
        ServiceClient serviceClient;
        Options option;

        serviceClient = userAdminStub._getServiceClient();
        option = serviceClient.getOptions();
        option.setManageSession(true);
        option.setProperty(
                org.apache.axis2.transport.http.HTTPConstants.COOKIE_STRING,
                sessionCookie);
    }

    public void getRolePermissions(String role) throws RemoteException,
            UserAdminUserAdminException {
        List allowedPermissions = new ArrayList();
        UIPermissionNode uiPermissionNode = userAdminStub
                .getRolePermissions(role);
        getResourcePath(uiPermissionNode, allowedPermissions);
        System.out.println(allowedPermissions);
    }

    public void getResourcePath(UIPermissionNode uiPermissionNode,
            List allowedPermissions) {

        if (uiPermissionNode.getNodeList() != null) {
            UIPermissionNode[] uiPermissionNodes = uiPermissionNode
                    .getNodeList();
            for (int i = 0; i < uiPermissionNodes.length; i++) {
                UIPermissionNode uPermissionNode1 = uiPermissionNodes[i];
                if (uPermissionNode1.getSelected()) {
                    allowedPermissions.add(uPermissionNode1.getResourcePath());
                }
                getResourcePath(uPermissionNode1, allowedPermissions);
            }
        }
        return;
    }
}

</pre>

 

 The below class act as the invoker:

 Note: Change the path variable accordingly by pointing the certificate of your  carbon product.

<pre class="brush: csharp">

import java.rmi.RemoteException;

import org.wso2.carbon.authenticator.stub.LoginAuthenticationExceptionException;
import org.wso2.carbon.authenticator.stub.LogoutAuthenticationExceptionException;
import org.wso2.carbon.user.mgt.stub.UserAdminUserAdminException;

public class ServiceInvoker {
    public static void main(String[] args) throws RemoteException,
            LoginAuthenticationExceptionException,
            LogoutAuthenticationExceptionException {
        String path = "/home/punnadi/wso2is-4.5.0/repository/resources/security/"
                + "wso2carbon.jks";
        System.setProperty("javax.net.ssl.trustStore", path);
        System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");
        String backEndUrl = "https://localhost:9443";

        LoginAdminServiceClient login = new LoginAdminServiceClient(backEndUrl);
        String sessionCookie = login.authenticate("admin", "admin");
        ServiceAdminClient serviceAdminClient = new ServiceAdminClient(
                backEndUrl, sessionCookie);

        try {
            serviceAdminClient.getRolePermissions("admin");
        } catch (UserAdminUserAdminException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

        login.logOut();

    }
}

</pre>

 

Before invoking the above code you will have to start the carbon server on port 9443.

Adding a MySQL datasource to JBoss AS 7.1.1

Prerequisites:
JBoss AS 7.1.1
mysql-connector-java-your_version-bin.jar

My Environment:
Ubuntu 12.04
java version "1.6.0_45"

1. Extract the JBoss server and I call it "JBOSS_HOME" here onwards.
2. Create "com/mysql/main" directory structure in JBOSS_HOME/modules directory.
3. Copy mysql-connector-java--bin.jar to the above created directory.
4. Create a file called module.xml which has following content in the same directory. Update the jar version accordingly.

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="com.mysql">
    <resources>
        <resource-root path="mysql-connector-java-5.1.27-bin.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
        <module name="javax.servlet.api" optional="true"/>
    </dependencies>
</module>

The created directory structure including files is as depicted above.

5. Modify JBOSS_HOME/standalone/configuration/standalone.xml as follows:
    Add mysql datasource and the driver configs as given below under datasources tag.

<datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
    <driver>h2</driver>
    <security>
        <user-name>sa</user-name>
        <password>sa</password>
    </security>
</datasource>
<datasource jta="true" jndi-name="java:/jboss/datasources/dsJaasProject" pool-name="my_pool" enabled="true" use-java-context="true" use-ccm="true">
    <connection-url>jdbc:mysql://localhost:3306/jaasProject</connection-url>
    <driver>mysql</driver>
    <security>
        <user-name>root</user-name>
        <password>root</password>
    </security>
    <statement>
        <prepared-statement-cache-size>100</prepared-statement-cache-size>
        <share-prepared-statements>true</share-prepared-statements>
    </statement>
</datasource>
<drivers>
    <driver name="mysql" module="com.mysql">
        <xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasource-class>
    </driver>
    <driver name="h2" module="com.h2database.h2">
        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
    </driver>
</drivers>
</datasources>
                   
 6. Now start the server from JBOSS_HOME/bin directory as follows:
             ./standalone.sh

You would notice that there will be a file called "mysql-connector-java-your_version-bin.jar.index" generated inside JBOSS_HOME/module/com/mysql/main directory.