Friday, 17 June 2016

Configuring an email notification to define user password

This blog will discuss how to configure an auto generate email to define the password when creating a user via management console. In WSO2 Identity Server there is an inbuilt feature called 'Ask Password' to fulfill this requirement. Lets look at how to implement this in other wso2 products.

'Ask Password' is a feature that comes with wso2 Identity Server. The purpose of this feature is to allow the users to decide there own password rather than defining a password by the server administration and allow the user to change the defined password.

So let me move on to the purpose of writing this blog.

While I was working with WSO2 API Manager, I got a requirement that the APIM administrator wants to create users via APIM management console, but the administrator wants to allow the users to define a password by the user itself. This requirement can be fulfilled using the 'Ask Password' feature available in wso2 Identity Server.

Scenario

APIM Administrator creates a user by providing a username and a user email through the management console. Then an email will be sent to the defined email address with a redirection URL to define a password for the user account.

I will use APIM 1.10.0 product to explain this.


Steps to configure 'Ask Password' feature in APIM 1.10.0


1. Download APIM server

2. Log in to APIM server as the administrator

When you go to 'Add User' option you can see a window like below.



Now lets look at how to configure auto-email to set user password.

3. Install 'Account Recovery and Credential Management' feature in APIM

Due to some of the limitations in identify server feature activation, you have to install 'Account Recovery and Credential Management' feature in APIM 1.10.0. ( Steps to install a feature in wso2 product can be found from [1]).

4. As the next step, do the configuration changes mentioned here in APIM server.

These configurations are required to enable 'Ask Password' feature.

5. Restart the server after above changes.

When you navigate to 'Add User' option you can see that 'Ask password' feature is installed in UI as below.



6. Now create a user from APIM management console by defining the user email address.

You can verify whether auto generate email is received to the defined user email address and the user can define a password through the redirection screen provided in the auto-generated mail. Then check whether the user can successfully log in to APIM server.



Now APIM administrator can add the users via management console and allow the users to define a password they prefer.





[1] https://docs.wso2.com/display/Carbon440/Installing+Features+via+the+UI

Tuesday, 14 June 2016

Encrypting sensitive information in configuration files


Encrypting information 

I thought to start from basics before dig in to the target topic. So lets look at what is "encrypting".

Encrypting information is converting information in to another format, which is hard to understood. As we all know encrypting information is really useful to secure sensitive data.

In wso2 products, there is an inbuilt 'Secure Vault' implementation to encrypt plain text information in the configuration files to provide more security.


In this post I will not discuss about the secure vault implementation in details. You can refer 'secure vault implementation' to get more insight about it.
In wso2 products based on carbon 4.4.0 or later visions, 'Ciper Tool' feature is installed by default, therefore you can easily use that to encrypt sensitive information in the configuration file. 

Lets move on to the main purpose of this blog.

We already know that we can use ciper tool encrypt the information in configuration files. But can we encrypt the sensitive information in properties files or .json files ??

How to encrypt information when we can't use xpath notation?


Using the ciper tool we can encrypt any information if we can specify the xpath location of the property correctly. So basically if xpath notation can be defined for a certain property we can encrypt that using the ciper tool without much effort. Detailed steps to encrypt information based on an xpath can be found from here.

But in the properties file or .json files we can not define a xpath. Now you might be thinking how can we encrypt the information in these files !!!

To overcome this, we can manually encrypt the sensitive information using the ciper tool. You can refer the detailed steps provided here to manually encrypt the sensitive information in properties file and .json files.

However, I want to point you out to a very important fact. When you encrypt a sensitive information in a properties file or .json file, the product component which reading the encrypted property should have written in a way to call the secure vault to decrypt the value correctly.