I thought to completely separate password securing and make it available anywhere a plaintext needs to be secured.
Rather than using encrypted data in each location, keep the encrypted text in a separate file. For example: instead of setting an encrypted password in the configuration of each datasource, dbreport, lookup or any other place, keep every encrypted text in a single location.
Cipher text file
- Common properties
- Configuration for each plaintext
Then, for example, if the password for the dblookup mediator has to be secured
Then, within the dblookup mediator, before making the connection, the decrypted password can be obtained as
This is the same anywhere a decrypted password or any other decrypted text is needed.
In this approach, the 'admin' plaintext password is really a logical one, and it is used only to look up the actual password in the encrypted text file.
Even though this approach adds another configuration file, there are a lot of benefits.
(1) Single point of configuration for each plaintext-cipher-text pair. Therefore, we can separately specify algorithms or any parameters for each plaintext.
(2) We can add extra security. For example, we can sign the "cipher-text.properties" file. If the encrypted texts are scattered everywhere, then adding extra security will not be feasible.
(3) This will become a reusable component that can be used anywhere, even within other projects.
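The lookup by logical alias and benefits (1) and (2), sketched as an added example that is not the original component's code: the class name `CipherTextStore`, the key names `common.algorithm`, `<alias>.algorithm` and `<alias>.cipherText`, and the IV-prefixed AES-GCM layout are all assumptions. The decryption key and the signer's public key are assumed to come from the caller, for example from a keystore.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
// Added example: class name, property key names and file layout are hypothetical.
public class CipherTextStore {
    private final Properties props = new Properties();
    private final SecretKey key;

    // Load the single cipher-text file only if its detached signature verifies.
    CipherTextStore(byte[] file, byte[] sig, PublicKey signer, SecretKey key) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(signer); v.update(file);
        if (!v.verify(sig)) throw new SecurityException("cipher-text file signature mismatch");
        props.load(new StringReader(new String(file, StandardCharsets.UTF_8)));
        this.key = key;
    }

    // Resolve a logical alias; a per-alias algorithm overrides the common one.
    // Assumes an AES-GCM transformation and a 12-byte IV stored before the ciphertext.
    String resolve(String alias) throws Exception {
        String ct = props.getProperty(alias + ".cipherText");
        if (ct == null) throw new NoSuchElementException("no entry for alias " + alias);
        String alg = props.getProperty(alias + ".algorithm", props.getProperty("common.algorithm"));
        byte[] raw = Base64.getDecoder().decode(ct);
        Cipher c = Cipher.getInstance(alg);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, raw, 0, 12));
        return new String(c.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: throwaway keys and a made-up secret.
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256); SecretKey key = kg.generateKey();
        KeyPair signer = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal("s3cret-db-pass".getBytes(StandardCharsets.UTF_8));
        byte[] blob = java.nio.ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array();
        byte[] file = ("common.algorithm=AES/GCM/NoPadding\nadmin.cipherText="
                + Base64.getEncoder().encodeToString(blob) + "\n").getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(signer.getPrivate()); s.update(file); byte[] sig = s.sign();
        System.out.println(new CipherTextStore(file, sig, signer.getPublic(), key).resolve("admin"));
        file[file.length - 2] ^= 1; // simulate tampering with the stored cipher text
        try { new CipherTextStore(file, sig, signer.getPublic(), key); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```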