1. Change element <EnableSecureVault> in <APIM_HOME>/repository/conf/api-manager.xml to true.
<EnableSecureVault>true</EnableSecureVault>
2. Update synapse.properties file in <APIM_HOME>/repository/conf with following synapse property. synapse.xpath.func.extensions=org.wso2.carbon.mediation.security.vault.xpath.SecureVaultLookupXPathFunctionProvider.
3. Run the cipher tool available in <APIM_HOME>/bin to create secret repositories.
#ciphertool.sh -Dconfigure.
3. In api configuration <APIM_HOME>/repository/deployment/ server/synaps-config, replace;
<property name="Authorization" expression="fn:concat('Basic ', base64Encode('admin:admin'))" scope="transport"/>
property in the api's with;
<property name="password" expression="wso2:vault-lookup('secured.endpoint.password')"/>
For example: I have an api called 'shoppingCart' created by admin.
So I need to change above entries in repository/deployment/server/synapse-configs/default/api/admin--shoppingCart_v1.0.0.xml
4. When starting the server; it will prompt you to enter keystore password.
Thats all. Above changes need to be done on Gateway node.