Restricting some API proxies from using encrypted KVMs in Apigee

Hi, is there a way in Apigee to restrict certain API proxies from accessing encrypted KVMs via the Key Value Map policy?

As per the current functionality in the latest release of Apigee, we can create encrypted KVMs and access their values using the Key Value Map policy, like <Get assignTo="private.myvar">. So any API proxy should be able to access these KVMs' data if it knows the "key" name. But I would like to restrict API developers from using these KVMs even if they know the "key" names.

Hi @Nagaraju

All API proxies deployed in an environment can read KVMs in that environment or org. There is no way to selectively enable/disable proxy access to KVMs in the same env/org. In order to implement what you want, proxies and KVMs should be segregated in different envs and/or orgs.

You can also restrict a KVM to a single API proxy by creating it in that proxy's scope: http://docs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/apis/%7Bapi_name%7D/keyvalu...

See more on KVM scoping:

http://docs.apigee.com/api-reference/content/keyvalue-maps-management-api

Not applicable

You can add the proxy name to the key to make the data specific to a proxy.

Thank you @Ozan Seymen and @Dinesh Kumar for your responses. Our real requirement is how we can securely store the private key or PEM files or crypto algorithm information required to generate an OpenID Connect JWT token and digitally sign it. Please suggest the best way to securely generate the JWT token in Apigee using a private key or PEM file combination.

Hi @Nagaraju

You can create an encrypted KVM in proxy scope, store your private key in there and use this key during runtime to sign your JWT. You will need to use the KeyValueMapOperations policy to read the KVM value and custom code to sign the token. You can optionally cache the value read from KVM so you don't hit the datastore for every request.
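
A sketch of the KeyValueMapOperations policy the answer above describes, added here as an example and not posted by anyone in the thread. The policy name, map name (`jwt-signing-keys`), key name (`rsa_private_key`), variable name and cache lifetime are assumptions; the encrypted map itself is assumed to already exist in the proxy's scope.

```xml
<!-- Added example: reads a signing key from an encrypted, proxy-scoped KVM.
     All names and the TTL below are illustrative assumptions. -->
<KeyValueMapOperations name="KVM-Get-Signing-Key" mapIdentifier="jwt-signing-keys">
  <!-- apiproxy scope: only this proxy resolves the map, unlike an
       environment-scoped map that every proxy in the environment can read. -->
  <Scope>apiproxy</Scope>
  <!-- Cache the value so the datastore is not hit on every request. -->
  <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
  <!-- Values from an encrypted KVM must be assigned to a variable with the
       "private." prefix; such variables are masked in Trace sessions. -->
  <Get assignTo="private.jwt_signing_key">
    <Key>
      <Parameter>rsa_private_key</Parameter>
    </Key>
  </Get>
</KeyValueMapOperations>
```

The custom signing code then reads `private.jwt_signing_key` from the flow; keep that variable out of response payloads, headers and log messages.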