Question by Siva Prasad Rao Janapati · Sep 12, 2018 at 07:05 PM · 2.2k Views encrypted kvm

Accessing values from encrypted KVM

Hi,

In the Apigee documentation I found the statement below about accessing values from an encrypted KVM (highlighted in bold). When I built a sample proxy with an encrypted KVM, without "private.", I was not able to access the values.

"Variables without the "private." prefix are displayed in clear text in Trace and debug sessions even if the data comes from an encrypted data store such as an encrypted key value map."

Is the above statement correct?

Here is the link https://docs.apigee.com/api-platform/security/data-masking

Regards,

Siva

Comment by Cladius Fernando · Sep 13, 2018 at 07:24 PM

@Siva Prasad Rao Janapati, could you please accept @ozanseymen's answer so that it is helpful for others?


2 Answers

Answer by ozanseymen   · Sep 13, 2018 at 10:09 AM

Apigee documentation also says:

If the key value map is encrypted, begin the assignTo name with "private.". For example:

<Get assignTo="private.myvar">

The policy throws an error if you try to retrieve an encrypted key value map without using the prefix. The prefix, which is required for basic security purposes during debugging, hides the encrypted values from API proxy Trace and debug sessions.

Answer by Sushant Shambharkar · Jan 17, 2019 at 08:31 PM

@ozanseymen

Hi ozanseymen,

I am trying to use values stored in an encrypted KVM in Basic authentication.

But I am getting the error below.

{"fault":{"faultstring":"Unresolved variable : private.username","detail":{"errorcode":"steps.basicauthentication.UnresolvedVariable"}}}

If the KVM is encrypted, then what type of Basic Authentication should we be using: Encode or Decode?

I tried both but am still not able to get rid of the above message.

Thanks

Sushanth Shambharkar

Comment by Siddharth Barahalikar · Jan 18, 2019 at 04:46 AM

Hi @Sushant Shambharkar, please create a new question and provide details on what you have done.

Are you using KVM policy before BasicAuth?

Provide your KVM policy and Trace XML.

Comment by Mike Dunker @Google · Jan 18, 2019 at 05:03 PM

Hi @Sushant Shambharkar

Here is an example KeyValueMapOperations policy that retrieves the username and password from an encrypted KVM and populates the variables prefixed with "private." (including the period). Note that the mapIdentifier and Scope values must be correct. You can also remove the "index" attribute from the Get.

<KeyValueMapOperations name="KVM.GetCredentials" mapIdentifier="credentials">
	<Scope>environment</Scope>
	<ExpiryTimeInSecs>300</ExpiryTimeInSecs>
	<Get assignTo="private.username">
		<Key>
			<Parameter>username</Parameter>
		</Key>
	</Get>
	<Get assignTo="private.password">
		<Key>
			<Parameter>password</Parameter>
		</Key>
	</Get>
</KeyValueMapOperations>

Once that policy runs, the variables private.username and private.password should be populated, if your environment-scoped KVM was named credentials and the KVM itself had keys named username and password. Note that I've set ExpiryTimeInSecs to 300 -- this will allow the username and password from the encrypted KVM to be cached for 5 minutes. Otherwise the values will need to be read and decrypted from the database on every call to the proxy.

The following BasicAuthentication policy can be used to create an Authorization header using those two variables. You will need to use "Encode" to encode the username and password into the Authorization header. "Decode" would be used to extract the username and password from an Authorization header into variables.

<BasicAuthentication name="BA.CreateBasicAuthHeader">
	<Operation>Encode</Operation>
	<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
	<User ref="private.username"/>
	<Password ref="private.password" />
	<AssignTo createNew="true">request.header.Authorization</AssignTo>
</BasicAuthentication>

Note AssignTo's createNew attribute -- setting it to true means that the Authorization header will be overwritten by this policy if the header already exists.

According to your error, private.username does not exist as a variable. Make sure the KVM policy is before the BasicAuthentication policy and that it runs. You can see this by using the proxy trace tool.
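The two failure modes discussed in this thread (an encrypted-KVM Get without the "private." prefix, and a BasicAuthentication step that runs before the KVM step that sets its variables) can be checked offline against a proxy bundle. The following is an added example, not code from the thread or from Apigee; `flow`, `check_flow` and the `encrypted_maps` argument are hypothetical names. It assumes the caller knows which maps are encrypted, and it ignores step conditions and variables set by other policy types.

```python
import xml.etree.ElementTree as ET

# Constructed sample bundle: the two policies from the thread, condensed.
POLICIES = {
    "KVM.GetCredentials": """
<KeyValueMapOperations name="KVM.GetCredentials" mapIdentifier="credentials">
  <Scope>environment</Scope>
  <Get assignTo="private.username"><Key><Parameter>username</Parameter></Key></Get>
  <Get assignTo="private.password"><Key><Parameter>password</Parameter></Key></Get>
</KeyValueMapOperations>""",
    "BA.CreateBasicAuthHeader": """
<BasicAuthentication name="BA.CreateBasicAuthHeader">
  <Operation>Encode</Operation>
  <User ref="private.username"/>
  <Password ref="private.password"/>
  <AssignTo createNew="true">request.header.Authorization</AssignTo>
</BasicAuthentication>""",
}

def flow(*steps):
    """Build a request PreFlow that runs the named policies in order."""
    body = "".join(f"<Step><Name>{s}</Name></Step>" for s in steps)
    return f'<PreFlow name="PreFlow"><Request>{body}</Request></PreFlow>'

def check_flow(flow_xml, policies, encrypted_maps):
    """Walk the steps in order; return findings as a list of strings."""
    findings, assigned = [], set()
    for step in ET.fromstring(flow_xml).iter("Step"):
        name = step.findtext("Name").strip()
        policy = ET.fromstring(policies[name].strip())
        if policy.tag == "KeyValueMapOperations":
            encrypted = policy.get("mapIdentifier") in encrypted_maps
            for get in policy.iter("Get"):
                var = get.get("assignTo", "")
                if encrypted and not var.startswith("private."):
                    findings.append(f"{name}: assignTo '{var}' lacks the private. prefix")
                assigned.add(var)
        elif policy.tag == "BasicAuthentication":
            for tag in ("User", "Password"):
                node = policy.find(tag)
                ref = node.get("ref") if node is not None else None
                if ref and ref not in assigned:
                    findings.append(f"{name}: {tag} ref '{ref}' is not set by an earlier step")
    return findings

if __name__ == "__main__":
    print(check_flow(flow("KVM.GetCredentials", "BA.CreateBasicAuthHeader"), POLICIES, {"credentials"}))
    print(check_flow(flow("BA.CreateBasicAuthHeader", "KVM.GetCredentials"), POLICIES, {"credentials"}))
```
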
