Accessing values from encrypted KVM

Hi,

In the Apigee documentation I found the statement below about accessing values from an encrypted KVM (highlighted in bold). When I built a sample proxy with an encrypted KVM, without the "private." prefix, I was not able to access the values.

"Variables without the "private." prefix are displayed in clear text in Trace and debug sessions even if the data comes from an encrypted data store such as an encrypted key value map."

Is the above statement correct?

Here is the link https://docs.apigee.com/api-platform/security/data-masking

Regards,

Siva


Apigee documentation also says:

If the key value map is encrypted, begin the assignTo name with "private.". For example:

<Get assignTo="private.myvar">

The policy throws an error if you try to retrieve an encrypted key value map without using the prefix. The prefix, which is required for basic security purposes during debugging, hides the encrypted values from API proxy Trace and debug sessions.

@Siva Prasad Rao Janapati, could you please accept @ozanseymen's answer so that it is helpful for others?

@ozanseymen

hi ozanseymen,

I am trying to use an encrypted KVM that stores values for Basic authentication.

But I am getting the error below.

{"fault":{"faultstring":"Unresolved variable : private.username","detail":{"errorcode":"steps.basicauthentication.UnresolvedVariable"}}}

If the KVM is encrypted, then what type of Basic Authentication should we be using, Encode or Decode?

I tried both but am still not able to get rid of the above message.

Thanks

Sushanth Shambharkar

Hi @Sushant Shambharkar, please create a new question and provide details on what you have done.

Are you using KVM policy before BasicAuth?

Provide your KVM policy and Trace XML.

Hi @Sushant Shambharkar

Here is an example KeyValueMapOperations policy that retrieves the username and password from an encrypted KVM and populates the variables prefixed with "private." (including the period). Note that the mapIdentifier and Scope values must be correct. You can also remove the "index" attribute from the Get.

<KeyValueMapOperations name="KVM.GetCredentials" mapIdentifier="credentials">
	<Scope>environment</Scope>
	<ExpiryTimeInSecs>300</ExpiryTimeInSecs>
	<Get assignTo="private.username">
		<Key>
			<Parameter>username</Parameter>
		</Key>
	</Get>
	<Get assignTo="private.password">
		<Key>
			<Parameter>password</Parameter>
		</Key>
	</Get>
</KeyValueMapOperations>

Once that policy runs, the variables private.username and private.password should be populated, if your environment-scoped KVM was named credentials and the KVM itself had keys named username and password. Note that I've set ExpiryTimeInSecs to 300 -- this will allow the username and password from the encrypted KVM to be cached for 5 minutes. Otherwise the values will need to be read and decrypted from the database on every call to the proxy.

The following BasicAuthentication policy can be used to create an Authorization header using those two variables. You will need to use "Encode" to encode the username and password into the Authorization header. "Decode" would be used to extract the username and password from an Authorization header into variables.

<BasicAuthentication name="BA.CreateBasicAuthHeader">
	<Operation>Encode</Operation>
	<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
	<User ref="private.username"/>
	<Password ref="private.password" />
	<AssignTo createNew="true">request.header.Authorization</AssignTo>
</BasicAuthentication>

Note AssignTo's createNew attribute -- setting it to true means that the Authorization header will be overwritten by this policy if the header already exists.

According to your error, private.username does not exist as a variable. Make sure the KVM policy is before the BasicAuthentication policy and that it runs. You can see this by using the proxy trace tool.
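To make the ordering point concrete, here is a ProxyEndpoint definition that wires the two policies from the answer above into the request PreFlow, KVM.GetCredentials first and BA.CreateBasicAuthHeader second. This is an added example and not part of the original post; the endpoint name, base path, virtual host and target endpoint name are assumptions, and the policy names are the ones used in the answer.

```xml
<!-- apiproxy/proxies/default.xml (path and endpoint name assumed for this example) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Step 1: read username/password from the encrypted KVM into
           private.username / private.password. Because the variables carry the
           "private." prefix, Trace shows them masked rather than in clear text. -->
      <Step>
        <Name>KVM.GetCredentials</Name>
      </Step>
      <!-- Step 2: build the Authorization header from those two variables.
           Swapping these two steps (or leaving the KVM step out) is what produces
           steps.basicauthentication.UnresolvedVariable for private.username. -->
      <Step>
        <Name>BA.CreateBasicAuthHeader</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <HTTPProxyConnection>
    <!-- BasePath and VirtualHost are placeholders for this example -->
    <BasePath>/v1/kvm-basicauth</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

With this wiring, a request through the proxy should show KVM.GetCredentials executing before BA.CreateBasicAuthHeader in Trace, with the outgoing request carrying an Authorization: Basic header and the private.* variables hidden from the Trace output; if the KVM step is conditional or attached to a different flow, the BasicAuthentication step will not find the variables and will fail the way the error above describes.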