{ Community }
  • Academy
  • Docs
  • Developers
  • Resources
    • Community Articles
    • Apigee on GitHub
    • Code Samples
    • Videos & eBooks
    • Accelerator Methodology
  • Support
  • Ask a Question
  • Spaces
    • Product Announcements
    • General
    • Edge/API Management
    • Developer Portal (Drupal-based)
    • Developer Portal (Integrated)
    • API Design
    • APIM on Istio
    • Extensions
    • Business of APIs
    • Academy/Certification
    • Adapter for Envoy
    • Analytics
    • Events
    • Hybrid
    • Integration (AWS, PCF, Etc.)
    • Microgateway
    • Monetization
    • Private Cloud Deployment
    • 日本語コミュニティ
    • Insights
    • IoT Apigee Link
    • BaaS/Usergrid
    • BaaS Transition/Migration
    • Apigee-127
    • New Customers
    • Topics
    • Questions
    • Articles
    • Ideas
    • Leaderboard
    • Badges
  • Log in
  • Sign up

Get answers, ideas, and support from the Apigee Community

  • Home /
  • General /
avatar image
1
Question by Raju · Apr 12, 2019 at 07:15 PM · 341 Views kvmkvmap keyvaluemapencryption

Issue using encrypted KVM

Hi,

I've an issue using encrypted KVM, the Proxy works fine if I'm trying to get values from Un-encrypted KVM but the issue begins if I use an encrypted KVM

I see the query param in outbound request when I use un-encrypted KVM and the request is successful.

    <Get assignTo="request.queryparam.key">
        <Key>
            <Parameter>required_key</Parameter>
        </Key>
    </Get>

But when I try to use encrypted KVM I dont see the query param in outbound request and the request is failed.

    <Get assignTo="private.request.queryparam.key">
        <Key>
            <Parameter>required_key</Parameter>
        </Key>
    </Get>

Is there anything that I'm missing. I don't see any errors from processing the step but the backend returns error due to missing key.

Comment
Add comment
10 |5000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by Apigeeks only
  • Viewable by the original poster
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users

Close

2 Answers

  • Sort: 
avatar image
1

Answer by Dino-at-Google   · Apr 12, 2019 at 08:44 PM

Well let's see.

As you may be aware, there's a restriction when performing a GET using an encrypted KVM: the assignTo variable must have the prefix "private." I forget what happens if you don't use the private. prefix, I think you get a validation error at the time you try to save the API proxy. Whether you get the error then, or later, in any case , it won't work.

Variables named with the "private." prefix are treated specially in the Apigee Edge runtime. The values assigned to such variables will not be shown in the Edge Trace (Debugsession). This preserves privacy of the data.

I see you have used a name that begins with "private." and then finishes with "request.queryparam.key". And from that name, and from your example using the un-encrypted KVM, I am inferring that you'd like to set a queryparam named "key" with the data you retrieve from the encrypted KVM.

Two things on that.

  1. in general, setting a variable private.X is not the same as "quietly" setting the variable X. In particular, setting the variable "private.request.queryparam.key" does not quietly set the actual context variable request.queryparam.key. It's not the case that the "private." prefix sets a variable with a different name, only quietly. Setting the variable with the name "private.request.queryparam.key" does not have any effect on the queryparams in the request object.
  2. It does not make sense to use an encrypted KVM to store data presumably because it is secret, and then put that data into a query param! And transmit it over the network. The query param is not secret at all, and will be logged in web logs on the target system, and also in logs on the Apigee side. So this seems like a bad idea. If you really are putting data into the queryparam, it's not a secret, so don't use encrypted KVM. If you really have a secret, don't put it into a query param.
  3. (Bonus thing) If you really want to read frrom an encrypted KVM and then set a queryparam with that data, then... Use two policies. One KeyValueMapOperations/GET and use "private.data" or whatever. Then use AssignMessage/AssignVariable and explicitly assign the value in "private.data" to "request.queryparam.key". But if you do this, it really seems to me that you are not using the Apigee Edge system correctly.
Comment
Add comment · Link
10 |5000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by Apigeeks only
  • Viewable by the original poster
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image
0

Answer by Nagashree B   · Apr 12, 2019 at 09:02 PM

@Raju

The first policy without encrypted value works, since Apigee sees the reference as request.queryparam.key, which is a defined flow variable. In the second policy with private.request.param.key, Apigee will create a variable with name "private.request.query.param.key", the "private" is like a variable prefix. Variables request.param.key and private.request.param.key are hence not treated as the same variable references. That's the reason its not passed to your backend. You can test it by writing a JS policy to print the values

print(context.getVariable("request.queryparam.key"));

print("key value with private prefix");

print(context.getVariable("private.request.queryparam.key"));

You will see that the output of the first print statement will be empty, while the third statement will give you the required value.

You will need to explicitly set the value in request.queryparam.key using Assign Message or JavaScript policy, after retrieving the value from the KVM. Here is an example

<Get assignTo="private.request.queryparam.key">
  <Key><Parameter>required_key</Parameter></Key>
</Get>
<AssignMessage name="AM-Set-Key">
  <Set>  
    <QueryParams>
      <QueryParam name="key">{private.request.queryparam.key}</QueryParam>
    </QueryParams>
  </Set>
  <AssignTo type="request" transport="http" createNew="false"/>
</AssignMessage>

Comment
Add comment Show 1 · Link
10 |5000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by Apigeeks only
  • Viewable by the original poster
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Dino-at-Google ♦♦   · Apr 16, 2019 at 10:49 PM 0
Link

this works; it is basically what I described in #3 in my answer.

Follow this Question

Answers Answers and Comments

50 People are following this question.

avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image

Related Questions

change the "value" using KVM 3 Answers

How to dynamically update key value map entries in proxy flow 2 Answers

How to add or update KVM in which key is an integer? 3 Answers

Questions pertaining to KVM 1 Answer

KVM monitoring 4 Answers

  • Products
    • Edge - APIs
    • Insights - Big Data
    • Plans
  • Developers
    • Overview
    • Documentation
  • Resources
    • Overview
    • Blog
    • Apigee Institute
    • Academy
    • Documentation
  • Company
    • Overview
    • Press
    • Customers
    • Partners
    • Team
    • Events
    • Careers
    • Contact Us
  • Support
    • Support Overview
    • Documentation
    • Status
    • Edge Support Portal
    • Privacy Policy
    • Terms & Conditions
© 2021 Apigee Corp. All rights reserved. - Apigee Community Terms of Use - Powered by AnswerHub
  • Anonymous
  • Sign in
  • Create
  • Ask a question
  • Create an article
  • Post an idea
  • Spaces
  • Product Announcements
  • General
  • Edge/API Management
  • Developer Portal (Drupal-based)
  • Developer Portal (Integrated)
  • API Design
  • APIM on Istio
  • Extensions
  • Business of APIs
  • Academy/Certification
  • Adapter for Envoy
  • Analytics
  • Events
  • Hybrid
  • Integration (AWS, PCF, Etc.)
  • Microgateway
  • Monetization
  • Private Cloud Deployment
  • 日本語コミュニティ
  • Insights
  • IoT Apigee Link
  • BaaS/Usergrid
  • BaaS Transition/Migration
  • Apigee-127
  • New Customers
  • Explore
  • Topics
  • Questions
  • Articles
  • Ideas
  • Badges