APIGEE apiproxy encrypted KVM

saravanannatara · 03-17-2020 02:15 PM

not able to create the encry apiproxy KVM default unencrypted

create apiproxy encrypted KVM enterprise not get the value in KeyValueMapOperations policy

dchiesa1

I'd like to be able to help you, but with the incoherent and incomplete information you provided, it's impossible. You wrote a collection of words. No punctuation. No sentences. This is not effective communication.

If you want help here, you can improve your chances of getting it by:

Providing a clear description of what you are trying to accomplish.
Providing a clear description of the specific steps you took. The things you tried. State some of your specific observations, and provide code or explicitly cite the configuration that you are using. (Specific policy or flow config)

If I help you I will probably dedicate 10 minutes or more to writing something. It would be a sign of goodwill on your part if you could invest a similar amount of time carefully explaining what you would like.

Also: I apologize in advance, I am fluent only in English.

saravanannatara

Sorry, because of the limitations in no of characters [60 character]. i could not provide details sentence. I am updating the details.

saravanannatara

It's not working in api proxy encrypted KVM. the values are not returning

I also gone through the below, not sure about this

https://community.apigee.com/questions/34566/not-able-to-create-encrypted-kvm.html

chawkimatta

Hi, if got your point well, i think you are trying to use encrypted KVMs....
To get an encrypted value, you need to add the "private." prefix to the variable name, which prevents the KVM keys/values from appearing in Trace and debug sessions.

<Get assignTo="private.myvar">

For more info about encrypted KVMs check this:

https://docs.apigee.com/api-platform/cache/key-value-maps#aboutencrypted

saravanannatara

It's not working in api proxy encrypted KVM. the values are not returning

I also gone through the below, not sure about this

https://community.apigee.com/questions/34566/not-able-to-create-encrypted-kvm.html

chawkimatta

This is the KVM policy you should have (myPassword is the value that you want to get from the KVM):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyValueMapOperations async="false" continueOnError="false" enabled="true" name="Get-Encrypted-KVM" mapIdentifier="KVM-Encrypted">
    <DisplayName>Get-Encrypted-KVM</DisplayName>
    <Get assignTo="private.myPassword" index="1">
        <Key>
            <Parameter>myPassword</Parameter>
        </Key>
    </Get>
    <Scope>environment</Scope>
</KeyValueMapOperations>

in the above example the KVM value is assigned to "private.myPassword".
NB:values assigned to "private." variables will not be shown in the Edge Trace

to check it (if its retrieved correctly), use AssignMessage/AssignVariable and assign the value in "private.data" to "myPasswordAssigned" for ex.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-encrypted-Value">
    <DisplayName>AM-encrypted-Value</DisplayName>
    <Properties/>
    <AssignVariable>
        <Name>myPasswordAssigned</Name>
        <Ref>private.myPassword</Ref>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
<br>

NB: When done remove the AssignMessage.

If you keep the AssignMessage then there is no sense to use the encrypted KVM, and you will not be using the Apigee Edge system correctly.

saravanannatara

Thanks for your time.

As per our org we have to use the apiproxy KVM not environment KVM.

If I use the environment KVM the above code works fine. my concern is on apiproxy KVM

Thanks

Sara

saravanannatara

We are using apigee edge

dknezic

You haven't posted all details about what you're doing

1. Have you set the mapidentifier attribute in your kvm policy? This should match the name of your KVM, this is at the top of your kvm policy eg

2. Have you set the scope of your kvm policy to apiproxy?

3. Have you verified via GET requests against the management API that you successfully created your KVM against your proxy? You should be able to see your kvm, as well as the key names and values should be ***'d out

saravanannatara

Sorry I should have posted this after, missed.

1. Using KeyValueMapOperations policy not able to create the apiproxi - Scope encrypted KVM. below is the sample

  <KeyValueMapOperations continueOnError="false" enabled="true" name="apikey-KVM" mapIdentifier="kvm_e4">
    <DisplayName>apikey-KVM</DisplayName>
    <Properties/>
    <ExclusiveCache>false</ExclusiveCache> <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
    <InitialEntries>
      <Entry>
        <Key>
          <Parameter>api_key</Parameter>
        </Key>
        <Value>test</Value>
      </Entry>
    </InitialEntries>

When use private. it fails because it's not encrypted and we do not wan to show the right key in the trace.

2. I created the apiproxy [Scope] encrypted KVM using

https://api.enterprise.apigee.com/v1/organizations/test/apis/testapi/

But when I use the GET of the KVM it's not fetching any value

My requirement is store the encrypted API KEY in the KVM and verify it against the request

We are not using veryi API key policy

Please let me know fi any info will help you to answer my query. your help is appreciated.

Thanks

Sara

dchiesa1

I don't understand this part:

When use private. it fails because it's not encrypted

What fails? What is "it"? Can you show an error or a screenshot? I don't see any "private" in your code. Which KVM map is encrypted and which is not?

Also in that policy I don't see a Get nor a Put. As far as I am aware, the KVM policy needs to have a Get or Put operation. Are you saying that the policy with no Get or Put, only with InitialEntries , fails if the KVM is encrypted?

If that's the case, if that is what you are telling me, then I suggest: Don't do that. The encrypted KVM is for storing sensitive information. Don't hard-code it into a policy. That wouldn't make sense.

If you are telling me that you're using a KVM Get, then show the policy. I don't see a KVM Get policy.

saravanannatara

For Issue#1

I am not able to create apiproxy KVM with encryption Option.

By default it encryption is set to false.

When you create the apiproxy KVM how do we make the encyption flag true ?

For Issue#2

As I was not able to use the option 1 i.e creating an apiproxy KVM in runtime with encryption on

I Used the https://api.enterprise.apigee.com/v1/organizations/test/apis/testapi/

to create the encrypted KVM [Scope = apiproxy]

Sample

{ "name" : "testkey", "encrypted" : "true", "entry" : [ { "name" : "tapikey", "value" : "test123456d" }

get the key using below code

<Key>

<Parameter>tapikey</Parameter>

</Key>

</Get>

The value I am checking private.testapikey = request.header.apikey in the condition I am doing some validation / message

I am passing the api key in the url ....?apikey=test123456d

As both the values are same it should return the message. but it's not happening. it's because it's not able to get the value from the tapikey

Please let me know if you need any information on the same.

saravanannatara

When use private. it fails because it's not encrypted

For this if the KVM is not encrypted and if you use private.testapi it will fail

Thanks

Sara