Encrypt and Decrypt target password

Hi All,

I have a KVM at proxy level as below:

{
    "encrypted": false,
    "entry": [
        {
            "name": "targetURL",
            "value": "https://targethost.com:2002/targetResource/esource"
        },
        {
            "name": "targetUserName",
            "value": "Iamuser"
        },
        {
            "name": "targetPassword",
            "value": "IamPassword"
        }
    ],
    "name": "MyDecryptionProxy_ENV_KVM"
}

I want to keep an encrypted value for the targetPassword key in the above KVM, and in the proxy flow I want to decrypt it and send it to the target as a header 'Password'.

Please help me if there is any sample code to encrypt and decrypt a key value.

Thank you.

Regards

Ravi


Encrypting only one key value in a KVM is not available now.

The KVM facility in Apigee allows you to persistently store ... anything.
There are two "types" of KVM. Encrypted and not-encrypted.

In the not-encrypted KVM, every key and value is stored in cleartext. In the context of an API request, you can use the KeyValueMapOperations policy with a Get to retrieve the stored value into a context variable.

In an encrypted KVM, every key is in cleartext, and every value is encrypted. When you use a KeyValueMapOperations policy in your proxy, the policy automatically decrypts the value at runtime and inserts it into a context variable. You specify the name of the context variable in your policy config, but there is a restriction: the variable MUST use a prefix of "private.". This is to ensure that the variable is masked in any trace session that might be active.

If you want some things to be stored in cleartext and some things (like a password) to be stored in encrypted fashion then you have these options:

  1. use two distinct KVMs to store the respective data, and then use a separate policy to insert those things where you want them in the target request
  2. Store both things in the unencrypted KVM, then rely on your own encryption to decrypt at runtime. (Maybe using a Java callout that does RSA or AES decryption.) This latter case requires a decryption key, which... also should be stored as a secret, in other words, should be stored in an encrypted KVM.

In option 2, you're relying on the same encrypted KVM, just for a different data item. It seems like a much less efficient way to do things. But you might want that if you want more control over the format of the encryption.
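A sketch of the Java callout that option 2 describes, added here as an example; it is not code from this thread or from Apigee. It assumes the password was encrypted offline with AES-GCM and stored as base64(nonce || ciphertext || tag), that earlier KeyValueMapOperations policies loaded the AES key from an encrypted KVM into `private.passwordKey` and the ciphertext into `kvm.targetPassword` (both names hypothetical), and that a later policy copies `private.targetPassword` into the 'Password' header.

```java
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.execution.spi.Execution;
import com.apigee.flow.message.MessageContext;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the thread's or Apigee's own code.
// Class name, variable names and the blob layout are assumptions.
public class DecryptTargetPassword implements Execution {
    private static final int NONCE_LEN = 12;  // bytes, standard GCM nonce size
    private static final int TAG_BITS = 128;  // authentication tag length

    // Decrypts base64(nonce || ciphertext || tag); throws if the tag does not verify.
    static String decrypt(byte[] key, String b64) throws Exception {
        byte[] blob = Base64.getDecoder().decode(b64);
        if (blob.length < NONCE_LEN + TAG_BITS / 8) {
            throw new IllegalArgumentException("ciphertext too short");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
        byte[] plain = cipher.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN);
        return new String(plain, StandardCharsets.UTF_8);
    }

    @Override
    public ExecutionResult execute(MessageContext msgCtx, ExecutionContext execCtx) {
        try {
            // Key comes from the encrypted KVM (private.* variable);
            // ciphertext comes from the cleartext KVM.
            String keyB64 = (String) msgCtx.getVariable("private.passwordKey");
            String encrypted = (String) msgCtx.getVariable("kvm.targetPassword");
            byte[] key = Base64.getDecoder().decode(keyB64);
            // Keep the plaintext under the private. prefix so it stays masked in trace.
            msgCtx.setVariable("private.targetPassword", decrypt(key, encrypted));
            return ExecutionResult.SUCCESS;
        } catch (Exception e) {
            // Record only the exception type, never key, ciphertext or plaintext.
            msgCtx.setVariable("decrypt_error", e.getClass().getSimpleName());
            return ExecutionResult.ABORT;
        }
    }
}
```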

Hi Dino,

Thanks for your response.

Yes, I want to go with the second option you have explained. Could you please share a sample jar to do encryption and decryption by considering my KVM posted in the question?

Here are some resources for you. "Some assembly required." I won't build the complete solution for you, but these are building blocks you may wish to use.

I suggest you break down the problem into parts.

First deploy a proxy that does simple RSA encryption of a small payload.

Then build a proxy that extracts things from the KVM

Then build a proxy that extracts a few fields from a JSON payload, and then replaces them with something different.

Then... combine all of those ingredients to produce the solution you are imagining.