The RPA API is a powerful way to invoke bots programmatically. For details see the docs here: starting-bots-by-api-call. However, this API is not authenticated and is not secure against malicious use. In this blog, I provide two ways to secure it.

Method 1 - Use an API Key

This is the simplest approach. Add an API key input parameter to the bot. The script validates the key against the key stored in the system Vault. If they match, the bot continues to execute; otherwise, a 401 Unauthorized error is returned. Two points a practitioner should keep in mind: the subroutine only sets the out_code, out_type and out_message variables and returns, so the calling script must check out_code (or out_type) immediately after calling it and stop before doing any real work; and the key travels in every request, so the agent must only be reachable over TLS. See the bot script example below:

```
// This WAL script demonstrates how to validate the api_key passed as input to the bot script.
// The script compares the api_key defined in the system vault to the passed-in key.
// If they do not match then a 401 Authentication Error is returned.
//
// Input parameter rpa_api_key_param contains a secret key to protect the API from unauthorized use.
// The caller of this subroutine must check ${out_code} and stop if it is not empty.
beginSub --name validateApiServiceAccount
    // Read the expected key from the system Vault item named RPA_API_KEY.
    getVaultItem --name RPA_API_KEY --system retVal=success rpa_api_key_vault=userName dummyValue=password
    if --left "${retVal}" --operator "Is_True" --negate
        logMessage --message "Failed to get creds" --type "Info"
        setVar --name "${out_code}" --value 401
        setVar --name "${out_type}" --value ERROR
        setVar --name "${out_message}" --value "Authentication Error. RPA_API_KEY not found in system Vault"
        return
    endIf
    // Compare the vault key with the key the caller supplied.
    if --left "${rpa_api_key_vault}" --operator "Equal_To" --right "${rpa_api_key_param}" --negate
        logMessage --message "Failed authorization" --type "Info"
        setVar --name "${out_code}" --value 401
        setVar --name "${out_type}" --value ERROR
        // Never echo the expected key (or the received one) back to an unauthenticated caller.
        setVar --name "${out_message}" --value "Authentication Error. RPA_API_KEY does not match"
        return
    endIf
endSub
```

Method 2 - Secure API Gateway

The disadvantage of Method 1 is that a bot is only protected if its script implements the API key validation. Any bot script that does not implement this pattern remains vulnerable to unauthorized invocation.
Furthermore, if you expose your RPA agent directly to the outside world, it is open to attack. A safer approach is to install a secure API gateway in a DMZ that bridges API requests from the untrusted internet to the RPA environment. The internet-facing API authenticates requests against LDAP. If the request validates, it is forwarded to the RPA agent behind the firewall; otherwise it is rejected at the gateway and never reaches the agent. See below.
Both methods 1 and 2 can be implemented together for belt-and-braces security. Further information and working code on both patterns can be found in my tutorial here: App Connect tutorial
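As an added illustration of the gateway pattern (this is example code written for this page, not the App Connect tutorial's code and not IBM's), the following stdlib-only Python gateway authenticates callers, allow-lists the bots it will start, and forwards the request to the agent. It also shows one way to combine the two methods: the gateway holds RPA_API_KEY and injects rpa_api_key_param itself, so internet clients never see the bot's key. The agent URL, the bot names, the directory contents and the LDAP bind are constructed stand-ins; the bind in particular is a stub so the example runs offline, and a real deployment would replace it with a directory bind and terminate TLS in front of the server.

```python
"""DMZ gateway for the RPA bot API (added example; assumptions are marked)."""
import base64
import hmac
import json
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Optional, Tuple

Authenticator = Callable[[str, str], bool]

# Constructed stand-ins for the real environment (not from the page).
RPA_AGENT_URL = "http://rpa-agent.internal:8099/bots/run"   # hypothetical agent endpoint
RPA_API_KEY = "vault-value-not-shared-with-clients"         # read from the gateway's own vault
ALLOWED_BOTS = {"invoice-processor", "hr-onboarding"}       # hypothetical allow-list of bots
_DIRECTORY = {"alice": "s3cret"}                             # constructed directory contents


def stub_ldap_bind(user: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind; a real gateway binds to the directory here."""
    expected = _DIRECTORY.get(user, "")
    # Constant-time compare, and unknown users fail even if they send an empty password.
    return hmac.compare_digest(expected.encode(), password.encode()) and user in _DIRECTORY


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep and user else None


def authorize(headers: dict, bot: str, authenticate: Authenticator) -> Tuple[int, str]:
    """Decide whether a request may reach the agent. Returns (http_status, reason)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    creds = parse_basic_auth(lowered.get("authorization"))
    if creds is None:
        return 401, "missing or malformed credentials"
    if not authenticate(*creds):
        return 401, "directory authentication failed"   # deliberately vague to the caller
    if bot not in ALLOWED_BOTS:
        return 403, "bot not exposed through the gateway"
    return 200, "ok"


def build_upstream_request(bot: str, body: bytes) -> urllib.request.Request:
    """Forward to the agent; the gateway, never the client, supplies rpa_api_key_param."""
    payload = json.loads(body or b"{}")
    payload.pop("rpa_api_key_param", None)   # discard any key an internet client sent
    payload["rpa_api_key_param"] = RPA_API_KEY
    url = f"{RPA_AGENT_URL}?{urllib.parse.urlencode({'bot': bot})}"
    return urllib.request.Request(url, data=json.dumps(payload).encode(),
                                  headers={"Content-Type": "application/json"}, method="POST")


class GatewayHandler(BaseHTTPRequestHandler):
    authenticate = staticmethod(stub_ldap_bind)   # swap for a real LDAP bind in production

    def _reply(self, status: int, body: bytes) -> None:
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="rpa-gateway"')
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self) -> None:
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        bot = query.get("bot", [""])[0]
        status, reason = authorize(dict(self.headers), bot, self.authenticate)
        if status != 200:
            self._reply(status, reason.encode())
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            with urllib.request.urlopen(build_upstream_request(bot, body), timeout=30) as resp:
                self._reply(resp.status, resp.read())
        except ValueError:
            self._reply(400, b"request body must be a JSON object")
        except urllib.error.URLError:
            self._reply(502, b"rpa agent unreachable")


if __name__ == "__main__":
    # Bind on an internal interface and put a TLS terminator in front of this listener.
    HTTPServer(("127.0.0.1", 8080), GatewayHandler).serve_forever()
```

The two decisions worth copying are in authorize() and build_upstream_request(): authentication happens before any bot name is consulted, so an unauthenticated caller cannot probe which bots exist, and the client's rpa_api_key_param is discarded rather than trusted, so compromising an internet client never exposes the bot's key.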