API Connect


Gateway script encryption / decryption using API Connect certificate key

  • 1.  Gateway script encryption / decryption using API Connect certificate key

    Posted Sun April 09, 2023 03:57 AM
    Hi Team...
     
    I am implementing encryption/decryption logic in API Connect gateway assembly. The encryption logic for the fields in my API response to consumer should be as below,
     
    1. Generate a 32 byte random key
    2. Use the 32 byte random key to encrypt API response fields from algorithms like HMAC or SHA256
    3. Load the API Connect certificate / private key (stored in the datapower) in the gateway script code and use it to encrypt the 32 byte random key.
     
    Please advise on how the 3rd step can be achieved using gateway script code.


    ------------------------------
    Ashok Beshra
    ------------------------------


  • 2.  RE: Gateway script encryption / decryption using API Connect certificate key

    Posted Mon April 10, 2023 12:46 AM

    Dear Ashok,

    For the 3rd step you will be required to use asymmetric encryption, which is not possible in Gatewayscript, as the Datapower crypto module only provides symmetric encryption functions.

    So to do this, you can write an XSL stylesheet to implement RSA encryption. Store that XSL file in Datapower file management. Now from Gatewayscript you can use the Transform module to execute the XSL stylesheet placed on Datapower.


    Reference to do Asymmetric Encryption (32-byte key encryption)
    https://www.ibm.com/mysupport/s/topic/0TO0z000000RdtIGAS/dpencryptkey?language=th

    Reference to use Transform module to execute Xslt from Gatewayscript code.
    https://www.ibm.com/docs/en/datapower-gateway/7.5.0?topic=methods-transform-module




    ------------------------------
    Jayprakash Yadav
    ------------------------------



  • 3.  RE: Gateway script encryption / decryption using API Connect certificate key

    Posted Mon April 10, 2023 09:45 AM
    Hi Jay...
     
    Thanks for your response. I have a clarification on the above approach.
     
    1. My response message is JSON and I need to pass an XML message to the transform.xslt function in order to encrypt using the asymmetric key approach. Please let me know how to implement asymmetric encryption using XSLT, as the link which you have provided is not working.
    2. I also got the below github solution where encryption/decryption was implemented using JOSE module and JWK using set variable. Please let me know whether the below approach will work for my encryption scenario?
     
    https://github.com/sachinjha/apiconnect/blob/master/EncryptionDecryption/encryptAndDecryptPII.md


    ------------------------------
    Ashok Beshra
    ------------------------------



  • 4.  RE: Gateway script encryption / decryption using API Connect certificate key

    Posted Mon April 10, 2023 09:54 AM
    This completely depends on what type of encryption you are planning to use to encrypt the key. As you mentioned a private key will be used, as per my thought you might be going for an asymmetric encryption approach, i.e. RSA with PKCS1 padding.







  • 5.  RE: Gateway script encryption / decryption using API Connect certificate key

    Posted Thu April 13, 2023 09:27 AM
    Hi...
     
    We have followed the below approach for encryption / decryption using the asymmetric key approach.
     
    1. We were able to generate a 32 byte random string and encrypt the string using the API Gateway public key
    2. We have created a Datapower MPGW to decrypt using the API Gateway private key
    3. This MPGW uses the decrypt action in the datapower processing policy to decrypt the 32 byte random string
    4. This process requires an encrypted public key to be passed along with the encrypted random string, and we wanted to know how it can be generated when encryption is done outside datapower (for example in a Java application).
     
    Query
     
    Basically, if you encrypt a string in datapower, this gives a public key (EncryptedPublicKey) and an encrypted value (EncryptedValue) so that Datapower can decrypt using the encrypted public key and private key. But if encryption is done outside datapower, how can the EncryptedPublicKey be generated to decrypt in datapower?


    ------------------------------
    Ashok Beshra
    ------------------------------

    Attachment(s)

    zip
    Crypto_Encrypt.zip   1 KB 1 version


  • 6.  RE: Gateway script encryption / decryption using API Connect certificate key

    Posted Thu April 13, 2023 09:42 AM

    What type of encryption algorithm are you planning to use? On the basis of that I can share with you the XSLT that can be used to decrypt at Datapower.



    ------------------------------
    Jayprakash Yadav
    ------------------------------



  • 7.  RE: Gateway script encryption / decryption using API Connect certificate key

    Posted Sat April 15, 2023 06:58 AM

    Hi Jay...

    We are using AES256GCM algorithm to encrypt the 32-byte secret key.



    ------------------------------
    Ashok Beshra
    ------------------------------



  • 8.  RE: Gateway script encryption / decryption using API Connect certificate key

    Posted Sun April 16, 2023 03:21 AM

    Hi Jay....

    We have the XSLT already and we are able to encrypt and decrypt the 32 byte random string. My query is: while doing encryption, we get the encrypted public key with the encrypted random string data. We wanted to know how datapower generates this encrypted public key, so that we can generate it and send it for decryption. In this case, an external consumer will be doing the 32 byte random string encryption and datapower will be doing the decryption.



    ------------------------------
    Ashok Beshra
    ------------------------------



  • 9.  RE: Gateway script encryption / decryption using API Connect certificate key

    Posted Wed April 19, 2023 09:03 AM

    Hi Jay...

    Thanks for your reply on this topic. We were able to use the dp:encrypt-key() method to encrypt the 32 byte random string using the certificate key.



    ------------------------------
    Ashok Beshra
    ------------------------------
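
The three steps from the first post (32-byte random key, symmetric encryption of a response field, wrapping that key with the gateway certificate's public key), shown as an added example that is not part of any post in this thread. It assumes Node.js built-in `crypto` rather than the DataPower GatewayScript API, a key pair generated inline as a stand-in for the gateway certificate, RSA-OAEP for the key wrap, and hypothetical envelope field names that are not DataPower's EncryptedPublicKey / EncryptedValue format.

```javascript
// Added example: Node.js built-in crypto, NOT the DataPower GatewayScript API.
const crypto = require('node:crypto');

// Constructed stand-in for the gateway certificate's key pair (assumption).
function makeGatewayKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Assumed wrap parameters; both sides must be configured identically.
function wrapOptions(key) {
  return { key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
}

// Sender side: encrypt one field and wrap the content key for the gateway.
function sealField(plaintext, gatewayPublicKey, fieldName) {
  const cek = crypto.randomBytes(32);              // step 1: 32-byte random key
  const iv = crypto.randomBytes(12);               // fresh 96-bit nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(Buffer.from(fieldName, 'utf8'));   // bind ciphertext to its field
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]); // step 2
  const tag = cipher.getAuthTag();
  const wrappedKey = crypto.publicEncrypt(wrapOptions(gatewayPublicKey), cek);  // step 3
  cek.fill(0);                                     // drop the plaintext key
  const b64 = (b) => b.toString('base64');
  // Hypothetical envelope layout: everything the decrypting side needs.
  return { wrappedKey: b64(wrappedKey), iv: b64(iv), ct: b64(ct), tag: b64(tag) };
}

// Receiver side: unwrap the content key with the private key, then decrypt.
function openField(env, gatewayPrivateKey, fieldName) {
  const raw = (s) => Buffer.from(s, 'base64');
  const cek = crypto.privateDecrypt(wrapOptions(gatewayPrivateKey), raw(env.wrappedKey));
  const decipher = crypto.createDecipheriv('aes-256-gcm', cek, raw(env.iv));
  decipher.setAAD(Buffer.from(fieldName, 'utf8'));
  decipher.setAuthTag(raw(env.tag));
  // final() throws if the ciphertext, tag, or field name was altered.
  const pt = Buffer.concat([decipher.update(raw(env.ct)), decipher.final()]);
  cek.fill(0);
  return pt.toString('utf8');
}

// Constructed sample value, round-tripped through both sides.
const demoKeys = makeGatewayKeyPair();
const demoEnv = sealField('constructed-sample-value', demoKeys.publicKey, 'accountNumber');
console.log(openField(demoEnv, demoKeys.privateKey, 'accountNumber'));
```

An external sender only needs the public key and must transmit the wrapped key alongside the ciphertext, nonce and tag; the private key never leaves the decrypting side.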



  • 10.  RE: Gateway script encryption / decryption using API Connect certificate key

    Posted Tue May 09, 2023 09:26 AM
    Edited by Stefen Salvatore Thu June 08, 2023 01:50 AM

    Hi @Jayprakash Yadav 

    I have a requirement for symmetric encryption and symmetric decryption using Gatewayscript in API Connect V10, based on the Java code.

    Can you say whether this is possible to do? If so, please let me know the way.

    A file with code and detailed process is attached. I have tried to decode the code and I am done doing it, but the thing is, can we implement the same process using Gatewayscript in API Connect or not?

    Can our API Connect support the "PBKDF2WithHmacSHA1" algorithm? They used it in their Java code.

    Here the case is like:

    If Java encrypts the data and sends that data to API Connect, Gatewayscript should decrypt it without any errors, and vice versa.

    Hi @Steve Linn, your views on this are also required here. Hope you have an answer for everything by the way : )

    Hoping for a reply from anyone asap!

    Thanks in Advance!!



    ------------------------------
    Stefen Salvatore
    ------------------------------

    Attachment(s)

    java
    Gatewayscript.java   5 KB 1 version


  • 11.  RE: Gateway script encryption / decryption using API Connect certificate key

    Posted Wed April 19, 2023 10:14 AM

    I'm really lucky that I found this thread here.



    ------------------------------
    Maria Novak
    ------------------------------