API Connect

  • 1.  Handling basic auth credentials securely in API Calls

    Posted Mon August 09, 2021 06:51 AM
    Hi

    We have an API in APIC v5 which is calling some back side APIs (which are secured with basic auth). I am interested in knowing the approaches that we can use to prevent exposing the backside API credentials in the API document.

    Is there a way we can use the DataPower password map alias at runtime in the invoke policy? I understand that if I create a password alias in the default domain, it will be inherited by the APIC domain whenever we re-add the gateway via CMC.

    Any suggestions are welcome.

    Regards

    ------------------------------
    Vaibhav Mehra
    ------------------------------


  • 2.  RE: Handling basic auth credentials securely in API Calls

    Posted Tue August 10, 2021 11:52 AM
    You can either use a custom policy or an extension to hide your credentials, and access that value using a context variable in your Invoke policy. There is no other internal vault that you can currently use in API Connect.


  • 3.  RE: Handling basic auth credentials securely in API Calls

    Posted Mon August 23, 2021 07:57 AM
    Thanks Romil

    I find it strange that IBM has not made any mechanism to hold or pass confidential information in API Connect.

    Does anyone else have any suggestions?


    Regards
    Vaibhav Mehra

    ------------------------------
    Vaibhav Mehra
    ------------------------------



  • 4.  RE: Handling basic auth credentials securely in API Calls

    Posted Mon August 23, 2021 08:29 AM
    The only other way is to store these credentials in the Catalog Properties. You can then limit user access to these properties. I need to check if that option is available in v5. 

    Here is the RFP for the same. https://integration-development.ideas.ibm.com/ideas/APICONN-I-203


  • 5.  RE: Handling basic auth credentials securely in API Calls

    Posted Mon August 23, 2021 02:04 PM
    Thanks @Romil Garg

    We are considering alternate options for this requirement now.

    ------------------------------
    Vaibhav Mehra
    ------------------------------
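
Added example, not part of the thread and not IBM's code: a pre-publish check that flags invoke policies carrying literal basic-auth credentials instead of `$(property)` references, the pattern the Catalog Properties suggestion in post 4 relies on. It assumes the assembly layout `x-ibm-configuration.assembly.execute[].invoke` with `username`, `password` and `target-url` fields; the property names `backend-user` and `backend-password` and all sample values are constructed.

```javascript
// Constructed sample: the assembly section of an API document, written as the
// JSON equivalent of its YAML. All values are placeholders, not real secrets.
// The property names backend-user / backend-password are hypothetical.
const sampleApi = {
  'x-ibm-configuration': {
    assembly: {
      execute: [
        { invoke: { title: 'orders', 'target-url': 'https://backend.example/orders',
                    username: 'svc_orders', password: 'EXAMPLE-ONLY' } },
        { invoke: { title: 'stock', 'target-url': 'https://backend.example/stock',
                    username: '$(backend-user)', password: '$(backend-password)' } },
        { 'operation-switch': { case: [ { execute: [
          { invoke: { title: 'legacy', 'target-url': 'https://user:EXAMPLE@backend.example/x' } }
        ] } ] } }
      ]
    }
  }
};

// True when the whole value is a $(name) reference resolved at runtime.
const isReference = (v) => typeof v === 'string' && /^\$\([^()]+\)$/.test(v.trim());

// Walk every nested object and array, reporting invoke policies that carry
// literal credentials in username/password or embedded in the target URL.
function findHardcodedCredentials(node, findings = []) {
  if (Array.isArray(node)) {
    node.forEach((child) => findHardcodedCredentials(child, findings));
  } else if (node && typeof node === 'object') {
    const inv = node.invoke;
    if (inv && typeof inv === 'object') {
      for (const field of ['username', 'password']) {
        if (inv[field] !== undefined && inv[field] !== '' && !isReference(inv[field])) {
          findings.push({ policy: inv.title || '(untitled)', field });
        }
      }
      if (/^[a-z]+:\/\/[^\/@\s]+:[^\/@\s]+@/i.test(String(inv['target-url'] || ''))) {
        findings.push({ policy: inv.title || '(untitled)', field: 'target-url' });
      }
    }
    Object.values(node).forEach((child) => findHardcodedCredentials(child, findings));
  }
  return findings;
}

console.log(findHardcodedCredentials(sampleApi));
```

The check only confirms that no literal secret sits in the API document; who can read the referenced property values is still governed by access control on the catalog.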