DataPower

  • 1.  Is it possible to send shared secret in the header?

    Posted Mon August 21, 2023 10:40 AM

    I have a backend that requires a shared secret sent in a header (Azure function). I would like to store the secret securely on DataPower in a shared secret object, and then read it somehow and send it in the header, base64 encoded. Is that possible to do? Or can shared secret objects only be used for encryption purposes?  Thanks in advance for any help!



    ------------------------------
    Olga Terlyga
    ------------------------------


  • 2.  RE: Is it possible to send shared secret in the header?

    Posted Mon August 21, 2023 11:09 AM
    OK.  I'm sure you're going to hear a whole bunch of screaming about this question, and even more about my answer, but... with that said, yes, it is possible.
    However, you're going to have to store your shared secret key outside of the secured file stores (cert:, etc.).  From there, you can definitely read the content, base64 encode it and inject it into a header.
    Come see me at TechXchange


    ------------------------------
    Joseph Morgan
    ------------------------------



  • 3.  RE: Is it possible to send shared secret in the header?

    Posted Mon August 21, 2023 12:24 PM

    OK.  Even though I said this, I had actually never tried to read a secure file from the "cert:".  This is not to say you cannot read certificates from those directories (you can), but I'm talking about just reading the file, especially something like a private key, keytab, shared secret key, etc.

    So, this is what I did, FWIW:

    I built a loopback XMLFW with three fetch actions. 

    The first attempts to read a file from the "cert:".  That generates an error.

    The second attempts to read a file from "sharedcert:".  This one doesn't generate an error, but it doesn't produce any output.

    The third attempts to read a file from "pubcert:".  Likewise, no error, but no output.

    Just out of curiosity, I then attempted an old WebGUI hack where one could actually extract a file from the cert: directory (which was patched back in the 2018 firmware), just to see if a shared secret key could be read, and, thankfully, that failed as well.



    ------------------------------
    Joseph Morgan
    ------------------------------
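As an added example (not code from this thread or from IBM), here is a DataPower GatewayScript action that does what reply 2 describes, reading a secret file and injecting it base64 encoded as a request header, and that handles the outcomes reply 3 observed (an error from cert:, an empty body from sharedcert: and pubcert:). The file path local:///azure-shared-secret.txt and the header name X-Shared-Secret are assumptions.

```gatewayscript
// Added example, not from the thread. Runs as a GatewayScript action in a
// DataPower request rule. Assumed: the secret is stored at
// local:///azure-shared-secret.txt and the backend expects X-Shared-Secret.
var urlopen = require('urlopen');
var hm = require('header-metadata');

// Per the thread, the file must live outside the write-only stores:
// a cert:/// target errors, sharedcert:/// and pubcert:/// return no output.
// Anyone with file-management access to local: can read this file, so keep
// that access tightly scoped.
var SECRET_URL = 'local:///azure-shared-secret.txt'; // assumed path
var HEADER_NAME = 'X-Shared-Secret';                 // assumed header name

function injectSecretHeader(url, headerName) {
  urlopen.open({ target: url, method: 'GET' }, function (error, response) {
    if (error) {
      // cert:/// targets (and missing files) end up here
      session.reject('could not read secret from ' + url + ': ' + error);
      return;
    }
    if (response.statusCode !== 200) {
      session.reject('unexpected status ' + response.statusCode +
                     ' reading ' + url);
      return;
    }
    response.readAsBuffer(function (err, buf) {
      if (err) {
        session.reject('error reading body of ' + url + ': ' + err);
        return;
      }
      // sharedcert:/// and pubcert:/// "succeed" with an empty body; treat
      // that as a failure rather than sending an empty credential upstream.
      var secret = buf.toString().trim();
      if (secret.length === 0) {
        session.reject('secret file ' + url + ' is empty or unreadable');
        return;
      }
      hm.current.set(headerName, new Buffer(secret, 'utf8').toString('base64'));
      // pass the request body through unchanged
      session.input.pipe(session.output);
    });
  });
}

injectSecretHeader(SECRET_URL, HEADER_NAME);
```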