API Connect

  • 1.  Handling basic auth credentials securely in API Calls

    Posted Mon August 09, 2021 06:51 AM
    Hi

    We have an API in APIC v5 which is calling some back side APIs (which are secured with basic auth). I am interested in knowing the approaches that we can use to prevent exposing the backside API credentials in the API document.

    Is there a way we can use the datapower password map alias at runtime in the invoke policy? I understand that If I create a password alias in the default domain, it will be inherited by the APIC domain whenever we re-add the gateway via CMC.

    Any suggestions are welcome?

    Regards

    ------------------------------
    Vaibhav Mehra
    ------------------------------


  • 2.  RE: Handling basic auth credentials securely in API Calls

    IBM Select
    Posted Tue August 10, 2021 11:52 AM
    You can either use a custom policy or an extension to hide your credentials, and access that value using a context variable in your Invoke policy. There is no other internal vault that you can currently use in API Connect.

    ------------------------------
    Romil Garg
    ------------------------------



  • 3.  RE: Handling basic auth credentials securely in API Calls

    Posted Mon August 23, 2021 07:57 AM
    Thanks Romil

    I find it strange that IBM has not made any mechanism to hold or pass confidential information in API Connect.

    Anyone else has any suggestions?


    Regards
    Vaibhav Mehra

    ------------------------------
    Vaibhav Mehra
    ------------------------------



  • 4.  RE: Handling basic auth credentials securely in API Calls

    IBM Select
    Posted Mon August 23, 2021 08:29 AM
    The only other way is to store these credentials in the Catalog Properties. You can then limit user access to these properties. I need to check if that option is available in v5. 

    Here is the RFP for the same. https://integration-development.ideas.ibm.com/ideas/APICONN-I-203

    ------------------------------
    Romil Garg
    ------------------------------



  • 5.  RE: Handling basic auth credentials securely in API Calls

    Posted Mon August 23, 2021 02:04 PM
    Thanks @Romil Garg

    we are considering alternate options for this requirement now.​

    ------------------------------
    Vaibhav Mehra
    ------------------------------