
Storing encrypted security credentials in a vault using App Connect Enterprise v11.0.0.6

Thu July 23, 2020 11:46 AM

In this article, I describe how to create a vault in App Connect Enterprise V11 Fixpack 6 (11.0.0.6) and store credentials in it in encrypted form. A flow running in an Integration Server on a Mac then uses these credentials to access a Db2 database on Windows over JDBC. The flow reads the database from a JavaCompute node through a JDBC Provider policy, and the policy references the credential by name.


(Watch the video to follow the steps described in this article)

App Connect Enterprise Vault

New in App Connect Enterprise V11 Fixpack 6 is a vault that uses symmetric encryption (AES with 256-bit keys) to encrypt and decrypt the data records stored in it. The vault is opened with a vault key.

A new command, mqsivault, creates or destroys a vault in the work directory used by an Integration Server. Once a vault exists in the work directory, the vault key must be supplied when the Integration Server starts. The vault key can be stored in a .mqsivaultrc file instead of being passed as a command parameter, which keeps it out of shell history and process listings; protect that file with restrictive file permissions, because anyone who can read it can open the vault.

Storing Credentials in the Vault

Having created the vault, you can store data in it, and everything stored is encrypted. V11 Fixpack 6 also provides a new command, mqsicredentials, which stores credentials in the vault and can be used as an alternative to mqsisetdbparms. The Integration Server decrypts these credentials when it needs them to access external resources such as databases. If the Integration Server is stopped, you must pass the vault key to mqsicredentials; while the server is running, the key is not required.

End-to-end example using JDBC

Create a Work Directory

  • I can create a work directory using mqsicreateworkdir.
  • This creates four sub-directories and a server.conf.yaml:

Create a Vault in the Work Directory

  • I create a vault in the work directory, using mqsivault and specifying a vault key. In this example, the vault key is ‘myvaultkey’.

Start an Integration Server which has a vault

  • If I try to start the Integration Server without specifying the vault key, an error is reported.

  • If I specify the vault key, the Integration Server starts.

Message Flow Overview

  • The message flow contains a JavaCompute node which references a JDBC Provider policy:
  • The JavaCompute node contains:

  • The JDBC Provider policy is called DB2Policy and it is in a Policy Project called MyPolicies:

  • The DB2Policy references a security credential called ‘demo_id’.

Put a message through the flow before defining a credential

  • I can connect to the Integration Server from the Toolkit. If I deploy the Policy Project and then deploy the application using the Flow Exerciser, I can put a message through the flow. However, an exception is caught and propagated from the Catch terminal of the Input node.

  • The exception occurred because the credential referenced by ‘demo_id’ in the policy had not been defined in the vault, so the flow could not connect to the database and access the data.

Create credentials in the vault

  • I can create the credentials in the vault with the mqsicredentials command whether the Integration Server is started or stopped. The command needs the work directory location, a credential name and a credential type. In this example, I issue the mqsicredentials command while the Integration Server is running.

  • Having created the credentials, I can confirm that they are stored in the vault with the mqsicredentials command or in the web UI. Passwords are not shown on the command line or in the web UI.

  • You can create, report, update and delete credentials while the Integration Server is stopped. The vault key is required when the Integration Server is stopped.
  • You can create and report credentials while the Integration Server is running. The vault key is not required when the Integration Server is running.
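The command sequence above, collected into one script, as an added example that is not part of the original article. It creates the work directory, creates the vault, stores the ‘demo_id’ JDBC credential while the server is stopped, reports the vault contents and then starts the Integration Server. The work directory path, database user name and password are placeholders; the option names follow the mqsivault, mqsicredentials and IntegrationServer command reference as I recall it, so check them against the topics linked at the end of the article before relying on them. Set DRY_RUN=1 to print the commands instead of executing them, which needs no ACE installation.

```shell
#!/bin/sh
# Added example (not from the article): end-to-end vault setup for an
# Integration Server work directory. Option names are assumed to match the
# ACE 11.0.0.6 command reference; verify before use.

WORK_DIR="${WORK_DIR:-/tmp/ace/vaultdemo}"   # assumed work directory path
VAULT_KEY="${VAULT_KEY:-myvaultkey}"         # the article's example key; choose your own
CRED_NAME="${CRED_NAME:-demo_id}"            # name referenced by DB2Policy
CRED_TYPE="jdbc"                             # credential type for a JDBC Provider policy
DB_USER="${DB_USER:-db2inst1}"               # assumed database user
DB_PASS="${DB_PASS:-changeme}"               # assumed; supply via the environment, never hard-code

# run_cmd prints the command line in dry-run mode, otherwise executes it.
run_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

create_workdir() { run_cmd mqsicreateworkdir "$WORK_DIR"; }

create_vault() { run_cmd mqsivault --work-dir "$WORK_DIR" --create --vault-key "$VAULT_KEY"; }

# Server stopped: the vault key must be passed to mqsicredentials.
create_credential_stopped() {
  run_cmd mqsicredentials --work-dir "$WORK_DIR" --vault-key "$VAULT_KEY" --create \
    --credential-type "$CRED_TYPE" --credential-name "$CRED_NAME" \
    --username "$DB_USER" --password "$DB_PASS"
}

# Server running: the same command without the vault key.
create_credential_running() {
  run_cmd mqsicredentials --work-dir "$WORK_DIR" --create \
    --credential-type "$CRED_TYPE" --credential-name "$CRED_NAME" \
    --username "$DB_USER" --password "$DB_PASS"
}

# Lists stored credentials; passwords are never printed.
report_credentials() { run_cmd mqsicredentials --work-dir "$WORK_DIR" --vault-key "$VAULT_KEY" --report; }

# Starts the server in the foreground; without --vault-key it refuses to start
# once a vault exists in the work directory.
start_server() { run_cmd IntegrationServer --work-dir "$WORK_DIR" --vault-key "$VAULT_KEY"; }

# Returns 0 if a command line carries the vault key as an argument, i.e. the
# key would be visible in `ps` output and shell history on that host.
vault_key_on_cmdline() {
  case "$1" in *"--vault-key "*) return 0 ;; *) return 1 ;; esac
}

# Run the full sequence only in dry-run mode or when ACE is actually installed.
if [ "${DRY_RUN:-0}" = "1" ] || command -v mqsivault >/dev/null 2>&1; then
  create_workdir
  create_vault
  create_credential_stopped
  report_credentials
  start_server   # Ctrl-C to stop; create_credential_running works while it runs
fi
```

Every command here that carries --vault-key exposes the key to anyone who can list processes or read shell history on the machine, which is why the article's .mqsivaultrc alternative is worth using on shared hosts; keep that file readable only by the user the Integration Server runs as.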

Put a message through the flow after defining the credential

  • If I now put a second message through the same flow, the data is returned from the database using the credentials stored in the vault.

  • Notice that I did not need to restart the Integration Server, redeploy the flow or restart the flow for the change to take effect. The credentials were read from the vault on the next message through the flow.

Summary

In this article, I have shown how to create a vault in an Integration Server, using mqsivault. The vault can be used to store credentials in encrypted form. A vault key must be supplied for the Integration Server to access the vault. The vault key can be supplied in different ways, either as a parameter value, or using a .mqsivaultrc file. The mqsicredentials command can be used as an alternative to mqsisetdbparms.

For more information see these topics in the App Connect Enterprise Knowledge Center:

Configuring encrypted security credentials

mqsivault

mqsicredentials


#AppConnectEnterprise(ACE)
#ACEV11
#Security
#credentials
#Integration
#Integrationserver
#JDBCproviderpolicy