Layer7 API Management

Hello.

Within the routing of a request I remove unneeded authentication cookies. They contain sensitive information in terms of identification tokens. So I use the "Manage Cookie" Assertion to delete some cookies. Works fine.

But within the CA API GW logs I see the cookie transformation (update or delete), with the whole values of cookies logged  in clear. I would like to not log these values by default. How could this be done ?

I read How to completely disable all logging for a policy? and tried the assertion "Audit Message in Policy" in order to raise the log level to warning as opposed to info. It seamed nice also in terms of granularity : I could change for a given policy the logging level as opposed to do an API GW level change. No success : sensitive info still logged. I suppose this assertion changes the *audit* level but not the *log* level.

Ideas ?

--

Gilles

To change how some of the classes are logged you can modify the cluster wide property log.levels and add the line com.l7tech.message.HttpCookiesKnobImpl.level = SEVERE to remove this entry from being logged.

Sincerely,

Stephen Hughes

Broadcom Support

Thanks. That's one direction. Tried it. It works.

Any comments about assertion "Audit Message in Policy" ?

Regards.

Gilles

Gilles,

Your question: 

"I read How to completely disable all logging for a policy? and tried the assertion "Audit Message in Policy" in order to raise the log level to warning as opposed to info. It seamed nice also in terms of granularity : I could change for a given policy the logging level as opposed to do an API GW level change. No success : sensitive info still logged. I suppose this assertion changes the *audit* level but not the *log* level.

Ideas ? "

The way audits work is that they take the default cluster wide property for the default level for audit.messageThreshold which is set to WARNING so it will not write out an audit unless it is this level or higher. By using the Audit Message in Policy will force all audit level messages to be moved up to the level specified forcing it to be written to the audit subsystem. It can also be reverted later in the policy if a happy path is reached by setting it to below the CWP threshold so no auditing is done. This covers how it is written to the Audit DB and typically for the logging as well. What is interesting about this error being logged is that it is showing up under the gateway category not the audit category so you would need to change the logging levels to Warning or higher.  

I've created an idea to look to adjust the way this is logged. Please review to add any additional insight and vote up the idea. Manage Cookie should not log entries under the gateway category 

Sincerely,

Stephen Hughes

Broadcom Support

You may also want to look at for sensitive information in general an Audit Message Filter. 
Remove Sensitive Data for Auditing - CA API Gateway - 9.3 - CA Technologies Documentation 

Good afternoon,

Were you able to resolve the issue? What was the final result?

Sincerely,

Stephen Hughes
Broadcom Support

Hello.

I sepcified cluster wide logging property com.l7tech.message.HttpCookiesKnobImpl.level = SEVERE. It is not the best solution but better than nothing. It works. But now at INFO we don't see any more cookie manipulation in the logs.

I added a comment on Manage Cookie should not log entries under the gateway category : AFAIU the best would be to change the logging level at which cookie content is logged. It is very usefull at INFO to have in the log the fact that a cookie is touched without cookie value.

Regards.

GIlles