Layer7 API Management

  • 1.  How to securely add Basic Authentication to outgoing request?

    Posted Mar 07, 2017 10:07 AM

    Hi,

    We got a case where we are asked to add Basic Authentication to the outgoing call.


    Best method I found so far, is by:

    Adding the password to Stored Passwords with 'Permit use via context variable reference' checked

    +

    HTTPS routing assertion > tab Authentication > Specify HTTP Credentials:

    • User Name: <name>
    • Password: ${secpass.<name>.plaintext}


    However, CA documentation discourages using the 'Permit use via context variable reference' checkbox and rightly so (e.g. anybody doing a debug can see the password by adding ${secpass.<name>.plaintext} to the debug params).


    Is there a more secure way to achieve this?


    Kind regards,

    Tim



  • 2.  Re: How to securely add Basic Authentication to outgoing request?

    Broadcom Employee
    Posted Mar 07, 2017 05:29 PM

    Hi Tim,

    As long as you use Basic Authentication, the developer can get the password in some way.

    Using a client certificate for the outgoing call may be better; at least you don't need to worry about leaking the password. But still, a developer can export the private key if he wants.


    Regards,

    Mark



  • 3.  Re: How to securely add Basic Authentication to outgoing request?

    Posted Mar 08, 2017 07:17 AM

    Hi Mark,


    In this case it would be used in combination with mutual SSL.

    I grant that it's a difficult issue to solve on the API Gateway, as limiting access to the password via the context variable is one thing, but limiting access to the actual HTTP headers that were sent out is another. I guess the conclusion is that there is no real solution for this.


    Thanks for the input,

    Tim



  • 4.  Re: How to securely add Basic Authentication to outgoing request?
    Best Answer

    Broadcom Employee
    Posted Mar 08, 2017 06:42 PM

    Hello Tim,

    When you build a basic authentication header, you need the plain password, so the developer can print the password at that moment.

    So the problem is with basic authentication.

    If the backend service abandons basic authentication and accepts a private key for authentication, then it will be more secure, as we only need to protect this private key (the same as protecting the password for basic authentication). This can be done by setting proper roles for the developers, so that normal developers can only use the private keys in policies but cannot access them directly.

    (I tested creating a new gateway user without the Administrator role and the Manage Private Keys role; when that user accesses the Manage Private Keys window, all the buttons are grayed out, but the user can select an existing private key for the Route via HTTPS assertion.)


    And yes, security against insiders is always harder.


    Regards,

    Mark
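
Added example (not from the thread or from the Layer7 product) illustrating the two points above: building a Basic header needs the plaintext and the header itself is trivially reversible, so Tim's concern about captured outgoing headers is as real as the ${secpass.<name>.plaintext} concern. The redaction helper shows the defender-side mitigation for debug traces; the credentials, request trace and reference syntax are constructed for the demo.

```python
import base64
import re

# Constructed sample credentials for the demonstration (not real secrets).
USER = "svc-account"
PASSWORD = "s3cret-pass"


def build_basic_header(user, password):
    """Build the Authorization value exactly as RFC 7617 specifies:
    base64("user:password"). Whoever runs this step holds the plaintext."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_credentials(header_value):
    """Base64 is an encoding, not encryption: anything that can read the
    outgoing header (a debug trace, a proxy log) gets the password back."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Patterns for scrubbing a captured trace before it reaches a log or debugger view.
_BASIC_RE = re.compile(r"(?im)^(authorization:\s*basic\s+)\S+")
# Reference syntax assumed from the thread: ${secpass.<name>.plaintext}
_SECPASS_RE = re.compile(r"\$\{secpass\.[^}]*\.plaintext\}")


def redact_trace(trace):
    """Mask Basic credentials and any secpass plaintext reference so the
    request can still be inspected without exposing the password."""
    trace = _BASIC_RE.sub(r"\1[REDACTED]", trace)
    return _SECPASS_RE.sub("${secpass.[REDACTED].plaintext}", trace)


if __name__ == "__main__":
    header = build_basic_header(USER, PASSWORD)
    # Constructed outgoing request, as a debug trace would capture it.
    trace = ("POST /backend HTTP/1.1\r\nHost: backend.example\r\n"
             f"Authorization: {header}\r\n\r\n")
    print(recover_credentials(header))  # ('svc-account', 's3cret-pass')
    print(redact_trace(trace))
```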