Layer7 API Management


Authenticate API issue

  • 1.  Authenticate API issue

    Posted Jun 14, 2018 09:32 AM

    Hi There,
    The scenario is: we built an Authentication API which takes a username and password as input, validates them, and sends back the user's email and GUID in the response. During this process, if I enable audit, I see the password in clear text in the request. How could I encrypt this password so that it cannot be seen by Policy Manager administrators? Please advise how to mitigate it.



  • 2.  Re: Authenticate API issue

    Broadcom Employee
    Posted Jun 21, 2018 11:47 AM

    The following documentation has been added to address your question. This information used to exist in a standalone document. Remove Sensitive Data for Auditing - CA API Gateway - 9.3 - CA Technologies Documentation.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 3.  Re: Authenticate API issue

    Posted Jun 25, 2018 02:26 PM

    Hi Stephen,

    I created a policy filter and later deleted it; as a result, I could not see any request and response, which is disabled. See the screenshot below. How could I revert the changes? I have deleted that fragment, but it didn't help. Please advise.

     



  • 4.  Re: Authenticate API issue

    Broadcom Employee
    Posted Jun 25, 2018 07:55 PM

    If you have removed the audit-message-filter internal policy, this should revert the system back to not using it. Just to ensure it is flushed, look to restart the Gateway process.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 5.  Re: Authenticate API issue

    Posted Jun 27, 2018 02:24 PM

    Hi Stephen,

    I deleted the internal policy for audit-message-filter, restarted the ssg service and even rebooted the VM multiple times; still no luck, the request and response are still in the disabled state. Please advise how to mitigate it.



  • 6.  Re: Authenticate API issue

    Broadcom Employee
    Posted Jun 27, 2018 03:25 PM

    The writing out of the Request and Response is controlled by the policy with the Audit Assertion with "save request" and "save response" checked.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 7.  Re: Authenticate API issue

    Posted Jun 27, 2018 03:45 PM

    You're correct, my bad.

    In fact, when I create the policy it completely disables the entire request & response. But I want to encrypt or base64 only the password. Please advise.



  • 8.  Re: Authenticate API issue

    Broadcom Employee
    Posted Jul 01, 2018 08:22 PM

    Dear Popleys ,

    Can you show an example of "if I enable audit I see the password in clear text in the request" (or upload your policy)? Audit should not automatically show the value of a variable unless you print it in an Audit Detail assertion.

    If you use basic authentication, the username/password is already base64 encoded in the header.

    I would guess you're using form data to pass the username/password?

    If yes, as long as you don't audit the request body/parameters, it should not show the password in the audit.

     

    If you have to encode/encrypt the password, it can only be done on the client side (browser/mobile app). And we need to decode/decrypt it on the server side (gateway) before we can validate it.

     

    Regards,

    Mark



  • 9.  Re: Authenticate API issue

    Posted Jul 02, 2018 02:28 PM

    Hi Zhijun, below is what the policy looks like; it authenticates users of the web application via the API below against LDAP. I have enabled auditing for this REST API. Essentially, what I was looking for is that I wanted to audit the user request but not the password in it, only part of it, i.e. the username in this case. In fact, the password value should be sort of stripped, hashed out or encrypted before it is stored in the audit; apparently, when an administrator or prod support logs in to the Policy Manager, he can view the request and could potentially see the user's password, which is non-compliant.

     

    Request:

    {
      "username": "test.rob@gmail.com",
      "password": "userpassword"
    }

    Response:

    {success or fail}

     

    Policy:



  • 10.  Re: Authenticate API issue

    Broadcom Employee
    Posted Jul 02, 2018 10:09 PM

    Thanks Popleys ,

    As mentioned, for your case you need to encrypt/encode the password value on the client side, before it is put in the JSON payload. Then, no matter how you audit it on the gateway side, it won't show the clear text password (unless you audit it after decryption).

    On the gateway side, you can decrypt/decode it before authenticating against an identity provider.

     

    Regards,

    Mark



  • 11.  Re: Authenticate API issue

    Posted Jul 02, 2018 10:21 PM

    Thanks Mark for the info. What are the best possible options to encrypt, besides asymmetric (RSA) & AES? If you would say either can be used, then I think AES could be the right option. Correct me if I am wrong.



  • 12.  Re: Authenticate API issue

    Broadcom Employee
    Posted Jul 03, 2018 12:01 AM

    Sorry, sharathbabu yeramalla ,

    The above is the common way, but not the only way.

    Stephen_Hughes in a previous comment shows another way that can be done on the gateway side.

     

    Here are the steps:

    1. Add the AMF policy.

    2. Build the AMF policy, with only one assertion in the policy (the regex is as per your request; if your request has a different format, we may need to change it accordingly to replace the password value with *****).

     

    3. A simple test API.

     

    4. Test result in the audit event viewer -- both request and response are masked.

     

    That could be easier than doing it on the client side.

    But keep in mind that if you don't do it on the client side, you would have a chance of leaking the password during data transfer. (Although you require an SSL connection in your policy, there is still a chance that the client sends the request over HTTP; on the service side you can reject it but cannot stop the client from doing so.)

     

    Regards,

    Mark



  • 13.  Re: Authenticate API issue

    Posted Jul 03, 2018 03:41 PM

    I have a question here, maybe weird: if you replace the password with pattern matching, then the user won't be able to authenticate, right? Because the password may change and authentication would fail, isn't it?



  • 14.  Re: Authenticate API issue
    Best Answer

    Posted Jul 03, 2018 03:49 PM

    Please ignore my trailing comments. This worked great, thanks.



  • 15.  Re: Authenticate API issue

    Posted Jul 05, 2018 11:33 AM

    Hi There,

    Similarly, I have one more different API for user update, where the gender name field exists in it; I want to mask the field from the request, "Gender": "xxxx". I tried adding a Gender regex under the password one, which didn't trigger masking of the Gender field from the request. I also tried creating one more internal AMF policy, which it does not allow me to create; it complains a policy already exists. Please advise.

     



  • 16.  Re: Authenticate API issue

    Posted Jul 05, 2018 06:59 PM

    Please ignore it; after a refresh it works.
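To make the audit-message-filter idea from reply 12 concrete, and to show how the same regex extends to the extra "Gender" field asked about in reply 15 (and why masking the audit copy does not break login, the worry in reply 13), here is an added Python example. It is not CA/Layer7 Gateway code: the regex mirrors what the single Replace-with-regex assertion in the AMF policy does, the field names and the salted-hash credential store are constructed stand-ins for the real LDAP lookup, and the request format is the thread's JSON.

```python
import hashlib
import hmac
import json
import re

# Fields whose values must never reach the audit log. "password" is the field
# from the thread's request; "Gender" is the extra field raised later on.
SENSITIVE_FIELDS = ("password", "Gender")


def mask_pattern(fields=SENSITIVE_FIELDS):
    """Build one regex matching "<field>": "<value>" for every listed field,
    so one assertion covers all of them. The value group tolerates escaped
    quotes inside the JSON string; the key match is case-insensitive."""
    names = "|".join(re.escape(f) for f in fields)
    return re.compile(
        r'("(?:' + names + r')"\s*:\s*")([^"\\]*(?:\\.[^"\\]*)*)(")', re.IGNORECASE)


def mask_for_audit(body, fields=SENSITIVE_FIELDS):
    """Return a copy of the message text with sensitive values replaced by
    *****. Only this copy is written to the audit; the live request is untouched."""
    return mask_pattern(fields).sub(lambda m: m.group(1) + "*****" + m.group(3), body)


# Constructed credential store (stand-in for LDAP): salted SHA-256 digest of
# the thread's sample password, not a real account.
_SALT = b"constructed-salt"
_USERS = {"test.rob@gmail.com": hashlib.sha256(_SALT + b"userpassword").hexdigest()}


def authenticate(body):
    """Validate the ORIGINAL (unmasked) request, so masking cannot break login."""
    creds = json.loads(body)
    expected = _USERS.get(creds.get("username"), "")
    got = hashlib.sha256(_SALT + creds.get("password", "").encode()).hexdigest()
    return hmac.compare_digest(got, expected)


def handle(body):
    """Process one request: authenticate on the clear body, audit the masked
    copy. Returns (auth_ok, audit_record)."""
    return authenticate(body), mask_for_audit(body)


if __name__ == "__main__":
    # Constructed sample request in the thread's format, plus the Gender field.
    sample = '{"username": "test.rob@gmail.com", "password": "userpassword", "Gender": "male"}'
    ok, record = handle(sample)
    print(ok, record)  # True {"username": "test.rob@gmail.com", "password": "*****", "Gender": "*****"}
```

A quick check after deploying such a filter is to search the audit viewer for a known test password; it should never appear, while the test login still succeeds.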