The API Builder configuration is stored on disk at rest. For example, connectors may store their usernames and passwords in the clear on disk. If the API Builder configuration contains sensitive information, storing it on disk may be a security concern. There are two relatively easy configuration options to avoid or mitigate this concern:

...

One security configuration option is to remove the configuration settings from the API Builder configuration and retrieve them from the environment configuration. For example, to protect the salutation in the greetflow.default.js sample:

```js
module.exports = {
    "helloworld": {
        "salutation": "Howdy"
    }
};
```

Would become:

```js
module.exports = {
    "helloworld": {
        "salutation": process.env.SALUTATION
    }
};
```

When running locally, you can set the SALUTATION environment variable. Alternatively, you can hardcode the value in the development configuration but read it from the environment in the production configuration. When running in the cloud, you can set the variable on the deployed instance using appc cloud config:

```bash
appc cloud config --set "SALUTATION=Greetings"
```

...

  1. Generate the encrypted value. The following example is a simple CLI that will AES encrypt a value passed in on the CLI:

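    ```js
    const crypto = require('crypto');
    const algorithm = 'aes256';
    // Read the key from the KEY environment variable; the fallback string is only a placeholder.
    const key = process.env.KEY || 'getKeyFromSomewhere';
    const cipherEncoding = 'hex';
    const textEncoding = 'utf-8';

    // Note: crypto.createCipher() and crypto.createDecipher() are deprecated and
    // were removed in Node.js 22, so this sample requires an older Node.js release.

    // Encrypt a UTF-8 string and return the ciphertext as hex.
    function encrypt(clearText) {
        const cipher = crypto.createCipher(algorithm, key);
        let cipherText = cipher.update(clearText, textEncoding, cipherEncoding);
        cipherText += cipher.final(cipherEncoding);
        return cipherText;
    }

    // Decrypt a hex ciphertext and return the original UTF-8 string.
    function decrypt(cipherText) {
        const decipher = crypto.createDecipher(algorithm, key);
        let clearText = decipher.update(cipherText, cipherEncoding, textEncoding);
        clearText += decipher.final(textEncoding);
        return clearText;
    }

    // Encrypt the first CLI argument, then decrypt it again as a round-trip check.
    const text = process.argv[2];
    const cipherText = encrypt(text);
    console.log(`CIPHERTEXT: ${cipherText}`);
    console.log(`CLEARTEXT:  ${decrypt(cipherText)}`);
    ```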

    Example run, encrypting the value Hello:

    ```bash
    $ node ./crypt Hello
    CIPHERTEXT: 6b05e3830ba6638b0790a55cde19cdd7
    CLEARTEXT:  Hello
    ```
  2. Place the encrypted value in the API Builder configuration. For this to work, API Builder must be able to decrypt the encrypted value. The decrypt function could be placed in a utility and used across multiple config files:

    ```js
    const crypto = require('crypto');
    const algorithm = 'aes256';
    // The key is never stored in the configuration; it comes from the environment.
    const key = process.env.KEY;

    // Decrypt a hex ciphertext produced by the CLI in step 1.
    function decrypt(cipherText) {
        const decipher = crypto.createDecipher(algorithm, key);
        let clearText = decipher.update(cipherText, 'hex', 'utf-8');
        clearText += decipher.final('utf-8');
        return clearText;
    }

    module.exports = {
        "helloworld": {
            "salutation": decrypt('6b05e3830ba6638b0790a55cde19cdd7')
        }
    };
    ```
  3. Set the KEY environment variable in the cloud to the encryption key:

    ```bash
    appc cloud config --set "KEY=mySecretKey"
    ```

    Now, when the application is published, API Builder will be able to decrypt the encrypted value.