Securing an API : Use IIB or API Connect
Pats21
Posted: Tue Apr 18, 2017 4:54 am    Post subject: Securing an API : Use IIB or API Connect
Disciple
Joined: 08 Sep 2006    Posts: 154
Hi,
We have the IIB and API Connect products in our environment, whereby APIs are developed on IIB and exposed to internal consumers directly, whereas a consumer outside the organisation comes in via API Connect.
We have an existing working API, which is being used by multiple internal consumers. Now we want to expose this API to external consumers. However, there is some sensitive data present as part of the request/response message.
We would like to implement some sort of security around it, like encrypting the entire message, encrypting only the sensitive fields, masking the fields, etc.
I would like to know, if I go with the approach of encrypting the entire message or only the sensitive fields, in which product should I implement this change?
I am not an API Connect expert, so I am not sure whether this is even achievable in API Connect. However, I would like to know from an architecture principle perspective as well.
Would appreciate your valuable thoughts on this.
Thanks in advance.
Vitor
Posted: Tue Apr 18, 2017 5:01 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
Understand that I would not describe myself as an API Connect expert.
Having said that, I believe the only security API Connect adds is access security: who can access what URL and how often. I don't believe it has a native capability to encrypt any part of the payload outside of the HTTPS conversation with the customer. You'd need to do that in IIB / DataPower / somewhere else, I think.
_________________
Honesty is the best policy.
Insanity is the best defence.
ruimadaleno
Posted: Tue Apr 18, 2017 8:42 am    Post subject:
Master
Joined: 08 May 2014    Posts: 274
You need to plan ahead beforehand.
Do you want all your services to be protected? Do you want to expose a "hybrid secured" service where some capabilities are "open" to all authenticated users and a few capabilities are available to a well-defined set of authenticated users?
Do you have any kind of security repository in place that you can use to manage users and their profiles/access rights? Maybe an LDAP server?
After these decisions there are some methods you can use, like the PepSecurity node, security profiles, etc.
About message data: is it enough to encrypt the message data? Do you need to validate that the message was sent by the consumer and that the message was not modified? You may need digital signatures.
Just my two cents on this security theme.
_________________
Best regards
Rui Madaleno
Pats21
Posted: Mon Apr 24, 2017 3:26 am    Post subject:
Disciple
Joined: 08 Sep 2006    Posts: 154
Thank you Vitor and Rui Madaleno for your inputs.
Regards,
Pats ...