wmqstankela |
Posted: Thu Nov 29, 2018 7:33 am Post subject: Storing password |
|
|
Voyager
Joined: 29 Feb 2016 Posts: 94
|
Hi all,
I am using IIB v10 and I have a situation where my flow needs to pass some user and password to a 3rd party service. I am using a JCN for creating the request, but I don't want to set the password in plain text in my code, so I created a user-defined configurable service with username and password values. I managed to read these values from the JCN, but when I log in to the web user interface I see the password as plain text.
Is there any other solution to store masked credentials somewhere that could be read from a Java compute node? |
|
Vitor |
Posted: Thu Nov 29, 2018 7:47 am Post subject: Re: Storing password |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
wmqstankela wrote: |
I have a situation where my flow needs to pass some user and password to a 3rd party service. |
Where in the request is the user id & password? HTTP header? WS-Security header? Somewhere in the payload body?
Where do you get the credentials from? The incoming request? Is it a static pair, i.e. the flow always uses the same values?
wmqstankela wrote: |
I am using a JCN for creating the request |
Why? Why not use the HTTPRequest node to do this?
Accepting that you need to form the payload in a Compute node of some kind, the HTTP Request node can propagate credentials into each of the 3 situations I name above, storing them in the same way IIB stores credentials for its database connections and as secure. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
wmqstankela |
Posted: Thu Nov 29, 2018 7:58 am Post subject: |
|
|
Voyager
Joined: 29 Feb 2016 Posts: 94
|
The user and pass are static and I always use the same values. I send them in the payload. Is there a way to store it somewhere in IIB, like a Security identity or some configurable service that can be read from Java, but not stored in plain text?
I know that I can store it in a db, but I wonder if it is possible without a db. |
|
Vitor |
Posted: Thu Nov 29, 2018 8:05 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
wmqstankela wrote: |
Is there a way to store it somewhere in IIB, like a Security identity or some configurable service that can be read from Java, but not stored in plain text? |
Yes, it's what the HTTPRequest node uses but that's not accessible to user code.
wmqstankela wrote: |
I wonder if it is possible without a db. |
And if you use a database, you then have to protect the database.
If you're determined to do this with a JCN (and I still don't understand why) then the user configurable service or a database are your best bets. |
|
wmqstankela |
Posted: Thu Nov 29, 2018 8:06 am Post subject: |
|
|
Voyager
Joined: 29 Feb 2016 Posts: 94
|
|
Vitor |
Posted: Thu Nov 29, 2018 8:09 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
wmqstankela wrote: |
Ok, thanks Vitor! |
For the record, I think your method is wrong.
I would also doubt that any security review of your solution would be happy with plain text credentials stored in a user service, or in a db without a lot of additional access controls.
But it's your site and your solution. So go in peace with it.
|
wmqstankela |
Posted: Fri Nov 30, 2018 2:15 am Post subject: |
|
|
Voyager
Joined: 29 Feb 2016 Posts: 94
|
It's a little bit complicated...I will not set pass as plain text surely, that's why I am trying to find another way how to store pass so that I can read it from JCN. |
|
Vitor |
Posted: Fri Nov 30, 2018 5:05 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
wmqstankela wrote: |
It's a little bit complicated...I will not set pass as plain text surely, that's why I am trying to find another way how to store pass so that I can read it from JCN. |
That's what I mean (and what I keep saying); I wouldn't do this in the JCN, I'd use the HTTPRequest node.
But again, you're better placed than me to know what's best for your situation. And what your security people will or will not tolerate by way of risk. |
|
wmqstankela |
Posted: Tue Dec 04, 2018 1:56 am Post subject: |
|
|
Voyager
Joined: 29 Feb 2016 Posts: 94
|
Vitor, I have this situation. I'm searching for an LDAP entry, using some Java package. In order to do this, I need a bind user and pass to provide with my search request. That's the reason why I need to store credentials somewhere on IIB and to read them from the JCN.
I've used a user-defined configurable service, but the password is in plain text. Do you know a better solution for this situation? |
|
fjb_saper |
Posted: Tue Dec 04, 2018 5:23 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
I thought there was a PEP node that allows you to check LDAP and would retrieve the LDAP access credentials just like IIB retrieves any other credentials it stored...  _________________ MQ & Broker admin |
|
wmqstankela |
Posted: Tue Dec 04, 2018 5:43 am Post subject: |
|
|
Voyager
Joined: 29 Feb 2016 Posts: 94
|
Thanks fjb_saper for an answer!
How do you mean that the PEP node will retrieve LDAP access credentials? How to bind with LDAP? |
|
Vitor |
Posted: Tue Dec 04, 2018 6:05 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
wmqstankela wrote: |
How do you mean that the PEP node will retrieve LDAP access credentials? |
There's a world of difference between what you originally asked:
wmqstankela wrote: |
where my flow needs to pass some user and password to a 3rd party service |
and this:
wmqstankela wrote: |
I'm searching for an LDAP entry |
For the first case, you need to use the inbuilt capabilities of the HTTPRequest node. For the second case, you need to use a PEP node as my associate correctly points out.
Note that if your 2 use cases are in some way linked (for example you need to obtain a token/credentials of some kind from LDAP and pass it to this 3rd party service) then you still don't need a JCN; you can get the HTTPRequest node to pass it directly.
wmqstankela wrote: |
How to bind with LDAP? |
As laid out in the instructions for the PEP node. |
|
Esa |
Posted: Wed Dec 05, 2018 4:48 am Post subject: |
|
|
 Grand Master
Joined: 22 May 2008 Posts: 1387 Location: Finland
|
Vitor wrote: |
There's a world of difference between what you originally asked:
|
No, there is not. The OP needs a password for some purpose, like opening a keyring file that is not the one owned by the integration node. Or adding a password in a non-SOAP XML file. etc. And wants to know where to store it safely. He doesn't want to put it in plaintext anywhere. So he asks advice, like would it be a good idea to encrypt it and put it in a user defined configurable service. And in that case, where to put the encryption key?
And he was told to put it in LDAP and fetch it with a SecurityPEP node. But I don't think you can do it that way. |
|
fjb_saper |
Posted: Wed Dec 05, 2018 5:59 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Esa wrote: |
Vitor wrote: |
There's a world of difference between what you originally asked:
|
No, there is not. The OP needs a password for some purpose, like opening a keyring file that is not the one owned by the integration node. Or adding a password in a non-SOAP XML file. etc. And wants to know where to store it safely. He doesn't want to put it in plaintext anywhere. So he asks advice, like would it be a good idea to encrypt it and put it in a user defined configurable service. And in that case, where to put the encryption key?
And he was told to put it in LDAP and fetch it with a SecurityPEP node. But I don't think you can do it that way. |
Not quite. The OP said the reason he needed the userid pwd was to access the LDAP, to retrieve whatever he needed to retrieve from there.
We just suggested to use a PEP node to access the LDAP. I hope that the query passed to the PEP node will retrieve what he needs. |
|
Vitor |
Posted: Wed Dec 05, 2018 6:09 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Esa wrote: |
He doesn't want to put it in plaintext anywhere. So he asks advice, like would it be a good idea to encrypt it and put it in a user defined configurable service. And in that case, where to put the encryption key? |
And I told him to use the HTTPRequest node, which since v9.0.0.something does exactly what you're describing - adding credentials which are not part of the inbound message tree to the outbound request from a secure, broker maintained store.
Esa wrote: |
And he was told to put it in LDAP and fetch it with a SecurityPEP node. |
I don't think that's what he was told. That's certainly not what I was agreeing with. I thought he asked (and was answered) how to look something up from LDAP and use that as the credentials for the 3rd party service.
Esa wrote: |
But I don't think you can do it that way. |
I agree that's not the solution to the first case, but continue to assert that the HTTPRequest node is. |
|