Question
· Feb 23, 2023

Securely storing credentials for external systems used in a production

Hello,

I need a way to securely store credentials in IRIS that are used to access third-party APIs. These credentials include different clientId/secret pairs that I don't want to expose. While I know that it's possible to define Production Credentials in Ens.Config.Credentials, I understand that they are stored in plain text.

Does anyone have an idea of how to securely store credentials in IRIS? For your information, I am using IRIS with docker-compose and I am wondering if using HashiCorp Vault together with IRIS could be the solution. Has anyone used Vault before with their IRIS installations? If yes, could you provide an example of how to use Vault and how to programmatically access secrets stored in Vault via IRIS?

Any ideas?

Best regards, Kari


Hi Kari,

This really depends on the authentication options of the 3rd-party API.

If the 3rd-party API only accepts e.g. username/passwords, then it will never be more secure even if you use a password vault, as the password needs to be cleartext to be provided to the 3rd party.

Different story if the API accepts e.g. OAuth-based keys/hashes.
Refer to: OAuth 2.0 Client | InterSystems IRIS Data Platform 2022.3

Best Regards

Timo