Securely storing credentials for external systems used in a production
Hello,
I need a way to securely store credentials in IRIS that are used to access third-party APIs. These credentials include different clientId/secret pairs that I don't want to expose. While I know that it's possible to define Production Credentials in Ens.Config.Credentials, I understand that they are stored in plain text.
Does anyone have an idea of how to securely store credentials in IRIS? For your information, I am using IRIS with docker-compose and I am wondering if using HashiCorp Vault together with IRIS could be the solution. Has anyone used Vault before with their IRIS installations? If yes, could you provide an example of how to use Vault and how to programmatically access secrets stored in Vault via IRIS?
Any ideas?
Best regards, Kari
Hi Kari,
this really depends on the authentication options of the 3rd party api.
If the 3rd party api only accepts e.g. username/passwords then it will never be more secure even if you use a password vault, as the password needs to be cleartext to be provided to the 3rd party.
Different story if the api accepts e.g. OAuth based keys/hashes.
refer to: OAuth 2.0 Client | InterSystems IRIS Data Platform 2022.3
Best Regards
Timo
You can create X.509 Credential Sets in an InterSystems IRIS namespace, then access the credential set in a production.
Several pre-built adaptors like the HTTP Inbound Adapter use this approach.
Here is documentation on creating InterSystems IRIS Credential Sets
Hi @Kari Vatjus-Anttila
I was wondering if, since this question, you ended up using Vault for this purpose somehow? Or what other alternative you used?
Hi @Tani Frankel
I ended up using Data Element Encryption (https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...) together with Production Credentials to store my secrets for 3rd party APIs securely, because in my use case that was way easier than dealing with password vaults.
I encrypt my secrets using the data element encryption key I created (and activated), and then add them to Production Credentials encrypted.
When I need to use the credentials, e.g. in an HTTP Operation, I just get the credentials I want and decrypt them with the same key just before sending the request.
I implemented a simple class which handles these tasks for me so I can just call Encrypt() and Decrypt() to get my ciphertext / plaintext when needed.
Let me know if you need more assistance with this approach.
Br, Kari
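An added example of the Encrypt()/Decrypt() wrapper described in the reply above, built on IRIS Data Element Encryption around Ens.Config.Credentials. This is not Kari's class and not part of the thread; the class name, the KEYID value and the credential-set names are assumptions, and it assumes a managed encryption key has already been created and activated.

```objectscript
/// Added example (not from the thread): keep third-party secrets as ciphertext
/// in Ens.Config.Credentials and decrypt them only at the moment of use.
Class Demo.SecretStore Extends %RegisteredObject
{

/// Placeholder: replace with the ID reported by $SYSTEM.Encryption.ListEncryptionKeys().
Parameter KEYID = "REPLACE-WITH-KEY-ID";

/// Encrypt a plaintext secret and return Base64 that is safe to put in the Password field.
ClassMethod Encrypt(plaintext As %String) As %String
{
    Set cipher = $SYSTEM.Encryption.AESCBCManagedKeyEncrypt(plaintext, ..#KEYID)
    Quit $SYSTEM.Encryption.Base64Encode(cipher)
}

/// Decrypt Base64 produced by Encrypt(); the key ID is embedded in the managed-key ciphertext.
ClassMethod Decrypt(encoded As %String) As %String
{
    Set cipher = $SYSTEM.Encryption.Base64Decode(encoded)
    Quit $SYSTEM.Encryption.AESCBCManagedKeyDecrypt(cipher)
}

/// Store a clientId/secret pair as a credential set; only the ciphertext reaches the database.
ClassMethod Store(name As %String, clientId As %String, secret As %String) As %Status
{
    Set cred = ##class(Ens.Config.Credentials).%OpenId(name)
    If '$IsObject(cred) {
        Set cred = ##class(Ens.Config.Credentials).%New()
        Set cred.SystemName = name
    }
    Set cred.Username = clientId
    Set cred.Password = ..Encrypt(secret)
    Quit cred.%Save()
}

/// Load the pair and decrypt the secret just before a request is sent (e.g. from an HTTP Operation).
ClassMethod Load(name As %String, Output clientId As %String, Output secret As %String) As %Status
{
    Set cred = ##class(Ens.Config.Credentials).%OpenId(name)
    If '$IsObject(cred) Quit $$$ERROR($$$GeneralError, "credential set not found: "_name)
    Set clientId = cred.Username
    Set secret = ..Decrypt(cred.Password)
    Quit $$$OK
}

}
```

Decryption fails with an error rather than returning garbage if the key is not activated in the instance, so an HTTP Operation calling Load() should check the returned status before using the secret.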
Thank you Kari
I guess with a custom approach, you could also utilize for example the Vault REST API and use that when you want to access these kinds of credentials.