Forum Discussion
Vidyak
3 years ago
New Contributor II
SIC Password and API keys are stored in a plain text file
Hi, we are evaluating the SIC tool for integration and noticed that API keys and DB passwords are stored unencrypted in plain text files. This is becoming a huge security concern as this way of stor...
- 1 year ago
Hello mithun_laha,
Can you provide a brief example of what calls you're making in your code? Is it the remote BR that is returning this failure?
- 1 year ago
Hey mithun_laha,
Did you set up WinSCP to connect to the SFTP server on the client environment where the SFTP server can be accessed remotely on the OS Cloud App?
You might have created a Direct Connection with your SFTP details like port number and host name to access the Smart Integration Connector page (System Pane).
You are using the Smart Integration function to get stored information like SFTP password, user name, etc.,
using the ApiLibrary.GetSmartIntegrationConfigValue("Key as String to get the password value"),
and you are using a BRApi.Utilities.ExecRemoteGatewayBusinessRule to retrieve the results.
As per my understanding, a database connection, in addition to the Direct Connection, needs to be set up to connect to the OS Cloud app client environment. If you try to compile your Smart Integration function, it will ask for a database gateway connection to compile your code.
In your BRApi.Utilities.ExecRemoteGatewayBusinessRule function you need to mention the database connection name as the remotehostname to get details from the direct connection on the remote client environment.
Dim remoteResults As RemoteRequestResultDto = BRApi.Utilities.ExecRemoteGatewayBusinessRule(si,smartintegrationBRName,Nothing,database connection gateway name, function name in Smart integration Function BR name,String.Empty,False,600)
If you have followed these steps and are still facing an issue, please check by hardcoding the credentials in the WinSCP session in your extensibility rules to check your connection. (I hope you have used the WinSCP.dll in the referenced assemblies.) Or, if you have issues connecting with the Smart Integration function, please check the SIC logs.
I am not an expert at this but I have connected to Amazon S3 using a direct connection before. A similar approach should work here.
Mark_vB
3 years ago
New Contributor II
The one way to overcome this is to give a domain account access to the DB and then run the "OneStream Smart Integration Connector Gateway" service using the same domain account. You can then leave the user credentials out of the connection string.
- Ryan_Berry 2 years ago
OneStream Employee
This is in fact a supported scenario to help with this situation. The option for the connection string you would use is called 'integrated security' and would allow the user-account the SIC service is running under to be used as the credential.
This unfortunately isn't supported by all database providers such as AS400 connections. This has always been something we have thought about, but we were not sure of the best approach that would be acceptable to customers. For instance, encrypting the contents of a database connection string would require some sort of key also be stored to 'unencrypt' the contents. The challenge here is that while the database credentials would be encrypted, keys that are needed to decrypt would also need to be stored someplace such as the config file. Alternatively, if we were to store these credentials inside a key vault, we would need to store credentials for that in some location which could also defeat the purpose.
Would it be acceptable to have one side of the encryption key stored inside the SIC configuration file that we would then use to encrypt/decrypt the credentials stored? This path seems to be the best approach, but still involves some level of data leakage with respect to the actual key used to decrypt also being stored. I'm curious about the community's feedback as we work to enhance and refine the SIC capabilities. Thanks in advance!
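Added example, not part of the thread and not OneStream code: a small Python audit that classifies connection strings by whether they carry an embedded password or rely on the 'integrated security' option described above, and redacts secrets before anything is logged. The keyword names follow SQL Server-style connection strings; the sample strings, host names and account names are constructed, and the SIC configuration file layout is not assumed.

```python
# Added example: audit connection strings for embedded secrets.
# Assumption: SQL Server-style keywords; other providers use different names.
# Limitation: values that themselves contain ';' are not handled.
SECRET_KEYS = {"password", "pwd"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
INTEGRATED_VALUES = {"true", "yes", "sspi"}


def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn_str.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip().strip("'\"")
    return pairs


def audit(conn_str):
    """Classify one connection string by how it authenticates."""
    pairs = parse_connection_string(conn_str)
    integrated = any(
        pairs.get(k, "").lower() in INTEGRATED_VALUES for k in INTEGRATED_KEYS
    )
    has_secret = any(pairs.get(k) for k in SECRET_KEYS)
    if has_secret and integrated:
        return "leftover-secret"  # password still sits in the file
    if has_secret:
        return "embedded-secret"
    return "integrated" if integrated else "no-credentials"


def redact(conn_str):
    """Mask secret values so findings can be logged without leaking them."""
    out = []
    for part in conn_str.split(";"):
        key, sep, _ = part.partition("=")
        if sep and key.strip().lower() in SECRET_KEYS:
            part = key + "=***"
        out.append(part)
    return ";".join(out)


# Constructed sample inputs (not taken from any real configuration).
SAMPLES = {
    "password": "Server=db01.example.internal;Database=Finance;User ID=svc_sic;Password=ExamplePassw0rd",
    "integrated": "Server=db01.example.internal;Database=Finance;Integrated Security=SSPI",
    "leftover": "Server=db01.example.internal;Database=Finance;Trusted_Connection=yes;Pwd=ExamplePassw0rd",
}

if __name__ == "__main__":
    for name, cs in SAMPLES.items():
        print(f"{name}: {audit(cs)} -> {redact(cs)}")
```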