cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SIC Password and API keys are stored in a plain text file

Go to solution
Vidyak
New Contributor II

‎04-21-2023 05:37 PM

Hi 

We are evaluating the SIC tool for integration and noticed that API keys and DB passwords are stored unencrypted in plain text files. This is becoming a huge security concern as this way of storing credentials is going to case sensitive data leaks. Not sure if this is already identified by any other client and if it is in the roadmap of fixes? Did any of the clients report this issue?

Thanks

Vidya Kadiyala

CN Rail

Labels:
2 ACCEPTED SOLUTIONS

Go to solution
Ryan_Berry
New Contributor III
In response to mithun_laha

Tuesday

Hello @mithun_laha ,

   Can you provide a brief example of what calls you're making in your code?  Is it the remote BR that is returning this failure?  

View solution in original post

Go to solution
Nikpowar97
Contributor
In response to mithun_laha

Tuesday

Hey @mithun_laha ,

Did u set up WinSCP to connect to the SFTP server on the client environment where the SFTP server can be accessed remotely on the OS Cloud App?

you might have created a Direct Connection with your SFTP details like port number and host name to access the Smart Integration Connecter page. (System Pane)
u are using the Smart integration function to get stored information like SFTP password, user name, etc.
using the ApiLibrary.GetSmartIntegrationConfigValue("Key as String to get the password value").

and u are using a  BRApi.Utilities.ExecRemoteGatewayBusinessRule to retrieve the results.
As per my understanding,

A database connection additionally with the Direct connection needs to setup to connect OS Cloud app Client Environment.If you notice and try to compile your smart integration function. it will ask for a database gateway connection to compile your code.
In your 
BRApi.Utilities.ExecRemoteGatewayBusinessRule function u need to mention the database connection name as the remotehostname to get details from the direct connection on the remote client environment.

Dim remoteResults As RemoteRequestResultDto = BRApi.Utilities.ExecRemoteGatewayBusinessRule(si,smartintegrationBRName,Nothing,database connection gateway name, function name in Smart integration Function BR name,String.Empty,False,600)

If you have followed these steps and still facing an issue please check by hardcoding the credentials in the WinSCP session in your extensibility rules to check your connection. (I hope u have used the WinSCP.dll in the referenced assemblies). OR if you have issues connecting with the Smart integration function please check the SIC logs.

I am not an expert at this but I have connected to Amazon S3 using a direct connection before. a similar approach should work here.







View solution in original post

0 Kudos
11 REPLIES 11

Go to solution
JackLacava
Honored Contributor

‎04-24-2023 05:48 AM

The Smart Integration Connector is very new, some things might be a bit undocumented.

In this particular case, I suspect that the team meant for something like classic .Net .config encryption  to be used on your server, but I would strongly encourage you to contact Support and/or file an enhancement on IdeaStream.

0 Kudos

Go to solution
Nikpowar97
Contributor

‎05-19-2023 01:44 PM - edited ‎06-12-2023 02:35 AM

NOTE: The solution below is as per my understanding and knowledge trough documentations provided. The information may not be 100% correct. So, please reach out to OS if needed. 

I think the credentials can be stored inside the SIC local gateway settings as a key value pair. The setting name(key) can be passed in a Smart Integration functions (OS version 7.4.1) BR and to retrieve the setting value(value). 

Let's same setting name = Password

Setting value = "Password@123"

Nikpowar97_0-1684517467471.png

Smart Integration Functions ( Applications> Tools>Business Rules> Smart Integration function)

(Compile the BR by choosing the gateway) - SIC guide has similar rule in C#

Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.Common
Imports System.Globalization
Imports System.IO
Imports System.Linq
Namespace OneStream.BusinessRule.SmartIntegrationFunction.GetPassword
Public Class MainClass
Public Shared Function RunOperation() As String
Dim password As String = OneStreamgatewayservice.APIlibrary.getsmartintegrationconfigvalue("Password")
Return password
End Function
End Class
End Namespace

Once this is done the same function can be called inside any BR (Example a connecter rule to password in the Uri of API endpoint ) using newly introduced Remote Brapis.

Nikpowar97_1-1684517842228.png

Here in case highlighed in blue: 

Dim objRemoteRequestResultDto As RemoteRequestResultDto = BRApi.Utilities.ExecRemoteGatewayBusinessRule(si, brName, functionArguments, remoteHost, functionName)

 

Pass the Smart integration function here and rest of the code can be reference through the SIC guide.

However, I think the password can still be error-logged. (Just a conjecture).

Alternatively we can store password in a Transformations lookup and restrict access to specific user group. 

the same can be retrieved using,

Dim sValue As String = BRApi.Utilities.TransformText(si, sourceText, transformationLookupGroup, usePassThroughIfLookupNotFound)

 

or Use Brapi.Utilities.EncryptText (please check the exact Package) to encrypt. Log it using Brapi.Errorlog.logmessage to get the encrypted text. use t Brapi.Utilities.DecryptText to pass the encrypted text.

 

Go to solution
Mark_vB
New Contributor

‎06-26-2023 07:42 AM

The one way to overcome this is to give a domain account access to the DB and then run the "OneStream Smart Integration Connector Gateway" service using the same domain account. You can then leave the user credentials out of the connection string.

0 Kudos

Go to solution
Ryan_Berry
New Contributor III
In response to Mark_vB

‎08-04-2023 09:47 AM

This is in fact a supported scenario to help with this situation.  The option for the connection string you would use is called 'integrated security' and would allow the user-account the SIC service is running under to be used as the credential.

 

This unfortunately isn't supported by all database providers such as AS400 connections.  This has always been something we have thought about but were not sure the best approach that would be acceptable by customers.  For instance, encrypting the contents of a database connection string would require some sort of key also be stored to 'unencrypt' the contents.  The challenge here is that while the database credentials would be encrypted, keys that are needed to decrypt would also need to be stored someplace such as the config file.   Alternatively, if we were to store these credentials inside a key vault, we would need to store credentials for that in some location which could also defeat the purpose.  

 

Would it be acceptable to have one side of the encryption key stored inside the SIC configuration file that we would then use to encrypt/decrypt the credentials stored?  This path seems to be the best approach, but still involves some level of data leakage with respect to the actual key used to decrypt also being stored.  I'm curious about the community's feedback as we work to enhance and refine the SIC capabilities.  Thanks in advance!

0 Kudos

Go to solution
Grant
New Contributor

‎08-21-2023 01:03 AM

Our client is wanting to use a Windows Service account for SQL database access in which case relying on SQL integrated security will be the only option. For the integrated security to work though does the Service account have to be logged into the SIC Local Gateway server or can you just run the OneStream SIC service as the Service user?

0 Kudos

Go to solution
Ryan_Berry
New Contributor III
In response to Grant

‎08-21-2023 08:15 AM

You can simply run the windows service under an appropriate active directory user account and any connection to a relational database with a connection string using integrated or trusted security.  

Here's an example sql server connection string you would use after setting up the service to run under a specific user

Server=myServerAddress;Database=myDataBase;Trusted_Connection=True

 

This is a supported approach to authenticating to data sources with sic. 

 

Go to solution
mithun_laha
New Contributor III

Tuesday

I am trying to connect in SFTP. I did create a smart integration function and calling it from extensibility rules but getting the issue as HostName is not set. ObjectResultValue is null or empty. 

0 Kudos

Go to solution
Ryan_Berry
New Contributor III
In response to mithun_laha

Tuesday

Hello @mithun_laha ,

   Can you provide a brief example of what calls you're making in your code?  Is it the remote BR that is returning this failure?  

Go to solution
Nikpowar97
Contributor
In response to mithun_laha

Tuesday

Hey @mithun_laha ,

Did u set up WinSCP to connect to the SFTP server on the client environment where the SFTP server can be accessed remotely on the OS Cloud App?

you might have created a Direct Connection with your SFTP details like port number and host name to access the Smart Integration Connecter page. (System Pane)
u are using the Smart integration function to get stored information like SFTP password, user name, etc.
using the ApiLibrary.GetSmartIntegrationConfigValue("Key as String to get the password value").

and u are using a  BRApi.Utilities.ExecRemoteGatewayBusinessRule to retrieve the results.
As per my understanding,

A database connection additionally with the Direct connection needs to setup to connect OS Cloud app Client Environment.If you notice and try to compile your smart integration function. it will ask for a database gateway connection to compile your code.
In your 
BRApi.Utilities.ExecRemoteGatewayBusinessRule function u need to mention the database connection name as the remotehostname to get details from the direct connection on the remote client environment.

Dim remoteResults As RemoteRequestResultDto = BRApi.Utilities.ExecRemoteGatewayBusinessRule(si,smartintegrationBRName,Nothing,database connection gateway name, function name in Smart integration Function BR name,String.Empty,False,600)

If you have followed these steps and still facing an issue please check by hardcoding the credentials in the WinSCP session in your extensibility rules to check your connection. (I hope u have used the WinSCP.dll in the referenced assemblies). OR if you have issues connecting with the Smart integration function please check the SIC logs.

I am not an expert at this but I have connected to Amazon S3 using a direct connection before. a similar approach should work here.







0 Kudos

Go to solution
mithun_laha
New Contributor III
In response to Nikpowar97

Tuesday

Hello,

Your assumption is correct. I am using SFTP with WinScp. I have a existing database connection in SIC. Can I use that in BRApi.Utilities.ExecRemoteGatewayBusinessRule

0 Kudos

Go to solution
mithun_laha
New Contributor III

Tuesday

I am not sure if the remote BR is giving issue.  I tried print the output of the remote BR but didn't get anything. 

0 Kudos
Please sign in! Vidyak
Community Resources
Training and Documentation
Additional Resources