The CA API Gateway has a built-in feature to encrypt request and response messages that have been audited. This document will explain how to use that feature set.
Several security standards (such as PCI-DSS) require that personally identifiable information (PII) be encrypted or otherwise secured, so that operators or administrators with privileged superuser access cannot see confidential data outside the scope of their privileges. The Gateway supports these standards through its Audit Message Filter policy, with which an administrator can modify any audited request or response message that may contain PII. This policy can alter the saved messages in many other ways, but this article focuses on encrypting the saved messages.
Log in to the Gateway via the Policy Manager as an administrative user and select the Create Policy task. The following dialog will be presented. Select Internal User Policy for the Policy Type and choose audit-message-filter for the Policy Tag. Name the policy as desired; the name is cosmetic.
The following default policy will be created. It encrypts the entire XML message; the policy can be customized to encrypt specific elements or attributes, but this article focuses on encrypting the entire message. Note that the (Non-SOAP) Encrypt XML Element assertion must be modified to select a recipient certificate. This must be the certificate of the entity that will decrypt the message, since only the holder of the matching private key can read the saved audit record.
An example request whose request message was being audited is displayed below. Note that the Invoke Audit Viewer Policy button is disabled.
Invocation of the audit viewer policy is not permitted by default, even for administrative users. The Invoke Audit Viewer Policy role must be manually assigned to each individual user or group that is permitted to view unencrypted audit messages. An example role assignment is displayed below. See the Policy Manager User Manual for details on adding users or groups to existing roles.
Once a user or group is added to the following role, the Invoke Audit Viewer Policy button is enabled for that user. The user must be logged in to the Policy Manager in order to invoke the audit viewer policy.
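The following Go program is an added illustration of the property the audit message filter and the audit viewer role provide together; it is not the Gateway's own code and does not reproduce its W3C XML Encryption format. It hybrid-encrypts a whole audited XML message under a recipient public key (standing in for the recipient certificate chosen in the Encrypt XML Element assertion), shows that the persisted record carries no plaintext PII, decrypts it with the recipient's private key as an authorized audit viewer would, and shows that a holder of any other key gets nothing. The element names, the key identifier, the constructed sample message and the AES-256-GCM plus RSA-OAEP choice are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// EncryptedAuditRecord models what an encrypting audit filter leaves in the
// audit store: ciphertext plus a content key wrapped for the recipient's
// public key. Illustrative structure only, not the Gateway's real format.
type EncryptedAuditRecord struct {
	XMLName      xml.Name `xml:"EncryptedAuditRecord"`
	RecipientKID string   `xml:"RecipientKeyID"`
	WrappedKey   string   `xml:"WrappedKey"`
	Nonce        string   `xml:"Nonce"`
	CipherText   string   `xml:"CipherData"`
}

// EncryptForRecipient plays the role of the Encrypt XML Element step: the
// whole audited message is encrypted so that only the holder of the
// recipient's private key can read it.
func EncryptForRecipient(message []byte, recipient *rsa.PublicKey, keyID string) (*EncryptedAuditRecord, error) {
	contentKey := make([]byte, 32) // fresh AES-256 content key per record
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The recipient key id is bound as associated data (and OAEP label), so a
	// stored record cannot be re-pointed at a different recipient unnoticed.
	ct := gcm.Seal(nil, nonce, message, []byte(keyID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contentKey, []byte(keyID))
	if err != nil {
		return nil, err
	}
	enc := base64.StdEncoding.EncodeToString
	return &EncryptedAuditRecord{RecipientKID: keyID, WrappedKey: enc(wrapped), Nonce: enc(nonce), CipherText: enc(ct)}, nil
}

// DecryptAuditRecord is what an authorized audit viewer does with the
// recipient's private key. A database administrator or operator without that
// key (no Invoke Audit Viewer Policy role) only ever sees ciphertext.
func DecryptAuditRecord(rec *EncryptedAuditRecord, priv *rsa.PrivateKey) ([]byte, error) {
	dec := base64.StdEncoding.DecodeString
	wrapped, err1 := dec(rec.WrappedKey)
	nonce, err2 := dec(rec.Nonce)
	ct, err3 := dec(rec.CipherText)
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(rec.RecipientKID))
	if err != nil {
		return nil, errors.New("not the intended recipient: cannot unwrap content key")
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, []byte(rec.RecipientKID))
}

// ContainsPlaintext is the check a reviewer runs over the persisted record:
// a PII value from the original message must not appear in it anywhere.
func ContainsPlaintext(rec *EncryptedAuditRecord, pii string) bool {
	out, _ := xml.Marshal(rec)
	return strings.Contains(string(out), pii)
}

// SampleAuditedMessage is a constructed request carrying PII (test PAN).
const SampleAuditedMessage = `<payment><cardholder>Jane Doe</cardholder><pan>4111111111111111</pan></payment>`

func main() {
	recipientKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the recipient certificate
	rec, err := EncryptForRecipient([]byte(SampleAuditedMessage), &recipientKey.PublicKey, "audit-viewer-cert")
	if err != nil {
		panic(err)
	}
	stored, _ := xml.MarshalIndent(rec, "", "  ")
	fmt.Println(string(stored))
	fmt.Println("PAN visible in stored record:", ContainsPlaintext(rec, "4111111111111111"))
	plain, _ := DecryptAuditRecord(rec, recipientKey)
	fmt.Println("decrypted by audit viewer:", string(plain))
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a privileged operator's unrelated key
	_, err = DecryptAuditRecord(rec, otherKey)
	fmt.Println("operator without recipient key:", err)
}
```

The point to take from the round trip is the separation of duties the article describes: encrypting at audit time is what keeps PII out of reach of anyone who can read the audit store, and the recipient certificate (together with the viewer role that gates the decrypting policy) is what decides who can ever see it again. Choose a certificate whose private key is held only by the people who should hold the Invoke Audit Viewer Policy role.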