Using the Audit Message Filter internal use policy fragment to encrypt saved request and response messages

Article ID: 42826


Products

CA API Gateway

Issue/Introduction

The CA API Gateway has a built-in feature to encrypt request and response messages that have been audited. This document will explain how to use that feature set.

Environment

Release: 10.x, 11.x
Component: APIGTW

Cause

Several compliance standards (such as PCI DSS) require that personally identifiable information be encrypted or otherwise protected. In practice this means that operators or administrators with privileged superuser access to the Gateway must not be able to read confidential data that lies outside the scope of their duties. The Gateway supports these requirements through the Audit Message Filter policy: an internal use policy, written by an administrator, that modifies audited request or response messages that may contain PII before they are saved. This policy can alter the saved messages in other ways as well, but the scope of this article is limited to encrypting the saved messages.

Resolution

Log in to the Gateway via the Policy Manager as an administrative user and select the Create Policy task. The following dialog will be presented. Select Internal Use Policy for the Policy Type and choose audit-message-filter for the Policy Tag. Name the policy as desired; the name is cosmetic, and it is the audit-message-filter tag that identifies this policy to the Gateway.



The following default policy will be created. It encrypts the entire XML message; it can be customized to encrypt only specific elements or attributes, but this article covers encrypting the entire message. Note that the (Non-SOAP) Encrypt XML Element assertion in the default policy must be modified to select a recipient certificate. The message is encrypted to the public key in that certificate, so it must be the certificate of the entity that is permitted to decrypt the saved message (that is, the entity holding the matching private key).

Select Create Policy from the tasks menu. The following dialog will be presented. Select Internal Use Policy for the Policy Type and choose audit-viewer for the Policy Tag. Name the policy as desired; as before, the name is cosmetic and the tag is what identifies the policy.


The following default policy will be created. It decrypts the entire XML message; it can be customized to decrypt only specific elements or attributes, but this article covers decrypting the entire message. Note that the message was encrypted to the recipient certificate selected in the audit-message-filter policy, so the private key matching that certificate must be stored in the Gateway's key store (Manage Private Keys). If that private key is not present, the Gateway cannot decrypt the message and the audit viewer policy will fail.
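The two policies depend on one relationship: the audit-message-filter policy encrypts to a recipient certificate, and the audit-viewer policy can only decrypt if the private key behind that certificate is available in the key store. The following shell script is an added example, not code from this article or from the Gateway product. It uses openssl CMS as a stand-in for the Gateway's XML Encryption to show that relationship, including the check a practitioner should run before selecting a recipient certificate (does the private key you intend to load into Manage Private Keys actually match that certificate?) and the failure mode when the wrong key is used. The working directory, key and certificate names, and the sample request message are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not from the article and not the Gateway's own policy language.
# openssl CMS stands in for the Gateway's XML Encryption. All paths, names and
# the sample message below are assumptions made for this demonstration.
set -e
WORK=$(mktemp -d)

# Constructed sample of a saved request message that contains PII.
cat > "$WORK/request.xml" <<'EOF'
<order><card>4111111111111111</card><customer>Jane Doe</customer></order>
EOF

# Create a self-signed certificate and private key named $1 under $WORK.
gen_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Check that certificate $1 and private key $2 carry the same public key.
# Run this before pointing the Encrypt XML Element assertion at a certificate:
# the private key loaded into Manage Private Keys must be the one behind that
# certificate, otherwise the audit-viewer policy cannot decrypt anything.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Encrypt the saved message to recipient certificate $1 (audit-message-filter).
encrypt_for() {
  openssl cms -encrypt -binary -aes256 -outform PEM \
    -in "$WORK/request.xml" -out "$WORK/audit.pem" "$1"
}

# Decrypt the saved message with private key $1 (audit-viewer). Prints the
# plaintext on success; returns non-zero when the key does not match.
decrypt_with() {
  openssl cms -decrypt -inform PEM -in "$WORK/audit.pem" -inkey "$1" 2>/dev/null
}

# Does the encrypted audit record still expose the card number in the clear?
ciphertext_leaks_pii() {
  grep -q 4111111111111111 "$WORK/audit.pem"
}

demo() {
  gen_pair viewer   # key pair whose certificate is selected as the recipient
  gen_pair other    # an unrelated key, e.g. from a different Gateway key store
  key_matches_cert "$WORK/viewer.crt" "$WORK/viewer.key" && echo "viewer key matches viewer cert"
  key_matches_cert "$WORK/viewer.crt" "$WORK/other.key" || echo "other key does NOT match viewer cert"
  encrypt_for "$WORK/viewer.crt"
  ciphertext_leaks_pii || echo "card number is not visible in the saved record"
  echo "decrypting with the matching key:"
  decrypt_with "$WORK/viewer.key"
  decrypt_with "$WORK/other.key" || echo "decrypting with the wrong key fails (the audit-viewer policy would fail)"
}
demo
```

The same pairing check can be done against a real recipient certificate exported from the Gateway and the private key you plan to import: if the two public keys printed by `openssl x509 -pubkey` and `openssl pkey -pubout` differ, the audit-viewer policy will not be able to decrypt records encrypted to that certificate.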


An example audit record for a request whose request message was audited is displayed below. Note that the Invoke Audit Viewer Policy button is disabled.


Invocation of the audit viewer policy is not permitted by default, even for administrative users. The Invoke Audit Viewer Policy role must be manually assigned to each individual user or group that is permitted to view decrypted audit messages. An example role assignment is displayed below. See the Policy Manager User Manual for details on adding users or groups to existing roles.

Once a user or group has been added to that role, the Invoke Audit Viewer Policy button is enabled for that user. The user must be logged in to the Policy Manager as an authorized user in order to invoke the audit viewer policy.

Attachments

1558722703481000042826_sktwi1f5rjvs16wkh.jpeg
1558722701670000042826_sktwi1f5rjvs16wkg.jpeg
1558722699949000042826_sktwi1f5rjvs16wkf.jpeg
1558722697965000042826_sktwi1f5rjvs16wke.jpeg
1558534505976TEC0000001360.zip