
SOAP API - handle encrypted values

Open StavrevaS opened this issue 8 years ago • 0 comments

The UDA and parameter values are not encrypted on the SOAP API.

The following web methods may deal with passwords.

Custom attributes

- AccountService.getUdas()
- AccountService.getUdasForCustomer()
- AccountService.saveUdas()
- AccountService.getUdaDefinitions()
- AccountService.getUdaDefinitionsForCustomer()
- AccountService.saveUdaDefinitions()

- SubscriptionService.subscribeToService()
- SubscriptionService.modifySubscription()
- SubscriptionService.upgradeSubscription()

Service Parameters

- SubscriptionService.subscribeToService()
- SubscriptionService.modifySubscription()
- SubscriptionService.upgradeSubscription()
- NotificationService.onModifySubscription()
- NotificationService.onSubscriptionModification()
- ServiceProvisioningService.createService()
- ServiceProvisioningService.activateService()
- ServiceProvisioningService.suspendService()
- ......

and a lot more methods that return the VOService object, which contains a list of VOParameter with potential password parameters.

Possible solutions:

  1. Accept the password in clear text as input, encrypt it and save it in the database. Always return some password pattern (e.g. *****) as the return value for passwords. This pattern cannot be used as a valid password value by create/update operations.

  2. Implement a sophisticated solution with asymmetric cryptography (there is already a separate issue #419). The OSCM can encrypt the passwords using its own key, and only the client with the corresponding public key can decrypt.

StavrevaS, Nov 17 '16 12:11