Technical Blog Post
Abstract
Deep dive into revealObscured xpath API, UsingRevealedPasswd, UsingObscuredPasswd and their usage with protocol services
Body
IBM Sterling B2B Integrator (SB2Bi) Administrators and users do not want to hardcode values for few service parameters (passwords etc) in Business Process (BP) definitions or do not want expose in ProcessData of workflows. Obscure Data - Process Data Valuesservice can be used in such scenarios. Obscure Data - Process Data Values service holds up to five pre-configured parameter name-value pairs into process data (name can be any valid text and value is actual value that you do not want to expose in ProcessData). The values associated with each of the parameter names are masked by replacing the original content with a jumbled (obscure) text. The main purpose of this service is to help restrict access to sensitive data in process data of workflows.
Documentation link to IBM Sterling Integrator's Obscure Data - Process Data Valuesservice - Click Here
This blog is more of educational blog and make users familiar with Obscure Data - Process Data Valuesservice and how can this be integrated with protocol Begin Session services (FTP, SFTP, HTTP, C:D).
Example
An example Service instance with 3 parameters (name=value) as shown below.
(DemoHost=1.2.3.45, DemoPassword=ibmsterling, DemoWelcome=Hello How Are You?)
Here is a sample BP that has above service instance "ObscureDemo" and 2 Assign services. One for obtaining obscure values and other for clear text value.
Values stored in Obscure Data - Process Data Values service through parameter names can be accessed in BPs using
1. Regular XPATH. Output would be obscured text e.g., <path to xml node in ProcessData produced from this service>/text()
2. revealObscured XPATH function. Output would be unobscured clear/plain text. e.g., revealObscured(<path to xml node in ProcessData produced from service>)
| <process name="IBM.KK.DemoObscure"> <sequence name="demo"> <operation name="Obscure Data"> <participant name="ObscureDemo"/> <output message="outmsg"> <assign to="." from="*"></assign> </output> <input message="inmsg"> <assign to="ObsResult" from="*"></assign> </input> </operation> <operation name="Assign Service1"> <participant name="AssignService"/> <output message="AssignServiceTypeInputMessage"> <assign to="ObscureHost1" from="ObsResult/DemoHost/text()"/> <assign to="ObscurePassword1" from="ObsResult/DemoPassword/text()"/> <assign to="ObscureWelcomeMsg1" from="/ProcessData/ObsResult/DemoWelcome/text()"/> </output> <input message="in"> <assign to="." from="*"></assign> </input> </operation> <operation name="Assign Service2"> <participant name="AssignService"/> <output message="AssignServiceTypeInputMessage"> <assign to="revealHost2" from="revealObscured(/ProcessData/ObsResult/DemoHost)"/> <assign to="revealPassword2" from="revealObscured(/ProcessData/ObsResult/DemoPassword)"/> <assign to="revealWelcomeMsg2" from="revealObscured(/ProcessData/ObsResult/DemoWelcome)"/> </output> <input message="in"> <assign to="." from="*"></assign> </input> </operation> </sequence> </process> |
ProcessData from execution of businessprocess.
- name=value configurations are loaded into ProcessData with name being xml node-name and value being obscured text for the value.
- Output correspond to revealObscured XPATH calls are in clear-text.
Integrating service with Protocol services
The above example is just for introductory purpose to explain how to have clear and obscure values from the service. Now I am going to integrate this service with SFTP Client Begin Session service to provide much more meaningful use case.
Sample SFTP Client Begin Session Service snippets from SB2Bi fixpack 5.2.5.0 are given below. SFTPClientObscure is an instance of Obscure Data - Process Data Valuesservice created with 2 parameters (admin=password, steringuser=password). All these SFTP Begin Session samples are working example configurations.
<operation name="Obscure Password"> <!-- 1. UsingRevealedPasswd is set to true.--> <!-- 2. UsingRevealedPasswd is set to true.--> <!-- 3. UsingRevealedPasswd is set to true.--> |
Samples #1 through #3 are when passing clear-text password, but not hardcoded in BP def, to Begin Session service. But #4 is passing obscure password and so is not printed in ProcessData.
Few important points to be aware of from these samples.
- For the password to be masked/obscured in process data, the Obscure Data - Process Data Values service must also be used in the same business process.
- revealObscured XPATH api needs an xml node name that is produced from Obscure Data - Process Data Values service. But it need not match with RemoteUserId. #2 is good example. revealObscured is used with sterlinguser parameter when RemoteUserId=admin.
- When using obscure password like in #4, xpath used for RemotePasswd should refer to RemoteUserId. That means, The name used to store the password must be the same as the specified RemoteUserId.
- "UsingRevealedPasswd" is the flag that decides how service has to read "RemotePasswd" configuration Regular XPATH expression vs revealObscured XPATH function.
Note - #3 is good example for scenarios when userId is not known upfront but being pulled dynamically (say, load profiles from code lists) to pass to Business Process during execution and still want to integrate with Obscure service it's password substitution.
Following table captured different protocol services that explains how each of these services handle obscure vs clear-text passwords through what flag. Since it is NOT commonly named flag in each of the service and set of values for flag too differ, I would recommend pulling this flag and it's value using Graphical Process Modeler (GPM).
All these services work on similar lines as this SFTP example above.
| Service | Service parameter or Flag | Default value of Flag | RemotePasswd when flag=true/yes | RemotePasswd when flag=false/no |
|---|---|---|---|---|
| SFTP Client Begin Session* | UsingRevealedPasswd* | true | revealObscured(node) | node/text() |
| FTP Client Begin Session | UsingRevealedPasswd | false | revealObscured(node) | node/text() |
| HTTP Client Begin Session | UsingRevealedPasswd | false | revealObscured(node) | node/text() |
| Sterling Connect:Direct Server Begin Session | UsingObscuredPasswd | no | node/text() | revealObscured(node) |
* UsingRevealedPasswd parameter is added to SFTP Client Begin Session service in 5.2.5.0 and 5.1.0.4. Here is the link to APAR fix - http://www-01.ibm.com/support/docview.wss?uid=swg1IC83472
Feel free to post your comments and questions.I will be happy to answer.
Following are different troubleshooting articles related to this topic.
http://www-01.ibm.com/support/docview.wss?uid=swg21558688
http://www-01.ibm.com/support/docview.wss?uid=swg21643319
http://www-01.ibm.com/support/docview.wss?uid=swg21552729
UID
ibm11121661