Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

RTC Restful API: How to encrypt password ?

Questions
Tags
Users
Badges
Leonardo Marzo
(24964852) May 06 '13, 12:29 p.m.
 Hi, 

I´m creating some scripts in Perl that uses the RTC Restful API. I´m using this service to authenticate against RTC: https://myRtcServer:9443/jazz/authenticated/identity

My problem is that I don't want to send the password explicitly. Is it possible send an encrypted password instead? 

I would appreciate your help. 


Thanks,

1 vote

2 answers
9,254 views
1 vote

2 answers

Permanent link
sam detweiler
(12.5k6195201) May 06 '13, 12:39 p.m.
long as its over the https:// connection, all data is encrypted..

0 votes

Comments
Leonardo Marzo
May 06 '13, 3:11 p.m.

Maybe I didn't explain it properly.

Currently, my password is 'harcoded' in the script, and many users have access to it. I was looking for something similar to how the JBE works, you provide a file with the encrypted password.

I though there was a way to send the password encrypted and the the RTC server decode it properly.

Kevin Ramer
May 06 '13, 3:31 p.m.

The thing is if users have access to read/execute the script (i.e by login to the machine that stores the script), they will also have access to any methodolody you embed into the logic of encoding/decoding the credentials. 




scott herzinger
Oct 29 '13, 2:23 p.m.

We have the same need. Just posted my own question before seeing this one. It seems like a valid need, to manage authentication credentials securely, regardless of whether we're using REST directly, or through the CLI.  The scm CLI implements the needed functionality, it's just that some of us would like to use it for our own tools and utilities.

Permanent link
Oliver Siebenmarck
(1111) Oct 30 '13, 12:28 p.m.
As Kevin explained, everyone who has read/write access to the script could modify it to do whatever he likes, so hiding or encrypting the password is usually of limited use.

Still, if you want a script that is able to make authenticated REST-API calls without containing the password, there is actually to do this, albeit not elegantly.

Jazz usually tracks authenticated users via a cookie so that you do not have to send username and password with each request. If you use a secure script that takes care of authentication and then places the cookie data in a location where it can be read by your other scripts, you wouldn't need to include the password in all of your Perl scripts. Provided of course someone ran the authentication script first. 

From a security standpoint this is not really a better solution, but it might work in your context. Keep in mind though, that anyone who has access to your Perl scripts would also be able to read your login cookie and do whatever they like as an authenticated user.

Hope that helps.

0 votes

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 10,951
× 481
× 18

Question asked: May 06 '13, 12:29 p.m.

Question was seen: 9,254 times

Last updated: Oct 30 '13, 12:28 p.m.

Confirmation Cancel Confirm