Blocking the retrieval of credentials stored in IBM ACE vaults
In this blog post, we look at how to block the retrieval of credentials stored in IBM ACE vaults by creating the vault with the --vault-options no-export parameter.
Introduction
The --vault-options no-export parameter, introduced in ACE 12.0.12.0, is a significant enhancement to the App Connect Enterprise (ACE) vault technology. It addresses a specific exposure: previously, a product administrator with local command console access and possession of the vault key could retrieve named records from the vault and display them in clear text on the screen by running the mqsivault command with the --decode parameter.
When --vault-options no-export is specified at vault creation, the vault refuses --decode requests. Credentials can still be stored in the vault and remain available to the integration server at run time, but nobody, not even a holder of the vault key, can read them back through the command line. This gives administrators finer control over who can view credentials, and aligns ACE environments with the usual practice of making stored secrets write-only for operators.
Vault configuration:
Create an external directory vault
An external directory vault can be used by an integration node or by an independent integration server. The command below creates one with no-export set. The option is given at creation time and applies to every credential that is later stored in the vault. The vault key used here is storevault.
mqsivault --ext-vault-dir C:\Users\user\IBM\ACET12\workspace12.0.12\TEST_EXT_DIR_VAULT3 --ext-vault-key storevault --create --vault-options no-export
Command to add a credential to the external directory vault
mqsicredentials allows us to store ODBC, SMTP, FTP, and SFTP credentials, among other types. Note that the password is passed on the command line, so it will appear in the shell history and in process listings while the command runs; clear the history or use a non-logging session when storing real credentials.
mqsicredentials --ext-vault-dir C:\Users\user\IBM\ACET12\workspace12.0.12\TEST_EXT_DIR_VAULT3 --ext-vault-key storevault --create --credential-type odbc --credential-name test --username system --password xxxx78
Retrieve credentials:
The command below would normally decode the named record from the external directory vault and display the stored credential. Because this vault was created with --vault-options no-export, the command fails instead and the credential is not displayed, even though the correct vault key is supplied.
mqsivault --ext-vault-dir C:\Users\user\IBM\ACET12\workspace12.0.12\TEST_EXT_DIR_VAULT3 --ext-vault-key storevault --decode credentials/odbc/test
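The three steps above, create the vault, store a credential, and confirm that --decode is refused, can be wrapped in a small script and used as a post-provisioning check. The script below is an added example written for this post; it is not IBM code and not part of the original post. It assumes that mqsiprofile has been sourced so that mqsivault and mqsicredentials are on the PATH, that a Linux-style vault directory is used instead of the Windows path shown above, and that mqsivault exits with a non-zero status when it refuses to decode a record. The MQSIVAULT and MQSICREDENTIALS variables exist only so the script can be exercised without an ACE installation; they are not ACE features.

```shell
#!/bin/sh
# Provision an IBM ACE external-directory vault with no-export set, store one
# credential, and verify that --decode is blocked.
# Assumption: mqsiprofile has been sourced (mqsivault/mqsicredentials on PATH).
# MQSIVAULT / MQSICREDENTIALS are overridable only so this script can be
# exercised without ACE installed; they are not ACE features.
MQSIVAULT="${MQSIVAULT:-mqsivault}"
MQSICREDENTIALS="${MQSICREDENTIALS:-mqsicredentials}"

# Step 1: create the vault. --vault-options no-export can only be set here,
# at creation time; it applies to every credential stored later.
# The key is passed as an argument and is therefore visible in `ps` and in
# shell history while the command runs, so run this from a controlled session.
ace_vault_create() {
    vault_dir="$1"; vault_key="$2"
    "$MQSIVAULT" --ext-vault-dir "$vault_dir" --ext-vault-key "$vault_key" \
        --create --vault-options no-export
}

# Step 2: store a credential of the given type (odbc, smtp, ftp, sftp, ...).
ace_credential_add() {
    vault_dir="$1"; vault_key="$2"; cred_type="$3"; cred_name="$4"
    user="$5"; pass="$6"
    "$MQSICREDENTIALS" --ext-vault-dir "$vault_dir" --ext-vault-key "$vault_key" \
        --create --credential-type "$cred_type" --credential-name "$cred_name" \
        --username "$user" --password "$pass"
}

# Step 3: attempt the decode the post shows and report the outcome.
# Returns 0 when --decode is refused (the expected state of a no-export vault),
# 1 when the vault still hands the secret back, 2 when the tool is not found.
# Output is discarded so that a successfully decoded password never reaches the
# terminal or a log. A wrong key or a missing record also makes mqsivault fail,
# so call this right after the credential was stored with the same key.
ace_decode_is_blocked() {
    vault_dir="$1"; vault_key="$2"; record="$3"
    command -v "$MQSIVAULT" >/dev/null 2>&1 || return 2
    if "$MQSIVAULT" --ext-vault-dir "$vault_dir" --ext-vault-key "$vault_key" \
            --decode "$record" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# The whole procedure: exit 0 only if no-export is actually enforced.
ace_noexport_check() {
    vault_dir="$1"; vault_key="$2"; db_password="$3"
    ace_vault_create "$vault_dir" "$vault_key" || return 2
    ace_credential_add "$vault_dir" "$vault_key" odbc test system "$db_password" || return 2
    if ace_decode_is_blocked "$vault_dir" "$vault_key" credentials/odbc/test; then
        echo "OK: no-export enforced, credentials/odbc/test cannot be decoded"
        return 0
    fi
    echo "FAIL: vault still exports credentials/odbc/test" >&2
    return 1
}

# Usage: sh ace_noexport_check.sh <vault-dir> <vault-key> <odbc-password>
# e.g.   sh ace_noexport_check.sh /var/mqsi/vaults/TEST_EXT_DIR_VAULT3 storevault xxxx78
# (placeholder path and values, not real ones)
if [ "$#" -eq 3 ]; then
    ace_noexport_check "$1" "$2" "$3"
fi
```

The useful part is the exit-status check in ace_decode_is_blocked: a no-export vault is verified by trying the very command the post shows and insisting that it fails, rather than by trusting the flag you passed at creation time. Because the check discards the command's output, it can run from a pipeline or cron job without ever writing a clear-text credential anywhere if the vault turns out to be exportable after all.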
With this option, the vault key alone no longer lets an operator read stored credentials back in clear text, which reduces the risk of credential disclosure through the command console. The option complements, rather than replaces, file-system protection of the vault directory and careful handling of the vault key; together they give administrators tighter control over sensitive credentials and improve the overall security posture of an ACE deployment.