Connection Properties

The TIBCO Scribe® API uses an extra layer of security between the REST Client and the API to minimize the risk that Connection credentials are ever vulnerable to exposure. The Connections endpoint uses the following additional security safeguards:

  • Encrypting all Connection properties that contain sensitive Connection information to ensure that no part of the Connection credentials is transmitted in clear text when reading, creating, or updating a Connection with the API.
  • Designating one or more Connection properties, such as Password, as secured properties.

TIBCO Scribe® encrypts secured properties internally and obfuscates the values in the TIBCO Scribe® interface. The TIBCO Scribe® API never returns these property values.

Each TIBCO Scribe® Connector uses specific properties to make a Connection. These properties are given in the API Considerations section of the Help topic for each Connector. The Help also provides the data type for each property, whether it is required, whether it is secured, and usage information. To find the Help topic for a specific Connector, see the Connections topic in the TIBCO Scribe® Help Center.

TIBCO Scribe® uses the Advanced Encryption Standard (AES) symmetric-key encryption algorithm, which is supported by languages that are commonly used to create REST clients, such as .NET, Java, and JavaScript. AES is a symmetric encryption algorithm: decryption is a reversal of the encryption steps, consuming the same key, salt, and IV values. You must have your Organization’s API cryptographic token to encrypt Connection properties. To find the API cryptographic token, on the Organization page in TIBCO Scribe®, click the Security tab. Your API cryptographic token is the Event Solution Access Token at the bottom of the tab. See Setting Security Options in the TIBCO Scribe® Help for more information. In addition to the cryptographic token, you must supply the API encryption salt value: ac103458-fcb6-41d3-94r0-43d25b4f4ff4

Sample Connection Property Encryption Code

Samples of encryption code that you can use for Connection property encryption are available in the TIBCO Scribe® Success Community. Select the link for the sample you want to access:

GET Operations

When you read a Connection with a GET operation, all non-blank property values are encrypted and must be properly decrypted to be used. When you create or update a Connection, you must encrypt each value in the properties dictionary, including any secured properties. Secured properties are always returned with blank values.

The AES algorithm should be implemented with:

  • A 16-bit, randomly generated initialization vector
  • A 256-bit PBKDF2 password derivation of your API Access Token key using HMAC-SHA1 at 1000 iterations
  • A 128-bit block size
  • The TIBCO Scribe® API salt value: ac103458-fcb6-41d3-94r0-43d25b4f4ff4
  • PKCS #7 padding
  • A UTF-8-encoded version of your Connection property value

POST And PUT Operations

When you POST or PUT data, the encrypted value must be base 64-encoded and appended to the base 64-encoded random initialization vector.

To encrypt a Connection property value:

  1. Convert the plain text Connection value to UTF-8 encoding.
  2. Generate a random array of 16 bytes. This is the Initialization Vector (IV) for the AES symmetric-key algorithm.
  3. Derive a key from the API Access Token key and the TIBCO Scribe® API salt value using the Password-Based Key Derivation Function 2 (PBKDF2) standard with 1000 iterations, using a Hash-based Message Authentication Code built on Secure Hash Algorithm 1 (HMAC-SHA1).
  4. Encrypt the UTF-8-encoded Connection property value with the AES algorithm using a key size of 256, a block size of 128, and PKCS7 padding.
  5. Convert both the IV value and the encrypted Connection property value to Base 64-encoded text strings.
  6. Append the Base 64-encoded encrypted text string to the Base 64-encoded IV text string.

See Special Properties.