Credentials Manager for ZebraTester
Function
Credentials Manager is an Apica ZebraTester plugin that extends the functionality of secure storage and retrieval of credentials or passwords using Apica’s ASM API.
It’s using, but is not limited to, a combination of AES/ECB/PKCS5Padding and RSA 512bit Key Pair as its current encryption algorithm.
The transformation AES/ECB/PKCS5Padding tells the getInstance method to instantiate the Cipher object as an AES cipher with ECB mode of operation and PKCS5 padding scheme.
It can support different types of encryption algorithms.
After retrieving the encrypted username/password from API, the plugin will decrypt data to be used in the ZebraTester script.
To store the username/password to the Apica ASM servers, run the JAR plugin from the command line and pass the necessary parameters as we’ll describe below.
Use Cases
Use Credentials Manager when:
You are doing ASM monitoring and
You need to pass username/password (or any key/value combinations) in the script but do not want the text string to be stored and transmitted in cleartext.
This plug-in is not intended for Load Testing scenarios.
CyberArk or Credentials Manager?
Some companies use CyberArk to store and fetch their credentials. But if not using a CyberArk Enterprise Password Vault for this purpose, the Credentials Manager can be used to establish login monitoring, with test monitoring usernames and passwords to reasonably obfuscate the passwords.
Components
ZebraTester V5.5F or later
CredentialsManager2UtilityTool_vXX.jar
CredentialsManager2.class
Apica Synthetic Monitoring API
A Custom Dictionary is where this information is sent to/from.
Method | Route | Description |
---|---|---|
POST | Adds the ZebraTester scenario custom dictionary. | |
GET | Gets a ZebraTester scenario custom dictionary by dictionary key. A custom dictionary can contain any data used by Proxy Sniffer scripts that need to be stored separately from scripts. | |
PUT | Replaces ZebraTester scenario custom dictionary. NOTE that this will replace any existing data already in the dictionary! | |
DELETE | Delete a Proxy Sniffer scenario custom dictionary by dictionary key. |
Downloads:
The files you’ll need are available here:
Credentials Manager Utility – desktop utility for managing ASM Dictionary entries (openjdk11 or above is required)
Credentials Manager 2 ZebraTester Plugin – class file for including with ZT scripts
Credentials Manager Process Flow:
During ZebraTester script execution, this plugin will run and retrieve the encrypted credentials using Apica’s ASM API, which is encrypted at rest and during transport. The plugin will decrypt the credentials using the specified encryption algorithm and preset, unique, symmetric key (assigned or designated by the customer) and only stored in the memory during the session.
Installing the Credentials Manager Plugin
Step | Information |
---|---|
1. Mandatory: Create an Entry (a new custom dictionary) | First, create the encrypted credentials entry into Apica’s ASM API by running the jar version of the plugin from a command line to open GUI. java -jar CredentialsManager2UtilityTool_vXX.jar Key:Value pair(s) will be created as a result. Up to 50 key:value pairs can be used for a single dictionary_key as long as the value doesn’t exceed 1000 characters. Credentials Manager 2 also supports long values over 1000 characters (e.g., private keys or certs) but will reduce the number of keys:value pairs that can be stored to around 5 entries. |
2. Add the Credentials Manager plugin into ZebraTester | By adding the .class as a plugin to your ZebraTester Script and then passing in the ASM_API_Url, ASM_API_AuthTicket, dictionary_key, shared_secret, and key as an index parameter, you can fetch the encrypted value, which the plugin will decrypt at execution rather than having that value hard-coded into the script as plaintext. |
Usage & Syntax:
To retrieve encrypted credentials and decrypt to be used in the ZebraTester script.
Input Parameter | |||
---|---|---|---|
Number | Name | Mandatory? | Assign From |
1 | Apica ASM API URL | Yes | variable |
2 | Apica ASM API Auth Ticket | Yes | variable |
3 | Dictionary Key | Yes | variable |
4 | Shared Secret Key | Yes | variable |
5 | Key (of value) | Yes | variable |
6 | Proxy settings (if applicable) | No | variable |
Output Parameter | |||
Number | Name | Mandatory? | Extract To |
1 | Value (of Key) | Yes | [variable] |
CredentialsManager2UtilityTool_vXX.jar (Used from the GUI)
Function | Set-up Instructions |
---|---|
Encrypt key/value pairs like Username and Password |
|
Update key/value pairs like Username and Password |
|
Overwrite key/value pairs like Username and Password |
|
Decrypt/Retrieve keys like Password |
|
Example:
CD to a Java /bin location (we’ve used ZebraTester 7B’s java /bin directory)
Download current version of “Credentials Manager” jar (as of writing it is CredentialsManager2UtilityTool_v09.jar) and move to the /bin location you CD’ed to
Run this command:
java -jar CredentialsManager2UtilityTool_vXX.jar
Note that Apica ASM API Url ( https://api-asm1.apica.io) is the base URL only (no path like v3/scenarios/proxysniffer/dictionaries/)
Related articles
Can't find what you're looking for? Send an E-mail to support@apica.io