To support corporate security standards, all user ids and passwords in configuration files must be encrypted. Need a method to encrypt user ids and passwords to store in config files. Integration services must support encrypted user ids and passwords. For example, the VersionOne Jira integration service stores unprotected user id and password in the config file. While we can secure access to the file system, this is not enough to meet our corporate security standards.
If there are any available alternatives we can employ now, please advise.
by: Gordon G. | over a year ago | Administration
Comments
Our solution for this is to implement OAuth 2.0. With this standard, integration services and other applications that communicate with VersionOne do not need to accept or store username/password credentials.
With Spring 2013, part of the VersionOne API was protected with OAuth 2.0:
https://community.versionone.com/Developers/Developer-Library/Documentation/API/Security/Oauth_2.0_Authentication
With the Fall 2013 Release, now all API endpoints can be reached with an OAuth 2.0 Bearer Token. With that, it is now possible for all integration services to avoid storing user ids and passwords.
That said, there is a long road from this possibility to the reality that all integration services will be OAuth 2.0 enabled. With Fall 2013, the .NET API Client library has been modified to support OAuth 2.0; we still need to modify the corresponding Java library. Further, each integration needs changes to code and UI to work with OAuth. If we set ourselves to that task alone, it could take years. Therefore, please take OAuth-enablement of specific integration services as new ideas to help us prioritize.