Credential management via REST API
AVAILABLE IN 9.8.0 AND LATER
In a VFC system, numerous entities hold credential-type data. The endpoints covered in this article allow these credentials to be changed programmatically. With this functionality, a custom integrator application can be implemented to rotate the passwords of the different entities from a common password vault solution, which prevents the leakage or sharing of shared technical accounts' passwords. This article introduces how these credentials can be managed via the v1 REST API in the following sections. For general information about REST API usage, please see the Use the REST API article.
- 1 User credentials
- 2 Active Directory Synchronization Profile credentials
- 3 Storage Target credentials
- 4 Import Source credentials
- 5 Server Configuration
- 5.1 Server configuration examples
- 5.1.1 Use case: There are differences between the central database and the local registry
- 5.1.2 Use case: Individual server configuration modification
- 5.1.3 Use case: Multiple server configuration modifications with a configuration profile
- 5.1.4 Use case: Configure a newly installed VFC server based on the configuration of another existing server
For the applications that manage credentials in the system, the following actions are required:
- Listing entities: to identify the existing entities. The sensitive passwords are stored in an encrypted format in the database. Via the API, neither the plain nor the encrypted password can be retrieved.
- Retrieve one entity by ID: to fetch the latest public values of an entity. As with the listing action, the sensitive properties cannot be retrieved.
- Modify properties of an entity: to actually change the credentials, such as the password. Not every property of an entity can be updated. The allowed properties are listed on the REST API documentation site for every update endpoint. The modification is performed with the PATCH HTTP method, which allows the client to send only the changed properties to the server.
- Verify the password change: send the known plain password to the system and retrieve a true or false value indicating whether the sent plain password matches the currently stored value. After a certain number of failed verification attempts, the system blocks the API user from further requests to prevent password guessing.
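The four actions above, carried through as a small rotation client. This is an added example, not the product's own API or code: the method names, the `password` field, the allowed-field set and the lockout threshold are assumptions, and `FakeVfcApi` is a constructed in-memory stand-in that mimics the documented behaviour (passwords never returned, PATCH limited to allowed properties, verification blocked after repeated failures) so the client logic can run offline.

```python
"""Credential-rotation client sketch for the workflow above (added example).

Endpoint names, field names and the lockout threshold are ASSUMPTIONS, not the
product's real API; FakeVfcApi is a constructed stand-in with the documented
semantics so that rotate_password() can be exercised without a live system.
"""
import secrets

ALLOWED_PATCH_FIELDS = {"password"}   # assumed: the only field the update endpoint accepts here
MAX_FAILED_VERIFIES = 3               # assumed threshold; the article gives no number


class VerificationBlocked(Exception):
    """Raised once the API user is blocked after repeated failed verifications."""


class FakeVfcApi:
    """Constructed stand-in: keeps passwords server-side and never returns them."""

    def __init__(self, users):
        self._users = users            # id -> {"name": ..., "password": ...}
        self._failed = 0               # failed verification attempts for this API user

    def list_users(self):
        # Listing: public values only, the password is never part of a response.
        return [{"id": i, "name": u["name"]} for i, u in self._users.items()]

    def get_user(self, user_id):
        # Retrieve by ID: same rule, sensitive properties are omitted.
        return {"id": user_id, "name": self._users[user_id]["name"]}

    def patch_user(self, user_id, changes):
        # PATCH: only the changed properties are sent, and only allowed ones are accepted.
        unknown = set(changes) - ALLOWED_PATCH_FIELDS
        if unknown:
            raise ValueError(f"fields not updatable via PATCH: {sorted(unknown)}")
        self._users[user_id].update(changes)

    def verify_password(self, user_id, plain):
        # Verify: returns True/False; after MAX_FAILED_VERIFIES failures the caller is blocked.
        if self._failed >= MAX_FAILED_VERIFIES:
            raise VerificationBlocked("too many failed verification attempts")
        ok = secrets.compare_digest(self._users[user_id]["password"], plain)
        if not ok:
            self._failed += 1
        return ok


def rotate_password(api, user_id, new_password):
    """PATCH only the password, then confirm it with a single verification call."""
    api.patch_user(user_id, {"password": new_password})
    if not api.verify_password(user_id, new_password):
        raise RuntimeError(f"rotation of user {user_id} could not be confirmed")
    return True
```

A real integrator would fetch `new_password` from the vault and verify exactly once per rotation, since each failed verification counts towards the lockout.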
The following sections cover descriptions and examples of how credential management can be achieved for different entities.