Protected Request Headers collection now available for RDP Queue Bindings

amackenzie
amackenzie Member, Employee Posts: 268 Solace Employee
edited September 2022 in PubSub+ Event Broker #1

What?

Solace has introduced a new collection/list of "Protected" Request Headers that management users can manage via PubSub+ Broker Manager, SEMPv2, and CLI management interfaces.

The Protected Request Headers are exactly the same as the existing Request Headers collection that defines the REST header/value pairs defined for an RDP Queue Binding, except the values are "protected" from viewing. They are treated the same way that other "sensitive" values (like passwords) are treated in the management interfaces. That means they are masked from seeing the actual values when trying to view the header/value pair. This includes show commands in CLI and REST API responses from SEMPv2 as well as the Broker Manager list view.

Why?

Request Headers are frequently used to pass "sensitive" values on the REST request of the RDP. This can include login credentials to the target service or other values to be used by the REST endpoint.

Management users in Solace can be restricted to read-only, but they cannot be restricted from viewing specific values of specific Request Headers. In many customer deployments, the read/write management users might be able to enter and delete these sensitive values but they don't want other users to be able to see the sensitive values.

By introducing Protected Request Headers, we can now treat the sensitive values like we treat other sensitive values (e.g. passwords) in the management interfaces. So with this feature, no management user can see the values of Protected Request Headers and their values are masked (or blank) on display.

note - Protected Header values are masked in all Solace management interfaces (Broker Manager, CLI, SEMPv2) but are passed to external systems (i.e. when the request is made) in their "clear" value. This is to be expected as these external systems have no way of decrypting our protected values. API Gateways security, use of TLS for REST requests, etc. are typically used to protect these values after they leave the PubSub+ broker as dictated by your security policies.


When?

Protected Request Headers are available in PubSub+ Event Broker version 10.1.1.

more information:

  • See the "Protected Request Header" section of Configuring RDP Queue Bindings documentation.
  • There is a new SEMPv2 API for GET/SET of Protected Request Headers under the config API. `/msgVpns/{msgVpnName}/restDeliveryPoints/{restDeliveryPointName}/queueBindings/{queueBindingName}/protectedRequestHeaders/{headerName}`

Comments