Security for http requests in scripting

Hello,
I use the system.net.httpXXXX() functions in scripting to get data for a third-party REST-API. The REST-API requires authentication via username/password. Currently I add them directly in the parameters as plain text. The script is then stored on the hard drive, also in plain text. This is a security risk.

Is there a possibility of raising security?
For example, by using credentials from a user source or having your own secure storage for it.

Thanks in advance,
Gerald

Basically, no. Anyone who can get into the designer could get around anything we offered.
We might look into offering some way to integrate scripting with the secret management API we're including in 8.3.0, but it will still be basically impossible to prevent someone with access to scripting from extracting whatever secrets.

Ignition provides the credential stores which allow you to store and manage sensitive information like username and password.

@PGriffith Yes that is true, but we can protect and limit access to the Designer by user/password or SSO from an identity provider. When the passwords are stored as plain text, they are extremely easy to acquire by an attacker. Secure storage with access from the designer is in my opinion way more secure.

@johnny_harris: Which credential stores do you mean?

You can access environment variables within gateway scope. You can place credentials specific to that gateway in the SystemD environment that wraps the gateway service. Such settings will not be in the gateway's install folders and will not end up in backups. While a designer could set up a message handler to report those to designer scope, it would be as secure as secrets in typical devops orchestration systems.

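The environment-variable approach from the last reply, as an added example that is not part of any post in this thread or of Ignition itself: a gateway-scope helper that reads the REST credentials from the service environment instead of the script text, fails closed when they are absent, and masks them before anything is logged. The variable names `REST_API_USER` and `REST_API_PASSWORD`, the drop-in path in the comment, and the sample values are assumptions made for illustration.

```python
# Added example: gateway-scope credential lookup from the service environment.
# Assumed (hypothetical) variable names, set outside the install folder, e.g. in
# a systemd drop-in for the gateway service:
#   [Service]
#   EnvironmentFile=/path/to/rest-api.env   (placeholder path; root-owned, mode 0600)
import base64
import os

USER_VAR = "REST_API_USER"          # hypothetical name
PASSWORD_VAR = "REST_API_PASSWORD"  # hypothetical name


class MissingCredentialError(Exception):
    """Raised when the service environment does not carry the credentials."""


def load_api_credentials(environ=None):
    """Return (username, password) from the environment, failing closed."""
    env = os.environ if environ is None else environ
    missing = [name for name in (USER_VAR, PASSWORD_VAR) if not env.get(name)]
    if missing:
        # Report only the variable names, never any value.
        raise MissingCredentialError("unset: " + ", ".join(missing))
    return env[USER_VAR], env[PASSWORD_VAR]


def basic_auth_header(username, password):
    """Build the HTTP Basic Authorization header value (RFC 7617)."""
    if ":" in username:
        raise ValueError("username must not contain ':' for Basic auth")
    token = base64.b64encode((username + ":" + password).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def redact(text, secrets):
    """Mask secret values before a message reaches the gateway log."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, "***")
    return text


if __name__ == "__main__":
    # Constructed sample environment standing in for the real service environment.
    sample = {USER_VAR: "svc_reader", PASSWORD_VAR: "s3cr3t-example"}
    user, password = load_api_credentials(sample)
    auth = basic_auth_header(user, password)
    # The Basic token is only base64, so it is masked along with the password.
    print(redact("calling API as %s with %s" % (user, auth), [password, auth]))
```

The script on disk then contains only variable names; the values live in the service environment, outside the install folder and the backups, as the reply describes.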