Message level security in serverless integration

Kumologica
Dec 28, 2020

Today, businesses rely heavily on digital infrastructure to maintain both the economic and social fabric of our society. This places greater responsibility on enterprise IT teams to ensure the security of data at rest and in transit. Enterprises follow security compliance regimes such as GDPR to ensure maximum security for data and infrastructure.

In the integration world, the security of data in transit is vital. In business domains such as banking, medical and pharma, and defence, where sensitive data flows across different systems, the criticality is multifold. Transport level security and message level security are the most common security levels enforced when services are integrated between client and server or between servers. Multiple intermediary systems can exist between the two endpoints. In such cases message level encryption (MLE) ensures that the content stays encrypted across the intermediate hops, where the traffic itself might be unencrypted, until it reaches the target system.

In this article we will learn how to achieve message level encryption using the AES 256-bit algorithm in a serverless integration flow using Kumologica. For those who are new to Kumologica, I would recommend going through our articles and YouTube videos to get an insight. Kumologica is one of the early players in this space, bringing the low-code integration capability of traditional integration to the new world of serverless.

Use case

In this use case, a credit card processing service invokes an internal credit card verification service. Since this is intra-service communication, there is no TLS enabled. The message content flowing between the credit card processing service and the verification service has to be encrypted using AES 256-bit encryption.

Pre-requisite

  1. Kumologica Designer installed on your machine. https://kumologica.com/download.html
  2. An AES 256 key generator: https://www.allkeysgenerator.com/

Implementation

The implementation focuses only on the message encryption mechanism and not on any functional logic related to credit card processing or verification.

CreditCard Verification Service

Credit card verification flow

Steps:

  1. Open Kumologica Designer, click the Home button and choose Create New Kumologica Project.
  2. Enter a name (for example CreditCardVerificationService) and select a directory for the project.
  3. Press the Create button.
  4. Drag and drop an EventListener node onto the canvas and provide the following configuration.
Event Source : Amazon API gateway
Verb : POST
URL : /credit/verify

5. Add an Encrypt node from the Security category, provide the following configuration, and wire the node to the EventListener node.

Mode : Decrypt
Algorithm : AES
Secret Key : z$C&F)H@McQfTjWnZr4u7x!A%D*G-KaN

Note: you can generate your own AES 256 key from the following link https://www.allkeysgenerator.com/.

6. Add a Logger node and wire it to the Encrypt node. Provide the following configuration. This node will print the payload after decryption.

Message : 'Decrypted data ' & msg.payload

7. Add an EventListener End node and wire it to the Encrypt node. Provide the following configuration.

Status Code : 200
Content-Type : application/json
Payload : {"status" : "verified"}

CreditCard Processing Service

Credit card processing service flow

Steps:

  1. Open Kumologica Designer, click the Home button and choose Create New Kumologica Project.
  2. Enter a name (for example CreditCardProcessingService) and select a directory for the project.
  3. Press the Create button.
  4. Drag and drop an EventListener node onto the canvas and provide the following configuration.
Event Source : Amazon API gateway
Verb : POST
URL : /credit/process

5. Add a Set-Property node to the canvas and wire it to the EventListener node.

Note: This node emulates the payload which will be sent to the credit card verification service.

Set : msg.payload
To : { "type" : "platinum", "creditcardno" : 3839304839928, "micr" : "0039", "fname" : "Tony"}

6. Add an Encrypt node from the Security category, provide the following configuration, and wire the node to the Set-Property node.

Mode : Encrypt
Algorithm : AES
Secret Key : z$C&F)H@McQfTjWnZr4u7x!A%D*G-KaN

Note: you can generate your own AES 256 key from the following link https://www.allkeysgenerator.com/.

7. Add a Logger node to print the encrypted data. Provide the following configuration.

Message : 'Encrypted data ' & msg.payload

8. Add the HTTP Req node to the canvas and provide the following configuration. Wire the node to the Encrypt node.

Method : POST
URL : <<URL of the Credit card verification service after deployment>>
Return : a Parsed JSON Object

9. Add an EventListener End node and wire it to the HTTP Req node. Provide the following configuration.

Status Code : 200
Content-Type : application/json
Payload : msg.payload
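
The two flows above, sketched in Node.js as an added example (not code from the original article and not the implementation of Kumologica's Encrypt node). The article only specifies AES with a 256-bit key; the GCM mode, the `iv || tag || ciphertext` envelope, the locally generated key, and all function names are assumptions of this example.

```javascript
const crypto = require('crypto');

// Constructed sample payload, modelled on the Set-Property node above.
const samplePayload = { type: 'platinum', creditcardno: 3839304839928, micr: '0039', fname: 'Tony' };

// 32 bytes from the OS CSPRNG = one AES-256 key. In a deployment both services
// would load the same key from a shared secret store (assumption).
function generateKey() {
  return crypto.randomBytes(32);
}

// Sender side (processing service): serialize, encrypt, wrap in an envelope.
// Envelope layout (assumed for this example): base64(iv || tag || ciphertext).
function encryptMessage(key, payload) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Receiver side (verification service): unwrap, authenticate, decrypt.
// Returns the parsed payload, or null if the envelope is malformed, was
// modified in transit, or was produced under a different key.
function decryptMessage(key, envelope) {
  const raw = Buffer.from(envelope, 'base64');
  if (raw.length < 12 + 16) return null; // too short to hold iv + tag
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // tag check failed or plaintext was not JSON
  }
}

// Simulates an intermediate hop changing one ciphertext byte (constructed case).
function flipLastByte(envelope) {
  const raw = Buffer.from(envelope, 'base64');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64');
}
```

Because the mode is authenticated, an envelope altered at an intermediate hop is rejected by the receiver instead of being decrypted into a different payload.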

Deployment

  1. Select the CLOUD tab on the right panel of Kumologica Designer and select your AWS Profile.
  2. Set the Memory to 512 MB and the Timeout to 20 seconds.
  3. Go to the “Trigger” section under the cloud tab and select the Amazon API Gateway trigger.
API trigger setting

Conclusion

This article has shown how easy it is to implement message level security using the Encrypt node in Kumologica Designer.

Remember, Kumologica is totally free to download and use. Go ahead and give it a try; we would love to hear your feedback.
