Using Secrets to Mask Sensitive Information in Monitors

In monitors that you run in a private location, you can mask sensitive information such as headers, token values, username and password, and body values.

To mask the header information:

  1. Configure a shared secret in Secrets Manager for the information you want to mask.

  2. Modify your monitor to use the information from Secrets Manager.

  3. Grant the monitor permission to access the secret, which creates an alias for the secret.

  4. To deploy your changes, upload the modified monitor to Functional Monitoring.

Limitations

  • Functional Monitoring works only with symmetric key shared secret types from Anypoint Secrets Manager.

  • You can use aliases for shared secrets in a test suite only if you plan to run that test suite from a private location.

Configure a Secret in Anypoint Secret Manager

To keep sensitive information secret in tests you run from a private location, create a shared secret in Secrets Manager.

To configure a shared secret:

  1. Open a secrets group or create a new one. Create the group in the same environment that you are using in BAT CLI.

    To find out which environment you are using in BAT CLI:

    1. Run the command bat whoami.

      The output has the ID for the environment.

    2. Run the command bat environment ls to list the environments to which you have access.

    3. Match the ID from the bat whoami command with one of the environments listed.

    4. If you need to switch to the environment that your secrets group is in, run the command bat environment switch name, where name is the name of the environment.

  2. Select Shared Secret.

  3. In the Type field, select Symmetric Key.

  4. In the Key field, paste the sensitive information encoded as a Base64 string.

  5. Paste the Base64 string into the Confirm Key field.

Add the Secret to Your Monitor

Modify your monitor to use the information you configured in Secrets Manager.

To add the secret to a monitor:

  1. Create or download a monitor. See Creating Monitors or Downloading Monitors.

  2. Modify the main.dwl file to replace the sensitive information with the client ID and client secret you configured in Secrets Manager.

    In the following example, the sensitive information in the headers is masked. 'clientId-alias' and 'clientSecret-alias' are aliases for the secrets stored in Secrets Manager. See Grant Your Monitor Access to the Secret to learn how to generate the alias.

    import * from bat::BDD
    import * from bat::Assertions
    
    var cliId = secret('clientId-alias') default 'Client Not Found'
    var cliSecret = secret('clientSecret-alias') default 'Secret Not Found'
    
    suite("HTTP Monitor") in [
      it should "Assert endpoint: http://status-coder.ir-e1.cloudhub.io/status?code=200&reason=Ok" in [
        GET `http://status-coder.ir-e1.cloudhub.io/status?code=200&reason=Ok` with {
          "headers": {
            "client_id": cliId,
            "client_secret": cliSecret
          }
        } assert [
            $.response.status mustEqual 200
        ]
      ]
    ]

After you modify the monitor’s main.dwl file to add the secret information to the code, grant the monitor access to the secrets you configured in Secrets Manager. See Grant Your Monitor Access to the Secret.

Grant Your Monitor Access to the Secret

After you modify your monitor to add the secret information, grant the monitor access to the secret. At runtime, BAT CLI looks up the shared secrets using the aliases.

To grant a monitor access to the secret:

  1. Copy the name of the new shared secret obtained in Configure a Secret in Anypoint Secret Manager.

  2. At a command prompt, run the bat grant command, specifying an alias for the shared secret. When you run this command, BAT CLI creates a section named secrets in your test suite’s bat.yaml file, if the section does not already exist. In that section, BAT CLI adds these indented lines:

    alias:
      secretId: "secret-ID"

    • alias: The alias that you specified in the bat grant command.

    • secret-ID: The ID of the secret within Anypoint Secrets Manager. This ID does not appear in ASM, so there is no way for someone looking in your bat.yaml file to associate the ID with any particular secret. The BAT CLI uses this ID to look up the secret that you associated with the alias.
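A pre-upload check that ties main.dwl to bat.yaml, added here as an example and not part of the MuleSoft documentation or BAT CLI: it reports secret() aliases that have no entry in the secrets section, and sensitive headers still set to a string literal. The function names, the sample inputs, the inclusion of the authorization header, and the assumption that secrets is a top-level key with alias lines indented beneath it are assumptions made for this example.

```python
import re

# Matches secret('alias') lookups as used in the page's main.dwl example.
SECRET_CALL = re.compile(r"""secret\(\s*['"]([^'"]+)['"]\s*\)""")
# Sensitive header keys given a quoted literal value. client_id and client_secret
# come from the page's example; authorization is an assumption added here.
LITERAL_HEADER = re.compile(
    r"""["'](client_id|client_secret|authorization)["']\s*:\s*["']""", re.I)

def granted_aliases(bat_yaml):
    """Return alias names listed under the top-level `secrets:` section."""
    aliases, in_secrets = set(), False
    for line in bat_yaml.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if line[0] not in " \t":            # a top-level key starts a new section
            in_secrets = stripped == "secrets:"
        elif in_secrets and stripped.endswith(":"):
            aliases.add(stripped[:-1])      # alias line has no value; secretId line does
    return aliases

def lint_monitor(main_dwl, bat_yaml):
    """List problems to fix before upload; never echoes a literal value."""
    findings = []
    missing = set(SECRET_CALL.findall(main_dwl)) - granted_aliases(bat_yaml)
    for alias in sorted(missing):
        findings.append(f"alias '{alias}' has no entry in bat.yaml secrets")
    for m in LITERAL_HEADER.finditer(main_dwl):
        findings.append(f"header '{m.group(1).lower()}' is a hard-coded literal")
    return findings

# Constructed sample inputs (not real credentials or secret IDs).
SAMPLE_DWL = '''
var cliId = secret('clientId-alias') default 'Client Not Found'
var cliSecret = secret('clientSecret-alias') default 'Secret Not Found'
GET `http://example.invalid/status` with {
  "headers": { "client_id": cliId, "client_secret": "constructed-literal" }
}
'''
SAMPLE_YAML = '''
secrets:
  clientId-alias:
    secretId: "constructed-secret-id"
'''

if __name__ == "__main__":
    for finding in lint_monitor(SAMPLE_DWL, SAMPLE_YAML):
        print(finding)
```

An empty result means every alias referenced in main.dwl is granted and no listed header carries a literal; findings name the header or alias only, so the output is safe to keep in CI logs.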

Deploy the Updated Monitor

After completing the prior procedures, upload your monitor as documented in Upload a Monitor.