Overview
As part of the API hub connector integration, the metadata of API proxy and sharedflow bundles is synchronized to API hub. These bundles may contain personally identifiable information (PII) or other sensitive data, such as hardcoded credentials and keys, inside their policy configurations. This feature lets you mask identified PII fields before the bundles are uploaded to API hub, helping you keep data private and compliant in your Edge for Private Cloud environment.
Masking approach
PII masking is applied using XPath expressions that target specific elements within the XML-formatted policy configurations inside the bundles. Masks come in two kinds: default masks and custom masks.
Default masks
Apigee Edge for Private Cloud includes a pre-defined, built-in list of XPath expressions (called default masks) that automatically target fields in various policies that are known to be potential PII sources.
Potential PII sources and default masks
The following table lists the policies and elements for which default masking is applied:
| Policy Name | Sensitive Element | Default Mask XPath | Rationale |
|---|---|---|---|
| BasicAuthentication | Hardcoded Username | //BasicAuthentication/User | Directly stores clear-text user identity. |
| BasicAuthentication | Hardcoded Password | //BasicAuthentication/Password | Directly stores clear-text password. |
| GenerateJWT | Symmetric Key (Secret) | //GenerateJWT/SecretKey/Value | Hardcoded symmetric encryption/signing key. |
| GenerateJWT | Private Key | //GenerateJWT/PrivateKey/Value | PEM-encoded private key for asymmetric signing. |
| GenerateJWT | Private Key Password | //GenerateJWT/PrivateKey/Password | Password to decrypt the private key. |
| GenerateJWS | Symmetric Key (Secret) | //GenerateJWS/SecretKey/Value | Hardcoded symmetric encryption/signing key. |
| GenerateJWS | Private Key | //GenerateJWS/PrivateKey/Value | PEM-encoded private key for asymmetric signing. |
| GenerateJWS | Private Key Password | //GenerateJWS/PrivateKey/Password | Password to decrypt the private key. |
| VerifyJWT | Symmetric Key (Secret) | //VerifyJWT/SecretKey/Value | Hardcoded symmetric key for verification. |
| VerifyJWS | Symmetric Key (Secret) | //VerifyJWS/SecretKey/Value | Hardcoded symmetric key for verification. |
| HMAC | Shared Secret Key | //HMAC/SecretKey | Hardcoded secret key for HMAC calculation. |
| KeyValueMapOperations | Hardcoded Value (Put) | //KeyValueMapOperations/Put/Value | Hardcoded secret being written to the KVM. |
| ServiceCallout | Basic Auth Username | //ServiceCallout//Authentication/BasicAuth/UserName | Hardcoded username for backend authentication. |
| ServiceCallout | Basic Auth Password | //ServiceCallout//Authentication/BasicAuth/Password | Hardcoded password for backend authentication. |
| SAMLAssertion | Private Key Value | //SAMLAssertion//PrivateKey/Value | Private key for decryption/signing. |
| SAMLAssertion | Private Key Password | //SAMLAssertion//PrivateKey/Password | Password to decrypt the private key. |
Custom masks
For fields that you identify as PII but that are not covered by the default masks (for example, custom configuration in policies), you can provide your own list of XPath expressions (custom masks).
Custom masks are managed by updating a configuration property in the uapim-connector.properties file on your Edge for Private Cloud system.
Configuring custom masks
To add custom masking paths, update the conf_uapim_connector.uapim.mask.xpaths property in the connector configuration file:
- Configuration file path: /opt/apigee/customer/application/uapim-connector.properties
- Property: conf_uapim_connector.uapim.mask.xpaths

The property accepts a comma-separated list of XPath expressions targeting the specific elements whose values you want to mask.
Example configuration
To mask a custom variable value and a statistic field, set the property as follows:

```
conf_uapim_connector.uapim.mask.xpaths=//StatisticsCollector/Statistics/Statistic[@name='caller'],//StatisticsCollector/Statistics/Statistic[@name='location'],//AssignMessage/AssignVariable[Name='password']/Value
```

| XPath Expression | Element Masked | Purpose |
|---|---|---|
| //StatisticsCollector/Statistics/Statistic[@name='caller'] | Statistic value (where name='caller') | Masks sensitive caller identity. |
| //AssignMessage/AssignVariable[Name='password']/Value | AssignVariable Value (where Name='password') | Masks hardcoded password values. |
Masked policies
The values of the targeted elements are replaced with a mask, and only this masked content is uploaded to API hub.

Example Policy 1 (StatisticsCollector - Masked):

```xml
<StatisticsCollector name="publishPurchaseDetails">
  <Statistics>
    <Statistic name="caller" type="string">****</Statistic>
    <Statistic name="location" type="string">****</Statistic>
  </Statistics>
</StatisticsCollector>
```
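To illustrate how XPath masks act on a policy before upload, here is an added Python example (not the Apigee connector's own code) that applies a subset of the default masks plus the custom masks from the example configuration to a constructed StatisticsCollector policy using the standard library's ElementTree. The helper names are assumptions; the connector's actual implementation is not shown on this page.

```python
import xml.etree.ElementTree as ET

MASK = "****"  # replacement value, as in the masked policy shown on this page

# Constructed subset of the default masks listed in the table above.
DEFAULT_MASKS = [
    "//BasicAuthentication/User",
    "//BasicAuthentication/Password",
    "//HMAC/SecretKey",
    "//ServiceCallout//Authentication/BasicAuth/Password",
]


def parse_mask_property(value: str) -> list:
    """Split a comma-separated conf_uapim_connector.uapim.mask.xpaths value."""
    return [p.strip() for p in value.split(",") if p.strip()]


def mask_policy(policy_xml: str, custom_xpaths: str = "") -> str:
    """Return policy_xml with every element selected by a default or custom
    XPath emptied and its text replaced by MASK (hypothetical helper)."""
    # ElementTree's './/' only walks descendants, so wrap the policy in a
    # synthetic root so that '//PolicyName' also matches the policy element.
    doc = ET.Element("bundle")
    doc.append(ET.fromstring(policy_xml))
    for xp in DEFAULT_MASKS + parse_mask_property(custom_xpaths):
        et_path = "." + xp if xp.startswith("//") else xp
        for el in doc.findall(et_path):
            for child in list(el):  # drop nested content so nothing leaks
                el.remove(child)
            el.text = MASK
    return ET.tostring(doc[0], encoding="unicode")


# Constructed sample policy (before masking) and the two StatisticsCollector
# masks from the example configuration above.
SAMPLE_POLICY = """<StatisticsCollector name="publishPurchaseDetails">
  <Statistics>
    <Statistic name="caller" type="string">request.header.caller</Statistic>
    <Statistic name="location" type="string">request.header.loc</Statistic>
    <Statistic name="sku" type="string">request.header.sku</Statistic>
  </Statistics>
</StatisticsCollector>"""
SAMPLE_MASKS = ("//StatisticsCollector/Statistics/Statistic[@name='caller'],"
                "//StatisticsCollector/Statistics/Statistic[@name='location']")

if __name__ == "__main__":
    print(mask_policy(SAMPLE_POLICY, SAMPLE_MASKS))
```

Elements not named by any mask (the sku statistic here) are left untouched, so a mask list that is too narrow silently ships whatever it misses.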