I'm curious if/how the latest SDF protects secrets...
# sdf
s
I'm curious if/how the latest SDF protects secrets (login token/credentials) on my dev machine?
E.g., does it utilize protected storage provided by the OS (Windows/Mac/Linux), or perhaps some common Java abstraction for such?
a
Without going into much detail, I can say that the credentials are encrypted on your machine. Maybe @Carlos Olivares (NS DevTools PM) or @Viktor Nikulin can answer your questions/doubts in detail.
s
Thanks @Ali Syed (NS DevTools QA). I am looking for some detail, as I may need to convince our security czars of its security.
a
@stalbert I understand, and let's wait for Carlos or Viktor to respond. But if you are using tokens already, then there shouldn't be any new security concerns: before you had a clicache file and now it's a credentials file. The content of the file might be slightly different (it's encrypted anyway), but the concept/working is similar.
b
The new credentials file used by the sdf-cli authenticate command is encrypted using AES, same as the old one.
It does not use any OS-level tools; the key is in the CLI jar.
The methods in the publicly available CLI jar can be used to decrypt the credentials file.
s
bummer
a
Ignoring the current approach, I want to highlight that the new authentication tools for the system do not use basic authentication at all. Tools will no longer store user passwords. By only using tokens, it means that:
• Tokens can be rejected at any point in time by the admin if there was a security breach
• The admin can decide which roles are available for token-based authentication
• Roles that have TBA enabled can also define permissions on what such a role is allowed to do
• Tokens don't grant access to the system in the UI