Hello Acumatica Community,

We have developed a customization that requires storing an API Key, but we need to ensure that generic users cannot access it. Our initial approach was to save it as a password field in the database. However, we noticed that this method still allows the key to be read as base64 from snapshot files, which can then be converted back to the actual key.

Our customers are mostly using SaaS instances from Haufe, so we're unable to modify snapshot configuration files directly. Therefore, we're looking for solutions to either:

  1. Hide or secure the key in a way that prevents it from being exposed via snapshots, or
  2. Exclude the custom table that stores the key from being included in snapshots through a customization project.

If these options aren't feasible, is there a way to manage the key externally or implement a similar secure solution like dynamic encryption?

Any suggestions or insights would be greatly appreciated. Thank you!

@jwestermann17

However, we noticed that this method still allows the key to be read as base64 from snapshot files, which can then be converted back to the actual key.

I don’t think this observation is entirely correct.

There is an ‘Encryption Certificates’ page in the system. If there is an encryption certificate created, the key will not be stored as base64; instead, it’ll be encrypted with the certificate. Of course, on a dev machine you likely do not have the Encryption Certificate entered and thus you see it in base64. However, the live sites are supposed to have the certificates.

As for excluding things from snapshots, you can customize snapshot configurations. There are snapshot configs stored in \App_Data\SnapshotConfigs in the form of XML files. You can create new ones and modify existing ones and include them in a customization package.

However, I must warn you that on versions of Acumatica before 24r2 there is no ‘merge’ of customizations of snapshot configs, so you must touch the existing ones only if it’s absolutely necessary.

Starting from 24r2, there are merge rules and better structure for snapshot customization.


Hello,

I've reviewed the developer and live environments provided by Haufe, and I couldn't find any encryption certificates. I'm unsure if it's possible for us to create our own encryption certificate, especially on existing live instances, since we only need it for a specific field at the moment. If it is possible, I would appreciate guidance on how to implement it.

Considering that our customer instances are primarily hosted by Haufe, I assume modifying the snapshot configurations might not be a reliable solution, as they could be overwritten with future updates. We won’t be able to upgrade until mid-2025.

Here is the help article on the topic:

https://help.acumatica.com/(W(12))/Help?ScreenId=ShowWiki&pageid=c89c647d-d5ae-4360-9157-731dba978ee0

I think you should raise the concern with Haufe.

