Configure payload encryption

In the Onegini Token Server admin console, payload encryption can be enabled for a specific application version. The Onegini Security Proxy is responsible for enforcing payload encryption when it is enabled. To do so, the Security Proxy needs to know the settings configured in the Token Server admin console; the payload encryption policy provides exactly this information.

The Onegini Security Proxy enforces payload encryption only for Token Server and Resource Gateway endpoints, acting as a reverse proxy in front of them.

Configure payload encryption policy fetching

The payload encryption policy determines whether payload encryption is required for the application version in use. To fetch the policy, a connection to the Token Server must be configured.

The endpoint uses basic authentication. The username and password must match the values configured in the Onegini Token Server. Set SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_USERNAME for the username and SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_PASSWORD for the password.

Note: We advise encrypting the value of SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_PASSWORD.

Optionally, the host (SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_HOST), port (SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_PORT) and URI (SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_URI) of the Onegini Token Server can also be configured if the defaults are not sufficient.

To limit communication with the Onegini Token Server, the payload encryption policy can be cached. By default, policies are cached for 5 minutes for a maximum of 1000 application instances. To change the duration, set SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_DURATION_IN_MINUTES; to change the maximum number of stored policies, set SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_MAX_SIZE.

Configure payload encryption session timeout

A handshake is relatively resource intensive and time consuming compared to other operations. For that reason a mobile client only has to perform a payload encryption handshake once per session. Sessions are stored in a cache. The maximum time a session can last is configured in minutes via SECURITY_PROXY_ENGINE_SESSION_KEYS_CACHE_DURATION_IN_MINUTES. By default this session timeout is 30 minutes.
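The following pre-start check is an added example and not part of the Onegini product or its documentation. It covers the variables from both the policy-fetching and session-timeout sections above: it fails fast when the mandatory policy credentials are absent (in which case the proxy cannot fetch the policy and so cannot enforce encryption) and rejects malformed optional overrides; it assumes a POSIX sh environment, and any sample values used with it are constructed.

```shell
# Succeeds only when the argument is a positive decimal integer.
is_positive_int() {
  case "$1" in
    ''|*[!0-9]*|0) return 1 ;;
    *) return 0 ;;
  esac
}

# Returns 0 if the payload-encryption settings are usable, 1 otherwise.
# Every problem found is reported on stderr before returning, so an operator
# sees all misconfigured variables in one run.
validate_encryption_policy_env() {
  status=0
  # The policy endpoint uses basic authentication; both credentials are
  # mandatory, otherwise the proxy cannot fetch the policy at all.
  for var in SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_USERNAME \
             SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_PASSWORD; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || { echo "$var is required" >&2; status=1; }
  done
  # The optional port override must be a valid TCP port when set.
  port="${SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_PORT:-}"
  if [ -n "$port" ]; then
    if ! is_positive_int "$port" || [ "$port" -gt 65535 ]; then
      echo "SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_PORT must be 1-65535" >&2
      status=1
    fi
  fi
  # Cache tuning values (minutes or entry counts) must be positive integers
  # when set; unset means the documented defaults (5 min, 1000 entries, 30 min).
  for var in SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_DURATION_IN_MINUTES \
             SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_MAX_SIZE \
             SECURITY_PROXY_ENGINE_SESSION_KEYS_CACHE_DURATION_IN_MINUTES; do
    eval "val=\${$var:-}"
    if [ -n "$val" ] && ! is_positive_int "$val"; then
      echo "$var must be a positive integer" >&2
      status=1
    fi
  done
  return $status
}

# Typical use (constructed values), e.g. in a container entrypoint:
#   export SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_USERNAME=security-proxy
#   export SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_PASSWORD="$POLICY_SECRET"
#   validate_encryption_policy_env || exit 1
```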