Configure payload encryption¶
In the Onegini Token Server admin console payload encryption can be enabled per application version. The Onegini Security Proxy is the component that enforces payload encryption once it is enabled. To do so the Security Proxy must know the settings configured in the Token Server admin console; it learns them through the payload encryption policy.
The Onegini Security Proxy only enforces payload encryption for Token Server and Resource Gateway endpoints, and therefore sits in front of them as a reverse proxy.
Configure payload encryption policy fetching¶
The payload encryption policy determines whether payload encryption is required for the application version a request comes from. To fetch the policy the Security Proxy needs a connection to the Token Server.
The policy endpoint uses HTTP basic authentication. The username and password must match the API client configured in the Onegini Token Server, and that API client MUST be valid for the Payload encryption policy API. Set SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID to the client id and SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET to the client secret.
Note: we advise to store the value of SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET encrypted rather than in plain text.
To limit traffic to the Onegini Token Server the payload encryption policy is cached. By default policies are cached for 5 minutes, for at most 1000 application instances. Use SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_TTL to change the cache duration and SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_MAX_SIZE to change the maximum number of stored policies. Because a cached policy is served until it expires, a change made in the admin console can take up to the configured TTL before the Security Proxy enforces it.
Configure payload encryption session timeout¶
A handshake is a relatively resource intensive and time consuming operation compared to other operations. For that reason a mobile client only performs the payload encryption handshake once per session. Sessions are kept in a cache. SECURITY_PROXY_ENGINE_SESSION_KEYS_CACHE_TTL sets the maximum lifetime of a session in minutes; the default is 30 minutes. The TTL also bounds how long the session keys negotiated in a handshake stay in use, so lowering it shortens key lifetime at the cost of more handshakes.
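The following is an added example, not part of the Onegini documentation or product: an environment file for the Security Proxy that sets the API client, policy cache and session cache variables described in the two sections above, together with a preflight check you can run before starting the container. All values are constructed placeholders. The helper `probe_policy_endpoint` takes the policy URL as an argument because this page does not give the endpoint path, and the unit of SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_TTL is not stated on this page (only the 5 minute default), so confirm it against the product reference before relying on the value.

```shell
#!/bin/sh
# Added example, not Onegini code: Security Proxy environment with a preflight check.
# All values are constructed placeholders; replace them with the values from your Token Server.

# --- API client used to fetch the payload encryption policy (basic auth) -----
export SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID="security-proxy-client"     # placeholder
# Keep this value encrypted in your deployment tooling; the plain value here is a placeholder.
export SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET="replace-with-client-secret"

# --- Policy cache: documented defaults are 5 minutes and 1000 entries ---------
# The unit of the TTL variable is not stated on the page above; confirm it in the reference.
export SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_TTL=5
export SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_MAX_SIZE=1000

# --- Session key cache: minutes a handshake result stays valid (default 30) ---
export SECURITY_PROXY_ENGINE_SESSION_KEYS_CACHE_TTL=30

# is_positive_int VALUE: succeeds only for a non-empty string of digits greater than zero
is_positive_int() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ]
}

# check_proxy_env: succeeds when every setting above is present and well-formed;
# otherwise prints one line per problem to stderr and fails.
check_proxy_env() {
  rc=0
  for name in SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "$name is not set" >&2
      rc=1
    fi
  done
  for name in SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_TTL \
              SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_CACHE_MAX_SIZE \
              SECURITY_PROXY_ENGINE_SESSION_KEYS_CACHE_TTL; do
    eval "value=\${$name:-}"
    if ! is_positive_int "$value"; then
      echo "$name must be a positive integer, got '$value'" >&2
      rc=1
    fi
  done
  return $rc
}

# basic_auth_header: the value of the Authorization header for HTTP basic auth with
# the client id and secret, handy for reproducing the proxy's policy fetch with curl
# when the Token Server rejects the API client.
basic_auth_header() {
  printf '%s:%s' "$SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID" \
                 "$SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET" | base64 | tr -d '\n'
}

# probe_policy_endpoint URL: prints the HTTP status the policy API returns for this
# client. The URL is supplied by the caller; the endpoint path is not given on this page.
probe_policy_endpoint() {
  curl -sS -o /dev/null -w '%{http_code}' \
       -H "Authorization: Basic $(basic_auth_header)" "$1"
}

check_proxy_env && echo "security proxy environment looks sane"
```

Source this file in the proxy's start script, or feed the exported variables to the container, and run `probe_policy_endpoint` against your Token Server's policy URL once: a 401 there means the API client id or secret does not match the Token Server, while a 403 typically means the client is not valid for the Payload encryption policy API.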