Configuring each account type

Learn more about the configuration of the account types used within the Digibee Integration Platform.

The platform supports several account types, such as AWS V4, Basic, Public Key, Secret Key, OAuth 2, and API Key. Accounts can be configured and stored with the Store Account connector without interrupting execution. The sections below describe how to configure each account type.

Accounts accept values that have up to 10,000 characters.

Account types

Each entry below gives the account type, its description, and its fields/parameters.

API Key

API Key storage for endpoints that need an API Key.

  • URL-PARAM-NAME: name of the query parameter in which the set API Key will be used

  • API-KEY: API Key value

Basic

User/password authentication.

  • USERNAME: User's name

  • PASSWORD: User's password

Custom Auth Header

Custom authentication header for specific endpoints.

  • HEADER-NAME: Header name

  • HEADER-VALUE: Header value

OAuth Bearer

Storage for OAuth-type tokens. The token is assigned to the "Authorization" parameter in the request header.

  • TOKEN: OAuth token

Private Key

Storage for private keys.

  • KEY: Private key

  • PASSPHRASE: Private key password

Public Key

Storage for public keys.

  • KEY: Public key

OAuth 2

Authorization via the OAuth pattern, which is commonly used to allow Internet users to log in to other websites using their accounts with Google, Microsoft, etc., without revealing their passwords.

OAuth gives them "delegated secure access" to server resources on behalf of the resource owner.

  • PROVIDER: OAuth provider

  • SCOPES: OAuth access scopes

Certificate Chain

Chain of certificates for endpoints that need 2-way SSL authentication or client certificates. (The certificate chain must be provided in the correct order and in PEM format.)

  • CHAIN: complete chain of certificates

  • PASSWORD: Private key password (if needed)

Secret Key

Used for encryption connectors.

  • KEY: Secret key

Google Key

Service key for Google APIs.

Kerberos

Keytab storage for Kerberos authentication.

  • KEYTAB: Base64 of Keytab file

  • PRINCIPAL: User associated with the Keytab (e.g., user@DOMAIN)

AWS V4

For AWS service access.

  • SERVICE-NAME: Service to be accessed (e.g., S3, SQS)

  • ACCESS-KEY: AWS access key

  • SECRET-KEY: AWS secret key

  • SESSION-TOKEN: AWS session token (when using temporary credentials)

  • REGION: Execution region

OAuth Provider

Authorization via the OAuth pattern that is usually used to log in to web applications. It can only be used for the Salesforce connector.

  • CLIENT-ID: the identifier associated with an application

  • CLIENT-SECRET: the secret associated with an application

SMTP Auth and Props

For Mail Connector, providing SMTP server access data to send emails.

  • HOST: SMTP server host name

  • PORT: SMTP server access port

  • USERNAME: User's email

  • PASSWORD: Email password

  • STARTTLS_ENABLE: "true" or "false" for SSL access

  • AUTH: Email server authentication type

NTLM

NTLM (NT LAN Manager) is a suite of Microsoft security protocols for authentication, integrity, and confidentiality, which can be accessed via the SOAP V3 connector. Alert: A vulnerability in NTLM was found due to outdated encryption (DES, RC4), exposing systems to attacks such as brute force and Pass-the-Hash. Digibee suggests that you disable NTLM, adopt secure protocols such as Kerberos, and enforce stronger security policies.

  • USERNAME: User's name

  • PASSWORD: User's password

  • DOMAIN (optional): Domain name

  • HOSTNAME (optional): Host name

AWS Role

Used to specify an AWS role to be assumed by a user configured in an AWS V4 account.

The AWS Role account can currently only be used in the DynamoDB connector.

  • ROLE-ARN: The Amazon Resource Name of the role.

  • ROLE-SESSION-NAME: The name that identifies the assume role session.

  • EXTERNAL-ID: An optional identifier required for cross-account operations to assume the role.

Azure Key

Used to connect to Azure Key Vault services on Microsoft Azure.

All keys can be found in the Default Directory within the App Registrations section. The CLIENT-ID and TENANT-ID are available on the app Overview, while the CLIENT-SECRET is within Certificates & secrets.

  • CLIENT-SECRET: The client secret.

  • CLIENT-ID: The Application (client) ID.

  • TENANT-ID: The Directory (tenant) ID linked to the Azure Default Directory.

Information and examples

Below you will find important information about some account types, followed by examples.

Information

AWS Role

The AWS Role account grants an AWS user temporary access to a specific role created in AWS. To use this feature, an AWS V4 account must be configured.

Once both account types are configured correctly, they can be used together in connectors that support the assume role feature.

Currently, only the DynamoDB connector supports this feature.

Example:

Suppose you are using the DynamoDB connector and you want a specific user to access a database to retrieve some data. You don’t want this user to always have access to this database or to perform any other operations on it. In this case, you can configure a role in AWS and allow the user to temporarily assume this role to retrieve the necessary data from the database.

To achieve this, select the AWS V4 account you want to use in the DynamoDB connector and activate the Use Assume Role parameter on the Authentication tab. When this option is active, you can select the AWS Role account that grants the user permission to perform the desired operation.

Within AWS, you must configure the AWS users who can access the role. If this configuration is not set correctly, the user of the selected AWS V4 account won’t be able to assume the role, even if both the AWS V4 and AWS Role accounts are selected in the connector.
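
An added example, not part of the original page or of Digibee's code: a simplified check of a role's trust policy that reports why the user of the AWS V4 account could or could not assume the role. It assumes the policy names IAM user ARNs directly and uses a StringEquals condition on sts:ExternalId; the function name, account ID, user name and external ID are constructed placeholders.

```python
def explain_assume_role(trust_policy, user_arn, external_id=None):
    """Return (allowed, reason) for one IAM user ARN against a role trust policy."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    reason = "no Allow statement for sts:AssumeRole names this user"
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = st.get("Principal", {})
        trusted = principal.get("AWS", []) if isinstance(principal, dict) else []
        trusted = [trusted] if isinstance(trusted, str) else trusted
        if user_arn not in trusted:
            continue
        # The EXTERNAL-ID field of the AWS Role account must match this condition.
        required = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None:
            return True, "allowed, no external ID required"
        required = [required] if isinstance(required, str) else required
        if external_id in required:
            return True, "allowed, external ID matches"
        reason = "EXTERNAL-ID does not match the sts:ExternalId condition"
    return False, reason


# Constructed sample: placeholder account ID, user name and external ID.
USER_ARN = "arn:aws:iam::111122223333:user/integration-user"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": USER_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

if __name__ == "__main__":
    print(explain_assume_role(TRUST_POLICY, USER_ARN, "example-external-id"))
    print(explain_assume_role(TRUST_POLICY, USER_ARN))
```

Explicit Deny statements, account-root principals and the user's own identity-based policies are outside this check.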

OAuth 2

Important: We support the following providers:

  • Microsoft: the "offline_access" scope is mandatory to use it in the Digibee Integration Platform. It is important to remember that this provider accepts only personal accounts.

  • Google.

  • Mercado Livre.

API Key

Important: The following providers set an expiration period for their authentication tokens. For this reason, it is necessary to update the configurations of your Accounts at the end of every period.

  • Microsoft: Every 3 months

  • Google: Every 6 months

  • Mercado Livre: Every 6 months

Certificate Chain

To convert your key to PEM format, you can use OpenSSL on the command line, e.g.: openssl pkcs12 -in mycert_xpto.p12 -out myapp.pem

Examples

Private Key

-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgF2duc4+xxNKlMO9bUud4bzGnuATkQVX3bM/gzxISrgw7B1AzJwA
OT5UChBoIKfmISaaVVY9+/fTpI1szihSqTyemdHnbC+FcDzoK3p53C5ZJ4pL7s+G
Y7vGEa2Z/6JVder6dwJaaOtwf+DfZYiWQjvh8tfAVjVdONE/XZSxOOofAgMBAAEC
-----END RSA PRIVATE KEY-----

Public Key

-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgF2duc4+xxNKlMO9bUud4bzGnuAT
kQVX3bM/gzxISrgw7B1AzJwAOT5UChBoIKfmISaaVVY9+/fTpI1szihSqTyemdHn
-----END PUBLIC KEY-----

Certificate Chain

-----BEGIN CERTIFICATE-----
MIIEUTCCAzmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzEj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEUTCCAAGVDSHVEbjhdbhjsjeiejAQUFADBSMQswCQYDVQQGEwJVUzEj
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgF2duc4+xxNKlMO9bUud4bzGnuATkQVX3bM/gzxISrgw7B1AzJwA
-----END RSA PRIVATE KEY-----
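
An added example, not Digibee's own code: a structural pre-flight for the text pasted into the CHAIN field, following the layout of the Certificate Chain example above (certificate blocks first, private key last) and the 10,000-character limit stated on this page. It assumes the field should hold only PEM blocks and does not verify that each certificate is signed by the next one; the function names and sample blocks are constructed for illustration.

```python
import base64
import re

MAX_CHARS = 10_000  # account value limit stated on this page
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END ([A-Z0-9 ]+)-----", re.S)

def check_chain_value(pem_text):
    """Structural check of a CHAIN value: block labels, key encryption, problems."""
    text = pem_text.replace("\r\n", "\n")
    problems, labels, encrypted = [], [], False
    if len(text) > MAX_CHARS:
        problems.append("value exceeds 10,000 characters")
    for begin, body, end in BLOCK.findall(text):
        if begin != end:
            problems.append(f"BEGIN {begin} is closed by END {end}")
        if "ENCRYPTED" in begin or "Proc-Type: 4,ENCRYPTED" in body:
            encrypted = True  # the PASSWORD field will be needed
        payload = body.split("\n\n")[-1]  # drop legacy encryption headers, if any
        try:
            base64.b64decode("".join(payload.split()), validate=True)
        except ValueError:
            problems.append(f"{begin} block is not valid base64")
        labels.append(begin)
    if BLOCK.sub("", text).strip():
        problems.append("text outside PEM blocks (e.g. 'Bag Attributes' lines)")
    certs = [i for i, name in enumerate(labels) if name == "CERTIFICATE"]
    keys = [i for i, name in enumerate(labels) if name.endswith("PRIVATE KEY")]
    if not certs:
        problems.append("no CERTIFICATE block")
    if len(keys) > 1:
        problems.append("more than one private key")
    if certs and keys and min(keys) < max(certs):
        problems.append("private key appears before a certificate")
    return {"labels": labels, "key_encrypted": encrypted, "problems": problems}

def pem_block(label, raw):
    """Build a constructed PEM block from filler bytes (not real key material)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(raw).decode()}\n-----END {label}-----\n"

# Constructed samples: one in the page's layout, one with extra text and the key first.
GOOD = (pem_block("CERTIFICATE", b"leaf") + pem_block("CERTIFICATE", b"intermediate")
        + pem_block("ENCRYPTED PRIVATE KEY", b"key"))
UNCLEAN = ("Bag Attributes\n    friendlyName: demo\n"
           + pem_block("PRIVATE KEY", b"key") + pem_block("CERTIFICATE", b"leaf"))

if __name__ == "__main__":
    print(check_chain_value(GOOD))
    print(check_chain_value(UNCLEAN))
```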

Google Key

{
"type": "service_account",
"project_id": "project_id",
"private_key_id": "dfdsfrfr43r43r4refbcceceabf8055a12a",
"private_key": "-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n",
"client_email": "user@DOMAIN.iam.gserviceaccount.com",
"client_id": "123456576788888899",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/storage%40project.iam.gserviceaccount.com"
}
