Named Credentials allow OMI apps to securely access and use usernames and passwords that have been created in the ArchestrA IDE. The SDK provides several methods for incorporating these credentials in your app, without the need for the app to store the credential or prompt the user to enter it. This allows the app to access third-party data and applications that do not support Windows OS authentication, Active Directory, OpenID Connect, or other standard authentication methods.
Use the System Platform IDE Security Configuration dialog to create Named Credentials for use with AVEVA OMI apps. A Named Credential consists of a credential name, and a username/password combination, or domain, username and password combination. Both of these credential types (Username + Password, and Domain + Username + Password) are configurable in the ArchestrA IDE.
To add Named Credentials to a Galaxy:
- Open the Configure Security dialog from the Galaxy menu in the System Platform IDE: Galaxy > Configure > Security.
- Set the Authentication Mode. You can use either:
  - OS User based authentication
  - OS Group based authentication
- Add and configure credentials under the Credential tab. See About Credentials in the Application Server User Guide for more information.
When a credential is saved, it is encrypted and stored in a secure location. See the Security section of the Application Server Help for more information about creating and configuring credentials.
OMI apps execute within the context of the user currently logged in to the OMI ViewApp. Each credential is assigned to an OS user group. At run time, the OMI app is granted access to a credential only if the logged-in user is a member of the OS group to which that credential has been assigned, either directly or through a nested group.
Note: Named Credentials are created on a galaxy-wide basis. A credential can be associated with only one OS group. For the credential to be valid at run time, the logged-in user must be a member of the same group that is associated with the credential.
Recommendations
Values can be assigned to each credential property (username, password, domain) in the IDE. Within the IDE, any IDE user with permissions to modify security can see the credential details. Once you have created the credentials and closed the Configure Security dialog, the credentials are encrypted and stored securely under the assigned credential name. However, although credentials are encrypted and saved in a secure location, once you call the API to get a credential, the information is decrypted and returned to the app as clear text. Therefore, to preserve the integrity and security of the credential, we recommend the following safeguards:
- Use the credential quickly and securely.
- Use the SecureString construct to hold decrypted credentials.
- Dispose the credential as soon as you have used it and flush the app.
- Never save or expose the credential values as clear text on the run-time node.
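The following C# snippet is an added example of how an OMI app can apply these safeguards; it is not code from the page or from the AVEVA SDK. The `ClearTextCredential` class is a hypothetical stand-in for whatever shape the SDK's credential lookup returns; the SecureString, NetworkCredential and using/dispose pattern is standard .NET.

```csharp
using System;
using System.Net;
using System.Security;

// Hypothetical stand-in for the decrypted result of the SDK credential call
// (the real SDK type and method name are not given on this page).
public sealed class ClearTextCredential
{
    public string Domain { get; set; }
    public string UserName { get; set; }
    public string Password { get; set; }
}

public static class CredentialHandling
{
    // Move the decrypted password into a SecureString as soon as it is received,
    // so that the only long-lived copy is the encrypted, read-only one.
    public static SecureString ToSecureString(string clearText)
    {
        var secure = new SecureString();
        foreach (char c in clearText)
        {
            secure.AppendChar(c);
        }
        secure.MakeReadOnly();
        return secure;
    }

    // Use the credential exactly once, inside a using block, so the SecureString
    // is disposed (and its unmanaged buffer zeroed) immediately afterwards.
    public static void UseNamedCredential(ClearTextCredential fromSdk,
                                          Action<NetworkCredential> consumer)
    {
        using (SecureString securePassword = ToSecureString(fromSdk.Password))
        {
            // NetworkCredential accepts the SecureString directly, so the app
            // never needs to build another clear-text string for the password.
            var credential = new NetworkCredential(
                fromSdk.UserName, securePassword, fromSdk.Domain);
            consumer(credential);
        }

        // A managed string cannot be zeroed in place; the most the app can do is
        // drop every reference it holds and never log, persist or cache it.
        fromSdk.Password = null;
    }
}
```

Pass the `NetworkCredential` to the third-party client inside the `consumer` delegate and let the using block end as soon as that call returns; keeping the credential in a field or static defeats the purpose of the pattern.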