Credential Vault for API Monitoring

Credential Vault securely stores the credentials used in Synthetic API monitoring jobs. When you create a job with a synthetic script or API monitoring script, you can add a credential, such as a username and password, to log in to an application and inject a reference to the stored credential into the script. When the job runs, the API monitoring script uses that reference to retrieve the credentials stored in the Credential Vault.

Add Synthetic Credentials

In Credential Vault, you can add credentials one-by-one or import multiple credentials.

Syntax Rules

This table describes credential syntax rules used for creating credentials and adding credentials to the API monitoring scripts:

ElementRule

Keys

  • 1-100 characters

  • Alphanumeric characters, hyphens, and underscores only

  • Keys must be unique per EUM account

Values

  • 5000 characters

  • Any non-control, printable UTF-16 characters

Credential key name (used in synthetic scripts) 
"<%key%>"

Add a Single Credential

Note: If you want to use a combination of credentials, such as a username and password combination, you must create two separate credentials: one credential for the username and one for the password.

To add a single credential for a sample email:

  1. Go to Gear Icon > Tools > Manage Synthetic Credentials.
  2. Click Add.
  3. Enter a key and value. Make sure you follow syntax rules.
  4. (Optional) Select an associated application. When you search for credentials in the API monitoring script, associated credentials are suggested first.

Import Multiple Credentials

You can add multiple credentials at once using the Import button.

To add multiple credentials for sample emails and passwords:

  1. Go to Gear Icon > Tools > Manage Synthetic Credentials.

  2. Click Import.

  3. Copy and paste credentials or type them line by line. Make sure you follow syntax rules.

Note: The maximum number of credentials that can be imported at once is 250.You cannot add associated applications to imported credentials. After importing, you must edit each credential individually to add the associated application.
Example
email_key=user123@email.com
password_key=Password123
email_key=user456@email.com
password_key=Password456

Use Credentials in an API Monitoring Script

You can retrieve a credential value by inserting the corresponding credential key in a script. Credentials associated with a specific application appear first when you start typing the key in the script.

To create an API monitoring job:

  1. Go to User Experience > API Monitoring > Jobs > Add.
  2. Add your API monitoring script. See Write Your First Script.
  3. Enter the credential key using the syntax "<%key%>"
    API Monitoring Script
    var response = await client.get("https://authenticate-me-api.com", {
headers: {
api_token: <%api_token%>
}
});

Store the Certificate Authority Content in the Synthetic Credential Vault

To store the Certificate Authority (CA) content in the Synthetic Credential Vault:

  1. Override the default trusted CA certificate by using the Advanced HTTPS API of the got client:
    1. Configure the certificateAuthority option. This stores the CA certificate .pem file contents in the certificate_authority_pem file.
    2. Specify the following string in the script:
      var response = await client.get("https://authenticate-me-api.com", {
https: {
certificateAuthority: %certificate_authority_pem%
}
});
  2. Export the CA certificate of a website or URL. When you export, ensure that you select the root CA. For example, when you export the CA certificate of www.google.com, select GTS Root R1 before exporting.This exports the certificate in the .pem file format.
  3. Update the API monitoring script with the content of the exported .pem file. You must add the \n\ delimiter at the end of each line of the certificate content:
    Example CA Certificate
    const assert = require("assert");
const cert = '-----BEGIN CERTIFICATE-----\n\
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n\
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n\
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n\
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\n\
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n\
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n\
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\n\
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\n\
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n\
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\n\
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\n\
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\n\
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\n\
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\n\
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\n\
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n\
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\n\
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n\
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n\
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n\
-----END CERTIFICATE-----';
(async () => {
var response = await client.get("https://synthetic.api.appdynamics.com/version", {
https: {
certificateAuthority: cert
}
});
assert.equal(response.statusCode, 200);
assert.equal(response.statusMessage, "OK");
})()

User Permissions

In the Controller Administration UI, you can configure roles and groups with Account-level. You can add roles and groups to users based on the requirement. The Manage Credential Vault permission allows you to manage access control of the Credential Vault.

PermissionPrivileges

Manage Credential Vault

  • Manage all users
  • Add, edit, and delete credentials
  • View both keys and values of stored credentials
  • View users, timestamps, and associated applications columns
View Credential Vault
  • View keys of stored credentials
  • View users and timestamps columns
Manage Self Credential Vault

When the administrator assigns this permission to users, they can add, edit, and view the credentials they create.

When the administrator sets the synthetic.self.credentialvault.disabled flag to true,users can view the credential value. If it is set to false, Value column is hidden.

To create a role with the Manage Credential Vault:

  1. Go to the gear icon > Administration > Roles.
  2. Under Roles, click Create.
  3. Add a role name.
  4. Under Account, click Add+.
  5. Select one of the following permissions based on the role that you are creating:
    • Manage Credential Vault
    • View Credential Vault
  6. Under User and Groups with this Role, add users and/or groups.