Microsoft Dynamics 365 | Integration, Dataverse...
Suggested Answer

How to manage certificates when connecting to external API using mutual ssl?


Hey team,

Looking for a way to securely connect from a D365 plugin to an API external to D365 (e.g. an APIM endpoint in the same tenant; or a truly external third party's service) using certificate-based authentication.

In our case, we need it to be synchronous, so we've chosen a plugin over power automate.

We're able to connect using a certificate with HttpClient, however we have to pass in the very sensitive certificate details (including private key + password) via the plugin registration step's "Secure config" field. While workable in the short term, it is less than ideal as it exposes sensitive data to more people than strictly necessary.

At time of writing, the "Secure environment variable" feature is still in preview and isn't supported from plugins (yet). Once GA, this will let us grab the details from Azure KeyVault using a connection reference setup once in each environment, which would be awesome.

Hoping someone's come across a better way to inject sensitive info into plugins in the interim?

Dynamics 365 Customer Engagement.

  • Suggested answer
    Kosenurm

    One possible solution to securely connect from a D365 plugin to an external API using certificate-based authentication is to use Azure Key Vault to store the sensitive certificate details, including the private key and password, and retrieve them securely during runtime.

    Once the "Secure environment variable" feature becomes generally available and supported from plugins, it can be used to retrieve the details from Azure Key Vault using a connection reference set up once in each environment.

    In the meantime, another option could be to encrypt the sensitive information using a symmetric encryption algorithm and store the encrypted value in the "Secure config" field, and then decrypt it during runtime in the plugin code using a shared secret key or password. However, this method requires the secure storage and management of the shared secret key or password.

  • Suggested answer
    JaredP

    Thanks for your thoughts Kosenurm, however those options really just push the problem back one step.

    E.g. while getting the value from Keyvault keeps the certificate secure, we then have to pass in connection details for Keyvault itself. An added problem is that if the Keyvault credentials are compromised, it then risks exposing not only the certificate, but anything else in the keyvault.

    For the short term, we'll be retrieving the values from a custom dataverse "configuration" table (key value pairs). Only system administrators have access to the table, so it is almost as secure as using the secure config value in the plugin step, with the added benefit of being easier to manage when deploying (higher environments are managed by different teams).

    We'll revisit when the Secure Environment Variable becomes GA (we've logged it as technical debt in the backlog).
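
The interim approach discussed in this thread (certificate material read from an administrator-only Dataverse configuration table, then presented as a client certificate over HttpClient), sketched as an added example that is not code from any participant. The table and column names (`new_configuration`, `new_key`, `new_value`), the setting keys and the URL are hypothetical, and it assumes the plugin sandbox allows the PFX to be loaded with default key storage flags.

```csharp
// Added example, not code from the thread. Table/column names, setting keys and URL are hypothetical.
using System;
using System.Net.Http; // WebRequestHandler requires a reference to System.Net.Http.WebRequest.dll
using System.Security.Cryptography.X509Certificates;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

public class MutualTlsPlugin : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        // null = run as the SYSTEM user, so the calling user needs no read privilege on the secrets table.
        IOrganizationService service = factory.CreateOrganizationService(null);

        // The PFX is stored base64-encoded; neither value is ever traced or put into an exception message.
        byte[] pfx = Convert.FromBase64String(ReadSetting(service, "ApiClientCertPfx"));
        string password = ReadSetting(service, "ApiClientCertPassword");

        using (var cert = new X509Certificate2(pfx, password))
        using (var handler = new WebRequestHandler())
        {
            handler.ClientCertificates.Add(cert); // presented during the TLS handshake
            using (var client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(30) })
            {
                // Plugins are synchronous, so block on the call instead of awaiting it.
                HttpResponseMessage response =
                    client.GetAsync("https://api.example.invalid/ping").GetAwaiter().GetResult();
                if (!response.IsSuccessStatusCode)
                    throw new InvalidPluginExecutionException(
                        "External API call failed with status " + (int)response.StatusCode);
            }
        }
    }

    // Looks up one key/value row; fails closed when the key is missing.
    private static string ReadSetting(IOrganizationService service, string key)
    {
        var query = new QueryExpression("new_configuration")
        {
            ColumnSet = new ColumnSet("new_value"),
            TopCount = 1
        };
        query.Criteria.AddCondition("new_key", ConditionOperator.Equal, key);
        EntityCollection rows = service.RetrieveMultiple(query);
        if (rows.Entities.Count == 0)
            throw new InvalidPluginExecutionException("Missing configuration key: " + key);
        return rows.Entities[0].GetAttributeValue<string>("new_value");
    }
}
```

Because the lookup runs as SYSTEM, the table's security role can exclude every interactive user except administrators; auditing reads and changes on that table gives a record of who touched the certificate.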
