Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
What You Can Encrypt
Platform Encryption Q&A
How Encryption Works
Set Up Your Encryption Policy
Filter Encrypted Data with Deterministic Encryption
Key Management and Rotation
Work with Salesforce Key Material
Get Statistics About Your Encryption Coverage
Synchronize Your Data Encryption
Work with External Key Material
Bring Your Own Key (BYOK)
External Key Management
Cache-Only Key Service
How Cache-Only Keys Works
Prerequisites and Terminology for Cache-Only Keys
Optimize Security Using Named Credentials and Cache-Only Keys
Create and Assemble Your Key Material
Add Replay Detection for Cache-Only Keys
Check Your Cache-Only Key Connection
Destroy a Cache-Only Key
Reactivate a Cache-Only Key
Considerations for Cache-Only Keys
Troubleshoot Cache-Only Keys
Configure Your Cache-Only Key Callout Connection
Shield Platform Encryption Customizations
Encryption Trade-Offs
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

Add Replay Detection for Cache-Only Keys

Replay detection protects your cache-only keys if a callout is fraudulently intercepted. When enabled, replay detection inserts an autogenerated, unique marker called a RequestIdentifier into every callout. The RequestIdentifier includes the key identifier, a nonce generated for that callout instance, and the nonce required from the endpoint. The RequestIdentifier serves as a random, one-time identifier for each valid callout request. After you set up your key service to accept and return the RequestIdentifier, any callout with missing or mismatched RequestIdentifiers is aborted.

User Permissions Needed
To create, edit, and delete named credentials: Customize Application
To allow cache-only keys with BYOK: Customize Application

AND

Manage Encryption Keys
To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: Manage Encryption Keys
  1. Update your key service to extract the nonce generated for the callout instance from the RequestIdentifier. Here’s what the nonce looks like.
    e5ab58fd2ced013f2a46d5c8144dd439
  2. Echo this nonce in the JWE protected header, along with the algorithm used to encrypt the content encryption key, the algorithm used to encrypt the data encryption key, and the unique ID of the cache-only key. Here’s an example. 
    {"alg":"RSA-OAEP","enc":"A256GCM","kid":"982c375b-f46b-4423-8c2d-4d1a69152a0b","jti":"e5ab58fd2ced013f2a46d5c8144dd439"}
  3. From Setup, in the Quick Find box, enter Encryption Settings, and then click Encryption Settings.
  4. In the Advanced Encryption Settings section, turn on Enable Replay Detection for Cache-Only Keys.
    You can also enable replay detection programmatically. For more information, see EncryptionKeySettings in the Metadata API Developer Guide.
    From now on, every callout to an external key service includes a unique RequestIdentifier.

If you enable replay detection but don’t return the nonce with your cache-only key material, Salesforce aborts the callout connection and displays a POTENTIAL_REPLAY_ATTACK_DETECTED error.

Warning