Security Best Practices¶

Credential Storage Security¶

File Permissions¶

The configuration directory is protected with strict POSIX permissions:

Directory (~/.config/f5xc/): 0700 (user read/write/execute only)
Profile files: 0600 (user read/write only)

No group or other users can access your credentials. The system automatically:

Creates directories with correct permissions
Detects and corrects insecure permissions
Warns if improper permissions are detected

Plaintext Storage¶

Credentials are stored in plaintext JSON. This is the same approach used by:

AWS CLI (.aws/credentials)
kubectl (~/.kube/config)
Cloud SDKs (gcloud, az, etc.)

Security relies on file system protection, not encryption. Secure your system:

Use Full-Disk Encryption
macOS: Enable FileVault
Linux: Use LUKS or dm-crypt
Windows: Enable BitLocker
Minimize Credential Exposure
Never commit credentials to version control
Never share credentials via email/chat
Never display credentials in logs or output
Use .gitignore to protect config files
Restrict File Access

# Verify directory permissions
ls -la ~/.config/f5xc
# Should show: drwx------ (700)

# Verify profile file permissions
ls -la ~/.config/f5xc/profiles/
# Should show: -rw------- (600) for each profile

Credential Management¶

API Token Security¶

API tokens are:

Long-lived credentials with full tenant access
Should be treated like passwords
Cannot be revoked at the token level (must revoke and re-issue)

Best Practices:

Create tokens with minimal scope if your XC Console supports scoped tokens
Rotate tokens regularly (quarterly or as part of security policy)
Revoke old tokens immediately after rotating
Never share tokens with untrusted parties
Never include tokens in error messages or logs

P12 Certificate Security¶

P12 certificates are:

Used for mutual TLS (mTLS) authentication
Password-protected private key + certificate
More secure than API tokens for automated integrations

Best Practices:

Use strong passwords for P12 certificates (16+ characters, mixed case/numbers/symbols)
Store passwords separately from the certificate file
Restrict certificate file access: chmod 400 certificate.p12
Use certificate rotation policies
Enable certificate expiration monitoring

Environment Variable Security¶

When using environment variables:

Do not add them to shell profile files (.bashrc, .zshrc, etc.)
Use temporary session variables: export F5XC_API_TOKEN=xxx && command
Clear history: history -c
Use CI/CD secrets management instead of hardcoding

CI/CD Integration¶

GitHub Actions¶

Use GitHub Secrets for credentials:

env:
  F5XC_API_URL: ${{ secrets.F5XC_API_URL }}
  F5XC_API_TOKEN: ${{ secrets.F5XC_API_TOKEN }}

Never:

Hardcode credentials in workflows
Log secrets in output
Pass secrets as command arguments

GitLab CI¶

Use CI/CD variables (masked and protected):

F5XC_API_URL:
  value: "https://tenant.console.ves.volterra.io"
  protected: true
  masked: false

F5XC_API_TOKEN:
  value: "your-token"
  protected: true
  masked: true

Jenkins¶

Use Jenkins Credentials Plugin:

withCredentials([string(credentialsId: 'f5xc-token', variable: 'F5XC_API_TOKEN')]) {
  // Build step
}

Authentication Methods¶

API Token (Default)¶

Pros:

Simplest to use
Immediate activation
Easy to manage in profiles

Cons:

Long-lived credentials
No client certificate verification
Full tenant access unless scoped

Use Cases:

Development and testing
Single-tenant environments
Automated tasks with limited scope

P12 Certificate (mTLS)¶

Pros:

Mutual authentication (both client and server verified)
Private key stays local
Better for production integrations
Can be rotated more frequently

Cons:

More setup complexity
Requires certificate management infrastructure
Password required for key

Use Cases:

Production automation
Multi-tenant environments
High-security requirements
Regulatory compliance needs

Profile Security¶

Securing Profile Files¶

Never commit ~/.config/f5xc/ to version control
Add to .gitignore:

.config/f5xc/

Never copy profile files between machines
Use the f5xc-api-configure-auth MCP tool on each machine to create profiles

Profile Isolation¶

Each profile represents one credential set
Use profiles to isolate different environments:
production - Production tenant
staging - Staging environment
development - Development/test
demo - Demo/sandbox tenant
Default profile selection prevents accidents
Environment variable override requires explicit opt-in

Logging and Output¶

Log Levels¶

Configure logging with LOG_LEVEL:

# Minimal logging (errors only)
LOG_LEVEL=error f5xc-api-mcp

# Production logging
LOG_LEVEL=info f5xc-api-mcp

# Debug logging (includes request/response details)
LOG_LEVEL=debug f5xc-api-mcp

Credential Redaction¶

The system automatically redacts sensitive information:

API tokens shown as *** with last 4 characters
P12 passwords never logged
Full URLs shown (contains tenant name, not secrets)

Audit Logging¶

Enable comprehensive logging for audit trails:

LOG_LEVEL=info F5XC_API_TOKEN=xxx f5xc-api-mcp > audit.log 2>&1

Review logs for:

Unexpected authentication failures
API calls to sensitive operations
Profile switching events
Error conditions

Incident Response¶

Compromised Token¶

If you suspect an API token is compromised:

Immediate Actions:

# Remove the profile file
rm ~/.config/f5xc/profiles/compromised-profile.json

# Clear from environment
unset F5XC_API_TOKEN

In F5XC Console:
Revoke the compromised token
Create a new token with the same scope
Update all profiles using the old token
Review Activity:
Check audit logs for unauthorized API calls
Verify all resources are in expected state
Check for any suspicious modifications

Compromised Certificate¶

If your P12 certificate is compromised:

Immediate Actions:

# Remove the profile file
rm ~/.config/f5xc/profiles/compromised-cert.json

# Delete the certificate file securely
shred -vfz -n 10 certificate.p12

In F5XC Console:
Revoke the certificate
Issue a new certificate with different key
Update profiles with new certificate path
Review Activity:
Check which mTLS connections used the certificate
Verify timestamp of last legitimate use
Check for any suspicious API activity

File System Compromise¶

If ~/.config/f5xc/ is compromised:

Immediate Actions:

# Remove all profiles immediately
rm -rf ~/.config/f5xc/profiles/
rm ~/.config/f5xc/active_profile

Revoke All Credentials:
Revoke all API tokens in F5XC Console
Revoke all certificates
Create new tokens/certificates
Rebuild Profiles: Use the f5xc-api-configure-auth MCP tool through your AI assistant to recreate profiles.

Compliance and Auditing¶

Security Checklist¶

Audit Trail¶

Maintain audit trail of:

Profile creation and modification times
Token issuance and rotation dates
Certificate expiration dates
API calls made through each profile
Any permission errors or security warnings

Regular Reviews¶

Monthly:

Review profile list
Check for unused profiles
Verify audit logs for suspicious activity

Quarterly:

Rotate API tokens
Review certificate expiration dates
Update security procedures if needed
Audit all CI/CD integrations

Security Contacts¶

If you discover a security vulnerability in f5xc-api-mcp:

Do not open a public GitHub issue
Do contact the maintainer privately
Provide:
Description of the vulnerability
Steps to reproduce
Potential impact
Suggested remediation

Additional Resources¶

Version History¶

v3.0.0 - Profile-based configuration with secure file permissions
v2.0.x - Environment variable support
v1.x.x - Initial release