OVA : Enhancements to Encryption Secret Rotation for Management and Portal

By Lekshmi A M posted Mon April 28, 2025 01:25 AM

  

Are you an API Connect user managing your appliance in an OVA environment? If so, you're likely responsible for rotating encryption secrets for both the Management and Portal subsystems. Rotating these secrets helps maintain the security and integrity of your API Connect environment.

In this blog post, we'll tackle the complexities of rotating encryption secrets in API Connect v10.0.8.1 and earlier versions. We'll then highlight the significant enhancements introduced in v10.0.8.2, which simplify the encryption secret rotation process for API Connect users. Regardless of whether you're managing Standalone or 2DCDR setups, or handling the Management and Portal subsystems, this post will equip you with the essential steps to effortlessly rotate encryption secrets in your API Connect appliance. Let's dive in and simplify your encryption secret rotation process!

Challenges with Management Encryption Secret Rotation in API Connect v10.0.8.1 and Earlier

In API Connect v10.0.8.1 and earlier versions, managing encryption secret rotation in the OVA environment using apicup presented several challenges. The primary issue stemmed from the fact that apicup derived secret names from their content, while the CR field spec.encryptionSecret.secretName was immutable. This made it difficult for customers to rotate their encryption secrets without contacting IBM Support.
The process involved manually changing the management encryption secret, which would result in apicup attempting to set a new secret name with the updated encryption key in the management CR. However, due to the immutability of the secretName field, this approach was not feasible.
To address this, an "original-encryption-secret" was introduced in v10.0.8.1. This secret was automatically set to the current encryption secret if empty and remained untouched thereafter. The original-encryption-secret's hash was then used to ensure that the computed name of the encryption-secret remained consistent.

Despite these improvements, manual steps (Kubernetes operations) were still required to trigger the rotation using the installer. These steps included:

Manual steps to be followed in 10.0.8.1:
1. Rotate the secret using the secret rotation CR:
    apiVersion: management.apiconnect.ibm.com/v1beta1
    kind: ManagementSecretRotation
    metadata:
      name: rotate-secret
    spec:
      managementCluster: management
      rotateEncryptionSecret:
        rotate: true

2. Extract the newly created secret:
    kubectl get secret <mgmt_sec_name> --template='{{ index .data "encryption_secret.bin" }}' | base64 -d > secret.txt

3. Set the new secret with the help of apicup:
    apicup certs set <stack-name> encryption-secret secret.txt

Whenever commands such as "apicup subsys install mgmt" are used afterwards, the management CR continues to refer to the original encryption secret name.
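The three 10.0.8.1 steps above, wrapped in a POSIX shell script that waits for the rotation to produce the new secret and refuses to hand apicup an empty or unchanged key. This is an added example, not code from the blog post or from IBM; it assumes kubectl and apicup are on PATH, and the secret name, stack name and previous key file are passed in (the <mgmt_sec_name> and <stack-name> placeholders from the post).

```shell
# Added example, not code from the blog post: the 10.0.8.1 manual steps wrapped
# in a script that checks the new key before handing it to apicup. Assumptions:
# kubectl and apicup are on PATH; $3 is the secret the rotation creates
# (the <mgmt_sec_name> placeholder from the post).
set -eu
# Step 1: emit the ManagementSecretRotation CR for the given cluster name.
rotation_cr_yaml() {
  cat <<EOF
apiVersion: management.apiconnect.ibm.com/v1beta1
kind: ManagementSecretRotation
metadata:
  name: rotate-secret
spec:
  managementCluster: $1
  rotateEncryptionSecret:
    rotate: true
EOF
}
# Step 2: decode encryption_secret.bin from a secret into a file.
extract_secret() {  # $1 = secret name, $2 = output file
  kubectl get secret "$1" --template='{{ index .data "encryption_secret.bin" }}' \
    | base64 -d > "$2"
}

# Never feed apicup an empty key, or (when the previous key file is given)
# one that did not change: both mean the rotation did not take effect.
verify_rotated() {  # $1 = new key file, $2 = previous key file (optional)
  [ -s "$1" ] || { echo "new encryption secret is empty" >&2; return 1; }
  if [ -n "${2:-}" ] && [ -f "$2" ] && cmp -s "$1" "$2"; then
    echo "encryption secret unchanged: rotation did not take effect" >&2; return 1
  fi
}

# Steps 1-3 end to end. $1 = stack name, $2 = management cluster name,
# $3 = secret created by the rotation, $4 = previous key file (optional).
rotate_management_secret() {
  rotation_cr_yaml "$2" | kubectl apply -f -
  n=0   # wait up to ~5 minutes for the operator to create the new secret
  until kubectl get secret "$3" >/dev/null 2>&1; do
    n=$((n + 1)); [ "$n" -lt 60 ] || { echo "timed out waiting for $3" >&2; return 1; }
    sleep 5
  done
  extract_secret "$3" secret.txt
  verify_rotated secret.txt "${4:-}"
  apicup certs set "$1" encryption-secret secret.txt   # step 3
}
# Live run only on request: RUN_ROTATION=1 STACK_NAME=... NEW_SECRET_NAME=... sh rotate.sh
if [ "${RUN_ROTATION:-0}" = 1 ]; then
  rotate_management_secret "$STACK_NAME" management "$NEW_SECRET_NAME" "${OLD_KEY_FILE:-}"
fi
```

Keep the previous secret.txt that apicup currently holds and pass it as OLD_KEY_FILE so the unchanged-key check can run; the script leaves the new key in secret.txt in the working directory.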

Improvements in v10.0.8.2: Simplified Encryption Secret Rotation
Recognising the complexity introduced by additional Kubernetes operations for VMware users, API Connect v10.0.8.2 introduced a new apicup command to simplify encryption secret rotation across different environments and subsystems. This command can be used for both Standalone and 2DCDR setups, as well as for the Management and Portal subsystems.

Standalone
apicup subsys rotate-secrets <stack-name> --rotate-encryption-secret

2DCDR
apicup subsys rotate-secrets <active-stack-name> --rotate-encryption-secret


The above applies to the Portal subsystem as well as the Management subsystem.
For the Portal subsystem, if you want to set the encryption secret to a specific value, create the secret in the environment (in the active environment for a 2DCDR setup) and pass it with the --encryption-secret flag.
These enhancements streamline the encryption secret rotation process, making it more accessible and user-friendly for API Connect users.
