Revoking or replacing the usage metering API key

You can revoke the API key for usage metering and generate a new key.

Important: If you generate a new usage metering API key, then you must update your Liberty and WebSphere Application Server server configurations to use the new API key.

About this task

The product supports one usage metering API key. You can revoke the usage metering API key and generate a new one by deleting the secret and the service account that is associated with it. Use the Red Hat OpenShift console or CLI (oc) commands to delete the service account.

The service account name uses the WebSphereSecure_CR_name-metering-apis-sa naming convention, where WebSphereSecure_CR_name is the WebSphereSecure custom resource name.

The token that is used for the usage metering API key is encrypted with an AES key. The operator generates and stores this key inside a secret named WebSphereSecure_CR_name-crypto. Deleting this secret causes a new encryption key to be generated, and also changes the usage metering API key. Recall that if you change the usage metering API key, you must update your Liberty and WebSphere Application Server server configurations to use the new API key.

Procedure

  • Generate a usage metering API key with the Red Hat OpenShift console.
    1. Optional: To generate a new encryption key and change the usage metering API key, delete the AES key that is used to encrypt the token for the usage metering API key.
      1. Click Workloads > Secrets.
      2. In the search field, type crypto.
      3. Select the secret with the name WebSphereSecure_CR_name-crypto (where WebSphereSecure_CR_name is the name of the WebSphereSecure custom resource).
      4. Click Actions > Delete Secret.
    2. Click User Management > Service Account.
    3. From the list of service accounts, find the usage metering service account.
      You can filter the list of service accounts by entering metering-apis-sa into the search field.
    4. Delete the service account. Click Actions > Delete ServiceAccount.
  • Generate a usage metering API key with the Red Hat OpenShift CLI.
    1. Optional: Get the usage metering service account name. 
      oc get serviceaccount | grep metering-apis-sa
    2. Optional: To generate a new encryption key and change the usage metering API key, delete the AES key that is used to encrypt the token for the usage metering API key.

      Replace WebSphereSecure_CR_name with the name of the WebSphereSecure custom resource and then run the delete command.

      oc delete secret WebSphereSecure_CR_name-crypto

      The following example shows the command when the WebSphereSecure custom resource name is wsa-secure.

      oc delete secret wsa-secure-crypto
    3. Delete the service account.

      Replace WebSphereSecure_CR_name with the name of the WebSphereSecure custom resource and then run the delete command.

      oc delete serviceaccount WebSphereSecure_CR_name-metering-apis-sa

      The following example shows the command when the WebSphereSecure custom resource name is wsa-secure and the service account name is wsa-secure-metering-apis-sa.

      oc delete serviceaccount wsa-secure-metering-apis-sa

Results

After successful deletion of the service account, the serviceaccount "WebSphereSecure_CR_name-metering-apis-sa" deleted message is shown and the operator generates a new service account with the same name.

A new encrypted token value is generated in the WebSphereSecure_CR_name-metering-apis-encrypted-tokens secret.