Changing the database encryption key
Replace the value of the secret that is used for encrypting database fields in the Management subsystem.
About this task
This update does not require an outage; however, some operations might take longer than usual because of database locking while the fields are re-encrypted.
Procedure
- Create a secret rotation CR that specifies the name of your management cluster. You can optionally specify the name of a secret containing the new encryption_secret.bin, as shown in the following example, or you can omit it so that a new key is generated automatically.

    apiVersion: management.apiconnect.ibm.com/v1beta1
    kind: ManagementSecretRotation
    metadata:
      name: rotate-secret
    spec:
      managementCluster: management
      rotateEncryptionSecret:
        rotate: true
        # encryptionSecret: name_of_secret

  Note: If you upgraded from V2018, the database encryption key was carried forward and is called managementUpgradeName-encryption-secret.
- Run the following command to apply the CR and change the secret:

    kubectl -n namespace create -f rotate_secret.yaml

  where:
  - namespace is the namespace where you installed the Management subsystem.
  - rotate_secret.yaml is the name of the file containing the CR. Notice that the file name does not have to match the value of the name specified in the CR.
- Verify that the secret was generated using one of the following methods:
  - Run the kubectl get job command and verify that the results include a job for the new CR. The job is named based on the management cluster name and the CR name, using the following format: managementCluster-crName. For the example CR rotate-secret created for the management cluster, the job is named management-rotate-secret.
  - Look in the pod logs of the apiconnect operator and locate the record with the name that you specified in the kind field in the CR, and check its progress. For the example CR, the kind value is "ManagementSecretRotation". You can also use the log to verify that database tables were updated.
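The three steps above can be scripted end to end. The following is an added example, not part of the IBM documentation or the apiconnect operator: it renders the ManagementSecretRotation CR, applies it with kubectl, derives the expected job name from the managementCluster-crName pattern described above, and waits for that job to complete. It assumes kubectl is on PATH and already points at the cluster; the CR name, cluster name and optional secret name are supplied as arguments.

```shell
#!/bin/sh
# Added example (not from the IBM API Connect documentation). Assumes kubectl is
# configured for the target cluster and that the rotation job is named
# managementCluster-crName, as the procedure states.

# Render the ManagementSecretRotation CR to stdout.
#   $1 = CR name, $2 = management cluster name,
#   $3 = (optional) existing Secret holding the new encryption_secret.bin;
#        when omitted the operator generates a new key automatically.
render_rotation_cr() {
    cr_name=$1
    mgmt_cluster=$2
    secret_name=${3:-}
    printf 'apiVersion: management.apiconnect.ibm.com/v1beta1\n'
    printf 'kind: ManagementSecretRotation\n'
    printf 'metadata:\n  name: %s\n' "$cr_name"
    printf 'spec:\n  managementCluster: %s\n' "$mgmt_cluster"
    printf '  rotateEncryptionSecret:\n    rotate: true\n'
    if [ -n "$secret_name" ]; then
        printf '    encryptionSecret: %s\n' "$secret_name"
    fi
}

# Name of the job the operator creates for the CR: managementCluster-crName.
#   $1 = CR name, $2 = management cluster name
expected_job_name() {
    printf '%s-%s' "$2" "$1"
}

# Apply the CR and block until the rotation job reports completion.
#   $1 = namespace, $2 = CR name, $3 = management cluster name,
#   $4 = (optional) Secret holding the new key
# Returns non-zero if the create fails or the job does not complete in time
# (a failed job is reported as a timeout; check the operator log in that case).
rotate_encryption_secret() {
    ns=$1
    cr_name=$2
    mgmt_cluster=$3
    secret_name=${4:-}
    render_rotation_cr "$cr_name" "$mgmt_cluster" "$secret_name" > rotate_secret.yaml
    kubectl -n "$ns" create -f rotate_secret.yaml || return 1
    job=$(expected_job_name "$cr_name" "$mgmt_cluster")
    kubectl -n "$ns" wait --for=condition=complete --timeout=30m "job/$job"
}

# Usage (constructed values):
#   rotate_encryption_secret apic rotate-secret management
#   rotate_encryption_secret apic rotate-secret management my-new-encryption-secret
```

Keep the rendered rotate_secret.yaml for change records; the file name is independent of the metadata.name, so a dated file name is a reasonable choice.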
If you installed API Connect on VMware and you want to update the management encryption secret, you can now use the apicup command to rotate the encryption secret without needing to open a support case. For a standalone installation, run the following command:

    apicup subsys rotate-secrets <stack-name> --rotate-encryption-secret

For a 2DC setup, run the following command against the active stack:

    apicup subsys rotate-secrets <active-stack-name> --rotate-encryption-secret
- Run the