Changing the database encryption key

Replace the value of the secret that is used for encrypting database fields in the Management subsystem.

About this task

This update does not require an outage; however some operations might take longer than usual due to database locking.

Procedure

  1. Create a secret rotation CR that specifies the name of your management cluster.

    You can optionally specify the name of a secret containing the new encryption_secret.bin as shown in the following example, or you can omit it so that a new key is generated automatically.

    apiVersion: management.apiconnect.ibm.com/v1beta1
kind: ManagementSecretRotation
metadata:
  name: rotate-secret
spec:
  managementCluster: management
  rotateEncryptionSecret:
    rotate: true
    # encryptionSecret: name_of_secret
    Note: If you upgraded from V2018, the database encryption key was carried forward and is called managementUpgradeName-encryption-secret.
  2. Run the following command to apply the CR and change the secret: 
    kubectl -n namespace create -f rotate_secret.yaml
    where:
    • namespace is the namespace where you installed the Management subsystem.
    • rotate_secret.yaml is the name of the file containing the CR. Notice that the file name does not have to match the value of the name specified in the CR.
  3. Verify that the secret was generated using one of the following methods:
    • Run the kubectl get job command and verify that the results include a job for the new CR.

      The job is named based on the management cluster name and the CR name, using the following format: managementCluster-crName. For the example CR rotate-secret created for the management cluster, the job is named management-rotate-secret.

    • Look in the pod logs of the apiconnect operator and locate the record with the name that you specified in the kind field in the CR, and check its progress. For the example CR, the kind value is "ManagementSecretRotation".

      You can also use the log to verify that database tables were updated.

    If you installed API Connect on VMware and if you want to update the management encryption secret on VMware, then you can now use the apicup command to rotate the encryption secret without needing to open a support case. For a standalone installation, run the following command:
    apicup subsys rotate-secrets <stack-name> --rotate-encryption-secret
    For 2DC setup, run the following command:
    apicup subsys rotate-secrets <active-stack-name> --rotate-encryption-secret