Rotating the portal intra-subsystem certificates on VMware

Use the apicup command to rotate the portal intra-subsystem certificates.

The portal's intra-subsystem certificates (portal-ca, portal-client, and portal-server) are not shown in the apicup certs list output and cannot be updated with apicup certs set. To renew these certificates, use the apicup subsys rotate-secrets command.
Warning: The portal intra-subsystem certificates are internal certificates that are created and renewed automatically. Renewing these certificates with apicup subsys rotate-secrets is only necessary in specific failure scenarios and should be done only if advised by IBM support.
To rotate the Developer Portal subsystem secrets, certificates, or both, run the following command:
apicup subsys rotate-secrets portal
Rotate portal subsystem secrets

Usage:
  apicup subsys rotate-secrets SUBSYS [flags]

Flags:
      --certs strings              List of certificates you want to rotate (Listing an issuer will rotate any certs issued by the issuer e.g listing just portal-ca will rotate portal-ca, portal-client and portal-server)
      --encryption-secret string   Optional value to set the encryption secret to, if supplied secret exists in the env. If not supplied the rotated secret will be random.
  -h, --help                       help for rotate-secrets
      --rotate-encryption-secret   Set to true if you want to rotate the encryption secret.
      --wait                       Wait for the operation to complete or fail.
      --wait-timeout duration      Command timeout in seconds. (default 40s)

Global Flags:
      --accept-license   Deprecated. Use apicup licenses commands to work with licenses
      --debug            Enable debug logging
For example, to rotate the encryption secret to a random value, run the following command:
Note: This command applies to both standalone and 2DC environments.
apicup subsys rotate-secrets portal --rotate-encryption-secret true
The following example rotates the encryption secret to a named secret:
Note: You must first exec into the Developer Portal OVA to create the secret. This command also applies to 2DC environments; in a 2DC setup, the secret must be in the active environment.
apicup subsys rotate-secrets portal --rotate-encryption-secret --encryption-secret my-new-secret
The following example rotates all of the Developer Portal certificates:
apicup subsys rotate-secrets portal --certs portal-ca
The following example rotates just the server and client certificates:
apicup subsys rotate-secrets portal --certs portal-server,portal-client
To list any Developer Portal secret rotations that were created by using the rotate-secrets command, run the following command:
apicup subsys list-rotate-secrets portal --timeout 30
Where:
  • portal is the name of your Developer Portal subsystem.
  • --timeout (optional) is the duration in seconds of the command timeout. Default is 40 seconds.
To delete any Developer Portal secret rotations that were created by using the rotate-secrets command, run the following command:
apicup subsys delete-rotate-secret portal --rotate-secret-name secret_name --wait true --wait-timeout 80
Delete a secret rotation of the subsystem

Usage:
  apicup subsys delete-rotate-secret SUBSYS [flags]

Flags:
  -h, --help                        help for delete-rotate-secret
      --rotate-secret-name string   Value of a Portal Secret Rotation CR name to delete.
      --wait                        Wait for the operation to complete or fail.
      --wait-timeout duration       Command timeout in seconds. (default 1m0s)

Global Flags:
      --accept-license   Deprecated. Use apicup licenses commands to work with licenses
      --debug            Enable debug logging