Changing the registration client_id and client_secret for applications

Change the registration credentials (the client_id and client_secret) for applications provided by the management subsystem.

About this task

Update the application registration client_id and client_secret by changing the Kubernetes secret containing them. The apim file-watcher detects the change and automatically updates the following secrets in the database:

  • toolkit: management-cli-cred (Customer facing)

    When you update the secret for the toolkit, users must download and install new toolkit credentials as explained in Installing the toolkit.

  • consumer-toolkit: management-ccli-cred (Customer facing)

    When you update the secret for the toolkit, users must download and install new toolkit credentials as explained in Installing the toolkit.

  • designer: management-dsgr-cred (Customer facing)

    When you update the secret for API Designer, users must download and install new credentials as explained in Installing the toolkit.

  • atm: management-atm-cred (Internal)
  • governance: management-governance-cred (Internal)
  • consumer-ui: management-cui-cred (Internal)
  • juhu: management-juhu-cred (Internal)
  • ui: management-ui-cred (Internal)

    The API Manager and Cloud Manager read the credentials from the back-end on start-up.

When you update registration credentials, the registration name that is associated with the updated secret changes. Table 1 lists the registration secrets with the default registration name and the pattern used for generating updated registration names for each secret. The new registration names follow the patterns shown in the table. The second and subsequent updates append a number to the name; for example, toolkit-application-registration, toolkit-application-registration0 and then toolkit-application-registration1.

Table 1. Secret names and the corresponding default, and new, registration names for each secret

  Secret                       Default registration name   New registration name pattern
  management-cli-cred          toolkit-default             toolkit-application-registration*
  management-ccli-cred         consumer-toolkit-default    consumer-toolkit-application-registration*
  management-dsgr-cred         designer-default            designer-registration*
  management-atm-cred          atm-default                 atm-default*
  management-governance-cred   compliance-default          compliance-default*
  management-cui-cred          consumer-ui-default         consumer-ui-default*
  management-juhu-cred         juhu-default                juhu-default*
  management-ui-cred           ui-default                  ui-default*

Procedure

  1. To update internal credentials, complete the following steps:
    1. Create a ManagementSecretRotation CR (for example, operationcr.yaml) with contents similar to the following example, and list the secrets that you want to update:
      apiVersion: management.apiconnect.ibm.com/v1beta1
      kind: ManagementSecretRotation
      metadata:
        name: rotate-credentials
      spec:
        managementCluster: management
        rotateClientIDandSecret:
          secrets:
          - management-ui-cred
          - management-cui-cred
          - management-juhu-cred
          - management-atm-cred
    2. Apply the CR by running the following command:
      kubectl create -f operationcr.yaml -n namespace

      where:

      • namespace is the namespace where you installed the management subsystem
      • operationcr.yaml is the file that contains the CR

    Applying the resource updates the credential for the specified secrets with new values.

  2. To update customer-facing credentials, complete the following steps:
    1. For each of the credential secrets, run the following command to update the client_id and client_secret:
      kubectl edit secret credential_secret_name -n namespace
      where:
      • namespace is the namespace where the management subsystem is installed.
      • credential_secret_name is the name of the secret that you want to update.

      The response opens the secret in a text editor as shown in the following example:

      apiVersion: v1
      data:
        credential.json: eyAiaWQiOiAiNTY3MTYyNjYtZDE0Zi00ODZmLWI0MWYtZTE3MzZkZTg3NjE0IiwgInNlY3JldCI6ICJmYjU5MDdhNy0zMjZjLTQ4ZWYtYjQ0ZC1hMTI5ZmZkMzNiMTEiIH0=
      

      In the secret, the value of credential.json is a base64-encoded JSON string that contains an id and a secret. Decode it first, modify the values of id and secret, encode the result as base64 again, and paste it back into the secret. Either id or secret or both can be updated, but if the credentials have been compromised it's recommended to update both id and secret. The following steps show an example.

    2. Decode the value of credential.json.

      To decode the value, copy it from the secret in step 2a, and paste it between the quotation marks as the encoded_value in the following command:

      echo "encoded_value" | base64 --decode

      Using the value shown in step 2a, the command looks like the following example:

      echo "eyAiaWQiOiAiNTY3MTYyNjYtZDE0Zi00ODZmLWI0MWYtZTE3MzZkZTg3NjE0IiwgInNlY3JldCI6ICJmYjU5MDdhNy0zMjZjLTQ4ZWYtYjQ0ZC1hMTI5ZmZkMzNiMTEiIH0=" | base64 --decode
      
      The response displays decoded values of the id and secret, as in the following example:
      { "id": "56716266-d14f-486f-b41f-e1736de87614", "secret": "fb5907a7-326c-48ef-b44d-a129ffd33b11" }
    3. Update the values of id and secret.
      You can use any string that meets the following requirements:
      • The id (it becomes client_id) must be unique across all credentials in your entire deployment.
      • The values must be enclosed in straight quotation marks. To make sure you use the correct character, create the values in a plain text editor.
    4. Encode the updated id and secret as base64 by running the following command:
      echo -n '{ "id": "new_id", "secret": "new_secret" }' | base64

      Replace new_id and new_secret with your updated values. For example:

      echo -n '{ "id": "21034840-b439-a393-4482-a948bcb39603", "secret": "43450ab9-4038-acf0-0498-793b29ade396" }' | base64
      The command returns the following base64-encoded value:
      eyAiaWQiOiAiMjEwMzQ4NDAtYjQzOS1hMzkzLTQ0ODItYTk0OGJjYjM5NjAzIiwgInNlY3JldCI6ICI0MzQ1MGFiOS00MDM4LWFjZjAtMDQ5OC03OTNiMjlhZGUzOTYiIH0=
    5. Paste the newly coded value for credential.json into the secret.
    6. Save the secret.
      When you save the secret, the logs in the apim pods indicate that a new registration was created. For example, if the client_id changed, messages similar to the following appear:
      2020-09-14T09:55:58.331Z bhendi:audit [ce64fd50-e4de-4cfb-baa7-7379a892b2c9] Created internal resource "Registration" 'toolkit-application-registration-0 (Toolkit Application Registration)' (id=ffc3c398-a008-403a-aa0a-218604dc99c2, url=/api/cloud/registrations/ffc3c398-a008-403a-aa0a-218604dc99c2, namespace=cloud)
      2020-09-14T09:55:58.331Z audit [ce64fd50-e4de-4cfb-baa7-7379a892b2c9] Creating a new registration for type, toolkit, with client_id: toolkit-client-id-2.
      ...
      2020-09-14T09:58:15.375Z bhendi:audit [b3edcdd8-2d55-445f-a386-5b92068bf5bd] Created internal resource "Registration" 'consumer-toolkit-application-registration (Consumer Toolkit Application Registration)' (id=3b51aba6-c365-4fc0-bc4f-371de99d2c18, url=/api/cloud/registrations/3b51aba6-c365-4fc0-bc4f-371de99d2c18, namespace=cloud)
      2020-09-14T09:58:15.375Z audit [b3edcdd8-2d55-445f-a386-5b92068bf5bd] Creating a new registration for type, consumer_toolkit, with client_id: consumer-toolkit-client-id.
      ...
      2020-09-14T10:42:40.464Z bhendi:audit [f1036cb9-a255-445f-a655-35cfb8de317c] Created internal resource "Registration" 'designer-registration (Designer Registration)' (id=c44b51a7-731d-42d4-ad93-961ebbd6f5b0, url=/api/cloud/registrations/c44b51a7-731d-42d4-ad93-961ebbd6f5b0, namespace=cloud)
      2020-09-14T10:42:40.464Z audit [f1036cb9-a255-445f-a655-35cfb8de317c] Creating a new registration for type, designer, with client_id: designer-client-id.
      ...
      2020-09-14T10:50:38.377Z bhendi:audit [28336f83-622d-4928-8b2a-3597991e3842] Created internal resource "Registration" 'test-and-monitor (Test and Monitor)' (id=a9810cc6-bb54-4ab5-be62-3833038df26e, url=/api/cloud/registrations/a9810cc6-bb54-4ab5-be62-3833038df26e, namespace=cloud)
      2020-09-14T10:50:38.377Z audit [28336f83-622d-4928-8b2a-3597991e3842] Creating a new registration for type, atm, with client_id: atm-client-id.
      ...
      2020-09-14T10:57:11.377Z bhendi:audit [490181e1-017f-49cf-83dc-58fe148ec1cb] Created internal resource "Registration" 'consumer-user-interface-registration (Consumer User Interface Registration)' (id=5be9e542-1424-4a5b-877e-dd28da898f58, url=/api/cloud/registrations/5be9e542-1424-4a5b-877e-dd28da898f58, namespace=cloud)
      2020-09-14T10:57:11.377Z audit [490181e1-017f-49cf-83dc-58fe148ec1cb] Creating a new registration for type, consumer_ui, with client_id: cui-client-id.
      ...
      2020-09-14T10:58:53.404Z bhendi:audit [298b3940-23b1-4ed5-b8a7-532af66699c5] Created internal resource "Registration" 'juhu-application-registration (Juhu Application Registration)' (id=92698052-aca0-4d06-8ad3-21ed26a13734, url=/api/cloud/registrations/92698052-aca0-4d06-8ad3-21ed26a13734, namespace=cloud)
      2020-09-14T10:58:53.404Z audit [298b3940-23b1-4ed5-b8a7-532af66699c5] Creating a new registration for type, juhu, with client_id: juhu-client-id.
      ...
      2020-09-14T11:00:52.377Z bhendi:audit [866bb70b-3bb5-4ac3-9a59-0b60ade7feb2] Created internal resource "Registration" 'user-interface-registration (User Interface Registration)' (id=bb02b3bf-5e80-4547-842e-e60f4aa1d0ce, url=/api/cloud/registrations/bb02b3bf-5e80-4547-842e-e60f4aa1d0ce, namespace=cloud)
      2020-09-14T11:00:52.377Z audit [866bb70b-3bb5-4ac3-9a59-0b60ade7feb2] Creating a new registration for type, ui, with client_id: ui-client-id.
    7. If the response shows any errors, you must correct the errors.

      When the logs show no errors, the saved values are updated in the management subsystem's database.

    8. Confirm that the new registration exists in the registrations list by running the following toolkit CLI command:
      apic --server server registrations:list

      where server is the management server endpoint URL.

    9. Verify that the updated registration is now in effect by running the following toolkit CLI command:
      apic --server server registrations:get new_registration_name --output -
      where:
      • server is the management server endpoint URL
      • new_registration_name is the new registration name (including any numeric suffix) following the patterns in Table 1.
    10. Save the old registration (refer to Table 1 to determine the previous registration's file name) in case you need it when restoring an older backup.

      Restoring a backup restores the registration credentials (client_id, client_secret) that were in use at the time that the selected backup was created.

    11. If you updated the registration credentials for API Designer or the toolkit, inform users so they can download new credentials.

      Users can download and set up new credentials as explained in Installing the toolkit. Other credentials are updated automatically and require no actions from the user.
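The decode, update and re-encode steps (2a to 2d) and the audit-log check in step 2f, as an added Python example that is not part of the original IBM documentation or the API Connect code base. The sample credential.json value and the audit lines are copied from the steps above (plus one constructed unrelated log line); the character policy for new values (printable ASCII, no quote characters) is an assumed, conservative reading of the step 2c requirements, and the correlation of the two audit lines by the bracketed request id is an assumption about the log format rather than a documented contract.

```python
import base64
import json
import re

# Constructed sample: the credential.json value shown in step 2a of the page.
ENCODED_CREDENTIAL = (
    "eyAiaWQiOiAiNTY3MTYyNjYtZDE0Zi00ODZmLWI0MWYtZTE3MzZkZTg3NjE0IiwgInNlY3JldCI6"
    "ICJmYjU5MDdhNy0zMjZjLTQ4ZWYtYjQ0ZC1hMTI5ZmZkMzNiMTEiIH0="
)

# Assumed policy: refuse quote characters inside an id or secret. Curly quotes
# from a word processor are non-ASCII, so the isascii() test catches them too.
FORBIDDEN = set('"\\\u201c\u201d\u2018\u2019')


def decode_credential(encoded: str) -> dict:
    """Decode a credential.json value (step 2b) and check it has the expected shape."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    cred = json.loads(raw)
    if set(cred) != {"id", "secret"}:
        raise ValueError("credential.json must contain exactly 'id' and 'secret'")
    return cred


def check_new_values(new_id: str, new_secret: str, existing_ids) -> None:
    """Apply the step 2c requirements: unique id, plain straight-quoted strings."""
    for name, value in (("id", new_id), ("secret", new_secret)):
        if not value:
            raise ValueError(f"{name} must not be empty")
        if not value.isascii() or not value.isprintable() or FORBIDDEN & set(value):
            raise ValueError(f"{name} must be printable ASCII without quote characters")
    if new_id in existing_ids:
        raise ValueError("id must be unique across all credentials in the deployment")


def encode_credential(new_id: str, new_secret: str) -> str:
    """Build the base64 value to paste into the secret (step 2d), using the
    same '{ "id": ..., "secret": ... }' layout the page shows."""
    payload = f'{{ "id": "{new_id}", "secret": "{new_secret}" }}'
    json.loads(payload)  # must still be valid JSON before it goes into the secret
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def rotate_credential(encoded: str, new_id: str, new_secret: str, existing_ids=()) -> str:
    """Decode, validate and re-encode; returns the replacement credential.json value.
    existing_ids is the set of ids already used by other credentials (assumed input)."""
    current = decode_credential(encoded)
    # Keeping the current id while changing only the secret is allowed.
    others = set(existing_ids) - {current["id"]}
    check_new_values(new_id, new_secret, others)
    return encode_credential(new_id, new_secret)


# Audit lines written by the apim pods when a registration is created (step 2f).
CREATED_RE = re.compile(
    r"\[(?P<req>[0-9a-f-]{36})\] Created internal resource \"Registration\" '(?P<name>\S+) "
)
NEW_REG_RE = re.compile(
    r"\[(?P<req>[0-9a-f-]{36})\] Creating a new registration for type, (?P<type>\w+), "
    r"with client_id: (?P<client_id>.+?)\.?\s*$"
)

# Constructed sample log: two pairs copied from step 2f plus one unrelated line.
SAMPLE_LOG = [
    "2020-09-14T09:55:58.331Z bhendi:audit [ce64fd50-e4de-4cfb-baa7-7379a892b2c9] Created internal resource "
    "\"Registration\" 'toolkit-application-registration-0 (Toolkit Application Registration)' "
    "(id=ffc3c398-a008-403a-aa0a-218604dc99c2, url=/api/cloud/registrations/ffc3c398-a008-403a-aa0a-218604dc99c2, namespace=cloud)",
    "2020-09-14T09:55:58.331Z audit [ce64fd50-e4de-4cfb-baa7-7379a892b2c9] Creating a new registration for type, toolkit, with client_id: toolkit-client-id-2.",
    "2020-09-14T09:56:01.002Z bhendi:info [ce64fd50-e4de-4cfb-baa7-7379a892b2c9] file-watcher: secret reloaded (constructed line)",
    "2020-09-14T09:58:15.375Z bhendi:audit [b3edcdd8-2d55-445f-a386-5b92068bf5bd] Created internal resource "
    "\"Registration\" 'consumer-toolkit-application-registration (Consumer Toolkit Application Registration)' "
    "(id=3b51aba6-c365-4fc0-bc4f-371de99d2c18, url=/api/cloud/registrations/3b51aba6-c365-4fc0-bc4f-371de99d2c18, namespace=cloud)",
    "2020-09-14T09:58:15.375Z audit [b3edcdd8-2d55-445f-a386-5b92068bf5bd] Creating a new registration for type, consumer_toolkit, with client_id: consumer-toolkit-client-id.",
]


def registrations_from_logs(lines, expected_types):
    """Correlate the two audit lines by request id and report which of the
    expected registration types did not get a new registration."""
    names = {}    # request id -> registration name
    created = {}  # type -> (registration name, client_id)
    for line in lines:
        m = CREATED_RE.search(line)
        if m:
            names[m.group("req")] = m.group("name")
            continue
        m = NEW_REG_RE.search(line)
        if m:
            created[m.group("type")] = (names.get(m.group("req")), m.group("client_id"))
    missing = sorted(set(expected_types) - created.keys())
    return created, missing


if __name__ == "__main__":
    print(decode_credential(ENCODED_CREDENTIAL))
    print(rotate_credential(ENCODED_CREDENTIAL,
                            "21034840-b439-a393-4482-a948bcb39603",
                            "43450ab9-4038-acf0-0498-793b29ade396"))
    print(registrations_from_logs(SAMPLE_LOG, ["toolkit", "consumer_toolkit", "designer"]))
```

Feed `rotate_credential` the value copied from `kubectl edit`, the new id and secret, and the ids of the other credentials you already have; its return value is what goes back into credential.json. After saving, pipe the apim pod log into `registrations_from_logs` with the types you rotated; an entry in `missing` means the file-watcher did not create a registration for that type and the secret should be checked before moving on to step 2h.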