Enabling encrypted LUR user data sync
Enable sensitive data (passwords) of members belonging to a LUR configured for a catalog to be synced between the source cluster and the target cluster.
About this task
An LUR (Local User Registry) can be configured with a JWKS (JSON Web Key Set) to enable the encryption and decryption of sensitive user data. The JWKS is added to the organization in the target API Connect cluster that contains the LUR configured with the target catalog, and is then assigned to that LUR. Next, the public key of the JWKS is added to the corresponding LUR in the source cluster. Once configured, subsequent runs of the Config Sync retrieve the encrypted user data from the source and sync it with the target.
Procedure
Configure a JWKS for the target LUR:
Provide the target LUR's JWK public key to the corresponding LUR in the source deployment:
Results
The LUR in your source catalog is now configured to encrypt sensitive user data, and the LUR in your target catalog is configured to both encrypt and decrypt the sensitive data.
The next time that you run Config Sync, the sensitive data (passwords) of users in the LUR will be synced from the source to the target to enable consumer org members to log into the target cluster using the same password.
What to do next
(Optional) Configure support for sensitive data with a reverse sync:
Changes made in a target catalog can be synced back to the source by swapping the configuration so that the original source catalog is the designated target and the original target is the designated source. This process is known as a reverse sync. If you want to enable the sensitive user data to be synced as part of a reverse sync scenario, create a new JWKS in the source API Connect deployment and use the same public/private key pair as the JWKS in the target deployment. Then, edit the LUR that is configured with the source catalog and select the JWKS in the Key set for data import field.