Enabling encrypted LUR user data sync

Enable the sensitive data (passwords) of members that belong to an LUR configured for a catalog to be synced between the source cluster and the target cluster.

About this task

A Local User Registry (LUR) can be configured with a JSON Web Key Set (JWKS) to enable the encryption and decryption of sensitive user data. First, the JWKS is added to the provider organization in the target API Connect cluster, the organization that owns the LUR configured with the target catalog. The JWKS is then attached to that LUR. Next, the public key of the JWKS is added to the corresponding LUR in the source cluster. Once configured, subsequent runs of the Config Sync retrieve the encrypted user data from the source and sync it with the target.

Note: Encrypted user data is synced only when both the source and target API Connect clusters are deployed on 10.0.8.0 or later.

Procedure

Configure a JWKS for the target LUR:

  1. In the target deployment, log in to API Manager using the API Connect provider organization that owns the target catalog (where the LUR is defined).

  2. Click Resources icon > Crypto Material.

  3. On the crypto page, look in the JWK Set section and click Create.

  4. On the Create JWK Set page, either provide an existing JWK Set or generate a new one:
    • To use an existing set, complete the following steps:
      1. Provide a name for the JWKS in the Key set title field.

      2. Enter the values into the JWK private key and JWK public key fields.
        Note: Ensure that both the public key and the private key include a kid property with the same UUID value; for example:
        "kid":"1facd4b7-4dac-409f-949c-9f0cb2f98689",
      3. Save a copy of the keys:
        • You will use the JWK public key later in this task.
        • If you plan to perform a reverse sync (see What to do next) between the target catalog and the source catalog, you will use the JWK private key to complete that task.
      4. Click Save.
    • To generate a JWKS, complete the following steps:
      1. Provide a name for the JWKS in the Key set title field.

      2. Click Generate to populate the JWK private key and JWK public key fields.

      3. Save a copy of the keys:
        • You will use the JWK public key later in this task.
        • If you plan to perform a reverse sync (see What to do next) between the target catalog and the source catalog, you will use the JWK private key to complete that task.
      4. Click Save.
  5. On the Resources page, navigate to the Local User Registry that is configured with the target catalog by clicking User registries and then selecting the appropriate registry.

  6. On the Edit local user registry page, locate the Additional Support section.

  7. In the Key set for data import field, select the JWKS that you created for this LUR.

  8. In the JWK public key for data export field, paste the JWK public key that you saved in step 4.

  9. Click Save.
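
The JWK Set you paste into the target LUR (and later into the source LUR) must be a consistent pair: the same kid UUID on both halves, public components (n, e for RSA; crv, x, y for EC) that agree, and no private members in the public half. The following check is an added example for this page and not part of API Connect or its documentation; it validates a saved JWK private/public pair before you paste the values, and can also derive the public half from a private JWK if you only saved the private key. The sample keys are constructed placeholders (the base64url fields are not real key material), so only the structural checks are exercised; the kid value is the one shown in the note above.

```python
import json
import uuid

# Private-key members defined by RFC 7518 (RSA: d, p, q, dp, dq, qi, oth; EC: d; oct: k).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# Public members that must agree between the two halves of a pair.
PUBLIC_MEMBERS = {"RSA": ("n", "e"), "EC": ("crv", "x", "y")}

# Constructed sample keys: the base64url fields are placeholders, not real key
# material, so only the structural checks below are exercised.
SAMPLE_KID = "1facd4b7-4dac-409f-949c-9f0cb2f98689"
SAMPLE_PRIVATE_JWK = json.dumps({
    "kty": "RSA", "kid": SAMPLE_KID,
    "n": "placeholder-modulus", "e": "AQAB",
    "d": "placeholder-private-exponent",
    "p": "placeholder-p", "q": "placeholder-q",
})
SAMPLE_PUBLIC_JWK = json.dumps({
    "kty": "RSA", "kid": SAMPLE_KID,
    "n": "placeholder-modulus", "e": "AQAB",
})


def load_jwk(text):
    """Parse a bare JWK, or a JWK Set holding exactly one key, into a dict."""
    obj = json.loads(text)
    if isinstance(obj, dict) and "keys" in obj:
        keys = obj["keys"]
        if len(keys) != 1:
            raise ValueError("expected a JWK Set with exactly one key")
        obj = keys[0]
    if not isinstance(obj, dict) or "kty" not in obj:
        raise ValueError("not a JWK: missing kty")
    return obj


def kid_problem(jwk):
    """Return a description of a bad kid, or None when kid is a UUID string."""
    kid = jwk.get("kid")
    if not isinstance(kid, str) or not kid:
        return "kid is missing"
    try:
        uuid.UUID(kid)
    except ValueError:
        return f"kid {kid!r} is not a UUID"
    return None


def check_key_pair(private_text, public_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    priv = load_jwk(private_text)
    pub = load_jwk(public_text)
    problems = []
    for label, jwk in (("private", priv), ("public", pub)):
        issue = kid_problem(jwk)
        if issue:
            problems.append(f"{label} key: {issue}")
    if priv.get("kid") != pub.get("kid"):
        problems.append("kid differs between the private and public keys")
    if priv.get("kty") != pub.get("kty"):
        problems.append("kty differs between the private and public keys")
    # The public half must carry exactly the public components of the private half.
    for member in PUBLIC_MEMBERS.get(pub.get("kty"), ()):
        if priv.get(member) != pub.get(member):
            problems.append(f"public member {member!r} differs or is missing")
    if not PRIVATE_MEMBERS & priv.keys():
        problems.append("private key carries no private members")
    # Catch the common mistake of pasting the private key into a public-key field.
    leaked = PRIVATE_MEMBERS & pub.keys()
    if leaked:
        problems.append(f"public key carries private members: {sorted(leaked)}")
    return problems


def public_from_private(private_text):
    """Derive the public JWK (as a JSON string) by dropping the private members."""
    priv = load_jwk(private_text)
    return json.dumps({k: v for k, v in priv.items() if k not in PRIVATE_MEMBERS})


if __name__ == "__main__":
    print(check_key_pair(SAMPLE_PRIVATE_JWK, SAMPLE_PUBLIC_JWK))  # prints []
```

Run check_key_pair on the two values you saved in step 4; paste the public key into the JWK public key for data export field only when the list of problems is empty. The leak check matters most for the source cluster, where only the public half should ever be present.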

Provide the target LUR's JWK public key to the corresponding LUR in the source deployment:

  1. In the source deployment, log in to API Manager using the API Connect provider organization that owns the source catalog (where the LUR is defined).

  2. Click Resources icon > User registries and then select the LUR that corresponds to the LUR you worked with in the target deployment.

  3. In the JWK public key for data export field, paste the JWK public key from the target LUR's JWK Set (the key that you saved earlier in this task).

  4. Click Save.

Results

The LUR in your source catalog is now configured to encrypt sensitive user data, and the LUR in your target catalog is configured to both encrypt and decrypt the sensitive data.

The next time that you run Config Sync, the sensitive data (passwords) of users in the LUR is synced from the source to the target, so that consumer organization members can log in to the target cluster using the same password.

What to do next

(Optional) Configure support for sensitive data with a reverse sync:

Changes made in a target catalog can be synced back to the source by swapping the configuration so that the original source catalog is the designated target and the original target is the designated source. This process is known as a reverse sync. If you want sensitive user data to be synced as part of a reverse sync, create a new JWKS in the source API Connect deployment using the same public/private key pair as the JWKS in the target deployment (the private key that you saved earlier in this task). Then, edit the LUR that is configured with the source catalog and select that JWKS in the Key set for data import field.