Changing the data encryption key for IBM OpenPages for IBM Cloud Pak for Data
You can change the encryption key that is used to encrypt data in IBM® OpenPages® for IBM Cloud Pak for Data.
Before you begin
- You are familiar with encryption keys and how to manage them.
- You know how to use the OpenPages GRC REST API or you have experience with other REST APIs.
- You can log in to the OpenPages application as a super administrator, such as OpenPagesAdministrator.
- You can log in to Red Hat® OpenShift® as a project administrator.
About this task
Backing up the current encryption key
Back up your current encryption key.
Procedure
Backing up OpenPages
Back up your OpenPages instance.
About this task
You can do an online backup or an offline backup. For more information, see .
Decrypting data with the current encryption key
After you complete the backups, decrypt the data by using the current encryption key so that you can encrypt the data later with a new key.
Before you begin
To do this task, the application pods must be in a Running state and their readiness status must be Ready.
About this task
https://<op_app_server>:<op_port>/grc/api/configuration/decryptWithExternalKey
Send an https PUT request to the path by using an HTTPS client. You can use a curl command, for example:
curl -k --location --request PUT --header 'Content-Type: application/json' --header 'Accept: application/json' -u <op_super_user>:<op_super_user_password> 'https://<op_app_server>:<op_port>/grc/api/configuration/decryptWithExternalKey'
The API response includes the process ID of the long-running decryption process, for example:
{"processId":"2927"}
curl command:
- The -u parameter requires an OpenPages username and password. This user must be an OpenPages super administrator, such as OpenPagesAdministrator.
- The -k parameter allows connections to SSL sites without trusted certificates. This parameter is not needed if you replaced the default certificates with your own certificate authority (CA)-signed certificates.
https://<op_app_server>:<op_port>/grc/api/processes/<process_Id>
You can call the API by using your browser or by using an HTTPS client to send a GET request.
curl -k --location -u <op_super_user>:<op_super_user_password> --header 'Content-Type: application/json' --header 'Accept: application/json' --request GET 'https://<op_app_server>:<op_port>/grc/api/processes/<process_Id>'
In the response, the status attribute indicates whether the process is finished or still in progress. You can repeat the check as needed. The process is complete when the status value is STATUS_FINISHED_SUCCESS.
The decryption process can take time, depending on the data volume, especially if you have many file attachment records.
https://<op_app_server>:<op_port>/grc/api/processes/<process_Id>/logs
Generating a new secret key
Generate a new encryption key.
About this task
IBM OpenPages for IBM Cloud Pak for Data uses AES256 for data encryption. The key must be 256 bits (32 bytes) in length and it must be encoded with base64. The key must meet these requirements so it can be stored in a Kubernetes secret.
To generate a new random key, you can use a random generation tool or you can use openssl. The openssl command is available on the OpenPages application server pod:
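The length and encoding requirements can be checked before the value is stored in the Kubernetes Secret. The following shell functions are an added example, not the command from the IBM documentation; the function names are illustrative, and openssl rand -base64 32 is one standard way to produce 32 random bytes in base64.

```shell
# Added example: create a data encryption key and check it before storing it.
# Function names are illustrative and are not part of OpenPages.

# Print 32 random bytes (256 bits) as a single base64 line.
generate_key() {
    openssl rand -base64 32
}

# Succeed only if $1 is base64 that decodes to exactly 32 bytes.
key_is_valid() {
    key=$1
    # 32 bytes always encode to 44 base64 characters, the last one '='.
    [ "${#key}" -eq 44 ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # whitespace, newline, URL-safe alphabet
    esac
    decoded_len=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c)
    [ "$decoded_len" -eq 32 ]
}

# Usage: key=$(generate_key) && key_is_valid "$key" || echo "bad key" >&2
```

The check rejects common mistakes such as a 32-character passphrase, a hex-encoded key, or a 16-byte (AES-128) key.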
Procedure
Updating Red Hat OpenShift with the new key
Update the Kubernetes Secret in Red Hat OpenShift with the new key value.
Procedure
Restarting the application servers
Restart the application server pods and scale up to the number of replicas you want to use.
Procedure
Encrypting data with the new key
You are now ready to encrypt the data with the new encryption key.
Before you begin
To do this task, the application pods must be in a Running state and their readiness status must be Ready.
About this task
https://<op_app_server>:<op_port>/grc/api/configuration/encryptWithExternalKey
Send an https PUT request to this path by using an HTTPS client. You can use a curl command, for example:
curl -k --location --request PUT --header 'Content-Type: application/json' --header 'Accept: application/json' -u <super user>:<password> --cookie-jar cookie-jar.txt --cookie cookie-jar.txt 'https://<op_app_server>:<op_port>/grc/api/configuration/encryptWithExternalKey'
The API response includes the process ID of the long-running encryption process, for example:
{"processId":"2928"}
curl command:
- The -u parameter requires an OpenPages username and password. This user must be an OpenPages super administrator, such as OpenPagesAdministrator.
- The -k parameter allows connections to SSL sites without trusted certificates. This parameter is not needed if you replaced the default certificates with your own certificate authority (CA)-signed certificates.
https://<op_app_server>:<op_port>/grc/api/processes/<process_Id>
You can call the API by using your browser or by using an HTTPS client to send a GET request.
curl -k --location -u <op_super_user>:<op_super_user_password> --header 'Content-Type: application/json' --header 'Accept: application/json' --cookie-jar cookie-jar.txt --cookie cookie-jar.txt --request GET 'https://<op_app_server>:<op_port>/grc/api/processes/<process_Id>'
In the response, the status attribute indicates whether the process is finished or still in progress. You can repeat the check as needed. The process is complete when the status value is STATUS_FINISHED_SUCCESS.
The encryption process can take time, depending on the data volume, especially if you have many file attachment records.
https://<op_app_server>:<op_port>/grc/api/processes/<process_Id>/logs
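The start-then-poll sequence used for both the decryption and the encryption steps, as an added shell example that is not from the IBM documentation: it verifies the server certificate with --cacert instead of -k and reads the super administrator credentials from a netrc file so that the password does not appear on the command line. The OP_* variable names, the function names, and the treatment of status as a top-level JSON string are assumptions.

```shell
# Added example: start a key-change job and poll it until it finishes.
# Assumed environment (names are illustrative, not OpenPages settings):
#   OP_HOST   <op_app_server>:<op_port>
#   OP_CA     PEM file with the CA that signed the server certificate
#   OP_NETRC  netrc file (mode 600) holding the super administrator login

op_curl() {  # op_curl <METHOD> <path>
    curl --silent --show-error --fail --location \
         --cacert "$OP_CA" --netrc-file "$OP_NETRC" \
         --header 'Content-Type: application/json' \
         --header 'Accept: application/json' \
         --request "$1" "https://$OP_HOST$2"
}

# Print the string value of field $1 from a flat JSON object on stdin.
json_field() {
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# start_job decryptWithExternalKey|encryptWithExternalKey -> prints process ID
start_job() {
    op_curl PUT "/grc/api/configuration/$1" | json_field processId
}

fetch_status() {  # fetch_status <process_id> -> prints the raw API response
    op_curl GET "/grc/api/processes/$1"
}

# Poll until the status is STATUS_FINISHED_SUCCESS; fail after $2 checks.
wait_for_process() {
    proc=$1; max=${2:-120}; n=0
    while [ "$n" -lt "$max" ]; do
        state=$(fetch_status "$proc" | json_field status)
        [ "$state" = "STATUS_FINISHED_SUCCESS" ] && return 0
        n=$((n + 1))
        sleep "${OP_POLL_SECONDS:-30}"
    done
    echo "process $proc not finished; last status: ${state:-none}" >&2
    return 1
}

# Usage: id=$(start_job decryptWithExternalKey) && wait_for_process "$id"
```

If wait_for_process returns non-zero, check the process logs path before changing the key or restarting the pods.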
Restarting the application servers again
Restart the application server pods again.