Replacing API keys using master key rotation

If you need to replace your API keys (for example, because you have lost a key), Guardium® Insights provides a master key rotation script.

Before you begin

This script is supported on machines that meet the hardware cluster requirements, and it must be run on a machine that has OpenSSL available by default. For more information:

In addition, the script requires the oc command-line tool.

To access the script files, download the Guardium Insights tar file, as described in Installing IBM Guardium Insights. After unpacking the archive, locate these files.

  • /inventory/install/files/pre-install/preInstall_secretList.csv
  • /inventory/install/files/support/rotate_secrets_helper.sh
  • /inventory/install/files/support/rotateSecrets.sh

Make the two .sh files executable with the chmod +x command.

Procedure

  1. Ensure that you are logged in to your OpenShift® cluster. Use this command to log in:
    cloudctl login -a <ICP_hostname> -u <openshift_username> -p <openshift_password> --skip-ssl-validation

    where

    • <ICP_hostname> is your Cloud Private server, for example https://cp-console.apps.myserver.com
    • <openshift_username> is your OpenShift user name
    • <openshift_password> is your OpenShift password
  2. When prompted, choose your Guardium Insights OpenShift namespace.
    Tip: You can check the list of namespaces currently deployed on the cluster by running this command:
    kubectl get namespace

    If you specify the incorrect namespace when prompted, you can correct the namespace by issuing this command:

    oc project <guardium_insights_namespace>
  3. Get the list of all secrets by issuing this command:
    oc get secrets

    Of the secrets that are returned, these are the ones that the rotateSecrets.sh tool rotates (re-encrypts):

    Table 1. Guardium Insights key secrets

    Secret                        Credential
    ibm-ticketing-keystore        _TICKETING_KEYSTORE_PASSWORD
    data-encryption-password      _DATA_ENCRYPTION_PASSWORD
    insights-gcm-aad              _GCM_AAD
    insights-tenant-user-secret   _TENANT_USER_SECRET
    insights-api-password         _ENCRYPTION_PASSWORD
    insights-fetch                _FETCH_KEYSTORE_PASSWORD
    insights-fetch                _FETCH_TRUSTSTORE_PASSWORD
    insights-uc                   _UNIVERSAL_CONNECTOR_KEYSTORE_PASSWORD

    Tip:
    • To see the details for a particular secret, issue the command oc get secret -oyaml <secret>, where <secret> is the secret that you are interested in.
    • To see the master key details, issue the command oc get secret -oyaml insights-master-key.
  4. Run the script as follows:
    ./rotateSecrets.sh -i preInstall_secretList.csv -n staging -k <your_key>

    where <your_key> is a new master key that you choose.

    Note: Issuing ./rotateSecrets.sh -h will provide help for the script.
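The procedure above wrapped in a pre-flight presence check and a post-rotation change check, as an added example that is not part of IBM's documentation or tooling. It assumes that oc get secrets -o name prints secret/<name> lines, that the script's -n option takes the namespace (the page's example passes staging), and that a secret the script rewrites receives a new metadata.resourceVersion; none of these is documented on this page.

```shell
# Added example, not IBM's tooling: pre-flight and post-rotation checks around
# rotateSecrets.sh. Assumes `oc get secrets -o name` prints "secret/<name>" lines,
# that -n takes the namespace, and that a rewritten secret gets a new resourceVersion.
set -eu
# Secrets from Table 1 plus the master key secret named in the Tip.
REQUIRED_SECRETS="ibm-ticketing-keystore data-encryption-password insights-gcm-aad \
insights-tenant-user-secret insights-api-password insights-fetch insights-uc \
insights-master-key"

# Reads `oc get secrets -o name` on stdin; prints absent required secrets, rc 1 if any.
missing_secrets() {
  present=$(sed 's#^secret/##')
  rc=0
  for s in $REQUIRED_SECRETS; do
    if ! printf '%s\n' "$present" | grep -qx "$s"; then
      printf '%s\n' "$s"; rc=1
    fi
  done
  return $rc
}

# unchanged_secrets BEFORE AFTER: files of "NAME RESOURCEVERSION" lines; prints
# required secrets whose resourceVersion is unchanged (not rewritten), rc 1 if any.
unchanged_secrets() {
  rc=0
  for s in $REQUIRED_SECRETS; do
    rv_before=$(awk -v n="$s" '$1 == n { print $2 }' "$1")
    rv_after=$(awk -v n="$s" '$1 == n { print $2 }' "$2")
    if [ -n "$rv_before" ] && [ "$rv_before" = "$rv_after" ]; then
      printf '%s\n' "$s"; rc=1
    fi
  done
  return $rc
}

# rotate_with_checks NAMESPACE NEW_MASTER_KEY: steps 2 to 4 with the checks
# around them. Defined only; run it against a live cluster.
rotate_with_checks() {
  cols='custom-columns=NAME:.metadata.name,RV:.metadata.resourceVersion'
  oc project "$1" >/dev/null
  oc get secrets -o name | missing_secrets \
    || { echo "abort: required secrets missing in $1" >&2; return 1; }
  snap_before=$(mktemp); snap_after=$(mktemp)
  oc get secrets -o "$cols" --no-headers >"$snap_before"
  ./rotateSecrets.sh -i preInstall_secretList.csv -n "$1" -k "$2"
  oc get secrets -o "$cols" --no-headers >"$snap_after"
  unchanged_secrets "$snap_before" "$snap_after" \
    || { echo "check: listed secrets were not rewritten" >&2; return 1; }
  rm -f "$snap_before" "$snap_after"
}
```

A secret reported by unchanged_secrets after the run is one whose value the rotation did not touch, which is the first thing to look at before trusting the new master key.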