If you need to replace your API keys (for example, because a key has been lost or may have been disclosed), Guardium® Insights provides a master key rotation script.
Before you begin
The script requires the OpenShift CLI (oc) to be installed and on your PATH.
To access the script files, download the Guardium Insights tar file, as described in Installing IBM Guardium Insights. After unpacking the archive, locate
these files.
- /inventory/install/files/pre-install/preInstall_secretList.csv
- /inventory/install/files/support/rotate_secrets_helper.sh
- /inventory/install/files/support/rotateSecrets.sh
Make the two .sh files executable with the chmod +x command.
Procedure
- Ensure that you are logged in to your OpenShift® cluster. Use this command to log in:
cloudctl login -a <ICP_hostname> -u <openshift_username> -p <openshift_password> --skip-ssl-validation
where
<ICP_hostname>
is your Cloud Private console URL, for example https://cp-console.apps.myserver.com
<openshift_username>
is your OpenShift user name
<openshift_password>
is your OpenShift password
Note: --skip-ssl-validation disables verification of the console's TLS certificate, so your cluster credentials go to whichever host answers at <ICP_hostname>. Omit the flag when the console certificate chains to a CA that your workstation trusts. Passing the password with -p also records it in your shell history; consider omitting -p so that the password is not saved there.
- When prompted, choose your Guardium Insights
OpenShift namespace.
Tip: You can check the list of namespaces currently deployed on the cluster by running
this command:
kubectl get namespace
If you specify the incorrect namespace
when prompted, you can correct the namespace by issuing this
command:
oc project <guardium_insights_namespace>
- Get the list of all secrets by issuing this command:
oc get secrets
In the list of secrets that are returned, these are the secrets that the rotateSecrets.sh tool re-encrypts under the new master key:
Table 1. Guardium Insights key secrets
Secret                       | Credential
ibm-ticketing-keystore       | _TICKETING_KEYSTORE_PASSWORD
data-encryption-password     | _DATA_ENCRYPTION_PASSWORD
insights-gcm-aad             | _GCM_AAD
insights-tenant-user-secret  | _TENANT_USER_SECRET
insights-api-password        | _ENCRYPTION_PASSWORD
insights-fetch               | _FETCH_KEYSTORE_PASSWORD
insights-fetch               | _FETCH_TRUSTSTORE_PASSWORD
insights-uc                  | _UNIVERSAL_CONNECTOR_KEYSTORE_PASSWORD
Tip:
- To see the details for a particular secret, issue the command oc get secret -oyaml <secret>, where <secret> is the name of the secret that you are interested in. The values under data: in the output are base64-encoded, not encrypted: anyone who can read the secret can decode them, so do not paste the output into tickets or chat.
- To see the master key details, issue the command oc get secret -oyaml insights-master-key.
- Run the script, specifying the secret list, the Guardium Insights namespace, and the new master key:
./rotateSecrets.sh -i preInstall_secretList.csv -n staging -k <your_key>
where -i is the preInstall_secretList.csv file from the unpacked archive (give its full path if you run the script from another directory; the file name is case-sensitive), staging is the Guardium Insights namespace in this example (replace it with yours), and <your_key> is a new master key that you choose.
Note: Because the key is passed as a command-line argument, it is written to your shell history and is visible in the process list while the script runs. Run the command from a session whose history is not saved, or remove the entry afterwards, and protect the new key as you would the previous one.
Note: Issuing ./rotateSecrets.sh -h will provide help for the script.
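The procedure above gives no way to confirm that every secret in Table 1 was actually rotated. The following helper, an added example that is not part of the Guardium Insights distribution, snapshots a digest of each listed secret before you run rotateSecrets.sh and compares a second snapshot afterwards. It assumes you are already logged in with oc; the GI_NAMESPACE environment variable and the check_rotation.sh name are this example's own choices. It hashes the base64 text that oc returns for each secret's data and never decodes it, so no credential is written to disk.

```shell
#!/usr/bin/env bash
# check_rotation.sh: snapshot the Guardium Insights secrets before rotateSecrets.sh
# runs and confirm afterwards that every one of them changed.
# Added example, not part of the Guardium Insights distribution. Assumes oc is on
# PATH and already logged in; GI_NAMESPACE is an assumed variable name.
set -eu

# The secrets from Table 1. insights-fetch appears once: it holds both the fetch
# keystore and truststore passwords.
ROTATED_SECRETS="ibm-ticketing-keystore data-encryption-password insights-gcm-aad \
insights-tenant-user-secret insights-api-password insights-fetch insights-uc"

# Print a secret's stored data as "key=value" lines. The go-template prints the
# base64 text held in the secret; nothing is decoded.
dump_secret() {   # $1 namespace, $2 secret name
    oc get secret "$2" -n "$1" \
        -o go-template='{{range $k, $v := .data}}{{$k}}={{$v}}{{"\n"}}{{end}}'
}

# SHA-256 of stdin as a hex string, using whichever tool the host provides.
secret_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Write one digest file per secret into directory $2 for namespace $1.
snapshot() {   # $1 namespace, $2 output dir
    mkdir -p "$2"
    for s in $ROTATED_SECRETS; do
        data=$(dump_secret "$1" "$s")   # set -e aborts the run if oc cannot read it
        printf '%s\n' "$data" | secret_digest > "$2/$s.sha256"
        echo "snapshot: $s -> $(cat "$2/$s.sha256")"
    done
}

# Compare two snapshot directories for the named secrets. Returns 0 only when
# every digest changed; reports secrets that are unchanged or missing a digest.
compare_snapshots() {   # $1 before dir, $2 after dir, $3... secret names
    local before="$1" after="$2" unchanged=0 s
    shift 2
    for s in "$@"; do
        if [ ! -f "$before/$s.sha256" ] || [ ! -f "$after/$s.sha256" ]; then
            echo "MISSING   $s (no digest on one side)"
            unchanged=$((unchanged + 1))
        elif [ "$(cat "$before/$s.sha256")" = "$(cat "$after/$s.sha256")" ]; then
            echo "UNCHANGED $s"
            unchanged=$((unchanged + 1))
        else
            echo "rotated   $s"
        fi
    done
    [ "$unchanged" -eq 0 ]
}

usage() {
    cat <<'EOF'
usage: check_rotation.sh snapshot <dir>           # run before rotateSecrets.sh
       check_rotation.sh verify <before> <after>  # run after a second snapshot
EOF
}

# Dispatch only when invoked with arguments; sourcing the file just defines the
# functions. The namespace defaults to the current oc project.
if [ "$#" -gt 0 ]; then
    case "$1" in
        snapshot) snapshot "${GI_NAMESPACE:-$(oc project -q)}" "${2:?snapshot dir required}" ;;
        verify)   compare_snapshots "${2:?before dir}" "${3:?after dir}" $ROTATED_SECRETS ;;
        *)        usage; exit 2 ;;
    esac
fi
```

Run ./check_rotation.sh snapshot before-rotation, run rotateSecrets.sh, then snapshot again into a second directory and run ./check_rotation.sh verify before-rotation after-rotation. A non-zero exit with an UNCHANGED line means that secret still carries the old material and the rotation should be investigated before the old key is discarded.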