Manage Encryption Keys
If your API includes encrypted data source passwords and other secret information, such as connection and listener parameters of password data type, by default, CA Live API Creator encrypts this information using the encryption key that CA Live API Creator includes. All TeamSpace users use this encryption key. You can prevent other TeamSpace users from decrypting your passwords and reinforce security by defining your own encryption key. CA Live API Creator uses the Blowfish encryption algorithm.
CA Live API Creator decrypts the data source passwords that you have included with your exported API using the previously defined encryption key. You can have CA Live API Creator re-encrypt a data source password using the latest encryption key by changing the data source password.
Define the Encryption Key for your Data Source Passwords
If you have included encrypted data source passwords with an exported API (you selected the Encrypt data source passwords option when you exported your API) in your DevOps processes, define the encryption keys in the CA Live API Creator instances that are involved in the deployment. CA Live API Creator uses these defined encryption keys to encrypt and decrypt data source passwords across environments.
For more information about how to export APIs in your DevOps processes, see Import and Export APIs.
Follow these steps:
- Create a random string of 16 characters using letters, numbers, and punctuation (except double quotes) for your encryption key. The length of your key depends on your Java cryptography settings.
- Decide on a short name for your encryption key. CA Live API Creator orders your keys alphabetically, with the last one being active. Your short names sort alphabetically after 2, or after the last key name that is already defined.
  Best Practice: Name your first encryption key using today's date, using the YYYYMMDD format. For example, EncryptionKey_20180210. CA Live API Creator updates the key as you migrate (or upgrade) CA Live API Creator to a newer version and as you change your key over time. You can also update your data source passwords as part of your DevOps scripts.
- Define your encryption key based on the container on which you have installed CA Live API Creator:
  Apache Tomcat
  Follow these steps:
  - Create a link to a global JNDI resource by completing the following:
    - Open the tomcat/apache-tomcat-<version>/conf/context.xml file.
    - Insert the following XML code within the <Context> tag, save your changes, and then close the file:
      <ResourceLink name="EncryptionKey_20180210" global="EncryptionKey_20180210" type="java.lang.String"/>
  - Create an environment entry for the encryption key by completing the following:
    - Open the tomcat/apache-tomcat-<version>/conf/context/server.xml file.
    - Insert the following XML code within the <GlobalNamingResources> tag, save your changes, and then close the file:
      <Environment name="EncryptionKey_20180210" type="java.lang.String" value="AbC1$3D=F45_GhI7" />
      You can include this environment entry in any section of the server.xml file. You can define the entry at a more granular level.
  The single-user demonstration package of CA Live API Creator that is based on Jetty (demonstration package)
  Follow these steps:
  - Open the <root CA Live API Creator installation directory>/CALiveAPICreator/etc/jetty.xml file.
  - Insert XML code similar to the following inside the <Configure> tag:
    <Configure id="Server" class="org.eclipse.jetty.server.Server">
      <New class="org.eclipse.jetty.plus.jndi.EnvEntry">
        <Arg></Arg>
        <Arg>EncryptionKey_20180210</Arg>
        <Arg type="java.lang.String">AbC1$3D=F45_GhI7</Arg>
        <Arg type="boolean">true</Arg>
      </New>
      etc...
- If you want to update a data source password that CA Live API Creator encrypts to use this encryption key, change the data source password. Complete the following steps:
  - Open your API in API Creator.
  - In the Create section, click Data Sources. The data source Connection tab appears.
  - Click the name of the data source that you want to change from the list of data sources.
  - Enter the password in the Password field, and then save your changes. For more information about the fields for data sources, see Database Connectivity.
  CA Live API Creator re-encrypts the data source password using this encryption key.
Your encryption key is defined for the data source. The next time that you export your API, CA Live API Creator encrypts the data source password using the latest encryption key.
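Steps 1 through 3 above, as an added example that is not part of the CA Live API Creator documentation: a Python sketch that draws the 16-character key from a CSPRNG, checks that the new name sorts last (and so becomes the active key), and emits the Tomcat and Jetty entries with the key XML-escaped, because punctuation such as & or < would otherwise corrupt the configuration file. The function names are hypothetical, and plain string comparison is assumed to match the product's alphabetical ordering.

```python
import secrets
import string
from datetime import date
from xml.sax.saxutils import escape, quoteattr

# Step 1: letters, numbers and punctuation, minus the excluded double quote.
ALPHABET = (string.ascii_letters + string.digits + string.punctuation).replace('"', "")

def generate_key(length=16):
    """Draw the key from the OS CSPRNG; retry until every character class appears."""
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)
                and any(c in string.punctuation for c in key)):
            return key

def key_name(existing_names, today=None):
    """Step 2: EncryptionKey_YYYYMMDD, rejected unless it sorts last (the active slot)."""
    name = "EncryptionKey_" + (today or date.today()).strftime("%Y%m%d")
    # Assumption: plain string comparison matches the product's alphabetical order.
    floor = max(existing_names, default="2")  # the page's "after 2" baseline
    if name <= floor:
        raise ValueError(f"{name} would not sort after {floor}, so it would not be active")
    return name

def tomcat_entries(name, key):
    """Step 3, Tomcat: ResourceLink and Environment must carry the same name."""
    n = quoteattr(name)
    link = f'<ResourceLink name={n} global={n} type="java.lang.String"/>'
    env = f'<Environment name={n} type="java.lang.String" value={quoteattr(key)} />'
    return link, env

def jetty_entry(name, key):
    """Step 3, Jetty: the key is element text, so escape &, < and > only."""
    return ('<New class="org.eclipse.jetty.plus.jndi.EnvEntry"><Arg></Arg>'
            f'<Arg>{escape(name)}</Arg>'
            f'<Arg type="java.lang.String">{escape(key)}</Arg>'
            '<Arg type="boolean">true</Arg></New>')

if __name__ == "__main__":
    # Constructed sample: one key name already defined on the instance.
    name = key_name(["EncryptionKey_20180210"])
    key = generate_key()
    for snippet in (*tomcat_entries(name, key), jetty_entry(name, key)):
        print(snippet)
```

The emitted snippets contain the key in clear text, so write them straight into the protected configuration file rather than into build logs.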