Manage Encryption Keys

If your API includes encrypted data source passwords and other secret information, such as connection and listener parameters of password data type, by default, Layer7 Live API Creator encrypts this information using the encryption key that Layer7 Live API Creator includes. All TeamSpace users use this encryption key. You can prevent other TeamSpace users from decrypting your passwords and reinforce security by defining your own encryption key. Layer7 Live API Creator uses the Blowfish encryption algorithm.
Layer7 Live API Creator decrypts the data source passwords that you have included with your exported API using the previously defined encryption key. You can have Layer7 Live API Creator re-encrypt a data source password using the latest encryption key by changing the data source password.
Define the Encryption Key for your Secret Fields
If you have included encrypted data source passwords with an exported API (you selected the Encrypt data source passwords option when you exported your API) in your DevOps processes, define the encryption keys in the Layer7 Live API Creator instances that are involved in the deployment. Layer7 Live API Creator uses these defined encryption keys to encrypt and decrypt data source passwords across environments.
For more information about how to export APIs in your DevOps processes, see Import and Export APIs.
Follow these steps:
  1. Create a random string of 16 characters using letters, numbers, and punctuation (except double quotes) for your encryption key. The length of your key depends on your Java cryptography settings.
    Generate the characters using a service, such as random.org.
  2. Decide on a short name for your encryption key. Layer7 Live API Creator orders your keys alphabetically, with the last one being active. Your short names sort alphabetically after 2, or after the last key name that is already defined.
    Best Practice: Name your first encryption key using today's date, using the YYYYMMDD format. For example, EncryptionKey_20180210.
    Layer7 Live API Creator updates the key as you migrate (or upgrade) Layer7 Live API Creator to a newer version and as you change your key over time. You can also update your data source passwords as part of your DevOps scripts.
  3. Define your encryption key based on the container on which you have installed Layer7 Live API Creator:
    Apache Tomcat
    Follow these steps:
    1. Create a link to a global JNDI resource by completing the following:
      • Open the tomcat/apache-tomcat-<version>/conf/context.xml file.
      • Insert the following XML code within the <Context> tag, save your changes, and then close the file:
        <ResourceLink name="EncryptionKey_20180210"
                      global="EncryptionKey_20180210"
                      type="java.lang.String"/>
    2. Create an environment entry for the encryption key by completing the following:
      • Open the tomcat/apache-tomcat-<version>/conf/context/server.xml file.
      • Insert the following XML code within the <GlobalNamingResources> tag, save your changes, and then close the file. The name must match the global attribute of the ResourceLink in context.xml:
        <Environment name="EncryptionKey_20180210"
                     type="java.lang.String"
                     value="AbC1$3D=F45_GhI7" />
        You can include this environment entry in any section of the server.xml file. You can define the entry at a more granular level.
    The single-user demonstration package of CA Live API Creator that is based on Jetty (demonstration package)
    Follow these steps:
    1. Open the <root Layer7 Live API Creator installation directory>/CALiveAPICreator/etc/jetty.xml file.
    2. Insert XML code similar to the following inside the <Configure> tag:
      <Configure id="Server" class="org.eclipse.jetty.server.Server">
        <!-- JNDI environment entry that holds the encryption key -->
        <New class="org.eclipse.jetty.plus.jndi.EnvEntry">
          <Arg></Arg>
          <Arg>EncryptionKey_20180210</Arg>
          <Arg type="java.lang.String">AbC1$3D=F45_GhI7</Arg>
          <Arg type="boolean">true</Arg>
        </New>
        <!-- etc... (the rest of the existing jetty.xml configuration) -->
      </Configure>
  4. If you want to update a data source password that Layer7 Live API Creator encrypts to use this encryption key, change the data source password. Complete the following steps:
    1. Open your API in API Creator.
    2. In the Create section, click Data Sources.
      The data source Connection tab appears.
    3. Click the name of the data source that you want to change from the list of data sources.
    4. Enter the password in the Password field, and then save your changes.
      For more information about the fields for data sources, see Database Connectivity.
    Layer7 Live API Creator re-encrypts the data source password using this encryption key.
Your encryption key is defined for the data source. The next time that you export your API, Layer7 Live API Creator encrypts the data source password using the latest encryption key.
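The following Python sketch is an added example, not part of the product or its documentation. It covers steps 1 through 3: it generates the key locally with the operating system's CSPRNG instead of a web service, builds the date-based name, renders an XML-escaped Environment entry, and reports any ResourceLink whose global name has no matching Environment. The function names and the sample XML are hypothetical, and plain code-point sort order is assumed when picking the active key.

```python
import secrets
import string
import xml.etree.ElementTree as ET
from datetime import date
from xml.sax.saxutils import quoteattr

# Letters, digits and punctuation, minus the double quote that step 1 excludes.
ALPHABET = (string.ascii_letters + string.digits + string.punctuation).replace('"', "")

def generate_key(length=16):
    """Random key from the OS CSPRNG (local alternative to a web service)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def key_name(day):
    """Date-based short name from step 2, e.g. EncryptionKey_20180210."""
    return "EncryptionKey_" + day.strftime("%Y%m%d")

def active_key(names):
    """Last name in sorted order; assumes plain code-point ordering."""
    return sorted(names)[-1]

def environment_entry(name, key):
    """<Environment> element for server.xml; quoteattr escapes &, < and >."""
    return '<Environment name=%s type="java.lang.String" value=%s />' % (
        quoteattr(name), quoteattr(key))

def unresolved_links(context_xml, server_xml):
    """ResourceLink 'global' names that no <Environment> in server.xml defines."""
    defined = {e.get("name") for e in ET.fromstring(server_xml).iter("Environment")}
    links = ET.fromstring(context_xml).iter("ResourceLink")
    return [l.get("global") for l in links if l.get("global") not in defined]

# Constructed sample files; the two names differ on purpose.
SAMPLE_CONTEXT = ('<Context><ResourceLink name="EncryptionKey_20180210" '
                  'global="EncryptionKey_20180210" type="java.lang.String"/></Context>')
SAMPLE_SERVER = ('<Server><GlobalNamingResources><Environment '
                 'name="EncryptionKey_20180220" type="java.lang.String" '
                 'value="placeholder"/></GlobalNamingResources></Server>')

if __name__ == "__main__":
    name = key_name(date.today())
    print(environment_entry(name, generate_key()))
    print("active:", active_key(["EncryptionKey_20180210", name]))
    print("unresolved:", unresolved_links(SAMPLE_CONTEXT, SAMPLE_SERVER))
```

A key that contains &, < or > must be escaped this way before it is pasted into server.xml or jetty.xml, otherwise the container reads a different value or fails to parse the file.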