Setting the Encryption Passphrase

Encryption Passphrase Overview

By default, API Gateway configuration data is stored unencrypted. However, you can encrypt certain sensitive information, such as passwords and private keys, using a passphrase. When the passphrase has been set (and the data has been encrypted with it), you must enter the passphrase when connecting to the API Gateway with the Policy Studio, or when the API Gateway is starting up, so that the encrypted data can be decrypted. This passphrase is set at the API Gateway group level.

Warning:

It is crucial that you remember the passphrase when you change it. Failure to remember the passphrase results in the loss of private key data.

This topic describes how to specify the group passphrase when connecting to the API Gateway with the Policy Studio, in your API Gateway configuration file, or when the API Gateway is starting up. It also describes how to change the group passphrase when it has been set initially.

Setting the Group Passphrase in the Policy Studio

You can use the Policy Studio topology view to set the group passphrase that encrypts the data. This is the table displayed when you connect to the Admin Node Manager. To change the passphrase, right-click the API Gateway group name in the table (for example, QuickStart Group), and select Change Passphrase.

Complete the following fields on the Change Group Passphrase dialog:

Old Passphrase:

Enter the old passphrase that you wish to change in this field. Alternatively, you can leave this field blank if you are setting the passphrase for the first time.

New Passphrase:

Enter the new passphrase.

Confirm New Passphrase:

Re-enter the new passphrase to confirm it.

Entering the Group Passphrase in the Policy Studio

When you have set the encryption passphrase for the API Gateway configuration data, you must specify this passphrase every time that you connect to the API Gateway in the Policy Studio. You can enter it in the Passphrase field of the Open File dialog, which is displayed when connecting to a configuration file. Alternatively, you can enter it in the Enter Passphrase dialog, which is displayed before editing an active server configuration.

Note:

The different roles of the Passphrase and the Password fields are as follows:

Passphrase: Used to decrypt sensitive data (for example, private keys) that has already been encrypted. Not required by default, and only needed if you have set the group passphrase in Policy Studio.

Password: Used to authenticate to the API Gateway's management interface using HTTP basic authentication when opening a connection to a server. Required by default.

Specifying the Passphrase in a File or on Startup

For the API Gateway to read (decrypt) encrypted data from its configuration, it must be primed with the passphrase key. You can do this using the Policy Studio, as explained in the previous section. You can also specify the passphrase directly in a configuration file, or prompt for it at startup.

Specifying the Node Manager Passphrase in a Configuration File

You can specify a passphrase directly in the Node Manager's configuration file. Open the following file in your API Gateway installation:

INSTALL_DIR/system/conf/nodemanager.xml

This file contains values for general system settings, such as the server name and trace level, and also (if required) the passphrase key to use to decrypt encrypted API Gateway configuration data.

Typically, the passphrase is only entered directly in the file if the server must be started as a Windows service or UNIX daemon. In this case, the administrator cannot enter the passphrase manually when the server is starting, so the passphrase must be supplied in the configuration file instead. Specify the passphrase as the value of the secret attribute as follows, where "myPassphrase" is the encryption passphrase:

secret="myPassphrase"

Specifying the API Gateway Passphrase in a Configuration File

You can also specify the passphrase for individual API Gateway instances created using the managedomain script. To do this, specify the secret attribute in the service.xml file for your API Gateway instance. For example:

INSTALL_DIR/groups/group-id/instance-id/conf/service.xml

Prompting for the Passphrase on Server Startup

If you do not wish to specify the passphrase directly in the Node Manager or API Gateway configuration file, and do not need to start as a Windows service or UNIX daemon, you can configure the Node Manager or API Gateway to prompt the administrator for the passphrase on the command line when starting up. To do this, enter the "(prompt)" special value for the secret attribute as follows:

secret="(prompt)"
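Because a literal value in the secret attribute stores the passphrase in clear text, an administrator will usually want to check, across an installation, which files carry a literal passphrase, which use "(prompt)", and whether any clear-text file is readable by other accounts. The following script is an added example written for this page, not part of the Oracle API Gateway product or its documentation. It assumes only what the page states: the file locations INSTALL_DIR/system/conf/nodemanager.xml and INSTALL_DIR/groups/group-id/instance-id/conf/service.xml, and a secret attribute whose value is either a passphrase or "(prompt)". The enclosing XML element name (<Settings>) in the constructed sample files is a placeholder, because the page documents only the attribute; the scanner matches the attribute on any element for that reason.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Match the secret attribute on any element; the page documents the attribute,
# not the element that carries it, so no element name is assumed.
SECRET_ATTR = re.compile(r'\bsecret="([^"]*)"')


def classify_secret(value):
    """Map a secret attribute value to the mode it selects."""
    if value == "(prompt)":
        return "prompt"      # administrator is asked on the command line at startup
    if value == "":
        return "empty"       # no passphrase configured in this file
    return "literal"         # passphrase stored in clear text in the file


def audit_config(path):
    """Report how the secret attribute is set in one file and whether the file
    is readable by group or others (POSIX mode bits; informational on Windows)."""
    text = Path(path).read_text(encoding="utf-8")
    kinds = [classify_secret(v) for v in SECRET_ATTR.findall(text)]
    mode = os.stat(path).st_mode
    shared_readable = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    findings = []
    if "literal" in kinds and shared_readable:
        findings.append("clear-text passphrase in a file readable by group/others")
    if "prompt" in kinds:
        findings.append("(prompt) configured: cannot start as a service/daemon")
    if len(kinds) > 1:
        findings.append("more than one secret attribute in the file")
    return {"path": str(path), "secret_kinds": kinds,
            "shared_readable": shared_readable, "findings": findings}


def audit_install(install_dir):
    """Audit the Node Manager file and every instance service.xml under INSTALL_DIR."""
    root = Path(install_dir)
    candidates = list(root.glob("system/conf/nodemanager.xml"))
    candidates += list(root.glob("groups/*/*/conf/service.xml"))
    return [audit_config(p) for p in sorted(candidates)]


def build_sample_install():
    """Constructed sample tree (not a real installation): one file with a
    literal passphrase and loose permissions, one instance set to (prompt)."""
    tmp = Path(tempfile.mkdtemp())
    nm = tmp / "system" / "conf" / "nodemanager.xml"
    nm.parent.mkdir(parents=True)
    # <Settings> is a placeholder element name; only secret="..." is documented.
    nm.write_text('<Settings name="nodemanager" secret="myPassphrase"/>\n')
    nm.chmod(0o644)
    svc = tmp / "groups" / "group-2" / "instance-1" / "conf" / "service.xml"
    svc.parent.mkdir(parents=True)
    svc.write_text('<Settings name="instance-1" secret="(prompt)"/>\n')
    svc.chmod(0o600)
    return tmp


if __name__ == "__main__":
    for report in audit_install(build_sample_install()):
        print(report["path"], report["secret_kinds"], report["findings"])
```

Run it against a real installation by passing INSTALL_DIR to audit_install; a clean result is a nodemanager.xml and service.xml set that report either "prompt" (for interactively started servers) or "literal" with shared_readable False (for servers started as a service or daemon).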

Important:

If you use this option, you must take care to remember the encryption passphrase. Failure to use the correct passphrase results in loss of private key data, and may prevent the API Gateway from functioning correctly.

For more details, see the Oracle API Gateway Installation and Configuration Guide.