Encrypting Values for the Variables Template
You may want your configuration variables template to use encrypted values for sensitive data such as passwords. Microservices Runtime provides a way to generate an encrypted value which can then be placed in the template. During encryption, Microservices Runtime uses AES to encrypt the values for configuration variables, in particular AES/ECB/PKCS5Padding.
The key for encrypting and subsequently decrypting values can be one of the following:
* The default Microservices Runtime encryption key.
  Note:
  The default encryption key included with Microservices Runtime is the same for all Microservices Runtimes. As a result, any Microservices Runtime that uses the default encryption key can decrypt an encrypted value from any configuration variables file produced by a Microservices Runtime that encrypted the value using the default encryption key. This is a security vulnerability.
* The configuration variables encryption key. Microservices Runtime provides two ways to pass in a configuration variables encryption key:
  * The SAG_IS_CONFIG_VARIABLES_ENC_KEY environment variable can be set when starting a Docker container for Microservices Runtime.
  * The configvarsencryptionkey switch that can be set when starting an on-premise Microservices Runtime from the command line.
  The configuration variables encryption key must be a 16, 24, or 32 character String. If an invalid encryption key is supplied, the SAG_IS_CONFIG_VARIABLES_ENC_KEY environment variable is null, or the configvarsencryptionkey switch is null, Microservices Runtime uses the default Microservices Runtime encryption key for decrypting and encrypting values for configuration variables.
* The master password. When watt.server.configVariables.useMasterKey is set to true and the master password is a 16, 24, or 32 character String, Microservices Runtime uses the master password for encrypting and decrypting values in a configuration variables template.
  If watt.server.configVariables.useMasterKey is set to true and the master password is not a 16, 24, or 32 character String, Microservices Runtime uses a configuration variables encryption key set by the SAG_IS_CONFIG_VARIABLES_ENC_KEY environment variable or the configvarsencryptionkey startup switch. If a configuration variables encryption key is not set, Microservices Runtime falls back to the default encryption key for encrypting and decrypting configuration variables.
Microservices Runtime uses the provided encryption key to encrypt a configuration variable value. Additionally, Microservices Runtime uses the provided key to decrypt any encrypted values when applying a configuration variables template at startup. To successfully decrypt encrypted values in the configuration variables template, the Microservices Runtime applying the file must use the same encryption key as the Microservices Runtime used to create the template. If the keys are not the same, the Microservices Runtime applying the template writes a message to the configuration variables log stating that the variable value could not be decrypted and identifying the mismatched encryption keys as the reason.
Microservices Runtime writes the following message to the configuration variables log when the Microservices Runtime will use the default encryption key instead of a supplied key: Default encryption key for Integration Server will be used for configuration variable encryption and decryption.
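The key-selection rules and the fallback log message described above can be checked before and after deployment. The following is an added example, not product code: the function and parameter names are hypothetical, and `supplied_key` stands for whichever of the environment variable or startup switch was used.

```python
import os

VALID_LENGTHS = (16, 24, 32)  # accepted key lengths, in characters, per the page
# Message text quoted from the page; the surrounding log line layout is not shown there.
FALLBACK_MSG = ("Default encryption key for Integration Server will be used "
                "for configuration variable encryption and decryption.")


def usable(key):
    """A key is usable only if it is a 16, 24, or 32 character string."""
    return isinstance(key, str) and len(key) in VALID_LENGTHS


def effective_key_source(use_master_key, master_password, supplied_key):
    """Return which key the documented rules select: 'master', 'supplied' or 'default'.

    use_master_key mirrors watt.server.configVariables.useMasterKey.
    supplied_key is the value of SAG_IS_CONFIG_VARIABLES_ENC_KEY or of the
    configvarsencryptionkey switch, or None when neither is set.
    """
    if use_master_key and usable(master_password):
        return "master"
    if usable(supplied_key):
        return "supplied"
    # Null or wrong-length key: the runtime silently uses the shared default key.
    return "default"


def log_reports_default_key(log_lines):
    """True if any configuration variables log line carries the fallback message."""
    return any(FALLBACK_MSG in line for line in log_lines)


if __name__ == "__main__":
    # Pre-flight check on the container environment; the key itself is never printed.
    env_key = os.environ.get("SAG_IS_CONFIG_VARIABLES_ENC_KEY")
    source = effective_key_source(False, None, env_key)
    print("key source predicted from environment:", source)
    # Constructed sample log lines (timestamp layout is an assumption).
    sample_log = ["2024-01-01 12:00:00 INFO startup", "2024-01-01 12:00:01 INFO " + FALLBACK_MSG]
    print("log confirms default key in use:", log_reports_default_key(sample_log))
```

A result of `default` from either check means the encrypted values in the template are readable by any Microservices Runtime that also uses the default key.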
When a Docker image is created for Microservices Runtime using the Docker script is_container.bat/sh, the script bundles the secret key used to encrypt the values with the image, allowing the encrypted values from one instance to be decrypted and reused in another that uses the same encryption key.
Instead of encrypting values, you can use Kubernetes Secrets for confidential data such as passwords. For more information about Kubernetes Secrets, see Using a Kubernetes Secret with a Configuration Variables Template.
When you generate a configuration variables template, Microservices Runtime replaces any passwords and any secret global variables with ******.
IBM recommends that you encrypt all passwords and other sensitive data in your configuration variables templates.
To encrypt a value
1. Open the Microservices Runtime Administrator for the Microservices Runtime that you want to use to generate an encrypted value.
2. Go to Microservices > Configuration variables.
3. Click Generate Encrypted Configuration Variables.
4. In the Value field, enter the value that you want encrypted.
By default, Microservices Runtime Administrator masks any characters that you enter in the Value field. Click the Show Value check box if you want Microservices Runtime Administrator to display the characters in clear text.
5. Click Encrypt.
Microservices Runtime encrypts the value and displays the encrypted value in the Encrypted Value field.
6. Click Copy to copy the encrypted value to the clipboard.
7. Open the configuration variables template to which you want to add the encrypted value, locate the key for which you want to use the value, and then paste the copied value into the template.
8. Repeat steps 4–7 for each value you want to encrypt.