Master Password Management
In the normal course of its operations, API Gateway may connect to native APIs, applications, databases, and other systems such as API Portal and CentraSite, or to external entities such as email servers and databases. API Gateway is required to provide a password to each of these systems before connecting to them. API Gateway uses this password to identify itself or authenticate to the other system.
When you configure API Gateway to connect to an application or subsystem, for example a database, you specify the password that API Gateway must send to the database server in order to connect to it. Later, when an API Gateway user makes a request that requires the database, API Gateway sends the configured password to the database server and connects to it. In API Gateway, you use passwords when enforcing security-related policies, when connecting to destinations such as API Portal, CentraSite, email, and SNMP, when configuring security-related aliases, when configuring outbound proxy servers, and so on.
To protect these passwords, API Gateway encrypts them. By default, it encrypts them using the Password-Based Encryption (PBE) standard, also known as PKCS #5. This encryption method requires an encryption key, or master password, that you specify. The encrypted passwords are stored in a file. The master password is also encrypted and, by default, is stored in a file. For greater security, you can change the master password in API Gateway at regular intervals, or you can configure API Gateway to prompt for the master password at server startup instead.
Points to remember regarding master password:
When the master password is updated in one node, it is not synchronized across other nodes in the cluster. The master password has to be updated manually in all the nodes.
During export or import of assets, ensure that the master password is identical across stages and on different instances of API Gateway.
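The scheme described above, as an added illustration that is not API Gateway's own code: the master password is run through PKCS #5 PBKDF2 to derive the key that encrypts each configured password, so a blob sealed under one master password cannot be opened on a cluster node, or an import target, whose master password was not updated, and rotating the master password means re-sealing every stored password. The salt length, nonce length, iteration count and AES-256-GCM cipher are assumptions for the example; the text does not state API Gateway's actual PBE parameters.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Illustrative parameters: API Gateway's actual PBE settings are not stated on the page.
const saltLen, nonceLen, iterations = 16, 12, 100000

// deriveKey is PKCS#5 v2.0 PBKDF2-HMAC-SHA256 for one 32-byte block (standard library only).
func deriveKey(master string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key { key[j] ^= u[j] }
	}
	return key
}

// gcmFor returns AES-256-GCM keyed from the master password and a per-record salt.
func gcmFor(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(master, salt)) // 32-byte key, cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealPassword encrypts one configured password. Stored layout: salt || nonce || ciphertext+tag.
func sealPassword(master string, plaintext []byte) []byte {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil { panic(err) }
	nonce := append([]byte(nil), hdr[saltLen:]...) // copy so dst and nonce never alias
	return gcmFor(master, hdr[:saltLen]).Seal(hdr, nonce, plaintext, nil)
}

// openPassword fails when the master password differs from the one the blob was sealed under.
func openPassword(master string, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen+nonceLen { return nil, errors.New("sealed blob too short") }
	salt, nonce, ct := sealed[:saltLen], sealed[saltLen:saltLen+nonceLen], sealed[saltLen+nonceLen:]
	return gcmFor(master, salt).Open(nil, nonce, ct, nil)
}
```

Rotating the master password is openPassword under the old value followed by sealPassword under the new one, repeated for every stored password on every node.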