Determine Security for Migrations
This topic provides some best practices to help you determine the security to use for migrations.
Step 1: Determine Authentication Method
To secure communications between the GMU computer and your API Gateways, determine an authentication method:
- Mutual Authentication
- Basic Authentication, with encoded password
- Basic Authentication, with plain text password (not recommended)
Use encodePassword Command to Protect Passwords
For convenience, GMU provides the encodePassword command to generate encoded passwords. This is useful for both mutual and basic authentication. You can read passwords from files using the format @file:path/to/file
Example: Generate an encoded password
$ ./GatewayMigrationUtility.sh encodePassword --password passwordToEncode
Mutual Authentication
Mutual authentication is implemented by passing the pkcs12 file (certificate and private key) using the --clientCert argument.
Example: Pass the pkcs12 file for mutual authentication
$ ./GatewayMigrationUtility.sh migrateOut --host gatewayhost --all --clientCert sourceGatewayAdminCert.p12 --dest all.xml --encryptUsingClusterPassphrase
Note the following details about implementing mutual authentication:
- The pkcs12 file must contain the private key and certificate
- The pkcs12 file may or may not be password protected
- If the pkcs12 file is password protected, use the -x, --password, or --plaintextPassword arguments to specify the password
- If the pkcs12 file is not password protected, do not include a password argument
- Do not specify a username when using mutual authentication; the user is identified by the certificate
- The certificate must be associated with the migration Administrators user on the API Gateway
- If using the Internal Identity Provider, the certificate Common Name (CN) must be the same as the user login
For instructions on configuring mutual authentication, see Configure GMU and Gateways for Migration.
Basic Authentication
Basic authentication uses the --password or --plaintextPassword arguments. Although an encoded password is more secure than a plaintext one, a malicious user who obtains the encoded value can still decode it, so treat encoded passwords as secrets.
Example: Basic authentication with encoded password
$ ./GatewayMigrationUtility.sh browse -h gatewayhost --username gmuAdmin --password YHPv0Fp28Gk.OIKd0JZCygbLzjk9OOFvtQ
Step 2: Safely Migrate Policy Passwords and Other Secrets
Policies and entities can contain passwords that are secure (using Managed Stored Passwords), or can contain passwords that are nonsecure (stored as plaintext). The best practice is to encrypt passwords in the bundle by specifying one of the following encryption arguments:
- --encryptUsingClusterPassphrase
- --encryptionPassphrase
Example: Export a bundle using --encryptUsingClusterPassphrase
Use this option only if the source and target Gateways have the same cluster passphrase.
$ ./GatewayMigrationUtility.sh migrateOut --argFile commonarguments.properties --all --encryptUsingClusterPassphrase --dest bundles/mygateway-all.xml
Example: Export a bundle using --encryptionPassphrase
$ ./GatewayMigrationUtility.sh migrateOut --argFile commonarguments.properties --all --encryptionPassphrase @file:encrypt.txt --dest bundles/mygateway-all.xml
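The following shell script is an added example and is not part of the GMU documentation or the utility itself. It encodes the rules from the mutual authentication notes above (no --username with --clientCert, a password argument only when the pkcs12 file is protected) and from Step 2 (choose --encryptUsingClusterPassphrase only when source and target share a cluster passphrase, otherwise --encryptionPassphrase), and it writes an @file: secret with owner-only permissions so the passphrase never appears on the command line or in shell history. The functions only assemble and print the argument strings; the GatewayMigrationUtility.sh invocation at the end is illustrative and the function names, file paths and sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not GMU's own code: helpers that build GMU authentication and
# encryption arguments according to the rules on this page.

# write_secret_file PATH VALUE
# Creates PATH containing VALUE with mode 0600 so it can be referenced as
# @file:PATH from --password or --encryptionPassphrase without exposing the
# secret in process listings or shell history.
write_secret_file() {
  path=$1; value=$2
  # subshell keeps the restrictive umask from leaking into the caller's shell
  ( umask 077 && printf '%s' "$value" > "$path" ) || return 1
  chmod 600 "$path"
}

# gmu_auth_args mutual  PKCS12_PATH [PASSWORD_REF]
# gmu_auth_args basic   USERNAME    PASSWORD_REF
# Prints the authentication arguments; PASSWORD_REF is an encoded password
# (from encodePassword) or an @file: reference. Returns 1 on a rule violation.
gmu_auth_args() {
  mode=$1; subject=$2; secret=$3
  case "$mode" in
    mutual)
      # the certificate identifies the user, so --username is never emitted
      [ -f "$subject" ] || { echo "pkcs12 file not found: $subject" >&2; return 1; }
      if [ -n "$secret" ]; then
        # only for a password-protected pkcs12 file
        printf -- '--clientCert %s --password %s' "$subject" "$secret"
      else
        printf -- '--clientCert %s' "$subject"
      fi
      ;;
    basic)
      [ -n "$subject" ] || { echo "basic auth requires a username" >&2; return 1; }
      [ -n "$secret" ]  || { echo "basic auth requires an encoded password" >&2; return 1; }
      printf -- '--username %s --password %s' "$subject" "$secret"
      ;;
    *)
      echo "unknown auth mode: $mode" >&2; return 1 ;;
  esac
}

# gmu_encrypt_args cluster
# gmu_encrypt_args passphrase PASSPHRASE_REF
# Prints the bundle encryption argument for migrateOut. Use "cluster" only when
# the source and target Gateways share the same cluster passphrase.
gmu_encrypt_args() {
  mode=$1; secret=$2
  case "$mode" in
    cluster)    printf -- '--encryptUsingClusterPassphrase' ;;
    passphrase)
      [ -n "$secret" ] || { echo "encryptionPassphrase value or @file: reference required" >&2; return 1; }
      printf -- '--encryptionPassphrase %s' "$secret" ;;
    *) echo "unknown encryption mode: $mode" >&2; return 1 ;;
  esac
}

# Illustrative run (sample values are constructed): the assembled command is
# printed rather than executed, since GMU is not present on this machine.
demo_dir=$(mktemp -d)
write_secret_file "$demo_dir/encrypt.txt" "example-bundle-passphrase"
: > "$demo_dir/sourceGatewayAdminCert.p12"   # placeholder for a real pkcs12 file
auth=$(gmu_auth_args mutual "$demo_dir/sourceGatewayAdminCert.p12")
enc=$(gmu_encrypt_args passphrase "@file:$demo_dir/encrypt.txt")
echo "./GatewayMigrationUtility.sh migrateOut --host gatewayhost --all $auth $enc --dest bundles/mygateway-all.xml"
```

Because the secret file is created with umask 077 inside a subshell, the caller's umask is untouched and the file is never briefly world-readable before chmod runs.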