zowe / api-layer

The API Mediation Layer provides a single point of access for mainframe service REST APIs.
Eclipse Public License 2.0

Certificate and password management for System Administrators #2976

Open amra opened 1 year ago

amra commented 1 year ago

Is your feature request related to a problem? Please describe.
I need to store client certificates for accessing other services in a simple manner.

Describe the solution you'd like
APIML should provide a service like HashiCorp Vault, where I can store certificates and passwords securely.

Benefits

Describe alternatives you've considered
Keep everything as it is and store everything locally.

balhar-jakub commented 1 year ago

I am trying to rephrase the request above; please let me know whether I understand it correctly. This may also be relevant to you @jalel01, as this is a larger-scale effort.

Problem statement:

Services must use certificates to secure their traffic with TLS. The certificates usually expire yearly. It's costly and manual to manage the certificates on a per-service basis. As the size of the services ecosystem grows, it is going to be even more difficult and error-prone, bringing additional operational overhead.

The goal

Make it easier for the System Administrator to manage and operate all the services that extend the API Mediation Layer, including the API Mediation Layer itself.

Potential solution using the API Mediation Layer

The API Mediation Layer plays a key role in the API ecosystem that is being created on top of the z/OS services delivered by IBM as well as key vendors such as Broadcom, Rocket, BMC and others. Through the conformance program, the API Mediation Layer standardizes the expectations of the services providing APIs within the ecosystem. It also provides shared services across the ecosystem.

For the automation of the management

The onboarded services should be able to delegate the functionality of certificate management to the API Mediation Layer, which would then call the company-wide CAs and provide the certificate for the specific service. Ideally this will be managed as part of the installation of the API, for which the API Mediation Layer also provides tooling.

For the manual management

The System Administrator should be able to easily validate, for every service, whether the service has a valid certificate, what certificate it is (also where it is) and what the expiry date of the certificate is.

When the System Administrator logs into the system, the information about the certificates expiring soon must be clearly visible, possibly even notifying the user.

The System Administrator should be able to generate a new certificate with key details for the specific service directly from the UI.

The System Administrator should be able to push the automatic certificate management even to the services that don't require this via the metadata.

The functionality mentioned above is visible only to those with the relevant privileges.

Open questions
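The "manual management" part of the comment above asks for one concrete check: for each service, is its certificate valid, which certificate is it, where does it live, when does it expire, and should it be flagged as expiring soon. The following is an added example of that check, written for this page and not taken from the issue or from the API Mediation Layer code base (which is Java; Go is used here because its standard library can both mint and parse X.509 certificates offline). The service names, keystore paths, the `warnWithin` threshold, the `CertEntry`/`CertReport` types and the self-signed sample certificates are all constructed for the demo; in a real deployment the entries would be read from each service's keystore.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is how a service certificate is flagged in the administrator's view.
type CertStatus string

const (
	StatusValid       CertStatus = "VALID"
	StatusExpiring    CertStatus = "EXPIRING_SOON"
	StatusExpired     CertStatus = "EXPIRED"
	StatusNotYetValid CertStatus = "NOT_YET_VALID"
	StatusUnparseable CertStatus = "UNPARSEABLE"
)

// CertEntry is one certificate to audit; Service and Location (e.g. a keystore path) are caller-supplied labels.
type CertEntry struct {
	Service, Location string
	PEM               []byte
}

// CertReport is one inventory row: which service, where the cert lives, what it is, when it expires, how it is flagged.
type CertReport struct {
	Service, Location, Subject, Issuer string
	NotAfter                           time.Time
	DaysLeft                           int
	Status                             CertStatus
}

// ClassifyCert flags a parsed certificate relative to now; warnWithin is an assumed "expiring soon" window.
func ClassifyCert(cert *x509.Certificate, now time.Time, warnWithin time.Duration) CertStatus {
	switch {
	case now.Before(cert.NotBefore):
		return StatusNotYetValid
	case !now.Before(cert.NotAfter):
		return StatusExpired
	case cert.NotAfter.Sub(now) <= warnWithin:
		return StatusExpiring
	default:
		return StatusValid
	}
}

// InspectEntry parses one PEM certificate into its report row; undecodable input is reported, not skipped.
func InspectEntry(e CertEntry, now time.Time, warnWithin time.Duration) CertReport {
	r := CertReport{Service: e.Service, Location: e.Location, Status: StatusUnparseable}
	block, _ := pem.Decode(e.PEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return r
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return r
	}
	r.Subject, r.Issuer, r.NotAfter = cert.Subject.CommonName, cert.Issuer.CommonName, cert.NotAfter
	r.DaysLeft = int(cert.NotAfter.Sub(now).Hours() / 24) // negative once expired
	r.Status = ClassifyCert(cert, now, warnWithin)
	return r
}

// SelfSignedPEM mints a constructed self-signed certificate for the demo; no company CA is involved.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // fixed "today" for a reproducible run
	day := 24 * time.Hour
	inventory := []CertEntry{ // constructed sample, not real Zowe keystores
		{"gateway", "/keystore/gateway.p12", SelfSignedPEM("gateway.example", now.Add(-30*day), now.Add(200*day))},
		{"discovery", "/keystore/discovery.p12", SelfSignedPEM("discovery.example", now.Add(-300*day), now.Add(10*day))},
		{"catalog", "/keystore/catalog.p12", SelfSignedPEM("catalog.example", now.Add(-400*day), now.Add(-day))},
		{"legacy", "/keystore/legacy.pem", []byte("not a certificate")},
	}
	for _, e := range inventory {
		r := InspectEntry(e, now, 30*day) // flag anything with 30 days or less remaining
		fmt.Printf("%-10s %-14s %-18s expires %s (%4d days) %s\n", r.Service, r.Status, r.Subject, r.NotAfter.Format("2006-01-02"), r.DaysLeft, r.Location)
	}
}
```

Two design points worth keeping in any real implementation: a certificate that fails to parse is reported as its own status rather than dropped, because a corrupt keystore entry is exactly the case an administrator needs to see, and the "not yet valid" case is distinguished from "expired", since a freshly issued certificate with a clock-skewed NotBefore fails TLS just as hard as an expired one but needs a different fix.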