Audit-Viewer Key deceased

Article ID: 196612

Products

CA API Gateway, API SECURITY, CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7), CA API Gateway Enterprise Service Manager (Layer 7), STARTER PACK-7, CA Microgateway

Issue/Introduction

We are using the audit viewer key to decrypt/encrypt audits.

The key is almost deceased, so they have to use a new key.

Documentation says:

However, once a key ceases to be the audit viewer key, it is recommended that you delete it, to prevent unauthorized users from decrypting audit records that were encrypted with that key.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/security-configuration-in-policy-manager/tasks-menu-security-options/manage-private-keys/private-key-properties.html

But they have the following questions:

How can they keep viewing the old audits after deleting this key?

Will all audits be encrypted with the new key when the new key is added?

Or will the old audits be unusable because they are encrypted with the old key?

Environment

Release: 9.4

Component: API GATEWAY

Resolution

If you remove the old key, you cannot decrypt the encrypted messages that were encrypted with it. The new key will be used for new messages only.