Layer7 API Management

 View Only
  • 1.  decrypt graphman-client exported keys or secrets

    Posted Jan 27, 2024 06:44 AM

    Hi Team.

    I am unable to decrypt secrets and keys with the given advice at the end of graphman-client readme : 
    graphman-client/ at main · Layer7-Community/graphman-client

    GitHub remove preview
    graphman-client/ at main · Layer7-Community/graphman-client
    This repository contains a Postman collection, a Node.js CLI application, sample queries for the CLI, and GraphQL schemas for the Graphman API. - graphman-client/ at main · Layer7-Community/graphman-client
    View this on GitHub >

    the export looks like:
      "secrets": [
          "goid": "9ec005dd334796b936987ecf50932c4d",
          "name": "mikel",
          "checksum": "1121b4c3cee21859749fba3450bf0257621eb11a",
          "description": "",
          "secret": "JEw3RXYwMiSK5eLTkmpxyObHRTfmwlqpjQcwOip5MlMu7v4YPSUSaA==",
          "secretType": "PASSWORD",
          "variableReferencable": true
      "properties": {
        "defaultAction": "NEW_OR_UPDATE"

    e.g. decrypting the secret using the following command fails with the error shown

    Of course, I have used the same passphrase for the export.
    Same error occurs for the encrypted key.p12 property.
    Am I doing someting wrong ?



  • 2.  RE: decrypt graphman-client exported keys or secrets

    Broadcom Employee
    Posted Jan 29, 2024 06:43 AM

    @Michael Mueller There's a little deviation in supporting the statement specified as part of documentation.

    Graphman supports importing the secrets that are encrypted using openssl way. But, it was not the same case while exporting them. As of now, graphman exports secrets that cannot be decrypted using openssl. We did change this behaviour different from experimental build. 

    Would you still want to export the secrets in openssl decrypt friendly? 

  • 3.  RE: decrypt graphman-client exported keys or secrets

    Posted Jan 29, 2024 08:52 AM
    Edited by Michael Mueller Jan 29, 2024 08:52 AM

    Hi @Raju Gurram.


    I am coming from the understanding, that a secret is just another resource entity in a gateway, as any other.

    Hence, and due to my understanding that a repository is the single source of truth for a gateway, I am looking for the ability to maintain/change a secret in a repository, rather than directly in a gateway through Policy Manager.

    Hence, from a repository point of view, this could be understood as a rogue change, as this change of a resource ( the secret ) is not known by the repository , and might get overwritten by the repository content, if not taken care of this change differently.

  • 4.  RE: decrypt graphman-client exported keys or secrets

    Broadcom Employee
    Posted Jan 30, 2024 06:33 AM

    Thank you for your feedback. Most likely, we will reconsider this (i.e., ability to export secrets in openssl decrypt friendly).

  • 5.  RE: decrypt graphman-client exported keys or secrets

    Posted 11 days ago

    Dear team.

    Meanwhile, I think a little different about this topic. At least for secrets.
    There is no need to be able to decrypt a password, similar to other password handlings.
    This is what I understand:
    1) A secret can be set through graphman, either in clear text or encrypted by openssl.
    2) A secret can be exported from one gateway and imported to another, meaning copied between gateways.
    Taking a look at operating systems for example, I am usually not able to figure out a password as well.

    From this point of view, there is no need to have the possibility to decrypt an existing password.

    Just my opinion, as of now :)

    Best regards