
Security Vulnerability: Restrict access of production Akamai Configs

Outline

The EdgeConfiguration service (ECS) uses sets of credentials to modify Akamai Configurations (aka Akamai Properties), operate on edge caches, and read traffic/billing data, regardless of the environment in which the service is running.

Currently two different Akamai APIs (OPEN & CCU) are utilized, resulting in two different sets of credentials.

Issue

The way Akamai Configs are currently organized and handled does not allow access to prod-related configs to be restricted to a particular set of credentials, meaning that the same set of credentials is used in all our environments. Additionally, as required by the security squad, a secure solution needs to be found to store prod credentials outside of WCH, as Box does not seem to provide enough security.

See also defect 147425 (https://swgjazz.ibm.com:8003/jazz/web/projects/Digital%20Experience#action=com.ibm.team.workitem.viewWorkItem&id=147425)

Suggested Approach

See https://github.ibm.com/DX/squad-publishing/blob/master/Separating%20Akamai%20OPEN%20and%20CCU%20API%20Credentials%20-%20prod%20vs%20nonprod.pptx

The solution requires us to work together with Akamai and discuss how best to tackle this issue so as not to cause any downtime on prod and at most only minimal downtime on stage/shared. Additionally, some further investigation on our end is required to find the correct place to store these credentials outside of WCH.

  • Guest
  • Feb 25 2020
  • Shipped
What is your industry? Non-Industry Specific
What is the idea priority? High