Advanced Configurations

Advanced configuration allows you to customize the API Ops CLI for complex environments by overriding default settings and configuring additional options.

On this page:

• Encrypt password
• Configure LDAP authentication
• Enable HTTPS support
• Log4j2 properties configuration
• Hardening configurations

Encrypt password

To protect sensitive information, the API Ops tool supports encrypting passwords in the configuration files. Encrypted values prevent plain‑text credentials from being exposed during export and import operations.

API Ops supports password encryption in the following files:

• environment_config.yaml: Stores credentials for source and target environments.
• import-config.yaml: Stores credentials required for import operations.
• Configuration files generated during asset export (for example, API and app configuration files)

API Ops identifies whether a password is plain text or encrypted by using prefixes and applies encryption rules consistently:

• When you specify a password with the pwd: prefix, API Ops encrypts the value and replaces it with the enc: prefix.
• During export, API Ops tool stores sensitive values only in encrypted form.
• During import, API Ops tool uses encrypted values without exposing the original plain‑text password.

Encrypt a password with the pwd: prefix

To securely encrypt a password in the configuration file so that it is no longer stored in plain text:

1. Open the environment_config.yaml or import-config.yaml file that contains the password.

2. Locate the plain-text password value.

3. Replace the plain-text password with the pwd: prefix followed by the password. For example:

   pwd:myPlainTextPassword

4. Save the file.

5. Run the import command that processes import-config.yaml file.

When API Ops processes the environment_config.yaml or import-config.yaml file, it detects values that start with pwd:, encrypts them, and replaces them with values that use the enc: prefix.

Verify the password is encrypted

1. Open the environment_config.yaml or import-config.yaml file that contains the password.
2. Locate the password field.
3. Confirm that the password value starts with enc: prefix. For example:

   enc:ENCRYPTED_VALUE

If the value starts with enc:, the password is stored securely in encrypted form.

Configure LDAP authentication (optional)

You can configure LDAP authentication to allow the API Ops tool to authenticate with the Community Manager APIs by using LDAP credentials. Configure LDAP authentication if your organization uses LDAP-based single sign-on (SSO).

Before you begin, you must create an environment configuration file.

To configure LDAP authentication

1. Open the environment-config.yaml file.
2. In the file, locate the environment details you want to configure (for example, dev or prod).
3. Set the login type to enable LDAP-based authentication:

   loginType: "ssoLogin"

4. Specify the LDAP domain name:

   ssoDomain: "<name_of_domain>"

5. Specify the LDAP user credentials:

   tenantUserName: "<ldap-username>"
   tenantPassword: "<password>"
   

6. Save the file.

When the API Ops tool runs, it uses the specified LDAP credentials to authenticate with the Community Manager APIs.

Enable HTTPS support

To use HTTPS with client authentication, configure the keystore and trust store details in the environment configuration file. The API Ops tool reads the SSL configuration from this file when establishing a secure connection.

Configure the SSL settings

Define the following SSL properties in the environment-config.yaml file:

• sslKeystorePath = Path to the keystore file
• sslKeystorePassword = Password for the keystore
• sslTruststorePath = Path to the trust store file
• sslTruststorePassword = Password for the trust store

Example: Export APIs over HTTPS

The following example exports API configurations securely over HTTPS. The tool uses the keystore and trust store values defined in the environment configuration file for certificate validation.

/Users/Temp/ApiOps/api-ops-2026.1.0/bin/api-ops.sh command=export commandConfig=export-config.yaml baseConfigFolder=/Users/Temp/ApiOps/api-ops-2026.1.0/config environmentConfig=environment-config-https.yaml tenantUserName=administrator@atmosphere tenantPassword=Passw0rd!

Example: Import APIs over HTTPS

The following example imports API configurations securely over HTTPS with client authentication. The tool uses the keystore and trust store values defined in the environment configuration file for certificate validation.

/Users/Temp/ApiOps/api-ops-2026.1.0/bin/api-ops.sh command=import commandConfig=import-config.yaml baseConfigFolder=/Users/Temp/ApiOps/api-ops-2026.1.0/config environmentConfig=environment-config-https.yaml tenantUserName=administrator@atmosphere tenantPassword=Passw0rd!

Log4j2 properties configuration

You can use the Log4j2 properties configuration to set up logging for API operations. This configuration file sets up console and size‑based rolling file logging, defines log rollover limits, configures root and package‑specific logging levels, and writes promotion logs to a dedicated rolling file with message‑only output.

The sample log4j2.properties file is located under the config directory. You can customize this file to match your environment and logging requirements.

To troubleshoot issues, change the logging level from INFO to DEBUG by updating logger.apiops.level=info to logger.apiops.level=debug in the Log4j2 properties configuration file.

(Optional) Configure logging with a custom Log4j2

By default, API Ops uses the Log4j2 configuration file located in the config directory under the API Ops installation path at:

<API_OPS_HOME>/config/log4j2.properties

To use a custom Log4j2 configuration file, specify the file path by setting the JAVA_OPTS parameter.

Use the following command:

JAVA_OPTS="-Dlog4j2.configurationFile=<path-to-log4j2-properties>" ./api-ops.sh <arguments>

Replace:

• <path-to-log4j2-properties> with the path to your Log4j2 configuration file.
• <arguments> with any additional options required for your environment.

Example:

JAVA_OPTS="-Dlog4j2.configurationFile=<path-to-log4j2-properties>" ./Users/Temp/ApiOps/api-ops-2026.1.0/bin/api-ops.sh \
 command=export \
 commandConfig=export-config.yaml \
 baseConfigFolder=/Users/Temp/ApiOps/api-ops-2026.1.0/config \
 environmentConfig=environment-config-https.yaml \
 tenantUserName=tenant_username \
 tenantPassword=******** \
 sslKeystorePath=/Users/Temp/ApiOps/api-ops-https-keystores/client-keystore1.p12 \
 sslKeystorePassword=******** \
 sslTruststorePath=/Users/Temp/ApiOps/api-ops-https-keystores/server-truststore.p12 \
 sslTruststorePassword=********

Hardening configurations

This section covers settings and tuning parameters that you can apply to improve the hardening of API Ops. It includes:

Prevent logging of credentials

Passwords for the application, keystore, and trust store were being logged at the debug level, which can unintentionally expose sensitive information. If you enable logging at a level below INFO (such as DEBUG or TRACE), ensure that logging is restricted for specific packages that may expose confidential information.

To prevent credentials and other sensitive details from appearing in logs, configure Log4j to limit HTTP client logging. Use the following settings:

logger.spring-web.name=org.springframework.web.client ->
logger.spring-web.level=error
logger.apacheHttp.name=org.apache.hc.client5.http ->
logger.apacheHttp.level=error

These settings ensure that sensitive information does not appear in the logs.