Engine Security Key Warning Message Received After Upgrade to 5.3.x (KBA1785)
KBA# 1785
Applicable Delphix Versions
This article applies to the following versions of the Delphix Engine:
| Major Release | Sub Releases |
| --- | --- |
| 5.3 | 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.2.0, 5.3.3.0, 5.3.3.1 |
Troubleshooting Engine Security Key Warning
Following a Delphix Virtualization Engine upgrade to any of the versions referenced above, an administrator may receive a warning alert pertaining to the Engine security key. The alert will read:
Description: The engine's security key is -182 days old, which is longer than the recommended 180 days.
Action: Generate a new secret key via the CLI (registration -> regenerate) and re-register the engine.
Severity: WARNING
Hostname: <ENGINE NAME>
Timestamp: 2018-10-05T21:11:18.454Z
Explanation
The Delphix Engine generates a unique security key at installation. This key is used to facilitate challenge-response authentication, a currently optional security feature for Delphix Support access to an Engine, which generates a unique time-limited login challenge code for any Support engagement. As a best practice, Delphix currently recommends a 6-month key rotation policy for all Engines, and the alert described above is generated when the Engine detects that a security key is older than 180 days.
Resolution
In Delphix 5.3.4.0 and later, this warning is no longer generated. The steps below are provided for reference, as some environments will want to rotate the security key to align with existing policies.
The rotation of the security key is optional, regardless of enablement of challenge-response authentication. The alert can be dismissed if key rotation is not desired.
However, if the security key is rotated, and challenge-response is currently used, the Engine needs to be re-registered with Delphix, which will allow Support personnel to generate the correct response codes when engaged.
To rotate the security key, a user with sysadmin (or equivalent) privileges must log in to the Engine via the CLI and rotate the key. Example below:
delphix.engine> registration
delphix.engine registration> regenerate
delphix.engine registration regenerate *> commit
    type: RegistrationInfo
    code: <REDACTED>
    registrationPortalHostname: https://register.delphix.com
    uuid: 4213f7cc-6b3f-5d0c-41b3-8b815d8a6130
The resulting code can then be used to re-register the Engine. This process is also documented in the links provided below under Related articles.
At this time, the Delphix Engine Setup web GUI (sysadmin or equivalent login) does not allow an Engine to be re-registered, once the Engine registration status is REGISTERED. As a result, any subsequent re-registration due to this key rotation must be done via http://register.delphix.com. The current security key can be viewed in the CLI using the registration option referenced above, or in the GUI by clicking View in the Registration field:
From here, the current security key can be copied manually, or the "Copy to Clipboard" shortcut button used.
From here, the Engine can be re-registered. Details of this process can be found in Documentation at:
Additional Information
Beginning in Delphix release 5.3.4.0, the challenge-response authentication method for Support access will be enabled by default, so the currently optional registration of an Engine may be required for all installations to enable Support access.