
KBA1785 Engine Security Key Warning Message Received After Upgrade to 5.3.x

 

 

Applicable Delphix Versions

 

Major Release: 5.3

All Sub Releases: 5.3.0.0, 5.3.0.1

Issue

Following a Delphix Virtualization Engine upgrade to 5.3.x, an administrator may receive a warning alert pertaining to the Engine security key. The alert will read:

Description: The engine's security key is -182 days old, which is longer than the recommended 180 days.
Action: Generate a new secret key via the CLI (registration -> regenerate) and re-register the engine.
Severity: WARNING
Hostname: <ENGINE NAME>
Timestamp: 2018-10-05T21:11:18.454Z

Explanation

The Delphix Engine generates a unique security key at installation. This key is used for challenge-response authentication, a currently optional security feature for Delphix Support access to an Engine, which generates a unique, time-limited login challenge code for each Support engagement. As a best practice, Delphix currently recommends a 6-month key rotation policy for all Engines, and the alert described above is generated when the Engine detects that a security key is older than 180 days.

Resolution

The rotation of the security key is optional, regardless of enablement of challenge-response authentication.  The alert can be dismissed if key rotation is not desired. 

However, if the security key is rotated, and challenge-response is currently used, the Engine needs to be re-registered with Delphix, which will allow Support personnel to generate the correct response codes when engaged. 

To rotate the security key, a user with sysadmin (or equivalent) privileges must log in to the Engine via the CLI and regenerate the key, as in the example below:

delphix.engine> registration
delphix.engine registration> regenerate
delphix.engine registration regenerate *> commit
    type: RegistrationInfo
    code: <REDACTED>
    registrationPortalHostname: https://register.delphix.com
    uuid: 4213f7cc-6b3f-5d0c-41b3-8b815d8a6130

The resulting code can then be used to re-register the Engine.  This process is also documented in the links provided below under External Links.
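The sketch below is an added illustration, not Delphix's implementation or code from this article. It models a generic HMAC-based challenge-response to show why a regenerated key must be re-registered before Support can produce valid response codes. The `Engine` class, the `respond` helper, the 300-second challenge lifetime, and the idea that registration hands over a copy of the key are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

MAX_KEY_AGE_DAYS = 180      # rotation threshold quoted in the alert
CHALLENGE_TTL = 300         # assumed challenge lifetime in seconds


class Engine:
    """Hypothetical engine holding a secret key (not Delphix's implementation)."""

    def __init__(self, now):
        self.regenerate(now)

    def regenerate(self, now):
        # A fresh key invalidates every copy registered earlier.
        self.key = secrets.token_bytes(32)
        self.key_created = now

    def key_age_warning(self, now):
        return (now - self.key_created) / 86400 > MAX_KEY_AGE_DAYS

    def new_challenge(self, now):
        # Nonce plus issue time makes the challenge unique and time-limited.
        return f"{secrets.token_hex(8)}:{int(now)}"

    def verify(self, challenge, response, now):
        issued = int(challenge.rsplit(":", 1)[1])
        if not 0 <= now - issued <= CHALLENGE_TTL:
            return False
        return hmac.compare_digest(respond(self.key, challenge), response)


def respond(key, challenge):
    """What the support side computes from its registered copy of the key."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


def demo():
    t0 = 1_700_000_000                      # constructed timestamp
    engine = Engine(t0)
    registered = engine.key                 # assumed: copy shared at registration
    t1 = t0 + 181 * 86400
    warned = engine.key_age_warning(t1)     # key is now past 180 days
    engine.regenerate(t1)                   # rotate without re-registering
    ch = engine.new_challenge(t1)
    stale = engine.verify(ch, respond(registered, ch), t1)
    registered = engine.key                 # re-registration refreshes the copy
    fresh = engine.verify(ch, respond(registered, ch), t1 + 60)
    expired = engine.verify(ch, respond(registered, ch), t1 + CHALLENGE_TTL + 1)
    return warned, stale, fresh, expired
```

`demo()` returns the four outcomes in order: the age warning fires, a response computed from the pre-rotation key is rejected, a response from the re-registered key is accepted, and the same response is rejected once the challenge has expired.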

At this time, the Delphix Engine Setup web GUI (sysadmin or equivalent login) does not allow an Engine to be re-registered online once the Engine registration status is REGISTERED. As a result, any subsequent re-registration due to this key rotation must be done online via http://register.delphix.com. The current security key can be viewed in the CLI using the registration option referenced above, or in the GUI by clicking View in the Registration field.


From here, the current security key can be copied manually, or the "Copy to Clipboard" shortcut button used.


From here, the Engine can be re-registered.  Details of this process can be found in Documentation at:

https://docs.delphix.com/docs/system-installation-configuration-and-management/installation-and-initial-system-configuration/retrieving-the-delphix-engine-registration-code

Additional Information

In future versions of Delphix, the challenge-response authentication method for Support access may be enabled by default, so the currently optional registration of an Engine may be required for all installations.

There are other enhancement requests being reviewed at the time of this writing to consider automating these processes wherever possible, to minimize the work required by system administrators (sysadmin).

External Links

The following documentation links are helpful for registration and security key context:

Retrieving the Delphix Engine Registration Code

Regenerating the Delphix Engine Registration Code

 

DLPX-60780 - Sysadmin interface must allow an Engine to be re-registered

DLPX-60781 - Engine secret key rotation should be automatic, not a manual sysadmin operation