Applicable Delphix Versions
All Sub Releases
Following a Delphix Virtualization Engine upgrade to 5.3.x, an administrator may receive a warning alert pertaining to the Engine security key. The alert will read:
Description: The engine's security key is -182 days old, which is longer than the recommended 180 days.
Action: Generate a new secret key via the CLI (registration -> regenerate) and re-register the engine.
Severity: WARNING
Hostname: <ENGINE NAME>
Timestamp: 2018-10-05T21:11:18.454Z
The Delphix Engine generates a unique security key at installation. This key is used for challenge-response authentication, a currently optional security feature for Delphix Support access to an Engine, which generates a unique time-limited login challenge code for any Support engagement. As a best practice, Delphix currently recommends a 6-month key rotation policy for all Engines, and the Alert described above is generated when the security key is detected to be older than 180 days.
The rotation of the security key is optional, regardless of enablement of challenge-response authentication. The alert can be dismissed if key rotation is not desired.
However, if the security key is rotated, and challenge-response is currently used, the Engine needs to be re-registered with Delphix, which will allow Support personnel to generate the correct response codes when engaged.
To rotate the security key, a user with sysadmin (or equivalent) privileges must log in to the Engine via the CLI and rotate the key, as in the example below:
delphix.engine> registration
delphix.engine registration> regenerate
delphix.engine registration regenerate *> commit
    type: RegistrationInfo
    code: <REDACTED>
    registrationPortalHostname: https://register.delphix.com
    uuid: 4213f7cc-6b3f-5d0c-41b3-8b815d8a6130
The resulting code can then be used to re-register the Engine. This process is also documented in the links provided below under External Links.
At this time, the Delphix Engine Setup web GUI (sysadmin or equivalent login) does not allow an Engine to be re-registered online once the Engine registration status is REGISTERED. As a result, any subsequent re-registration due to this key rotation must be done online via http://register.delphix.com. The current security key can be viewed in the CLI using the registration option referenced above, or in the GUI by clicking View in the Registration field:
From here, the current security key can be copied manually, or the "Copy to Clipboard" shortcut button used.
From here, the Engine can be re-registered. Details of this process can be found in Documentation at:
In future versions of Delphix, the challenge-response authentication method for Support access may be enabled by default, so the currently optional registration of an Engine may be required for all installations.
There are other enhancement requests being reviewed at the time of this writing to consider automating these processes wherever possible, to minimize the work required by system administrators (sysadmin).
The following documentation links are helpful for registration and security key context:
DLPX-60780 - Sysadmin interface must allow an Engine to be re-registered
DLPX-60781 - Engine secret key rotation should be automatic, not a manual sysadmin operation