For security reasons, a system operator must be able to replace the Replica or Client node keys. The key rotation operation does not require any downtime.
You can rotate all, single, or multiple Replica and Client node TLS keys with any deployment configuration.
Replica and Client node key rotation is not supported during downtime under the following scenarios:
If a Replica and Client node VM is down.
If the Concord containers are down.
Replica node is in state transfer.
Procedure
- Rotate the Client node TLS key.
- Identify the Client service UUID from the /config/generic/identifiers.env directory.
- Rotate the Client node key.
Key Rotation Type |
Command |
Rotate a Client node key. |
sudo docker exec -it operator bash -c "./concop key-exchange execute --tls --clients <UUID>" |
Rotate multiple Client node keys. |
sudo docker exec -it operator bash -c "./concop key-exchange execute --tls --clients <UUID1> <UUID2>" |
Rotate all the Client node keys in a Client node group. |
sudo docker exec -it operator bash -c "./concop key-exchange execute --tls --clients" |
- Validate the Client node key rotation status.
sudo docker exec -it operator bash -c "./concop key-exchange status --tls --clients"
- Rotate the Replica node TLS key.
Depending on your deployment configuration, you can rotate single or multiple Replica node keys.
- Identify the Replica node ID from the Concord container Docker log files or check the /config/concord/config-generated/gen-sec.* file.
- Rotate the Replica node key.
Key Rotation Type |
Command |
Rotate a Replica node key. |
sudo docker exec -it operator bash -c "./concop key-exchange execute --tls --replicas <rid>" |
Rotate multiple Replica node keys. |
sudo docker exec -it operator bash -c "./concop key-exchange execute --tls --replicas <rid1> <rid2>" |
