For security reasons, a system operator must be able to replace the Replica or Client node keys. The key rotation operation does not require any downtime.
You can rotate all, single, or multiple Replica and Client node TLS keys with any deployment configuration.
Replica and Client node key rotation is not supported in the following downtime scenarios:
- A Replica or Client node VM is down.
- The Concord containers are down.
- A Replica node is in state transfer.
Procedure
- Rotate the Client node TLS key.
  - Identify the Client service UUID from the /config/generic/identifiers.env file.
  - Rotate the Client node key.
Note:
Only the Client service certificates are rotated. You can verify the Client service certificate rotation on the respective Client node hosting the Client service.
| Key Rotation Type | Command |
| --- | --- |
| Rotate a Client node key. | `docker exec -it operator bash -c "./concop key-exchange execute --tls --clients <UUID>"` |
| Rotate multiple Client node keys. | `docker exec -it operator bash -c "./concop key-exchange execute --tls --clients <UUID1> <UUID2>"` |
| Rotate all the Client node keys in a Client node group. | `docker exec -it operator bash -c "./concop key-exchange execute --tls --clients"` |
  - Validate the Client node key rotation status.
    `docker exec -it operator bash -c "./concop key-exchange status --tls --clients"`
- Rotate the Replica node TLS key.
  Depending on your deployment configuration, you can rotate single or multiple Replica node keys.
  - Identify the Replica node ID from the Concord container Docker log files or check the /config/concord/config-generated/gen-sec.* file.
  - Rotate the Replica node key.
| Key Rotation Type | Command |
| --- | --- |
| Rotate a Replica node key. | `docker exec -it operator bash -c "./concop key-exchange execute --tls --replicas <rid>"` |
| Rotate multiple Replica node keys. | `docker exec -it operator bash -c "./concop key-exchange execute --tls --replicas <rid1> <rid2>"` |
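The commands in both tables above interpolate node identifiers into a `bash -c` string inside the operator container, so an operator script that takes UUIDs or replica IDs from a ticket, a file or another tool should validate them before building that string. The following POSIX shell wrapper is an added example covering both the Client and the Replica procedures; it is not part of the product. The helper names (`is_safe_id`, `build_rotate_cmd`, `rotate_and_check`), the `DRY_RUN` switch, and the use of `key-exchange status --tls --replicas` (the page only shows the status command with `--clients`) are assumptions.

```shell
#!/bin/sh
# Added example wrapper around the concop key-exchange commands shown above.
# Not product code; helper names, DRY_RUN and the replica status call are assumptions.

# Accept only UUID-shaped tokens (hex digits and dashes) or plain replica IDs
# (digits). Anything else is refused before it reaches the bash -c string, so
# a malformed or hostile argument cannot change the command that is executed.
is_safe_id() {
  case "$1" in
    "") return 1 ;;
    *[!0-9a-fA-F-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the inner concop command for one node type ("clients" or "replicas")
# and zero or more IDs. With no IDs the whole group is rotated, as in the
# "Rotate all the Client node keys" row of the table.
build_rotate_cmd() {
  kind="$1"; shift
  case "$kind" in
    clients|replicas) ;;
    *) echo "unknown node type: $kind" >&2; return 1 ;;
  esac
  cmd="./concop key-exchange execute --tls --$kind"
  for id in "$@"; do
    is_safe_id "$id" || { echo "rejected id: $id" >&2; return 1; }
    cmd="$cmd $id"
  done
  printf '%s\n' "$cmd"
}

# Status command. The page shows it only for --clients; using it with
# --replicas is an assumption by analogy.
build_status_cmd() {
  printf '%s\n' "./concop key-exchange status --tls --$1"
}

# Rotate, then show the rotation status. With DRY_RUN=1 the docker commands
# are printed instead of executed, which is how the test below exercises it.
rotate_and_check() {
  kind="$1"; shift
  inner=$(build_rotate_cmd "$kind" "$@") || return 1
  status=$(build_status_cmd "$kind")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'docker exec -it operator bash -c "%s"\n' "$inner"
    printf 'docker exec -it operator bash -c "%s"\n' "$status"
  else
    docker exec -it operator bash -c "$inner" &&
      docker exec -it operator bash -c "$status"
  fi
}

# Usage (dry run, constructed sample IDs):
#   DRY_RUN=1 rotate_and_check clients 0a1b2c3d-0000-4000-8000-000000000001
#   DRY_RUN=1 rotate_and_check replicas 1 2
```

Run it with `DRY_RUN=1` first to confirm the exact `docker exec` lines that will be issued; the rejection of any ID containing characters outside the expected set is the point of the wrapper, since the ID is otherwise pasted verbatim into a shell command string.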