IX Appliance RSA Private Key Displayed in HCX Manager app.log
Article ID: 410446
Products
VMware HCX
Issue/Introduction
When reviewing the HCX Manager log found in </common/logs/admin/app.log>, the "RSA private key" for the IX appliance is seen.
If HCX Manager is configured to send log messages to a syslog server, this key will also be stored on the syslog server.
Environment
HCX 4.11.x
Cause
Starting in 4.11.x, the RSA private key for a given IX appliance is shown in the HCX Manager </common/logs/admin/app.log> only during appliance redeployment.
This is done as part of the Appliance Configuration, which is reported in the appliance framework log.
When the IX appliance is initially deployed, this self-signed private key is created and is passed to HCX Manager. This is done on each HCX Manager/IX appliance respectively.
This key is very specific to the IX server. If an inbound connection attempts to use this self-signed key from a server other than the IX appliance, the connection will be denied as it is not a trusted session.
Resolution
Download and copy the attached file <update-log-config.tar> to HCX Manager.
Extract the tar file: <tar -xf update-log-config.tar>
The file update-log-config.sh should now be present in the current directory.
Make script executable: <chmod +x update-log-config.sh>
Switch to root user: <su>
Execute script: <sh update-log-config.sh>
Redeploy the service-mesh to update the keys in-use by IX appliances.
NOTE:
4.11.3 will remove the Wan-Opt (WO) functionality. Users who wish to retain the use of the WO appliance can remain on HCX 4.11.2 and implement the script attached to this SR.
This script's function is to adjust logging such that HCX Manager will not send the log lines containing the appliance private key to syslog.
If this script is implemented on build 4.11.0 or 4.11.1 and an upgrade to 4.11.2 then occurs, this workaround will have to be implemented again.
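To find where the key has already been written, on HCX Manager or on a syslog server that received these messages, the following added example (not part of the original article or of the attached script) reports the file and line number of each PEM private-key header without printing the key itself. It assumes the key is logged in PEM form and goes slightly beyond the article by also reading gzip-rotated copies; the function names and sample log lines are constructed.

```shell
# Assumption: the key appears in PEM form, e.g. "-----BEGIN RSA PRIVATE KEY-----".
KEY_MARKER='-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'

# scan_logs DIR: print "file:line" for every line holding a PEM private-key
# header. Reads plain and gzip-rotated files; never echoes the matching line.
scan_logs() {
    find "$1" -type f | sort | while IFS= read -r f; do
        case $f in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac 2>/dev/null | grep -nE -e "$KEY_MARKER" | cut -d: -f1 |
        while IFS= read -r n; do printf '%s:%s\n' "$f" "$n"; done
    done
}

# count_hits DIR: number of private-key headers found under DIR.
count_hits() {
    scan_logs "$1" | wc -l | tr -d ' '
}

# make_sample DIR: write constructed log files (placeholder text, not a key).
make_sample() {
    printf '%s\n' \
        '2025-01-01T10:00:00 INFO appliance configuration applied' \
        '2025-01-01T10:00:01 INFO key=-----BEGIN RSA PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$1/app.log"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' |
        gzip -c > "$1/app.log.1.gz"
}

# Demo on constructed data; point scan_logs at the real log directory instead.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "private-key headers found: $(count_hits "$demo_dir")"
scan_logs "$demo_dir"
rm -rf "$demo_dir"
```

Any file the scan reports holds a key that should be treated as exposed until the service mesh has been redeployed, and the reported log copies should be handled as sensitive.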