Actions on User Key/Host Key Inventory

You can perform the following actions from the Key Inventory page.

Table 1. Action description on User/Host Key Inventory page
Action Description
Provision Key You can provision an SSH key (user key, private key or key pair) to target hosts, with optional vault integration. For provisioning a key, see Provision a Key.
Modify You can modify the user key details and tags.
Table 2. Field description for Modify Key
Field Description
Key details
*Key Group Select key group from the dropdown list.
Note: A key is linked to a key group, and this key group is further connected to a policy. Based on the selection of the key group, it is determined if the key needs a work order approval. The key is also checked for compliance with the key policy associated with the key group.
*Key Name A unique name of the key to facilitate easy identification.
*Key Type Indicates the type of key. In this case, it is a User Key.
*Algorithm Select the cryptographic algorithm used for the key.
*Bit length Specify the bit length for the key.
Comment Enter remarks specific to the key.
Tags
Tags Select tags from the list.
Note: Based on the selected tags, corresponding tag labels will be displayed, allowing you to further refine your tag selections.
* - Mandatory fields

To modify the tags associated with a key, click the icon next to the key, and update the tag details as needed.

Change status Users with RW permission can change the status of a key to Managed or Monitored.
Export You can export the user or host key details from their respective inventory in .csv or .xls format.
Upload User SSH key
Note: This field appears only for User Key Inventory.
Table 3. Field description for Upload SSH key section
Field Description
*Key File Click Search icon to browse for the file.
*Key Group Select key group from the dropdown list.
Note: A key is linked to a key group, and this key group is further connected to a policy. Based on the selection of the key group, it is determined if the key needs a work order approval. The key is also checked for compliance with the key policy associated with the key group.
*Key Name Enter a unique name for the key to facilitate easy identification.
Passphrase Enter a passphrase for the key.
Confirm Passphrase Enter the passphrase again to confirm.
*Validity Select validity from the dropdown list. This determines the duration for which the key is valid.
Comment Enter remarks specific to the key.
Note: Fields indicated with red asterisk (*) symbol are mandatory.
Revoke
Note: This field appears only for User Key Inventory.
Users with RW permission can revoke certificates associated with keys for which a private key or a key pair (public + private) is available. If the selection includes even one public-only key, Revoke is disabled.
Rotate Users with RW permission can rotate selected user keys or host keys according to the rotation configuration in their corresponding key policies. Keys selected for rotation are automatically backed up and stored in a secure encrypted format in Recently Rotated Keys. The details of the backup are available in the audit log. On successful completion of the backup, the following message appears in the audit log: Backup completed for the <key type> for action <action> with name <key name> with fingerprint <key fingerprint> with group name <key group name> by the user <user name>.
On selecting keys for rotation, a confirmation message appears. On confirming, the rotate operation is triggered via workflow. To check the status and reports, go to Automation > Service Request > All and select your request from All requests.
The newly rotated key is named according to the convention KEYTYPE_TIMESTAMP, where KEYTYPE is the encryption algorithm of the key and TIMESTAMP is the time at which you rotated the key, in the format yyyyMMdd_HHmmss_SSS_counter, where:
  • yyyy denotes the year
  • MM denotes the month
  • dd denotes the date
  • HH denotes the hours
  • mm denotes the minutes
  • ss denotes the seconds
  • SSS denotes the milliseconds
  • counter denotes the number of keys being rotated
For example, ECDSA_20230908_123456_789_1 implies that the rotated key follows the ECDSA algorithm and was generated on September 8, 2023, at 12:34:56.789 GMT.
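As an added example (not part of the AppViewX documentation), the following Python parses rotated-key names of the documented KEYTYPE_yyyyMMdd_HHmmss_SSS_counter form, rejects names that do not follow it or that encode impossible dates, and reports the most recent rotation per algorithm across an inventory export. It assumes the key type contains no underscore, since "_" is the field separator, and that the timestamp is GMT as stated above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable

# KEYTYPE_yyyyMMdd_HHmmss_SSS_counter. Assumption: KEYTYPE (the algorithm
# name, e.g. ECDSA) never contains "_", because "_" separates the fields.
_ROTATED_NAME = re.compile(
    r"^(?P<keytype>[A-Za-z0-9-]+)_"
    r"(?P<Y>\d{4})(?P<M>\d{2})(?P<D>\d{2})_"
    r"(?P<h>\d{2})(?P<m>\d{2})(?P<s>\d{2})_"
    r"(?P<ms>\d{3})_(?P<counter>\d+)$"
)


@dataclass(frozen=True)
class RotatedKeyName:
    key_type: str
    rotated_at: datetime  # timezone-aware; the documentation states GMT
    counter: int


def parse_rotated_key_name(name: str) -> RotatedKeyName:
    """Split a rotated-key name into its fields.
    Raises ValueError for names that do not follow the convention or that
    encode an impossible date/time (month 13, hour 25, ...)."""
    m = _ROTATED_NAME.match(name)
    if m is None:
        raise ValueError(f"not a rotated-key name: {name!r}")
    # datetime() validates ranges; milliseconds become microseconds.
    stamp = datetime(int(m["Y"]), int(m["M"]), int(m["D"]),
                     int(m["h"]), int(m["m"]), int(m["s"]),
                     int(m["ms"]) * 1000, tzinfo=timezone.utc)
    return RotatedKeyName(m["keytype"], stamp, int(m["counter"]))


def is_rotated_key_name(name: str) -> bool:
    try:
        parse_rotated_key_name(name)
        return True
    except ValueError:
        return False


def latest_rotation_by_type(names: Iterable[str]) -> Dict[str, datetime]:
    """Most recent rotation time per algorithm. Names that do not follow the
    convention (keys never rotated by the platform) are skipped, not errors."""
    latest: Dict[str, datetime] = {}
    for name in names:
        if not is_rotated_key_name(name):
            continue
        parsed = parse_rotated_key_name(name)
        prev = latest.get(parsed.key_type)
        if prev is None or parsed.rotated_at > prev:
            latest[parsed.key_type] = parsed.rotated_at
    return latest
```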

Upon successful rotation of the key, the Comments field is updated.

Important:
Best practices before rotating host keys:
Note: The following points are applicable when the Enable Global Known hosts option is enabled under (Menu) icon > SSH+ > Administration > Advanced Settings. Enabling this option may have implications for your network.
  1. If the global known host file is not present, then AppViewX will create one in the root folder by including all public keys from users in the global known host file.
  2. Prior to host key rotation, update the global known host file.
  3. The old public key is deleted from the global known host file and the new public key is written in its place.
Best practices before rotating user keys:
Note: The following points are applicable when the Enable Global Authorized keys option is enabled under (Menu) icon > SSH+ > Administration > Advanced Settings. Enabling this option may have implications for your network.
  1. If the global authorized key file is not present, then AppViewX will create one in the root folder for each login user with privileged user permission.
  2. Prior to user key rotation, update the global authorized key file.
  3. The old public key is deleted from the global authorized key file and the new public key is written in its place.
CAUTION: Rotating keys can result in access loss and authentication problems if AppViewX does not have access to all the infrastructure information. Proceed with caution and ensure proper backup and alternative authentication methods are in place.
Delete Users with RW permission can:
  • Delete from Endpoints: Deletes the keys from the host endpoints. Keys selected for deletion from endpoints are automatically backed up and stored in a secure encrypted format in the database. The details of the backup are available in the audit log. On successful completion of the backup, the following message appears in the audit log: Backup completed for the <key type> for action <action> with name <key name> with fingerprint <key fingerprint> with group name <key group name> by the user <user name>.
    Note:
    • If you try deleting keys from hosts with only one key, then a warning message about the potential service disruption is displayed.
    • On selecting keys for deletion from endpoints, a confirmation message appears. On confirming, the delete operation is triggered via workflow. To check the status and reports, go to Automation > Service Request and select your request from All requests.
  • Delete from Inventory: Deletes the keys from the AppViewX inventory and not from the actual hosts.
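Both the Rotate and the Delete from Endpoints actions above announce their backup with the same audit-log message. As an added example (not AppViewX code), the following Python parses that message and lists the fingerprints of a submitted batch that have no backup entry, so an operator can confirm the backup before relying on the rotation or deletion. The literal action values ("rotate", "delete"), the surrounding log prefix and all fingerprints are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Audit-log message documented for Rotate and Delete from Endpoints. Each
# field is bracketed by fixed connective words, so a non-greedy match per
# field keeps key names and group names that contain spaces intact.
_BACKUP_MSG = re.compile(
    r"Backup completed for the (?P<key_type>.+?) for action (?P<action>.+?)"
    r" with name (?P<key_name>.+?) with fingerprint (?P<fingerprint>\S+)"
    r" with group name (?P<group>.+?) by the user (?P<user>\S+)\s*$"
)


def parse_backup_message(line: str) -> Optional[Dict[str, str]]:
    """Return the message fields, or None if the line is not a backup entry."""
    m = _BACKUP_MSG.search(line)
    return m.groupdict() if m else None


def keys_without_backup(requested: Iterable[str], action: str,
                        audit_lines: Iterable[str]) -> List[str]:
    """Fingerprints submitted for `action` with no matching
    'Backup completed' entry in the audit log."""
    backed_up: Set[str] = set()
    for line in audit_lines:
        rec = parse_backup_message(line)
        if rec is not None and rec["action"] == action:
            backed_up.add(rec["fingerprint"])
    return [fp for fp in requested if fp not in backed_up]


# Constructed sample audit-log lines; prefix, action names and fingerprints
# are placeholders, not real platform output.
SAMPLE_AUDIT_LOG = [
    "2023-09-08 12:34:56,789 INFO Backup completed for the user key for action rotate"
    " with name jenkins deploy key with fingerprint SHA256:constructed-fp-1"
    " with group name prod deploy by the user alice",
    "2023-09-08 12:34:56,801 INFO Backup completed for the user key for action rotate"
    " with name backup-agent with fingerprint SHA256:constructed-fp-2"
    " with group name prod deploy by the user alice",
    "2023-09-08 12:35:10,002 INFO Backup completed for the host key for action delete"
    " with name web01 with fingerprint SHA256:constructed-fp-3"
    " with group name web-hosts by the user bob",
    "2023-09-08 12:35:11,000 INFO Rotation request submitted by alice",
]

if __name__ == "__main__":
    batch = ["SHA256:constructed-fp-1", "SHA256:constructed-fp-2", "SHA256:constructed-fp-3"]
    print("rotate batch missing backup:", keys_without_backup(batch, "rotate", SAMPLE_AUDIT_LOG))
```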
Upload Bulk Tags Bulk upload tags using one of the following options:
  • File Upload: Upload a file containing the list of tags and key fingerprints. For a quick update, download the template, fill in the required fingerprints and tags, and import the updated file.
  • Based on Key Group: Select a key group, choose the required tags from the list, provide their values, and update. This applies the tag updates to all keys associated with the selected key group.
  • Download failed status: After completing the tag import in the bulk upload popup, you can download a list of the keys that failed to upload. This enables you to review the errors, correct them, and re-upload the updated data.
For tag mapping, see Managing Tags.