Actions on User Key/Host Key Inventory

Provision Key

You can provision a SSH key (user key, private key or key pair) to target hosts with optional vault integration. For provisioning a key, see Provision a Key.

Modify

You can modify the user key details and tags.

Table 2. Field description for Modify Key
Field	Description
Key details
*Key Group	Select key group from the dropdown list. Note: A key is linked to a key group, and this key group is further connected to a policy. Based on the selection of the key group, it is determined if the key needs a work order approval. The key is also checked for compliance with the key policy associated with the key group.
*Key Name	A unique name of the key to facilitate easy identification.
*Key Type	Indicates the type of key. In this case, it is a User Key.
*Algorithm	Select the cryptographic algorithm used for the key.
*Bit length	Specify the bit length for the key.
Comment	Enter remarks specific to the key.
Tags
Tags	Select tags from the list. Note: Based on the selected tags, corresponding tag labels will be displayed, allowing you to further refine your tag selections.
* - Mandatory fields

To modify the tags associated with a key, click the icon next to the key, and update the tag details as needed.

Change status

Users with RW permission can change the status of a key to Managed or Monitored.

Export

You can export the user or host key details from their respective inventory in .csv or .xlsx format.

Download

You can download a key pair, private key, public key, or ssh certificate from the key inventories. Additionally, you can choose to download only the private key, only the public key, or both.

Upload User SSH key

Note: This field appears only for User Key Inventory.

Table 3. Field description for Upload SSH key section
Field	Description
*Key File	Click Search icon to browse for the file.
*Key Group	Select key group from the dropdown list. Note: A key is linked to a key group, and this key group is further connected to a policy. Based on the selection of the key group, it is determined if the key needs a work order approval. The key is also checked for compliance with the key policy associated with the key group.
*Key Name	Enter a unique name for the key to facilitate easy identification.
Passphrase	Enter a passphrase
Confirm Passphrase	Enter the passphrase again to confirm.
*Validity	Select validity from the dropdown list. This determines the duration for which the key is valid.
Comment	Enter remarks specific to the key.
Note: Fields indicated with red asterisk (*) symbol are mandatory.

Revoke

Note: This field appears only for User Key Inventory.

Users with RW permission can revoke certificates that are associated with keys that have a private key and key pair (public + private). If the selection has even one key that is a public key, then revoke is disabled.

Rotate

Users with RW permission can rotate selected user keys or host keys based on the rotation configuration outlined in their corresponding key policies. Keys selected for rotation are automatically backed up and stored in a secure encrypted format in the Recently Rotated Keys. The details of backup are available in the audit log. On successful completion of backup, a message appears in the audit log, Backup completed for the <key type> for action <action> with name <key name> with fingerprint <key fingerprint> with group name <key group name> by the user <user name>.

On selecting keys for rotation, a confirmation message appears. On confirming, the rotate operation is triggered via workflow. To check the status and reports, go to Automation > Service Request > All and select your request from All requests.

Note: If any of the selected keys or their file paths are missing, the workflow will skip those keys and continue processing the remaining rotations without failure. The skipped keys will be listed in the Report stage of the workflow with the status Skipped - Missing.

The newly rotated key adheres to the following naming convention: KEYTYPE_TIMESTAMP, where key type denotes the encryption algorithm of the key while timestamp is when you have rotated the key in the yyyyMMdd_HHmmss_SSS_counter format where:

yyyy denotes the year
MM denotes the month
dd denotes the date
HH denotes the hours
mm denotes the minutes
ss denotes the seconds
SSS denotes the milliseconds
counter denotes the number of keys being rotated

For example, ECDSA_20230908_123456_789_1 implies that the rotated key follows the ECDSA algorithm and was generated on September 8, 2023, at 12:34:56.789 GMT.

Upon successful rotation of the key, the Comments field is updated.

Important:

Best practices before rotating host keys:

Note: The following points are applicable when the Enable Global Known hosts option is enabled under

(Menu) icon > SSH+ > Administration > Advanced Settings. Enabling this option may have implications for your network.

If the global known host file is not present, then AppViewX will create one in the root folder by including all public keys from users in the global known host file.
Prior to host key rotation, update the global known host file.
The old public key is deleted and the new key is replaced in the global known host file.

Best practices before rotating user keys:

Note: The following points are applicable when the Enable Global Authorized keys option is enabled under

(Menu) icon > SSH+ > Administration > Advanced Settings. Enabling this option may have implications for your network.

If the global authorized key file is not present, then AppViewX will create one in the root folder for each login user with privileged user permission.
Prior to user key rotation, update the global authorized key file.
The old public key is deleted and the new key is replaced in the global authorized key file.

CAUTION: Rotating keys can result in access loss and authentication problems if AppViewX does not have access to all the infrastructure information. Proceed with caution and ensure proper backup and alternative authentication methods are in place.

Delete

Users with RW permission can:

Delete from Endpoints: Deletes the keys from the host endpoints. Keys selected for deletion from endpoints are automatically backed up and stored in a secure encrypted format in the database. The details of backup are available in the audit log. On successful completion of backup, a message appears in the audit log, Backup completed for the <key type> for action <action> with name <key name> with fingerprint <key fingerprint> with group name <key group name> by the user <user name>.
Note:
- If you try deleting keys from hosts with only one key, then a warning message about the potential service disruption is displayed.
- On selecting keys for deletion from endpoints, a confirmation message appears. On confirming, the delete operation is triggered via workflow. To check the status and reports, go to Automation > Service Request and select your request from All requests.
- If any of the selected keys or their file paths are missing, the workflow will skip those keys and continue processing the remaining deletions without failure. The skipped keys will be listed in the Report stage of the workflow with the status Skipped - Missing.
Delete from Inventory: Deletes the keys from the AppViewX inventory and not from the actual hosts.

Upload Bulk Tags

Bulk upload tags using one of the following options:

File Upload: Upload a file containing the list of tags and key fingerprints. For a quick update, download the template, fill in the required fingerprints and tags, and import the updated file.
Based on Key Group: Select a key group, choose the required tags from the list, provide their values, and update. This allows you to apply tag updates to all keys associated with the selected key group.
Download failed status: After completing the tag import in the bulk upload popup, you can download a list of the keys that failed to upload. This enables you to review the errors, correct them, and re-upload the updated data.

For tag mapping, see Managing Tags.