security.cfg file keeps getting corrupted - need to find a way to notify if this file gets changed
Article ID: 117227
Updated On:
Products
Issue/Introduction
We have had a number of incidents where somehow the security.cfg file becomes changed or corrupted or *something* happens that erases all of the groups and permissions we have set up in it.
When this propagates to the other hubs we lose all settings. There is a existing KB which shows how to replace and/or restore the security.cfg file, but it has never worked for our environment.
What we need is a way to be notified if this file changes so we can get out ahead of the issue, restore the config file manually (as we have had to do the last several times this has happened) before this starts to impede our alarming.
Environment
- UIM 8.5.1
- hub v7.93
Cause
- hub security.cfg file corruption is usually caused by competing security updates or something going wrong in transit.
Resolution
For notification of security.cfg file changes, you could probably setup dirscan or logmon to check the file information and send an alert based on the result.
Make sure you are on the latest hub v7.93 or higher and you also may want to implement this solution (see below).
By default, changes to security.cfg are propagated from any hub. Two configuration keys affect this behavior:
1. Set secure_callbacks_from_primary_hub_only in the hub security.cfg. Default: no
- When the key is set to yes: the primary hub propagates security changes to ALL hubs in the domain.
- When this value is set to no, a hub only propagates security changes to nearby hubs. Nearby hubs are hubs that are one level away.
When the key-> secure_callbacks_from_primary_hub_only is disabled, the primary hub propagates the change to all other hubs before disabling it in itself.
This value is changed with the hubsec_setup_put callback.
To adjust this value you will use the probe utility. Here are the steps:
1. Select the hub probe and press Ctrl-P to open the Probe utility
2. Select the hubsec_setup_put callback
3. Set the key to:
secure_callbacks_from_primary_hub_only
4. Set the value to:
yes
5. Press the green arrow to execute the callback
Open your security.cfg file and you should see the new setting at the top of the file under the setup section.
Here is an example of the top portion of the security.cfg file after making such a change.
<setup>
version = 1000
expire = 21600
ignore_ip = no
auth_mode = 0
signature = <example/encrypted string>
domain = <example_domain>
trusted_ips =
secure_callbacks_from_primary_hub_only = yes
</setup>
Note that the following configuration is recommended for ALL domains:
Set secure_callbacks_from_primary_hub_only to yes.
2. Set security_config_propagation to no (via same method above or you can use Raw configure mode)
***This combination ensures that security updates propagate from the primary hub only.***
Security updates propagate to all the hubs in the domain, regardless of the proximity to the primary hub.
Set security_config_propagation in hub.cfg. Default: yes
- When the key is set to yes, a hub can propagate updates to security.cfg to all other hubs in the domain.
- When the key is set to no, the hub cannot propagate updates that it receives.
- Note that the Primary hub ignores the value of this key, and propagates updates even when the key is set to no.
- This value must be explicitly set in each hub.cfg file. Restart the hub for the change to take effect.
Additional Information
Feedback
