Key Rotation on Episerver Find
We at Episerver consider continuous security and data protection a core responsibility. In a dedicated effort to protect the data of our customers and our customers’ customers, we work diligently to monitor and test our products, services and offerings for any potential security threats. Our aim is to ensure your confidence in the security of our solutions, so you can continue to deliver seamless and secure experiences for your customers without worry. As such, we are releasing a new process and protocol specific to Episerver Find customers which will require a regular cadence of rotating authentication keys on an annual basis.
In order to adhere to this new process, customers on the Digital Experience Platform need do nothing – your environments will be automatically updated periodically with new keys. If you are connecting to your indices from elsewhere using a direct connection string, or if you are a managed services customer or an on-premise customer, please reach out to Technical Support Services at email@example.com in order to initiate your key rotation.
We will require that all existing Find keys are rotated within the next 90 days, or by May 3, 2020. On or before that date, all existing Find keys will be disabled, which will negatively impact your site if you have not rotated your keys before then.
After that period, we will require that all Find keys are rotated annually.
Should you have any questions or concerns, please do not hesitate to contact us at firstname.lastname@example.org or your local support representative.
Does this apply to the paid development license as well?
Yes it does - all indexes are required to abide by the key rotation policy. Thanks for the question!
Just to clarify how this will be managed on an ongoing basis. I'm assuming each key issued will have a maximum lifespan of 12 months and can be renewed from x days prior to expiry (rather than there being one day per year which all Episerver devs will come to dread, where all keys are expired in a mass purge). I take it there will be email reminders sent in the time running up to a key expiring each year?
The project I am working on are running Find server on-premise (EPiServer Find Virtual Appliance Raw). I have been in contact with Episerver support to clarify how the key rotation will affect these installations. This is the latest response where it is stated that the change described in this blogpost will not affect EPiServer Find Virtual Appliance Raw installations:
EPiServer Find Virtual Appliance Raw is the unmanaged on-premise version of EPiServer Find.
Since the VA server is hosted by your own, it does not communicate with our Episerver Find servers/clusters. For that reason, the key will not be rotated. Only DXP users or VA server (not RAW) are affected by this.
How will this be managed for customer running commerce on DXC with old mediachase.search.config pointing to Find index?
For CMS it is correct to assume key changes will be automatically managed by app service config and DXC team?