November Happy Hour will be moved to Thursday December 5th.

Aniel Sud
Feb 3, 2020
  10699
(0 votes)

Key Rotation on Episerver Find

We at Episerver consider continuous security and data protection a core responsibility. In a dedicated effort to protect the data of our customers and our customers’ customers, we work diligently to monitor and test our products, services and offerings for any potential security threats. Our aim is to ensure your confidence in the security of our solutions, so you can continue to deliver seamless and secure experiences for your customers without worry.  As such, we are releasing a new process and protocol specific to Episerver Find customers which will require a regular cadence of rotating authentication keys on an annual basis.

In order to adhere to this new process, customers on the Digital Experience Platform need do nothing – your environments will be automatically updated periodically with new keys. If you are connecting to your indices from elsewhere using a direct connection string, or if you are a managed services customer or an on-premise customer, please reach out to Technical Support Services at support@episerver.com in order to initiate your key rotation.

We will require that all existing Find keys are rotated within the next 90 days, or by May 3, 2020. On or before that date, all existing Find keys will be disabled, which will negatively impact your site if you have not rotated your keys before then.

After that period, we will require that all Find keys are rotated annually.

Should you have any questions or concerns, please do not hesitate to contact us at security@episerver.com or your local support representative.

Feb 03, 2020

Comments

Per Atle Holvik
Per Atle Holvik Feb 4, 2020 11:01 AM

Hi Aniel,

Does this apply to the paid development license as well?

Aniel Sud
Aniel Sud Feb 4, 2020 02:39 PM

Yes it does - all indexes are required to abide by the key rotation policy. Thanks for the question!

Paul Gruffydd
Paul Gruffydd Feb 4, 2020 04:45 PM

Hi Aniel,

Just to clarify how this will be managed on an ongoing basis. I'm assuming each key issued will have a maximum lifespan of 12 months and can be renewed from x days prior to expiry (rather than there being one day per year which all Episerver devs will come to dread, where all keys are expired in a mass purge). I take it there will be email reminders sent in the time running up to a key expiring each year?

Lars Bodahl
Lars Bodahl Feb 11, 2020 11:49 AM

The project I am working on are running Find server on-premise (EPiServer Find Virtual Appliance Raw). I have been in contact with Episerver support to clarify how the key rotation will affect these installations. This is the latest response where it is stated that the change described in this blogpost will not affect EPiServer Find Virtual Appliance Raw installations: 

EPiServer Find Virtual Appliance Raw is the unmanaged on-premise version of EPiServer Find. 

Since the VA server is hosted by your own, it does not communicate with our Episerver Find servers/clusters. For that reason, the key will not be rotated. Only DXP users or VA server (not RAW) are affected by this.

Gregoire Bodson
Gregoire Bodson Feb 12, 2020 01:20 PM

Hi,

How will this be managed for customer running commerce on DXC with old mediachase.search.config pointing to Find index?

For CMS it is correct to assume key changes will be automatically managed by app service config and DXC team?

Please login to comment.
Latest blogs
AsyncHelper can be considered harmful

.NET developers have been in the transition to move from synchronous APIs to asynchronous API. That was boosted a lot by await/async keyword of C#...

Quan Mai | Dec 4, 2024 | Syndicated blog

The search for dictionary key

Recently I helped to chase down a ghost (and you might be surprised to know that I, for most part, spend hours to be a ghostbuster, it could be fun...

Quan Mai | Dec 4, 2024 | Syndicated blog

Shared optimizely cart between non-optimizley front end site

E-commerce ecosystems often demand a seamless shopping experience where users can shop across multiple sites using a single cart. Sharing a cart...

PuneetGarg | Dec 3, 2024

CMS Core 12.22.0 delisted from Nuget feed

We have decided to delist version 12.22.0 of the CMS Core packages from our Nuget feed, following the discovery of a bug that affects rendering of...

Magnus Rahl | Dec 3, 2024