Aniel Sud
Feb 3, 2020
  9970
(0 votes)

Key Rotation on Episerver Find

We at Episerver consider continuous security and data protection a core responsibility. In a dedicated effort to protect the data of our customers and our customers’ customers, we work diligently to monitor and test our products, services and offerings for any potential security threats. Our aim is to ensure your confidence in the security of our solutions, so you can continue to deliver seamless and secure experiences for your customers without worry.  As such, we are releasing a new process and protocol specific to Episerver Find customers which will require a regular cadence of rotating authentication keys on an annual basis.

In order to adhere to this new process, customers on the Digital Experience Platform need do nothing – your environments will be automatically updated periodically with new keys. If you are connecting to your indices from elsewhere using a direct connection string, or if you are a managed services customer or an on-premise customer, please reach out to Technical Support Services at support@episerver.com in order to initiate your key rotation.

We will require that all existing Find keys are rotated within the next 90 days, or by May 3, 2020. On or before that date, all existing Find keys will be disabled, which will negatively impact your site if you have not rotated your keys before then.

After that period, we will require that all Find keys are rotated annually.

Should you have any questions or concerns, please do not hesitate to contact us at security@episerver.com or your local support representative.

Feb 03, 2020

Comments

Per Atle Holvik
Per Atle Holvik Feb 4, 2020 11:01 AM

Hi Aniel,

Does this apply to the paid development license as well?

Aniel Sud
Aniel Sud Feb 4, 2020 02:39 PM

Yes it does - all indexes are required to abide by the key rotation policy. Thanks for the question!

Paul Gruffydd
Paul Gruffydd Feb 4, 2020 04:45 PM

Hi Aniel,

Just to clarify how this will be managed on an ongoing basis. I'm assuming each key issued will have a maximum lifespan of 12 months and can be renewed from x days prior to expiry (rather than there being one day per year which all Episerver devs will come to dread, where all keys are expired in a mass purge). I take it there will be email reminders sent in the time running up to a key expiring each year?

Lars Bodahl
Lars Bodahl Feb 11, 2020 11:49 AM

The project I am working on are running Find server on-premise (EPiServer Find Virtual Appliance Raw). I have been in contact with Episerver support to clarify how the key rotation will affect these installations. This is the latest response where it is stated that the change described in this blogpost will not affect EPiServer Find Virtual Appliance Raw installations: 

EPiServer Find Virtual Appliance Raw is the unmanaged on-premise version of EPiServer Find. 

Since the VA server is hosted by your own, it does not communicate with our Episerver Find servers/clusters. For that reason, the key will not be rotated. Only DXP users or VA server (not RAW) are affected by this.

Gregoire Bodson
Gregoire Bodson Feb 12, 2020 01:20 PM

Hi,

How will this be managed for customer running commerce on DXC with old mediachase.search.config pointing to Find index?

For CMS it is correct to assume key changes will be automatically managed by app service config and DXC team?

Please login to comment.
Latest blogs
Zombie Properties want to Eat Your Brains

It’s a story as old as time. You work hard to build a great site. You have all the right properties – with descriptive names – that the content...

Joe Mayberry | Mar 29, 2023 | Syndicated blog

Optimizely finally releases new and improved list properties!

For years, the Generic PropertyList has been widely used, despite it being unsupported. Today a better option is released!

Tomas Hensrud Gulla | Mar 28, 2023 | Syndicated blog

Official List property support

Introduction Until now users were able to store list properties in three ways: Store simple types (int, string, DateTime, double) as native...

Bartosz Sekula | Mar 28, 2023

New dashboard implemented in CMS UI 12.18.0

As part of the CMS UI 12.18.0 release , a new dashboard has been added as a ‘one stop shop’ to enable editors to access all of their content items,...

Matthew Slim | Mar 28, 2023

How to Merge Anonymous Carts When a Customer Logs In with Optimizely Commerce 14

In e-commerce, it is common for users to browse a site anonymously, adding items to their cart without creating an account. Later, when the user...

Francisco Quintanilla | Mar 27, 2023

How to Write an xUnit Test to Verify Unique Content Type Guids in Content Management

When developing an Optimizely CMS solution, it is important to ensure that each content type has a unique GUID. If two or more content types share...

Minesh Shah (Netcel) | Mar 27, 2023