Sheriff CSM™
Reset the Sheriff API Key
Starting from version 5.2.5, Sheriff CSM and Sheriff Vigilante® offer the option to reset the Sheriff API key from the Sheriff Setup menu.
This option is available in all version 5.2.5 appliances by connecting through SSH and selecting System preferences > Reset Sheriff API key.
What Is the Reset Sheriff API Key Option for?
In Sheriff CSM version 5.2.4 and previous releases, Sheriff includes the API key in the configuration backups in clear text. If the backup was downloaded and stored in an insecure location, it could be used to SSH into Sheriff CSM as the avapi user and potentially harm the system.
In Sheriff CSM version 5.2.5 and later releases, the Sheriff API key is no longer included in the configuration backup. Since the avapi user performs many critical tasks in Sheriff CSM, we recommend that you reset the API key in every appliance if you have updated Sheriff CSM from a previous version.
Resetting the Sheriff API Key in Different Scenarios
You can reset the Sheriff API key at any stage after you have updated to Sheriff CSM version 5.2.5 or later.
On Isolated Sheriff CSM All-in-One or Sheriff CSM Standard Server
This operation is immediate. There is no need to provide the root password because it is a local change.
Select the option from the Sheriff Setup menu, then select Yes when prompted to regenerate the Sheriff API key.
In a Distributed Deployment with More Than One Sheriff CSM Server or Sheriff CSM Sensor (Deputy)
This operation should be executed in all Sheriff CSM instances in order to fully reset the Sheriff API Key.
This should be executed from bottom-up considering the deployment hierarchy, in other words, Sheriff CSM Sensors first, followed by Sheriff CSM Servers or Sheriff CSM All-in-Ones, followed by Federated Servers or Sheriff CSM Loggers.
The reason is that choosing "Reset Sheriff API Key" rewrites the authorized_keys file completely. After you reset the API key on a Sheriff CSM Sensor, the Sensor no longer has the corresponding Sheriff CSM Server's key, so the Sheriff CSM Server cannot communicate with the Sheriff CSM Sensor through the Sheriff API. When you then reset the Sheriff API key on the Sheriff CSM Server, the Server sends its new key to the Sheriff CSM Sensor, which restores the API connectivity.
Note: In distributed deployments, where you have more than one Sheriff CSM deployed, ensure that you know the root user's password for the directly connected appliances, as it is required to reset the Sheriff API keys.
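The ordering argument above, as an added simulation (example code written for this page, not Sheriff's own): it derives the bottom-up reset order for a hierarchy and reports which upstream-to-downstream API links a given order leaves broken. The appliance names and hierarchy are constructed, and modelling authorized_keys as a set of upstream keys is a simplifying assumption.

```python
import itertools

# Constructed sample hierarchy (hypothetical names): upstream -> directly connected downstream.
DEPLOYMENT = {
    "federated-1": ["server-1"],
    "server-1": ["sensor-1", "sensor-2"],
    "sensor-1": [],
    "sensor-2": [],
}

def bottom_up_order(tree):
    """Sensors first, then the appliances above them, top of the hierarchy last."""
    def height(node):
        return 1 + max((height(child) for child in tree[node]), default=-1)
    return sorted(tree, key=height)

def broken_links(tree, order):
    """Simulate resets in `order`; return (upstream, downstream) links left without API access."""
    serial = itertools.count(1)
    keys = {node: f"{node}-key-0" for node in tree}
    authorized = {node: set() for node in tree}   # simplified model of authorized_keys
    for up, downs in tree.items():                # starting state: every link works
        for down in downs:
            authorized[down].add(keys[up])
    for node in order:
        keys[node] = f"{node}-key-{next(serial)}"  # reset generates a new key
        authorized[node] = set()                   # and rewrites authorized_keys completely
        for down in tree[node]:                    # new key is sent to downstream appliances
            authorized[down].add(keys[node])
    return [(up, down) for up, downs in tree.items() for down in downs
            if keys[up] not in authorized[down]]

if __name__ == "__main__":
    order = bottom_up_order(DEPLOYMENT)
    print("bottom-up:", order, "->", broken_links(DEPLOYMENT, order))
    print("top-down: ", order[::-1], "->", broken_links(DEPLOYMENT, order[::-1]))
    print("sensors only:", broken_links(DEPLOYMENT, ["sensor-1", "sensor-2"]))
```

The sensors-only run shows why the reset has to be carried out on every instance: links stay broken until the appliance above has also been reset and has sent its new key down.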