security.cfg file keeps getting corrupted - need to find way to notify if this file gets changed

Document ID : KB000117227
Last Modified Date : 08/11/2018
Issue:
We have had a number of incidents where somehow the security.cfg file becomes changed or corrupted, or *something* happens that erases all of the groups and permissions we have set up in it. When this propagates to the other hubs we lose all settings. There is a KB out there that shows how to replace and/or restore the security.cfg file, but it has never worked for our environment. Regardless, what we need is a way to be notified if this file changes so we can get out ahead of the issue and restore the config file manually (as we have had to do the last several times this has happened) before this starts to impede our alarming. Thank you!
Environment:
- UIM 8.5.1
- hub v7.93
Cause:
hub security.cfg file corruption is usually caused by competing security updates or something going wrong in transit.
Resolution:
For notification of security.cfg file changes, you could probably set up dirscan or logmon to check the file information and send an alert based on the result.

Make sure you are on the latest hub v7.93 and you also may want to implement this solution (see below).

By default, changes to security.cfg are propagated from any hub. Two configuration keys affect this behavior:

Set secure_callbacks_from_primary_hub_only in security.cfg. Default: no

- When the key is set to yes, the primary hub propagates security changes to ALL hubs in the domain.
- When the key is set to no, a hub only propagates security changes to nearby hubs. Nearby hubs are hubs that are one level away.

When secure_callbacks_from_primary_hub_only is disabled, the primary hub propagates the change to all other hubs before disabling it on itself.

This value is changed with the hubsec_setup_put callback.

To adjust this value you will use the probe utility. Here are the steps:

1. Select the hub probe and press Ctrl-P to open the Probe utility
2. Select the hubsec_setup_put callback
3. Set the key to:
    secure_callbacks_from_primary_hub_only
4. Set the value to:
     yes
5. Press the green arrow to execute the callback

Open your security.cfg file and you should see the new setting at the top of the file under the setup section.

Here is an example of the top portion of the security.cfg file after making such a change.

<setup>
   version = 1000
   expire = 21600
   ignore_ip = no
   auth_mode = 0
   signature = 5z50iZ37sV2+YPASQzg==
   domain = <my_cool_domain>
   trusted_ips =
   secure_callbacks_from_primary_hub_only = yes
</setup>

Note that the following configuration is recommended for ALL domains:

Set secure_callbacks_from_primary_hub_only to yes.
Set security_config_propagation to no (using the same method).

This combination ensures that security updates propagate from the primary hub only.
Security updates propagate to all the hubs in the domain, regardless of the proximity to the primary hub.

Set security_config_propagation in hub.cfg. Default: yes

- When the key is set to yes, a hub can propagate updates to security.cfg to all other hubs in the domain.
- When the key is set to no, the hub cannot propagate updates that it receives.
- The Primary hub ignores the value of this key, and propagates updates even when the key is set to no.
- This value must be explicitly set in each hub.cfg file. Restart the hub for the change to take effect.
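
For the change notification suggested above, the following is an added example (not CA/UIM code and not part of the original article) of what a scheduled check could compare: it snapshots security.cfg, reports lost sections and changed <setup> keys against a known-good baseline, and flags the file when secure_callbacks_from_primary_hub_only is not yes. The sample file contents are constructed, and the section names <example_groups> and <ops> are hypothetical stand-ins for your own group and permission sections.

```python
import hashlib
KEY = "secure_callbacks_from_primary_hub_only"

def snapshot(text):
    """Summarise a security.cfg: content hash, section paths, <setup> keys."""
    stack, sections, setup = [], set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</") and line.endswith(">"):
            del stack[-1:]                       # closing tag; safe if unbalanced
        elif line.startswith("<") and line.endswith(">"):
            stack.append(line[1:-1])             # opening tag, may be nested
            sections.add("/".join(stack))
        elif "=" in line and stack == ["setup"]:
            key, _, value = line.partition("=")
            setup[key.strip()] = value.strip()
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    return {"sha256": digest, "sections": sections, "setup": setup}

def compare(baseline, current):
    """Return alert strings; an empty list means nothing to report."""
    findings = []
    if current["setup"].get(KEY) != "yes":
        findings.append(f"{KEY} is not set to yes")
    if baseline["sha256"] == current["sha256"]:
        return findings
    findings.append("security.cfg content changed")
    lost = sorted(baseline["sections"] - current["sections"])
    if lost:
        findings.append("sections missing: " + ", ".join(lost))
    for key in sorted(set(baseline["setup"]) | set(current["setup"])):
        old, new = baseline["setup"].get(key), current["setup"].get(key)
        if old != new:
            findings.append(f"setup/{key}: {old!r} -> {new!r}")
    return findings

# Constructed sample data; <example_groups> and <ops> are hypothetical names.
BASELINE = """<setup>
   domain = <my_cool_domain>
   secure_callbacks_from_primary_hub_only = yes
</setup>
<example_groups>
   <ops>
      access = read
   </ops>
</example_groups>
"""
WIPED = "<setup>\n   domain = <my_cool_domain>\n</setup>\n"

if __name__ == "__main__":
    print("\n".join(compare(snapshot(BASELINE), snapshot(WIPED))))
```

Take the baseline snapshot from a copy of security.cfg you have verified by hand, and treat a "sections missing" finding as the cue to restore before the change propagates further.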
Additional Information:
The information above is documented.
https://docops.ca.com/ca-unified-infrastructure-management-probes/ga/en/alphabetical-probe-articles/hub/hub-release-notes