Modifying the secret key used to secure user credentials used by Topology Manager

Topology Manager stores a number of credentials in its database. To prevent a person with access to the database from being able to access all your environments, these credentials are secured using a secret key. Because the default secret key is hardcoded and can become known, RWS recommends that, before setting up your implementation of Tridion Sites, you replace the default secret key with a custom secret key.

About this task

The Topology Manager database contains the following administrator-level credentials:
  • For each Content Manager environment, one set of credentials to access the Core Service
  • For each Content Delivery environment, one set of credentials to access the Discovery Service (this user must assume the cm role, and defaults to cmuser)
The secret key to secure these credentials is located (in encrypted form) in the Web.config file of your Topology Manager. If you want to replace the default secret key with your own secret key (which RWS recommends), note the following:
  • Create and use your custom key before doing any decryption or encryption on this file, and before the first server in your implementation comes into use. Otherwise, you will find yourself unable to decrypt data that was encrypted with the default key.
  • Be sure to use your custom key across all scaled-out instances of Topology Manager. Otherwise, one Topology Manager instance will be unable to decrypt data encrypted on another instance.

Procedure

  1. For safety, back up your Topology Manager database.
  2. Access your Content Manager server or, in a scaled-out setup, one of your Content Manager servers.
  3. Go to the root location of the Topology Manager web application.
  4. Decrypt the section you want to edit by running the following command:
    c:\Windows\Microsoft.NET\FRAMEWORKFOLDER\VERSIONFOLDER\aspnet_regiis.exe -pdf "topologyManagerEncryption" "TRIDION_HOME\TopologyManager\web"
    where:
    • FRAMEWORKFOLDER is either Framework or Framework64
    • VERSIONFOLDER is the .NET version, for example, v4.0.30319
    • TRIDION_HOME is the value of the TRIDION_HOME environment variable

    If running this command yields the error message "The current key is incorrect. Check the entered current key or decrypt a web.config file", then either the file is already decrypted, or it was encrypted with a different key than the one currently stored in the Topology Manager database.

  5. Open Web.config for viewing.
  6. Find the topologyManagerEncryption section and inside it, find the current value of the encryption key. Temporarily copy-paste this value to some text document.
  7. Close Web.config.
  8. Go to the following subfolder of %TRIDION_HOME%: bin\PowerShellModules\Tridion.TopologyManager.Server.Automation\.
  9. Run the following command:
    Set-TtmEncryptionKey -CurrentEncryptionKey CURRKEY -NewEncryptionKey NEWKEY -TtmWebConfigPath PATH
    where:
    • CURRKEY is the current encryption key, which you just copy-pasted from Web.config
    • NEWKEY is the new encryption key you want to use
    • PATH is the full or relative path to the folder that contains Web.config
  10. Encrypt the section you edited by running the following command:
    c:\Windows\Microsoft.NET\FRAMEWORKFOLDER\VERSIONFOLDER\aspnet_regiis.exe -pef "topologyManagerEncryption" "TRIDION_HOME\TopologyManager\web"
  11. In a scaled-out setup, access every other Content Manager server and for each one, do the following:
    1. Decrypt the Web.config file in the Topology Manager web application root folder, as in step 4.
    2. Open Web.config for editing.
    3. Change the value of the key attribute of the topologyManagerEncryption element to the new key you specified as a value for -NewEncryptionKey when you ran the script.
    4. Save and close Web.config.
    5. Encrypt the Web.config file as in step 10 above.
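Steps 1 to 10 above, scripted for a single Topology Manager instance as an added PowerShell example (this is not an RWS script). It assumes that the topologyManagerEncryption element sits directly under the configuration root with its key in a key attribute, that the module can be imported from the folder named in step 8, and that the framework folder and .NET version shown are placeholders to adjust; the database backup from step 1 is still done separately.

```powershell
# Added example, not RWS's own script: rotates the Topology Manager secret key on one instance.
# Assumptions: module name equals its folder name; <topologyManagerEncryption key="..."> is a
# direct child of <configuration>; Framework/version values are placeholders for your server.
param(
    [Parameter(Mandatory)] [string] $NewKey,
    [string] $Framework     = 'Framework64',
    [string] $DotNetVersion = 'v4.0.30319',
    [string] $TridionHome   = $env:TRIDION_HOME
)
$ErrorActionPreference = 'Stop'
$webRoot    = Join-Path $TridionHome 'TopologyManager\web'
$configPath = Join-Path $webRoot 'Web.config'
$regiis     = "C:\Windows\Microsoft.NET\$Framework\$DotNetVersion\aspnet_regiis.exe"
$section    = 'topologyManagerEncryption'

# Keep a copy of the still-encrypted Web.config before touching it.
Copy-Item $configPath "$configPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# Step 4: decrypt the section in place.
& $regiis -pdf $section $webRoot
if ($LASTEXITCODE -ne 0) {
    throw "aspnet_regiis -pdf failed: file already decrypted, or encrypted with a different key"
}

# Steps 5-7: read the current key from the decrypted XML instead of copy-pasting it by hand.
[xml] $cfg = Get-Content -Raw $configPath
$node = $cfg.configuration.$section
if ($null -eq $node) { throw "No <$section> element found in $configPath" }
# aspnet_regiis marks protected sections with configProtectionProvider; its presence
# means decryption did not take effect and the key attribute would be unreadable.
if ($node.configProtectionProvider) { throw "Section is still protected; aborting" }
$currentKey = $node.key
if ([string]::IsNullOrEmpty($currentKey)) { throw "Current key attribute is missing or empty" }

# Steps 8-9: re-key the credentials stored in the database.
Import-Module (Join-Path $TridionHome 'bin\PowerShellModules\Tridion.TopologyManager.Server.Automation')
Set-TtmEncryptionKey -CurrentEncryptionKey $currentKey -NewEncryptionKey $NewKey -TtmWebConfigPath $webRoot

# Step 10: re-encrypt the section so the new key is no longer stored in plaintext.
& $regiis -pef $section $webRoot
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed; Web.config currently holds the key in plaintext" }

# Drop the plaintext keys from this session once the file is protected again.
Remove-Variable currentKey, NewKey
```

In a scaled-out setup, step 11 still has to be carried out on every other Content Manager server with the same NewKey value.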