|
1 | 1 | ---
|
2 | 2 | title: Azure Operator Nexus credential rotation
|
3 |
| -description: Instructions on Credential Rotation Lifecycle Management requests. |
| 3 | +description: Describes the credential rotation lifecycle including automated rotation & requests for a manual rotation. |
4 | 4 | ms.service: azure-operator-nexus
|
5 | 5 | ms.custom: template-how-to
|
6 | 6 | ms.topic: how-to
|
7 |
| -ms.date: 01/29/2024 |
8 |
| -author: sbatchu0108 |
9 |
| -ms.author: sbatchu |
| 7 | +ms.date: 03/19/2024 |
| 8 | +author: eak13 |
| 9 | +ms.author: ekarandjeff |
10 | 10 | ---
|
11 | 11 |
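Review bot: The new `description` value in the front matter uses "&" and mixes plural and singular ("automated rotation & requests for a manual rotation"). Spell out "and" and match the wording of the intro sentence, for example "Describes the credential rotation lifecycle, including automated rotation and requests for manual rotation." The `ms.date`, `author` and `ms.author` updates look consistent with each other.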
|
12 |
| -# Credential rotation management for on-premises devices |
| 12 | +# Credential rotation management for Operator Nexus on-premises devices |
13 | 13 |
|
14 |
| -This document provides an overview of the credential rotation support request that needs to be raised for requesting credential rotation on the nexus instance. |
| 14 | +This article describes the Operator Nexus credential rotation lifecycle including automated rotation & requests for manual rotation. |
15 | 15 |
|
16 | 16 | ## Prerequisites
|
17 | 17 |
|
18 | 18 | - Target cluster and fabric must be in running and healthy state.
|
| 19 | +- Platform credential updates are written to a user provided key vault, if provided. Users provide key vault information on the Cluster resource during Cluster create or update. |
| 20 | + - For more information on adding key vault information to the Cluster, see [Create and provision a Cluster](howto-configure-cluster.md). |
| 21 | + - The Cluster update command allows users to add or change key vault information. |
| 22 | + - For information on configuring the key vault to receive credential rotation updates, see [Setting up Key Vault for Managed Credential Rotation](how-to-credential-manager-key-vault.md). |
19 | 23 |
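Review bot: The first added prerequisite says updates are written to a user provided key vault "if provided", which reads as optional, while the IMPORTANT callout added right after this list says a key vault must be provided or the credentials cannot be retrieved. Make the prerequisite state the requirement directly (for example "A key vault must be configured on the Cluster resource to receive platform credential updates") so a reader who stops at the prerequisites does not skip it. Also confirm both relative links resolve, since one target uses the `howto-` prefix and the other `how-to-`.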
|
20 |
| -## Create support request |
| 24 | +> [!IMPORTANT] |
| 25 | +> A key vault must be provided on the Cluster, otherwise credentials will not be retrievable. Microsoft Support does not have access to the credentials. |
21 | 26 |
|
22 |
| -Raise credential rotation request by [contacting support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). Below details are required in order to perform the credential rotation on the required target instance: |
23 |
| - - Type of credential that needs to be rotated. Specify if the request is for fabric device or BMC or Storage or Console User or for all four types. |
24 |
| - - Provide Tenant ID. |
25 |
| - - Provide Subscription ID. |
26 |
| - - Provide Resource Group Name in which the target cluster or fabric resides based on type of credential that needs to be rotated. |
27 |
| - - Provide Target Cluster or Fabric Name based on type of credential that needs to be rotated. |
28 |
| - - Provide Target Cluster or Fabric ARM ID based on type of credential that needs to be rotated. |
29 |
| - - Provide Customer Key Vault ID to which rotated credentials of target cluster instance needs to be updated. |
| 27 | +## Rotating credentials |
| 28 | + |
| 29 | +The Operator Nexus Platform offers a managed credential rotation process that automatically rotates the following credentials: |
| 30 | + |
| 31 | +- Baseboard Management Controller (BMC) |
| 32 | +- Pure Storage Array Administrator |
| 33 | +- Console User for emergency access |
| 34 | + |
| 35 | +When a new Cluster is created, the credentials are automatically rotated during deployment. The managed credential process then automatically rotates these credentials every 60 days. The updated credentials are written to the key vault associated with the Cluster resource. The last rotation timestamps are currently not visible to users, but is a planned enhancement to the Operator Nexus Platform. |
| 36 | + |
| 37 | +> [!NOTE] |
| 38 | +> The introduction of this capability enables auto-rotation for existing instances. If the BMC, Storage Administrator or Console User credentials have not been rotated within the last 60 days, they will be rotated at the time of upgrade. |
| 39 | +
|
| 40 | +Operator Nexus also provides a service for preemptive rotation of the above Platform credentials. This service is available to customers upon request through a support ticket. Credential rotation for Operator Nexus Fabric devices also requires a support ticket. Instructions for generating a support request are described in the next section. |
| 41 | + |
| 42 | +## Create a support request |
| 43 | + |
| 44 | +Users raise credential rotation requests by [contacting support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). These details are required in order to perform the credential rotation on the requested target instance: |
| 45 | + |
| 46 | +- Type of credential that needs to be rotated. Specify if the request is for a fabric device, BMC, Storage Admin, Console User or for all four types. |
| 47 | +- Provide Tenant ID. |
| 48 | +- Provide Subscription ID. |
| 49 | +- Provide Resource Group Name in which the target cluster or fabric resides based on type of credential that needs to be rotated. |
| 50 | +- Provide Target Cluster or Fabric Name based on type of credential that needs to be rotated. |
| 51 | +- Provide Target Cluster or Fabric Azure Resource Manager (ARM) ID based on type of credential that needs to be rotated. |
| 52 | +- Provide the Customer Key Vault ID where rotated credentials are written. Only applies to Operator Nexus Fabric devices. BMC, Pure Admin & Console User credential rotations use the key vault provided on the Cluster. |
30 | 53 |
|
31 | 54 | For more information about Support plans, see [Azure Support plans](https://azure.microsoft.com/support/plans/response/).
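Review bot: In the "Rotating credentials" paragraph, "The last rotation timestamps are currently not visible to users, but is a planned enhancement" has a subject-verb mismatch and leaves operators with no documented way to confirm that a 60-day rotation ran. Reword it and say that, until timestamps are exposed, the write to the Cluster's key vault is the only user-visible result of a rotation. The same credential is named four ways across this region ("Pure Storage Array Administrator", "Storage Administrator", "Storage Admin", "Pure Admin"); pick one term and use it in the list, the NOTE and the support request bullets. The heading rename from "Create support request" to "Create a support request" changes the section anchor, so check for inbound links to the old one.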
|