{
  "pkiExportEncryptionKey": {
    "attributes": {
      "dn": "uni/exportcryptkey",
      "strongEncryptionEnabled": "yes"
    }
  }
}
strongEncryptionEnabled must be "yes".
Why it needs to be validated
Starting from APIC 6.1(2), Global AES Encryption must be enabled before upgrading to 6.1(2) or a newer version. Otherwise, the upgrade will immediately fail.
Although Global AES Encryption was not mandated prior to 6.1(2), it is a best practice to enable it so that secure information, such as passwords for routing protocol authentication and third-party controller integrations, can be securely stored with encryption in the configuration backup. Without Global AES Encryption, that secure information is not stored in the backup at all.
The validation needs to flag this as Upgrade Failure when Global AES Encryption is not enabled and the target version is 6.1(2) or newer. If the target version is older, it should be flagged as Manual Check Required to encourage everyone to enable it regardless.
Additional context
The requirement change of Global AES Encryption is documented here - ACI changes in behavior
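The check requested above could be sketched as follows. This is an added example, not code from the issue or from the project; the function names, the "Pass" result and the sample objects are assumptions, and the version parser assumes the `major.minor(maintenance+patch letter)` form used in this issue.

```python
import json
import re

# First release that refuses to upgrade without Global AES Encryption (from the issue).
ENFORCED_FROM = (6, 1, 2)


def parse_apic_version(version):
    """Turn '6.1(2f)' or '6.1(2)' into (6, 1, 2); the patch letter is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)[a-z]*\)", version.strip())
    if not m:
        raise ValueError("unrecognised APIC version: %r" % version)
    return tuple(int(g) for g in m.groups())


def aes_encryption_check(mo, target_version):
    """Classify a pkiExportEncryptionKey object against the upgrade target."""
    attrs = mo.get("pkiExportEncryptionKey", {}).get("attributes", {})
    if attrs.get("strongEncryptionEnabled") == "yes":
        return "Pass"  # hypothetical result name, not from the issue
    # A missing object or any value other than "yes" counts as not enabled.
    if parse_apic_version(target_version) >= ENFORCED_FROM:
        return "Upgrade Failure"
    return "Manual Check Required"


# Constructed sample objects in the shape shown in the issue.
ENABLED = json.loads(
    '{"pkiExportEncryptionKey": {"attributes": '
    '{"dn": "uni/exportcryptkey", "strongEncryptionEnabled": "yes"}}}'
)
DISABLED = json.loads(
    '{"pkiExportEncryptionKey": {"attributes": '
    '{"dn": "uni/exportcryptkey", "strongEncryptionEnabled": "no"}}}'
)

if __name__ == "__main__":
    # Constructed target versions on either side of the 6.1(2) boundary.
    for target in ("6.0(5h)", "6.1(1)", "6.1(2f)", "6.2(1a)"):
        print(target, "->", aes_encryption_check(DISABLED, target))
```

Comparing parsed tuples rather than version strings keeps targets such as 6.1(1) below the 6.1(2) boundary and 6.2(1a) above it.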
(use upvote 👍 for attention)
Validation Type
[ ] - Fault
[x] - Config
[ ] - Bug
[ ] - Other
What needs to be validated