Central Config API Authentication
APIs in the Central Config can be accessed only by known users by authenticating the API call. The API Header will pass the API Key which will be authenticated and passed by the Central Config server. This prevents un-authorised users from accessing the APIs.
Install/upgrade Ivanti Service Manager System Configuration Wizard
On installing or upgrading the Service Manager System Configuration Wizard, the API Key is auto-generated in the Central Config DB. This key is used to to authenticate the API calls to the Central Config Server. However, the following should be monitored while installing/upgrading.
Verify the webconfig file
Once the installation/upgradation is complete, verify the webconfig file has the following:
•In the config section:
<section name="CentralConfigApiKey" type="System.Configuration.NameValueSectionHandler" />
•In the new protected section:
<CentralConfigApiKey> <add key="CentralConfigApiKey" value="" /> </CentralConfigApiKey>
Verify the appsettings.json file
Once the installation/upgradation is complete, verify that the appsettings.json file has the following:
"central-config-api-key": "CAEFXXXX8C847D5XXXX698D8XXXXXX"
Update for Teams Bot Service
If you have installed Teams Bot Service, update the CentralConfigApiKey value in appsetting file. from C:\inetpub\TeamBotService/appsettings.json. Get the CentralConfigApiKey from the Central Config DB table (Frs_data_api_key).
Updates if Service Manager System Configuration Wizard and Service Manager Reporting Wizard are installed on different machines
If the Service Manager System Configuration Wizard and Service Manager Reporting Wizard are installed on different machines, update the Centralconfig api key when installing the Reporting Wizard as shown in the below image. Get the CentralConfigApiKey from the Central Config DB table (Frs_data_api_key).
Updating the CentralConfigAPIKey
In case you wish to update/change the CentralConfigAPIKey, do so by following the below steps:
1.Stop all services that are referencing the centralconfig.
2. Log in to Service Manager with Admin credentials and open the Configuration console.
3.Select Security Controls > CentralCofigAPIKeyGroup and note down the description .
4.Delete the existing CentralConfigAPIKey and recreate a new key inside the CentralConfigAPiKeyGroup as shown in the below image.
5.Once the Key is created in the CentralConfig tenants, re-run the System Configuration Wizard to update the webconfig and appconfig files.
6.Restart your machine.
The CentralConfigAPIKey should be unique, duplicate/multiple keys will break the feature.
Disabling the Centralconfig API Key Feature
Once the installation/upgradation is complete, verify the centralConfig appsettings.json file has: property “DisableApiKeyValidation”:”false” which need to be change to “True” as “DisableApiKeyValidation”:”true”.
1.Log in to the application with Admin credentials and open the Configuration console.
2.Select Security Controls > API Key and delete the CentralConfigAPIKey.
Ensure you Delete and not De-activate to disable.
Impacted webconfig file list:
|
AppDomains |
Configuration Files |
| AppServer | Web.config |
| WorkFlow | WorkflowService.exe.config |
| Excalation | EscalationService.exe.config |
|
|
EmailWindowsServiceapp.exe.config |
|
bulkupload |
KMBulkUploadTool.exe.config |
|
integrationserver |
IntegrationServiceHost.exe.config |
|
systemconfigwizard |
ServerConfigurationWizard.exe.config |
|
release tool |
ReleaseTool.exe.config |
|
Frsloggingservice |
FRSLoggingService.exe.config |
|
metric |
HEAT.MetricsServer.exe.config |
|
message queue |
MessageQueueServiceHost.exe.config |
|
License service |
LicenseServerWindowsService.exe.config |
|
report provinising |
reportserver\ReportProvisioning.exe.config |
|
Neurons |
appsettings |
|
Teams Bot Service |
appsettings |
|
DynamicWebServices |
web.config |
|
OpsConsole |
web.config |
|
FrsSurvey |
web.config |
|
FrsSurveyProxy |
web.config |
|
IM |
IMServer\IMServices\AssetProcessor\Web.config |
| IM |
IMServer\IMServices\DiscoProcessor\Web.config |
| IM |
IMServer\IMServices\DiscoUtils\Web.config |
| IM |
IMServer\IMServices\IMReadOnlyDataService\Web.config |
| IM |
IMServer\IMServices\TaskProcessor\Web.config |
| IM |
IMServer\WebServices\ClientTransportProcessor\Web.config |
|
reports |
C:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services \ReportServer\Web.config |
Impacted appsettings.json file of the appdomain
|
AppDomain |
| CCF |
| Appserver |
| EmailService |
| EscalationService |
| FRSSurvey |
| FRSSurveyProxy |
| InboundWebService |
| IntegrationServer |
| KMImportTool |
| LicenseManager |
| LoggingService |
| MessageQueue |
| MetricsServer |
| OpsConsole |
| ReleaseTool |
| SystemConfigurationWizard |
| WorkflowService |
| Reportserver |
| IMServer - IMServices |
| AssetProcessor |
| DiscoProcessor |
| DiscoUtils |
| IMReadOnlyDataService |
| IvantiCloudDataProcessor |
| TaskProcessor |
| WebServices - AgentTaskWs |
Custom Installation of SCW
When customers try to install the Configuration Server in one machine and other components in another machine, user has to copy the Central Config API Key from Configuration Server and update the key in the Central Configuration Settings page as show in the following image.
Sample image of Custom Installation of SCW
