Globus Connect Server Node New Secret
Description
The globus-connect-server node new-secret command replaces the endpoint node’s client secret with a secret specific to the node. The client secret is used by GCS services on the node to authenticate to Globus services. Rotating the node’s client secret can aid in the replacement of lost or exposed client secrets.
When a node is first configured with globus-connect-server node setup, the node’s client secret is set to the secret stored in the endpoint’s deployment key. This will result in all nodes in the endpoint sharing the same client secret. Running globus-connect-server node new-secret will replace the shared secret with a node-specific secret.
Subsequent runs of globus-connect-server node new-secret on the same node will delete any previously-registered secrets for the node after allocating a new node secret.
If a node-specific secret is accidentally deleted, the GCS services on the node will not be functional. Run globus-connect-server node setup with the deployment key to recover the node.
This command must be run as root. The secret rotation affects only the local node; all other nodes remain unchanged.
The client secret is independent of the node’s encryption key, which is already specific to the node.
Options
- -h, --help
  Show help message and exit.
- --version
  Show the version and exit.
- --agree-to-delete-previous-secret
  Avoid prompting before replacing the node-specific client secret. See the Note above for details.
Example
This example rotates the local node’s client secret. Because this is a subsequent rotation for this node, the previous node secret will be deleted and the GCS services will be non-operational until restarted, so the admin is prompted for confirmation and advised to restart the GCS services.
$ sudo -E ./globus-connect-server node new-secret
This node's current secret will be deleted. The GCS services on this
node will not be operational until the GCS manager and assistant are
restarted. You can skip this prompt with the --agree-to-delete-
previous-secret option. Do you want to continue? [y/N]: y
The GCS manager and assistant must be restarted. If those services are
currently running, they will be non-functional until restarted.
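For unattended rotation, the prompt and the follow-up restart can be wrapped in one function that stops at the first failed stage. This is an added example, not part of the Globus documentation; the systemd unit names `gcs_manager` and `gcs_manager_assistant` are assumptions, and `GCS_CLI` and `GCS_UNITS` are hypothetical override variables used only by this script.

```shell
#!/bin/sh
# Added example: rotate the node's client secret without prompting, then
# restart the GCS manager and assistant as the command's output requires.
# Assumptions: the unit names below; GCS_CLI / GCS_UNITS are hypothetical
# overrides for this script, not options of globus-connect-server.
GCS_CLI="${GCS_CLI:-globus-connect-server}"
GCS_UNITS="${GCS_UNITS:-gcs_manager gcs_manager_assistant}"

rotate_node_secret() {
    # The command must be run as root.
    if [ "$(id -u)" -ne 0 ]; then
        echo "rotate_node_secret: must be run as root" >&2
        return 2
    fi

    # Skip the confirmation prompt. Any previous node-specific secret is
    # deleted once the new one is allocated.
    if ! "$GCS_CLI" node new-secret --agree-to-delete-previous-secret; then
        echo "rotate_node_secret: rotation failed, services not restarted" >&2
        return 1
    fi

    # The services are non-functional until restarted with the new secret.
    for unit in $GCS_UNITS; do
        if ! systemctl restart "$unit"; then
            echo "rotate_node_secret: restart of $unit failed" >&2
            return 3
        fi
    done

    # Confirm every unit came back before reporting success.
    for unit in $GCS_UNITS; do
        if ! systemctl is-active --quiet "$unit"; then
            echo "rotate_node_secret: $unit is not active after restart" >&2
            return 4
        fi
    done
    return 0
}
```

Source the file and call `rotate_node_secret` from a root shell on the node being rotated; the exit status identifies the stage that failed (2 not root, 1 rotation, 3 restart, 4 post-restart check).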