Troubleshooting API key rotation issues
Monitor policy is not created in BMC Helix Operations Management
Symptom
The Policy for rotated API key push policy is not created in BMC Helix Operations Management.
Scope
This issue occurs because the API key rotation is not enabled in BMC Helix Portal.
Workaround
Enable API key rotation in BMC Helix Portal by performing the following steps:
- Log in to BMC Helix Portal and select User Access > Users and keys.
- On the Access keys tab, locate the key with Key type as API and Key name in the tenant_id@timestamp format.
- Select Actions > Key details.
- Click Edit schedule.
- Clear the Disable rotation check box and specify the Rotation interval and the Key grace period
- Click Confirm.
- Wait for a few seconds and verify that the Policy for rotated API key push policy is created.
Perform the following steps to verify:- Log in to BMC Helix Operations Management and Configuration > Monitor Policies.
- Verify that the Policy for rotated API key push policy is listed.
PATROL Agents use a static API key
Symptom
PATROL Agents in a tenant use the static API key even if API key rotation is enabled on the BMC Helix Operations Management tenant.
Scope
This issue occurs on PATROL Agents that have a version earlier than 23.1.
Workaround
Restart the PATROL Agents to use the rotated API key.
For information about restarting PATROL Agents, see the following topics:
PATROL Agent fails to connect to BMC Helix Operations Management
Symptom
PATROL Agents fail to connect to BMC Helix Operations Management.
Scope
This issue can occur in one of the following situations:
- The rotated API key push to PATROL Agents fails.
- PATROL Agents that have versions earlier to 23.1 do not restart within the grace period.
- PATROL Agents are not connected when the API key rotates and the grace period expires.
Workaround 1
If the rotated API key push to PATROL Agents fails, perform the following steps:
- Log in to BMC Helix Operations Management and select Configuration > Agents.
- From the the device action menu, click Show History for Applied Configurations.
- Assess the Status column and use the normal debugging steps for determining the reason for failure of the monitor policy push.
After you debug the issue and reapply the policy, the rotated API key is pushed to PATROL Agents.
Workaround 2
If the PATROL Agent version is not compatible or the PATROL Agents were not connected when the API key rotated, manually apply the API key by performing the following steps:
- Log in to BMC Helix Operations Management and select Administration > Repository.
- Click Copy API Key to copy the current API key to the clipboard.
- Go to the computer where the PATROL Agent is hosted.
- Go to the following location:
(Linux): /opt/bmc/Patrol_Agent/Patrol3/Linux-2-6-x86-64-nptl/bin - Run the pconfig command to manually set the API key that you copied in Step 2 in the pconfig variable.
The variable has the following details:- Name: /SecureStore/mca/tenant/apiKey
- Operation: REPLACE
- Value: API key value copied to the clipboard
For more information about modifying pconfig variables, see Using the pconfig utility to modify PATROL Agent configuration variables.
- Restart the PATROL Agent.
Data ingestion and third-party integration issues
Symptom
The device, metric, or event ingestion from PATROL Agents and third-party integrations fail.
Scope
This issue occurs because the integration between the following components uses an old API key:
- BMC Helix Operations Management and PATROL Agents
- BMC Helix Operations Management and third-party applications
However, the key has rotated and the grace period has expired.
Workaround
Perform the following steps:
- Log in to BMC Helix Operations Management and select Administration > Repository.
- Click Copy API Key to copy the current API key to the clipboard.
- Update the API key that you copied in the integration.