
Porta/DataStore SSH private keys in Azure Security Scan

02-12-2024 09:57 AM
PatrickMcKinney99
Occasional Contributor

Our organization has deployed ArcGIS Enterprise in Microsoft Azure. One of our Microsoft Defender security findings flagged "Unverified insecure SSH private key" related to ArcGIS Portal and DataStore.

I was tasked with learning whether these files can be removed, or whether they can be password protected. The files in question are so deep in the directory structure.

Has anybody else encountered this issue?


C:\Program Files\ArcGIS\DataStore\framework\runtime\couchdb\ssl\key.pem
C:\Program Files\ArcGIS\DataStore\framework\runtime\ozone\compose\ozone-om-ha\.ssh\id_rsa
C:\Program Files\ArcGIS\DataStore\framework\runtime\ozone\compose\ozonescripts\.ssh\id_rsa
C:\Program Files\ArcGIS\DataStore\framework\template\nosql\ssl\key.pem
C:\Program Files\ArcGIS\Portal\framework\runtime\ds\framework\template\nosql\ssl\key.pem

2 Replies
ReeseFacendini
Esri Regular Contributor

Follow this link to the ArcGIS Trust site, and fill out the form to submit a security concern to Esri. The team will review and follow up with suggestions that won't involve removing the files or altering them in a way that could cause ArcGIS Enterprise to stop working.

RandallWilliams
Esri Regular Contributor

Hi Patrick, 

Regarding these:

  • C:\Program Files\ArcGIS\DataStore\framework\runtime\couchdb\ssl\key.pem
  • C:\Program Files\ArcGIS\DataStore\framework\template\nosql\ssl\key.pem
  • C:\Program Files\ArcGIS\Portal\framework\runtime\ds\framework\template\nosql\ssl\key.pem

These aren't SSH keys. These are one half of the keypair used to support TLS in these components. The certificate keypair (cert + key) is self-signed. These are keys that are automatically generated upon installation. They are not trusted because they are self-signed and not validated up to a certificate authority.

For these: 

  • C:\Program Files\ArcGIS\DataStore\framework\runtime\ozone\compose\ozone-om-ha\.ssh\id_rsa
  • C:\Program Files\ArcGIS\DataStore\framework\runtime\ozone\compose\ozonescripts\.ssh\id_rsa

Those keys are used to start Ozone. It's used in the Object Store. If you don't have the object store configured, you can remove it via add/remove programs, but I'd disagree that these are a risk because they are only used in local communication. If an attacker has access to these keys, then they already have local admin on your ArcGIS Enterprise installation (a much bigger problem). 

https://ozone.apache.org/docs/1.2.1/start/onprem.html
