About recovering VSatellites using the Recovery wizard
You can use the Recovery wizard in Next-Gen Trust Security to restore VSatellites that are in a Lost Connection state. This can help you recover individual nodes or rebuild your VSatellite infrastructure, depending on how many VSatellites are affected.
Warning (Not supported for HSM-protected DEK): The Recovery wizard is not supported for VSatellites deployed with HSM-protected DEK.
This feature applies only to VSatellites using software-based DEK protection. If your tenant uses HSM-protected DEK, recovery requires restoring HSM connectivity and verifying that the original DEK still exists in the configured HSM partition.
The Recovery wizard supports two use cases:
- Disaster recovery, when all of your VSatellites are lost and you need to manually restore trust using a backed-up DEK.
- Node reinstallation, when you lose one or more VSatellites but still have at least one active VSatellite remaining in your environment.
In both scenarios, the wizard guides you through running the appropriate recovery commands using the vsatctl CLI.
Features and benefits
- Recover option for unreachable VSatellites: You can access the Recover menu item from the ellipsis menu for each VSatellite that is in a Lost Connection state to begin the recovery process. You can also find a Recover button in the Drawer View of a lost VSatellite.
- Step-by-step recovery wizard: The Recovery wizard walks you through the process in three steps:
  1. Download the required vsatctl binary and review system requirements.
  2. Run a preflight validation command to confirm your environment is ready.
  3. Run the recovery command using the passphrase and recovery code provided by the wizard.
- Automatic vs. manual DEK handling:
  - If at least one VSatellite is still active, the DEK is managed for you and doesn't need to be supplied.
  - If all VSatellites are lost, you must supply the path to the previously backed-up DEK during the recovery process.
- Secure recovery validation: You can test the restored VSatellite connection before finishing the process to make sure recovery was successful.
Audience and use cases
This feature is designed for platform and security administrators responsible for maintaining VSatellites.
Use the Recovery wizard in the following situations:
- Disaster recovery: Use this flow when all VSatellites are in a Lost Connection state. You'll need to:
  - Deploy new VSatellites
  - Provide the path to a previously exported DEK file (your backup DEK)
  - Provide the passphrase and a recovery code (the recovery code is provided for you during the recovery process)
- Node reinstallation: Use this flow when one or more VSatellites are lost but others remain active. You'll:
  - Reinstall the missing VSatellites
  - Provide a recovery code (the recovery code is provided for you during the recovery process)
  - Skip supplying a DEK file (it's handled automatically)
Requirements
- For disaster recovery, you need a previously exported DEK file and its passphrase.
- For both use cases, meet the following requirements:
  - The vsatctl CLI must be available on the host performing the recovery.
  - Use the recovery code provided by the wizard.
  - Review the system requirements for installing new VSatellites.