Skip to main content

Encryption Key Transfer Process

This guide is intended to assist a Server administrator with proactively transferring Alteryx Server encryption keys when moving Alteryx Server to a new host (on-premises or cloud), and in other cases where your infrastructure changes.

The encryption key transfer process allows you to run workflows which use encrypted assets, such as DCM connections and Server data connections.

Note

This functionality is only available on the following versions:

  • 2021.4.2 Patch 11+

  • 2022.1 Patch 9+

  • 2022.3 Patch 6+

  • 2023.1 Patch 2+

  • 2023.2 GA and all patches

  • All versions newer than 2023.2

Prerequisites

  • Access to the original controller/host.

  • Target machine must have identical version of Alteryx Server installed.

  • System Administrator rights on the target and original Server.

  • Access to all shared credentials used for running workflows including, the service account (if not Local System), the Run As user, and any workflow credentials.

  • Controller Token from the original Server and port number if different than the default port.

  • AlteryxService must be running on the original host.

Step 1: Know the Original Host Details

#

Step

Details

1.1

Get Original Host Controller Token

Copy Controller Token from Alteryx System Settings > Controller > General > Token section

or run the following command as an admin from Command Prompt or Powershell:

{Install Directory}\Alteryx\bin>.\AlteryxService.exe getserversecret

Default is C:\Program Files\Alteryx\bin> .\AlteryxService.exe getserversecret

1.2

Get Original Host Details

Non-TLS Enabled: Get IP address or FQDN or Hostname of the original host and port number if any, other than default port.

TLS Enabled: Get IP address or FQDN of the original host and port number if any, other than default port.

Note

“TLS-Enabled” refers only to the Server’s internal cluster-level service connections, not to the Server UI URL accessed by end-users. TLS-Enabled Service Layer is only available on Alteryx Server versions 2022.3 and newer, where the setting can be found in Alteryx System Settings > Controller > General > Communication > Enable Controller SSL/TLS. For more information, visit the Controller help page.

Step 2: Know the Target Host Details

#

Step

Details

2.1

Get AlteryxService.exe Path

{Install Directory}\Alteryx\> .\AlteryxService.exe

Default is C:\Program Files\Alteryx\bin> .\AlteryxService.exe

Step 3: Prepare and Execute Command

The following steps are all performed on the target host.

#

Step

Details

3.1

Command

transferdcmesecret

3.2

Prepare Command

Note

Path is gathered in step 2.1 {Install Directory}\Alteryx\bin> .\AlteryxService.exe.

Non-TLS Enabled

With default port:

{Install Directory}\Alteryx\bin> .\AlteryxService.exe transferdcmesecret=<IP Address | Hostname | FQDN>:<port number>,<Unencrypted Controller Token From Step 1.1>

Note: Port number is optional for default.

Example: C:\Program Files\Alteryx\bin>.\AlteryxService.exe transferdcmesecret=172.x.2x.2xx,81d73a13f264c4b5b43d6e28e9419dc8861d1091ffc46f23f5afaabaaaaab

With specified port number:

{Install Directory}\Alteryx\bin> .\AlteryxService.exe transferdcmesecret=<IP Address | Hostname | FQDN>:<port number>,<Unencrypted Controller Token From Step 1.1>

Example: C:\Program Files\Alteryx\bin>.\AlteryxService.exe transferdcmesecret=172.x.2x.2xx:81,81d73a13f264c4b5b43d6e28e9419dc8861d1091ffc46f23f5afaabaaaaab

TLS Enabled

Note

“TLS-Enabled” refers only to the Server’s internal cluster-level service connections, not to the Server UI URL accessed by end-users. TLS-Enabled Service Layer is only available on Alteryx Server versions 2022.3 and newer, where the setting can be found in Alteryx System Settings > Controller > General > Communication > Enable Controller SSL/TLS. For more information, visit the Controller help page.

With default port:

{Install Directory}\Alteryx\bin> .\AlteryxService.exe transferdcmesecret=<https://IP Address | FQDN>:<optional port number>,<Unencrypted Controller Token From Step 1.1>

Note: Port number is optional for default. It is mandatory for non-default.

Example: C:\Program Files\Alteryx\bin>.\AlteryxService.exe transferdcmesecret=https://172.x.2x.2xx,81d73a13f264c4b5b43d6e28e9419dc8861d1091ffc46f23f5afaabaaaaab

With specified port number:

{Install Directory}\Alteryx\bin> .\AlteryxService.exe transferdcmesecret=<https://IP Address | FQDN>:<port number>,<Unencrypted Controller Token From Step 1.1>

Example: C:\Program Files\Alteryx\bin>.\AlteryxService.exe transferdcmesecret=https://172.x.2x.2xx:443,81d73a13f264c4b5b43d6e28e9419dc8861d1091ffc46f23f5afaabaaaaab

3.3

Execute the Command

Open Command Prompt or PowerShell window in admin mode and run the command from step 2.1.

Note

If you see any errors on the console window, please refer to the Known Error Messages table.

Known Error Messages

Error Message

Cause

Invalid parameters. Could not retrieve original key.

Incorrect Controller Token from Original host.

Failed to get server address, server <servername>: No such host is known.

Incorrect or communication issues with specified IP Address/Hostname/FQDN.

Failed to connect to server <servername>, port <xxxx>: No connection could be made because the target machine actively refused it.

Incorrect port number.

Step 4: Start or Restart AlteryxService After Encryption Key Transfer

Note

If you're performing this process as part of the Host Recovery Guide, skip this step as the AlteryxService will be restarted at the end of the host recovery.

#

Step

Details

4.1

Start or Restart AlteryxService

Go to Task Manager Service, select AlteryxService and then select Start or Restart.