Encryption Key Transfer Process
This guide is intended to assist a Server administrator with proactively transferring Alteryx Server encryption keys when moving Alteryx Server to a new host (on-premises or cloud), and in other cases where your infrastructure changes.
The encryption key transfer process allows you to run workflows which use encrypted assets, such as DCM connections and Server data connections.
Note
This functionality is only available on the following versions:
2021.4.2 Patch 11+
2022.1 Patch 9+
2022.3 Patch 6+
2023.1 Patch 2+
2023.2 GA+
Prerequisites
Access to the original controller/host.
Target machine must have identical version of Alteryx Server installed.
System Administrator rights on the target and original Server.
Access to all shared credentials used for running workflows including, the service account (if not Local System), the Run As user, and any workflow credentials.
Controller Token from the original Server and port number if different than the default port.
AlteryxService must be running on the original host.
Step 1: Know the Original Host Details
# | Step | Details |
|---|---|---|
1.1 | Get Original Host Controller Token | Copy Controller Token from Alteryx System Settings > Controller > General > Token section or run the following command as an admin from Command Prompt or Powershell: {Install Directory}\Alteryx\bin>.\AlteryxService.exe getserversecret Default is C:\Program Files\Alteryx\bin> .\AlteryxService.exe getserversecret |
1.2 | Get Original Host Details | Non-TLS Enabled: Get IP address or FQDN or Hostname of the original host and port number if any, other than default port. TLS Enabled: Get IP address or FQDN of the original host and port number if any, other than default port. Note “TLS-Enabled” refers only to the Server’s internal cluster-level service connections, not to the Server UI URL accessed by end-users. TLS-Enabled Service Layer is only available on Alteryx Server versions 2022.3 and newer, where the setting can be found in Alteryx System Settings > Controller > General > Communication > Enable Controller SSL/TLS. For more information, visit the Controller help page. |
Step 2: Know the Target Host Details
# | Step | Details |
|---|---|---|
2.1 | Get AlteryxService.exe Path | {Install Directory}\Alteryx\> .\AlteryxService.exe Default is C:\Program Files\Alteryx\bin> .\AlteryxService.exe |
Step 3: Prepare and Execute Command
The following steps are all performed on the target host.
# | Step | Details |
|---|---|---|
3.1 | Command | transferdcmesecret |
3.2 | Prepare Command | Note Path is gathered in step 2.1 {Install Directory}\Alteryx\bin> .\AlteryxService.exe. Non-TLS Enabled With default port: {Install Directory}\Alteryx\bin> .\AlteryxService.exe transferdcmesecret=<IP Address | Hostname | FQDN>:<port number>,<Unencrypted Controller Token From Step 1.1> Note: Port number is optional for default. Example: C:\Program Files\Alteryx\bin>.\AlteryxService.exe transferdcmesecret=172.x.2x.2xx,81d73a13f264c4b5b43d6e28e9419dc8861d1091ffc46f23f5afaabaaaaab With specified port number: {Install Directory}\Alteryx\bin> .\AlteryxService.exe transferdcmesecret=<IP Address | Hostname | FQDN>:<port number>,<Unencrypted Controller Token From Step 1.1> Example: C:\Program Files\Alteryx\bin>.\AlteryxService.exe transferdcmesecret=172.x.2x.2xx:81,81d73a13f264c4b5b43d6e28e9419dc8861d1091ffc46f23f5afaabaaaaab TLS Enabled Note “TLS-Enabled” refers only to the Server’s internal cluster-level service connections, not to the Server UI URL accessed by end-users. TLS-Enabled Service Layer is only available on Alteryx Server versions 2022.3 and newer, where the setting can be found in Alteryx System Settings > Controller > General > Communication > Enable Controller SSL/TLS. For more information, visit the Controller help page. With default port: {Install Directory}\Alteryx\bin> .\AlteryxService.exe transferdcmesecret=<https://IP Address | FQDN>:<optional port number>,<Unencrypted Controller Token From Step 1.1> Note: Port number is optional for default. It is mandatory for non-default. Example: C:\Program Files\Alteryx\bin>.\AlteryxService.exe transferdcmesecret=https://172.x.2x.2xx,81d73a13f264c4b5b43d6e28e9419dc8861d1091ffc46f23f5afaabaaaaab With specified port number: {Install Directory}\Alteryx\bin> .\AlteryxService.exe transferdcmesecret=<https://IP Address | FQDN>:<port number>,<Unencrypted Controller Token From Step 1.1> Example: C:\Program Files\Alteryx\bin>.\AlteryxService.exe transferdcmesecret=https://172.x.2x.2xx:443,81d73a13f264c4b5b43d6e28e9419dc8861d1091ffc46f23f5afaabaaaaab |
3.3 | Execute the Command | Open Command Prompt or PowerShell window in admin mode and run the command from step 2.1. |
Note
If you see any errors on the console window, please refer to the Known Error Messages table.
Known Error Messages
Error Message | Cause |
|---|---|
Invalid parameters. Could not retrieve original key. | Incorrect Controller Token from Original host. |
Failed to get server address, server <servername>: No such host is known. | Incorrect or communication issues with specified IP Address/Hostname/FQDN. |
Failed to connect to server <servername>, port <xxxx>: No connection could be made because the target machine actively refused it. | Incorrect port number. |
Step 4: Start or Restart AlteryxService After Encryption Key Transfer
Note
If you're performing this process as part of the Host Recovery Guide, skip this step as the AlteryxService will be restarted at the end of the host recovery.
# | Step | Details |
|---|---|---|
4.1 | Start or Restart AlteryxService | Go to Task Manager > Service, select AlteryxService and then select Start or Restart. |