How to restore your ConfigHub access after the 2024.R1.0 upgrade?
The 2024.R1.0 release introduces some major security improvements in ConfigHub and the way you can access ConfigHub.
2023.R4.0 | 2024.R1.0 | |
|---|---|---|
Password | Edge Manager and ConfigHub share the same password | Edge Manager and ConfigHub have a different password |
Recovery | No self-service option to recover a lost ConfigHub password | ConfigHub password can be reset via Edge Manager |
'admin' user type | 'admin' user is a regular user who can log in in TrendHub, create work, can be linked to external IDPs (LDAP/SAML), can be deleted, ... | 'admin' user is a dedicated system user who can still log in in TrendHub but cannot be linked anymore to external IDPs (LDAP/SAML) and cannot be deleted. |
2FA | No 2FA | Mandatory 2FA for 'admin' user login in ConfigHub. |
ConfigHub access | Only 1 login for ConfigHub | Any TrendMiner user can be granted access to ConfigHub |
What will happen during the upgrade to 2024.R1.0
An 'admin' user will be created if it did not exist already before the upgrade
If the 'admin' user already existed and was linked to an external IDP (LDAP/SAML) this user will be unlinked and will become a local user.
The password of the 'admin' user will be reset to a strong generated password. On first login, the user will be required to change the password and configure 2FA. This implies that your existing ConfigHub password will no longer allow you to log in in ConfigHub. The old password will still work to access Edge Manager.
How to regain ConfigHub access after the upgrade
Log in in Edge Manager with your old ConfigHub/Edge Manager password
Navigate to 'ConfigHub recovery'
Click 'Generate new password'. This will show a recovery password. Copy the password.
Open the ConfigHub login page.
Warning
Please note that the url
https://<hostname>/confighub/loginwill not longer work after the upgrade. In case you have bookmarked this url, please update it tohttps://<hostname>/confighub
Log in with user 'admin' and the newly generated password you copied from Edge Manager.
In case you see an error "ConfigHub - Access denied" this might be because you already logged in with your personal account in TrendHub and your account does not have ConfigHub access permissions yet. If this occurs, please go back to TrendHub and log out and navigate back to ConfigHub to retry.
Configure 2FA for access to ConfigHub with the 'admin' user.
Important
If you have multiple TrendMiner installation for which you manage the 2FA admin access scanning a second 2FA code might overwrite the first one.
Some authenticators (e.g. Google Authenticator) allow you to edit the name of the entry. We would advise you to rename the authenticator entries to meaningful names, e.g. 'Trendminer: admin - Production' and 'Trendminer: admin - Test' for clarity and to avoid accidentally overwriting entries.
Install or open an authenticator app (FreeOTP, Google Authenticator, Microsoft Authenticator)
Scan the QR code shown to add the 'TrendMiner: admin' entry to the authenticator app
Enter the generated one-time code as generated by the authenticator app
Enter a device name (free to choose), E.g. "John's phone"
Choose a new ConfigHub password which meets the listed requirements.
Assign the 'System admin' role to all TrendMiner users who need access to ConfigHub, including yourself.
Notes
It will no longer be possible to link the 'admin' user to an external IDP. This is done to ensure the ConfigHub access remains under control of TrendMiner and ConfigHub access cannot get lost. The 'admin' user will always have the 'system admin' role, cannot be deleted and it's password can always be recovered via Edge Manager.
We advise to not use the 'admin' user to access ConfigHub for your regular access but to assign the 'system admin' role to named TrendMiner users (including yourself). There is no functional difference between the hardcoded admin user and users with the 'system admin' role. The hardcoded admin user can be used in case of issues with the external IDP or in case you are locked out of ConfigHub.
If the admin user had saved work before the upgrade this saved work will remain available after the upgrade. We do however not advise to use the hardcoded admin user as a standard user.