
Credentials Migration

Device credentials in the Forward Platform are securely managed and encrypted, with different storage methods depending on whether the deployment is using the updated or legacy collectors.

Updated Collectors (Post-24.10)

For newer collectors, collection secrets are encrypted using AES-256 and securely stored in the cloud within fwd.app. Collectors installed on-premises do not store collection secrets locally; instead, they maintain only an encryption key, which is used to decrypt the collection secrets during collection. This makes the collector nearly stateless and allows for easy restoration if needed.

Credential Recovery for Updated Collectors

If you need to restore or migrate the Forward Collector:

  1. Reinstall the collector as outlined in the Installation Guide.
  2. During installation, use the same encryption key that was set during the initial installation. This key will allow the collector to access the collection secrets stored in fwd.app without any additional migration steps.

With the new collectors, there’s no need to back up collection secrets locally since they are securely stored in the cloud.

Legacy Collectors

For legacy collectors, collection secrets are encrypted and stored locally on the Forward Collector in the conf/private sub-directory in the installation path. The following instructions are for migrating collection secrets from legacy collectors.

Tip:

The default installation path varies by client platform:

  • Linux: /usr/local/fwd/ or /opt/fwd/ (depending on the Linux OS type and version)
  • macOS: /Applications/Forward Networks Collector/
  • Windows:
    • 64-bit: C:\Program Files\Forward Networks Collector\
    • 32-bit (legacy): C:\Program Files (x86)\Forward Networks Collector\

If you uninstall the Forward Collector on a legacy system, all locally stored credentials, secrets, and encryption keys will be permanently lost unless they are manually backed up.

If you want to run the latest Forward Collector, you can update it following the instructions in the Update page. The update process will preserve all the collection secrets.

If you need to install a new Forward Collector and you want to migrate the collection secrets from the old collector to the new one, follow the procedure below. The examples are based on a macOS client, but the steps translate readily to Windows or Linux clients.

  1. Save the contents of the conf/private directory to any location outside of the installation path:

     mkdir ~/tmp
     cp -r /Applications/Forward\ Networks\ Collector/conf/private ~/tmp

  2. (Optional) Uninstall the old collector.

  3. (Optional) Delete the old collector account by opening the Collector drop-down menu and clicking the garbage can icon next to the collector.

     [Image: Delete Collector]

  4. Install the new collector if you haven't already done so.

  5. Copy the old conf/private directory to the new installation:

     cp -r ~/tmp/private /Applications/Forward\ Networks\ Collector/conf/

  6. Select the new collector as the collector for the network by opening the Collector drop-down menu and selecting the newly added collector.

     [Image: Select Collector]

  7. Verify that the collector is connected to the Forward platform by checking the collector Status. It should show connected in green.

     [Image: Collector Connected]

  8. Run a single Connectivity Test to ensure that the new collector can still connect to devices and that it is using the copied-over collection secrets.
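
The two copy steps of the procedure above, as an added shell example (not Forward Networks code): it stages conf/private in a directory only the current user can open and checks by SHA-256 that every file arrived intact, both in the staging copy and in the new installation. The function names and the staging path are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not vendor code: stage conf/private safely and verify every copy.
set -eu

# SHA-256 of one file: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Sorted "hash  ./relative/path" listing of every regular file under directory $1.
manifest() {
  (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do sha256_of "$f"; done)
}

# Succeed only if every file under $1 exists under $2 with identical contents.
# Files that are absent or different are listed on stderr.
missing_from() {
  [ -d "$1" ] || { echo "missing source: $1" >&2; return 1; }
  dst_manifest=$(manifest "$2" 2>/dev/null || true)
  missing=$(manifest "$1" | while IFS= read -r line; do
    printf '%s\n' "$dst_manifest" | grep -Fxq -- "$line" || printf '%s\n' "$line"
  done)
  [ -z "$missing" ] || { printf 'not copied intact:\n%s\n' "$missing" >&2; return 1; }
}

# Step 1 of the procedure: copy directory $1 into a new staging directory $2 that
# only the current user can open, preserving modes and timestamps, then verify it.
stage_secrets() {
  src=${1%/}
  [ -d "$src" ] || { echo "missing source: $src" >&2; return 1; }
  [ ! -e "$2" ] || { echo "refusing to reuse existing path: $2" >&2; return 1; }
  mkdir -m 700 "$2"
  cp -Rp "$src" "$2/"
  missing_from "$src" "$2/$(basename "$src")"
}

# Usage with the page's macOS paths (STAGE is a hypothetical location):
#   STAGE="$HOME/fwd-collector-secrets"
#   stage_secrets "/Applications/Forward Networks Collector/conf/private" "$STAGE"
#   ...install the new collector, then run the page's copy command from "$STAGE"...
#   missing_from "$STAGE/private" "/Applications/Forward Networks Collector/conf/private"
```

Once the Connectivity Test in the last step succeeds, remove the staging directory so that no second copy of the collection secrets is left on disk.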