NBS-HUB Session Token Renewal

Description:

The NBS automatically renews its Hub Security Session Token every 24 hours (the minimum renewal period).

The Security Session Token must be stored securely.
The Security Session Token must be renewed automatically every 24 hours.
- A failure to renew the token should be logged in such away that Operations can monitor failures and alert team members for manual remediation easily.

Issues and workarounds:

Desync between EU HUB and NBS Guide

Description:

This guide will detail how to resync the NBS to the EU HUB by manually triggering a new session token renewal request.

As an example in this guide the NBS used is NBS Bulgaria IQE. Any reference to 'bg', 'iqe1' - will need to be changed to the relative market code and environment (iqe1 or prod).

Pre-requisites:

Ticket raised detailing issue
2nd support engineer to review changes (note: mistakes here can be costly)
Permissions
- Access to the EFPIA subscription
  - Read access of administration database document of NBS admin org session token document
- Access to the NBS subscription
  - Write access of config db
  - Write access of storage account blob store - nbsconfig
  - Read access to application insights

Steps:

Navigate to EFPIA subscription > cosmosDb > hub2e32administrationdb > query by OrganisationId to find the Security Session Token document for that National System.
1. SELECT * FROM c WHERE c.OrganisationId = xxx
  1. Where xxx = OrganisationId integer (to find out the organisation ID follow step 2.c)
  2. Also here is the country code page link if required to get the Country Code NBS Onboarding and Market List
2. Copy SessionToken value to somewhere secure (do NOT share value or keep record of it, once used later for purpose of this guide DELETE FROM LOCAL MACHINE).
Navigate to nbs subscription > cosmosDb > nbsbgiqe1-config-document-db > query by id
1. SELECT * FROM c WHERE c.id = 'nbs.HubSessionToken' and open document
2. OR from the document list click on the 'nbs.HubSessionToken'
3. Check the session token and when it was last updated, also keep note of the username (organisation ID of the market).
4. Take session token from step 1.b and replace "Password" in the NBS Hub Session Token document and then click on the "update" document.
Navigate to storage accounts > nbsbgiqe1appdata > containers (search 'nbsconfig') > scheduler/Solidsoft.Emvs.Nbs.Scheduler.CommonJobs.xml (view/edit)
1. Find 'SecuritySessionTokenCronTrigger'.
  1. Copy current cron expression
    <cron-expression>0 0 1 * * ?</cron-expression>
  2. Edit cron expression to trigger in 2 minutes after the file has been saved.
    1. The current trigger is to run at 1 am UTC every day.
      0 0 1 * * ?
      Second(0th) Minute(0th) Hour(1st) DayOfMonth(* every day) Month (* every month)
    2. For example if you wanted to make trigger the job to run at 12:11 pm (BST) the cron value would need to be:
      0 11 11 * * ?
      Note the 2nd 11 is because the CRON value needs to be UTC.
2. Save document
3. Go to Service Fabric→Applications →Solidsoft.Emvs.Nbs.NbsScheduler.Services ->Restart the nodes under fabric:/Solidsoft.Emvs.Nbs.NbsScheduler.Services/Solidsoft.Emvs.Nbs.Scheduler.CommonJobs
4. From app insights make a query to view whether the session token value has been updated
  1. traces
    
    | where customDimensions.component=="TestSecuritySessionTokenJob"
    | sort by timestamp asc
  2. The change is also visible from both subscriptions SessionToken config files (step 1.a and 2.a). If both values are the same then the update was successful.
5. Reverse step 3a, 3b, and 3c to restore original session token renewal at 1 am each day.
Update ticket and set to resolved if intersystem connectivity is restored and requests aren't failing from S4's.