SSH host key verification

Commerce Intelligence uses strict SSH host key verification for encrypted (SSH tunnel) database connections, including MySQL, MongoDB, and PostgreSQL.

During Save & Test, the system enrolls the SSH bastion host keys for your connection and stores them securely per connection. After enrollment, replication and tunneling only succeed when the live bastion host keys match the enrolled keys.

This model improves security by blocking man-in-the-middle attacks and unexpected host changes. It also means that host key rotation, missing trust material, or infrastructure changes can surface as SSH host key errors on the connection instead of generic tunnel failures.

NOTE
Admin means a user with Admin permissions on your Commerce Intelligence account, not your Adobe org console unless stated otherwise. Only Admins can run Refresh SSH Host Keys. If you do not see this control, ask an Admin on your account to run the refresh or contact Adobe Support.

You do not edit, upload, or manage known_hosts files. Enrollment and refresh run on Adobe infrastructure assigned to your account.

IMPORTANT
Host key rotation requires an Admin to run Refresh SSH Host Keys. If bastion host keys changed or the bastion identity changed (hostname, IP, or port), running Save & Test again or re-saving the connection does not update enrolled keys. The connection can keep failing until an Admin refreshes the host keys.

Save & Test

Save & Test performs initial SSH host key enrollment only. It is conservative by design and does not rotate or overwrite keys that are already enrolled for the connection.

| Enrolled host key state | What Save & Test does |
| --- | --- |
| The host keys are not yet enrolled | Save & Test scans the bastion host and port, enrolls the host keys, and stores them for this connection. |
| The host keys are already enrolled | Save & Test skips enrollment. It does not overwrite, rotate, or delete existing enrolled keys, even if live bastion keys no longer match. |
| The enrolled keys are missing, empty, or invalid | Save & Test does not repair invalid trust material by itself. An Admin must run Refresh SSH Host Keys or contact Support if errors continue. |

After a successful first enrollment, later Save & Test runs validate credentials and connection settings but leave enrolled SSH host keys unchanged.

Refresh SSH Host Keys

Refresh SSH Host Keys updates enrolled SSH host keys when the bastion has changed or when trust material must be repaired. An Admin starts the refresh from the connection in Data > Connections.

The refresh runs asynchronously on Adobe infrastructure assigned to your account. Commerce Intelligence returns after the refresh is queued. It does not run the scan on your workstation.

A refresh rewrites enrolled host keys only when one of these conditions is true:

  • Enrolled host keys are missing
  • Enrolled host keys are empty
  • Enrolled host keys cannot be read
  • Enrolled host keys fail validation
  • A new scan returns different host key lines than the enrolled keys
  • Fingerprints from the scan and enrolled keys do not match

If enrolled keys are current and valid, the refresh completes without changing them.
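
The rewrite conditions above can be modeled as a fingerprint comparison between the enrolled lines and a fresh scan; this is an added example, not Adobe's implementation. It assumes ssh-keyscan-style lines (host, key type, base64 key), and the names fingerprint, refresh_decision and sample_line are hypothetical. The "cannot be read" case is represented by None, line and fingerprint differences are treated as one check, and a scan with no usable keys leaves enrolled keys unchanged, in line with the page's statement that a failed refresh does not update them.

```python
import base64
import binascii
import hashlib


def fingerprint(line):
    """SHA256 fingerprint of one 'host keytype base64' line, or None if invalid."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        blob = base64.b64decode(parts[2], validate=True)
    except (binascii.Error, ValueError):
        return None
    # An SSH public key blob starts with a length-prefixed copy of the key type.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[1].encode():
        return None
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def refresh_decision(enrolled, scanned):
    """Return (rewrite, reason); enrolled is None when missing or unreadable."""
    new = {fingerprint(l) for l in scanned.splitlines() if l.strip()} - {None}
    if not new:
        return False, "scan returned no usable keys"
    if enrolled is None:
        return True, "enrolled keys missing or unreadable"
    lines = [l for l in enrolled.splitlines() if l.strip()]
    if not lines:
        return True, "enrolled keys empty"
    old = {fingerprint(l) for l in lines}
    if None in old:
        return True, "enrolled keys fail validation"
    if old != new:
        return True, "scan differs from enrolled keys"
    return False, "enrolled keys current"


def sample_line(host, seed):
    """Constructed ed25519-shaped host key line (placeholder bytes, not a real key)."""
    kt, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = len(kt).to_bytes(4, "big") + kt + len(key).to_bytes(4, "big") + key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    old, new = (sample_line("bastion.example.com", s) for s in (b"old", b"new"))
    print(refresh_decision(old, new))
```
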

TIP
Run Refresh SSH Host Keys after your team rotates SSH host keys on the bastion, changes the bastion hostname or IP, or replaces the SSH endpoint. Wait a few minutes, then run Save & Test to confirm the connection.

Account migration

You do not trigger account migration. Adobe performs data-server moves during maintenance or scaling and copies enrolled SSH host keys so strict verification continues to work after the move.

After Adobe notifies you that migration is complete:

  1. Run Save & Test to confirm the connection. Enrollment should be skipped if keys were copied successfully.
  2. If SSH host key errors persist, ask an Admin to run Refresh SSH Host Keys, wait a few minutes, then run Save & Test again.
  3. Contact Adobe Support if errors continue after Save & Test and up to two Refresh SSH Host Keys attempts.

SSH host key error messages

Connection status shows a single user-friendly SSH host key message. Raw OpenSSH errors are not shown in the dashboard.

The following table maps common messages to likely causes and typical next steps.

| Message or status | What it means | Possible causes | Typical next step |
| --- | --- | --- | --- |
| SSH host key verification failed | The bastion host key does not match enrolled keys, or trust material is unusable | SSH host keys rotated on the bastion; bastion hostname, IP, or port changed; enrolled keys missing, empty, invalid, or unreadable | Confirm Remote Address and SSH Port. Ask your infrastructure team whether bastion host keys changed. Ask an Admin to run Refresh SSH Host Keys, wait a few minutes, then run Save & Test. |
| SSH host keys could not be enrolled | Save & Test could not scan or store bastion host keys | Bastion unreachable from Adobe infrastructure; DNS failure; firewall blocks Commerce Intelligence IP addresses; wrong Remote Address or SSH Port; host key scan failure on the bastion | Verify firewall allowlisting using the Commerce Intelligence IP addresses on the database credentials page. Confirm the bastion accepts SSH on the configured port. Correct connection fields and run Save & Test again. |
| SSH host keys are missing or invalid | Strict verification blocked the tunnel because enrolled trust material is absent or corrupt | First connection never completed enrollment; prior refresh failed; migration did not copy keys; issue on Adobe infrastructure | Ask an Admin to run Refresh SSH Host Keys, then Save & Test. Contact Support if the error persists. |
| Refresh SSH host keys could not be completed | The refresh did not update enrolled keys | Network, DNS, or scan failure during refresh; issue on Adobe infrastructure | Wait several minutes. Ask an Admin to run Refresh SSH Host Keys again (second attempt if the first failed). Confirm bastion reachability and allowlisting. Contact Support if the connection still fails after two refresh attempts and Save & Test. |

Troubleshooting checklist

  1. Confirm Remote Address, SSH Port, and Linux user settings match your bastion settings.
  2. Confirm your firewall allows the Commerce Intelligence IP addresses shown on your database credentials page.
  3. Ask your infrastructure team whether SSH host keys on the bastion changed recently.
  4. Run Save & Test to validate settings and enroll keys if none exist yet.
  5. Ask an Admin to run Refresh SSH Host Keys, wait a few minutes, then run Save & Test again. If the first refresh does not resolve the error, repeat this step.
  6. If the connection still shows an SSH host key error after two refresh attempts, click Contact Support on the connection page (or your account support channel).

When to contact Adobe Support

Contact support when:

  • SSH host key errors continue after an Admin runs Refresh SSH Host Keys twice and Save & Test still fails
  • Refresh SSH Host Keys never completes or the connection status does not change after 15–30 minutes
  • Errors began immediately after Adobe notified you of account migration or data server maintenance
  • Bastion settings and firewall allowlisting are correct, your team has not rotated host keys, and you still cannot connect
  • You need an Admin to run Refresh SSH Host Keys but no Admin is available on the account

Include the connection name, approximate time of the last Save & Test or refresh attempt, and whether bastion host keys changed recently. Do not send private keys or passphrases.
