Bug 1282823
Summary: | Unable to generate new key for external database | |
---|---|---|---
Product: | Red Hat CloudForms Management Engine | Reporter: | Prasad Mukhedkar <pmukhedk>
Component: | Appliance | Assignee: | Keenan Brock <kbrock>
Status: | CLOSED NOTABUG | QA Contact: | Dave Johnson <dajohnso>
Severity: | high | Priority: | unspecified
Version: | 5.2.0 | CC: | abellott, gtanzill, jdeubel, jhardy, jocarter, kbrock, ngupta, obarenbo, pmukhedk
Target Milestone: | GA | Target Release: | 5.5.0
Hardware: | x86_64 | OS: | Linux
Doc Type: | Bug Fix | Type: | Bug
Last Closed: | 2015-11-19 05:41:26 UTC | |
Description
Prasad Mukhedkar
2015-11-17 14:26:38 UTC
I am confused.

Thanks for the followup. To be honest, I'm not sure why the documents would suggest generating a new encryption key. Unless there is a security breach/corporate policy, customers should not be generating a new encryption key in a configured environment.

But I did see a reference to "the Velvet Underground" at the very top of the document: https://access.redhat.com/documentation/en-US/Red_Hat_CloudForms/3.2/html/Appliance_Hardening_Guide/chap-Red_Hat_CloudForms-Security_Guide-Creating_Keys.html

> Changing the encryption key is recommended during setting up new CloudForms appliances only.
> IMPORTANT
> Red Hat does not recommend changing the encryption key for an existing appliance as the ability to decrypt the password will be lost, affecting all stored passwords in CloudForms.

NOTE: In 5.5, you can pass --legacy-key to migrate from one v2_key to another. So you will not lose provider encryption keys.

Ooh, I finally understand. There is an SSL key used to secure the HTTP endpoint (server.cer, server.cer.key) and there is an encryption key (v2_key) used to secure the provider credentials. The documentation is requesting you generate a server.cer and not the v2_key.