Bug 1496224

Summary: Export changelog db fails when the changelog encryption is configured
Product: Red Hat Enterprise Linux 7
Reporter: Sankar Ramalingam <sramling>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED NOTABUG
QA Contact: Viktor Ashirov <vashirov>
Severity: urgent
Docs Contact:
Priority: high
Version: 7.4
CC: lkrispen, nkinder, rmeggins
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-10-12 13:57:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sankar Ramalingam 2017-09-26 17:08:33 UTC
Description of problem: Exporting the changelogdb to an LDIF file fails when changelog encryption is configured. 


Version-Release number of selected component (if applicable): 389-ds-base-1.3.6.1-20


How reproducible: Consistently


Steps to Reproduce:
1. Configure two-master replication
2. Configure changelog encryption for master1.
Refer to the design doc - http://directory.fedoraproject.org/docs/389ds/FAQ/changelog-encryption.html
3. Add a few users with passwords and check if the changelog's unhashed#user#password attribute is encrypted in master1.
4. Check if the changelog db can be backed up to an LDIF file.

[root@hp-dl80gen9-01 ~]# PORT=39001 ; ldapmodify -x -p $PORT -h  localhost -D "cn=Directory Manager" -w password  << EOF
dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: nsds5Task
nsds5Task: CL2LDIF
EOF

modifying entry "cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"

The task seems to complete successfully, but the error log shows that it does not.
[26/Sep/2017:12:55:56.942528576 -0400] - INFO - NSMMReplicationPlugin - replica_execute_cl2ldif_task - Beginning changelog export of replica "f381588d-a2da11e7-9f71c0b1-92fa1179"
[26/Sep/2017:12:55:56.967812915 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:56.984312936 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "objectclass: 74" failed


Actual results: changelogdb backup fails.

_back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.

Expected results: Changelogdb backup should succeed.


Additional info:

[26/Sep/2017:12:55:56.942528576 -0400] - INFO - NSMMReplicationPlugin - replica_execute_cl2ldif_task - Beginning changelog export of replica "f381588d-a2da11e7-9f71c0b1-92fa1179"
[26/Sep/2017:12:55:56.967812915 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:56.984312936 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "objectclass: 74" failed
[26/Sep/2017:12:55:57.000967728 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.017600832 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "objectclass: 6c" failed
[26/Sep/2017:12:55:57.034334786 -0400] - ERR - _back_crypt_crypto_op - Digest final failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.051018299 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "objectclass: 65" failed
[26/Sep/2017:12:55:57.067695660 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.084378182 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "cn: 72" failed
[26/Sep/2017:12:55:57.101079754 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.117722180 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "creatorsName: 63" failed
[26/Sep/2017:12:55:57.134417392 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.151104621 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "modifiersName: 63" failed
[26/Sep/2017:12:55:57.167759978 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.184462149 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "createTimestamp: 32" failed
[26/Sep/2017:12:55:57.201114768 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.217826947 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "modifyTimestamp: 32" failed
[26/Sep/2017:12:55:57.234502694 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.251205311 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "nsUniqueId: 66" failed
[26/Sep/2017:12:55:57.267852859 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.284515297 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "parentid: 31" failed
[26/Sep/2017:12:55:57.301221071 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.317887280 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "entryid: 31" failed
[26/Sep/2017:12:55:57.334584638 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.351246749 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "entrydn: 63" failed
[26/Sep/2017:12:55:57.367920123 -0400] - ERR - slapi_mods2entry - Add_values for type nsUniqueId failed (rc: 16)

Comment 2 Sankar Ramalingam 2017-09-26 17:32:53 UTC
Additional details to reproduce the problem:

Setup: 2-master replication setup
Steps:
1. Stop the server instance and edit /etc/dirsrv/slapd-master1/dse.ldif file.
2. Add "nsslapd-encryptionalgorithm: AES" under cn=changelog5,cn=config entry.
3. Start the server instance.
4. Add a user entry with a password to master1
5. Check if unhashed#user#password attribute is encrypted by doing dbscan -f
/usr/bin/dbscan -f /var/lib/dirsrv/slapd-master1/changelogdb/xyz.db

You can see that the changelog entry for newly added user is encrypted.
6. Now, try to take the changelog db backup.
[root@hp-dl80gen9-01 ~]# PORT=39001 ; ldapmodify -x -p $PORT -h  localhost -D "cn=Directory Manager" -w password  << EOF
dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: nsds5Task
nsds5Task: CL2LDIF
EOF

7. The changelog db backup fails, as can be observed in the error logs.

NSS packages present on the test machine.

[root@hp-dl80gen9-01 ~]# rpm -qa |grep -i nss-
nss-softokn-freebl-3.28.3-8.el7_4.x86_64
nss-softokn-3.28.3-8.el7_4.x86_64
nss-pem-1.0.3-4.el7.x86_64
python-nss-0.16.0-3.el7.x86_64
mod_nss-1.0.14-10.el7_4.1.x86_64
nss-util-3.28.4-3.el7.x86_64
nss-debuginfo-3.28.4-14.el7_4.x86_64
nss-sysinit-3.28.4-14.el7_4.x86_64
nss-tools-3.28.4-14.el7_4.x86_64
nss-3.28.4-14.el7_4.x86_64

Comment 3 Ludwig 2017-09-26 18:01:26 UTC
Do you already have entries in the changelog when you enable encryption?

you cannot have a mix of encrypted and clear entries in the changelog.

Comment 4 Sankar Ramalingam 2017-09-27 12:48:38 UTC
(In reply to Ludwig from comment #3)
> do you already have entries in the changelog when you enable encryption ?
> 
> you cannot have a mix of encrypted and clear entries in the changelog.
Yes, I have a mix of encrypted and cleartext entries in the changelog. It is present since I used the replication topology from lib389 - topology_m2.

Comment 5 Ludwig 2017-09-27 13:20:07 UTC
This does not work. If you enable encryption after having entries in the changelog, you need to reinit the changelog. You could either:
- reimport the database via ldif 
- reinit the server from another server
- try to 
-- export cl to ldif
-- enable cl encryption
-- reimport the cl
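The script below is an added example for this page; it is not code from the bug report or from 389-ds. It covers two points that come out of the thread: the ldapmodify that starts the CL2LDIF task returns success even when the export fails (the only evidence is the _cl5ReadMod decryption errors in the error log, as seen in the description and comment 2), and the recovery order Ludwig gives in comment 5 for a changelog that already holds cleartext entries (export, enable encryption, reimport). Assumptions: the instance name, port and log/dse.ldif paths, and that LDIF2CL is the reimport counterpart of the CL2LDIF task. The log excerpts inside the script are constructed, modelled on the lines quoted in this report, so the check can be exercised offline.

```shell
#!/bin/bash
# Added example for this bug page; not code from the report or from 389-ds.
# 1) cl_export_status: decide from the error log whether the last CL2LDIF run
#    actually succeeded, because the ldapmodify that starts it always succeeds.
# 2) The "run" path applies comment 5's order: export, enable encryption, reimport.
# Assumptions: instance name, port, log/dse.ldif paths, LDIF2CL as the reimport task.
set -u

INSTANCE="${INSTANCE:-master1}"
PORT="${PORT:-39001}"
ERRLOG="${ERRLOG:-/var/log/dirsrv/slapd-$INSTANCE/errors}"
DSE="${DSE:-/etc/dirsrv/slapd-$INSTANCE/dse.ldif}"
REPLICA_DN='cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'

# cl_export_status LOG: judge the most recent CL2LDIF run from the error log.
# Prints and returns: "ok" (0) when no _cl5ReadMod decryption failures follow the
# last "Beginning changelog export" line; "failed:N" (1) when N such failures do;
# "notstarted" (3) when no export start line exists; "unreadable" (2) otherwise.
cl_export_status() {
    local log="$1" n
    [ -r "$log" ] || { echo "unreadable"; return 2; }
    n=$(awk '/replica_execute_cl2ldif_task - Beginning changelog export/ { c = 0; seen = 1; next }
             /changelog program - _cl5ReadMod - Decrypting .* failed/ { c++ }
             END { print (seen ? c + 0 : -1) }' "$log")
    if [ "$n" -lt 0 ]; then echo "notstarted"; return 3; fi
    if [ "$n" -gt 0 ]; then echo "failed:$n"; return 1; fi
    echo "ok"
}

# run_cl_task TASK: start a changelog task (CL2LDIF, or LDIF2CL for the reimport)
# the way the report does, by adding nsds5Task to the replica entry.
# PASSWD must hold the Directory Manager password.
run_cl_task() {
    ldapmodify -x -h localhost -p "$PORT" -D "cn=Directory Manager" -w "$PASSWD" <<EOF
dn: $REPLICA_DN
changetype: modify
add: nsds5Task
nsds5Task: $1
EOF
}

# enable_cl_encryption: comment 2's edit, to be done while the instance is stopped.
# Skips the edit when the attribute is already present.
enable_cl_encryption() {
    if grep -q '^nsslapd-encryptionalgorithm:' "$DSE"; then
        echo "changelog encryption already set in $DSE"
        return 0
    fi
    sed -i '/^dn: cn=changelog5,cn=config$/a nsslapd-encryptionalgorithm: AES' "$DSE"
}

# Constructed log excerpts (modelled on the lines in this report) for offline use.
make_failed_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
[26/Sep/2017:12:55:56.942528576 -0400] - INFO - NSMMReplicationPlugin - replica_execute_cl2ldif_task - Beginning changelog export of replica "f381588d-a2da11e7-9f71c0b1-92fa1179"
[26/Sep/2017:12:55:56.967812915 -0400] - ERR - _back_crypt_crypto_op - Failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:56.984312936 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "objectclass: 74" failed
[26/Sep/2017:12:55:57.034334786 -0400] - ERR - _back_crypt_crypto_op - Digest final failed on cipher AES : -8190 - security library: received bad data.
[26/Sep/2017:12:55:57.051018299 -0400] - ERR - NSMMReplicationPlugin - changelog program - _cl5ReadMod - Decrypting "objectclass: 65" failed
EOF
    echo "$f"
}
make_clean_log() {
    local f
    f=$(mktemp)
    echo '[26/Sep/2017:13:10:00.000000000 -0400] - INFO - NSMMReplicationPlugin - replica_execute_cl2ldif_task - Beginning changelog export of replica "f381588d-a2da11e7-9f71c0b1-92fa1179"' > "$f"
    echo "$f"
}

# Live procedure (comment 5's third option). Only runs when invoked as "$0 run".
if [ "${1:-}" = run ]; then
    : "${PASSWD:?set PASSWD to the Directory Manager password}"
    run_cl_task CL2LDIF
    sleep 5     # the task is asynchronous; give it time to finish and log
    cl_export_status "$ERRLOG" || { echo "export not clean, leaving encryption off" >&2; exit 1; }
    systemctl stop "dirsrv@$INSTANCE"
    enable_cl_encryption
    systemctl start "dirsrv@$INSTANCE"
    run_cl_task LDIF2CL
fi
```

Without an argument the script only defines the functions, so it can be sourced and cl_export_status run against a real errors file; the counter is reset at each "Beginning changelog export" line so that failures from earlier attempts in the same log are not counted. One caveat for the recovery path: the log lines in this report show the export decrypting entries as it reads them, so the LDIF written by CL2LDIF (under the changelog directory) is a cleartext copy of the changelog, including the unhashed#user#password values the encryption is meant to protect. Keep it root-only and remove it once the LDIF2CL import has succeeded.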