Bug 1574623

Summary: Token-based authentication fails for Central Administration actions
Product: Red Hat CloudForms Management Engine Reporter: Tasos Papaioannou <tpapaioa>
Component: DocumentationAssignee: Red Hat CloudForms Documentation <cloudforms-docs>
Status: CLOSED WORKSFORME QA Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Severity: high Docs Contact:
Priority: high    
Version: 5.8.0CC: abellott, cpelland, hhudgeon, hkataria, lavenel, mpovolny, obarenbo, tpapaioa, yrudman
Target Milestone: GA   
Target Release: cfme-future   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-01-02 13:13:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tasos Papaioannou 2018-05-03 16:56:18 UTC 
Description of problem:

Initiating VM retirement from the global appliance fails silently. The VM doesn't start retirement, and logs show token-based authentication fails:

[----] E, [2018-05-03T12:15:55.455630 #12127:1363b38] ERROR -- : MIQ(Api::ApiController.rescue in authenticate_with_system_token) Error: can not decrypt v2_key encrypted string

Version-Release number of selected component (if applicable):

Seen on 5.8 and 5.9

How reproducible:

100%

Steps to Reproduce:
1.) Configure db replication with one global and one remote appliance.
2.) Add a RHV provider on the remote appliance.
3.) View the RHV provider on the global appliance, and initiate retiremen of one of its VM's.

Actual results:

VM doesn't retire.

Expected results:

VM retires successfully.

Additional info:
Comment 4 Yuri Rudman 2018-05-08 12:04:49 UTC 
Tasos, could you verify that the v2_key is the same on the global and remote region.
Comment 5 Tasos Papaioannou 2018-05-08 13:58:28 UTC 
No, they're not. I don't see this requirement documented for remote/global appliance configuration. According to the General Configuration guide, there is no further configuration required once database replication is set up. If that's not true, and the appliances need to be pre-configured to have the same key, then we need documented configuration steps for that.

https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html-single/general_configuration/#configuring_database_replication
Comment 6 Yuri Rudman 2018-05-09 14:25:13 UTC 
There is only small Note in Documentation about requirement to have the same v2_key on all appliance (in section 4.4.2) and it does not provide any details:
 "  IMPORTANT
    All Red Hat CloudForms databases in a multi-region deployment must use the same 
    security key.
 "

To configure DB to use the same v2_key when setting-up region using appliance_console:

 - Create first region using "Create Key" when Configure Database:
        5. Configure Database -> 1) Create key
 - Create other regions using "Fetch key from remote machine" option:
        5. Configure Database -> 2) Fetch key from remote machine -> enter host name to fetch v2_key from
Comment 7 Yuri Rudman 2018-05-10 14:01:20 UTC 
There is another BZ with request to add more docs on the same topic of Centralized Administration: https://bugzilla.redhat.com/show_bug.cgi?id=1513
Comment 8 Yuri Rudman 2018-05-10 14:02:43 UTC 
correction to above BZ number: https://bugzilla.redhat.com/show_bug.cgi?id=1513042
Comment 9 Loic Avenel 2019-01-02 13:13:40 UTC 
Configuration issue.