Bug 187953

Summary: attrcrypt error messages after configuring SSL
Product: Red Hat Directory Server
Reporter: Alex Stuck <stucky101>
Component: Doc-administration-guide
Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE
QA Contact: Content Services Development <ecs-dev-list>
Severity: low
Priority: medium
Version: 8.0
CC: rmeggins, ulf.weltman
Target Milestone: DS8.1
Keywords: Documentation
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-05-01 21:46:16 UTC
Bug Blocks: 152373, 249650

Description Alex Stuck 2006-04-04 20:47:38 UTC
Description of problem: When you first enable ssl and restart the server everything is fine. If you change the server cert however you get an error in the log related to attribute encryption.

Version-Release number of selected component (if applicable): 1.0.2

How reproducible: 100%

Steps to Reproduce:
1. Install fds rpm 1.0.2
2. Use a certdb that has 2 server certs in it: Server-Cert and Server-Cert2
3. enable ssl
4. restart fds
5. change "Certificate" from "Server-Cert" to "Server-Cert2" via console
6. restart fds

Instead of steps 5 and 6 you can also do this:

1. stop fds
2. edit dse.ldif so nsSSLPersonality points to Server-Cert2
3. start fds

The effect is the same.

Actual results:
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] -
Fedora-Directory/1.0.2 B2006.060.1928 starting up
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] -
attrcrypt_unwrap_key: failed to unwrap key for cipher AES
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to retrieve
key for cipher AES in attrcrypt_cipher_init
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to
initialize cipher AES in attrcrypt_init
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] -
attrcrypt_unwrap_key: failed to unwrap key for cipher AES
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to retrieve
key for cipher AES in attrcrypt_cipher_init
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to
initialize cipher AES in attrcrypt_init
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Listening on All
Interfaces port 636 for LDAPS requests

Expected results:
Apr  4 12:58:41 smtp1 logger: [04/Apr/2006:12:58:40 -0700] -
Fedora-Directory/1.0.2 B2006.060.1928 starting up
Apr  4 12:58:41 smtp1 logger: [04/Apr/2006:12:58:40 -0700] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests
Apr  4 12:58:41 smtp1 logger: [04/Apr/2006:12:58:40 -0700] - Listening on All
Interfaces port 636 for LDAPS requests

Additional info:

Comment 1 Rich Megginson 2006-04-04 20:52:31 UTC
I think we just need to figure out where the attrcrypt keys are stored and
provide instructions about how to remove them.

Comment 2 Ulf Weltman 2006-04-06 22:58:00 UTC
Shut down the server instance, make a backup of dse.ldif in case something goes wrong or you discover you had attributes encrypted with the old key, and then remove the entries containing the nssymmetrickey attribute from dse.ldif. The entries' DNs will be of this form:
dn: cn={cipher},cn=encrypted attribute keys,cn={backend},cn=ldbm database,cn=plugins,cn=config
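
A script that carries out the cleanup Comment 2 describes, added here as an example and not part of the bug report or of Directory Server itself: it parses dse.ldif (unfolding continued lines), drops only the entries under cn=encrypted attribute keys that actually carry an nsSymmetricKey, and writes a .bak copy before touching the file. The sample dse.ldif fragment, the placeholder key value and the .bak naming are constructed assumptions.

```python
import shutil
from pathlib import Path
# Constructed dse.ldif fragment (not from the bug report); the key entry's DN is folded.
SAMPLE_DSE = """\
dn: cn=encryption,cn=config

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,
 cn=config
nsSymmetricKey: constructed-wrapped-key-placeholder

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
"""
KEY_CONTAINER = ",cn=encrypted attribute keys,"     # per-backend key container RDN
KEY_SUFFIX = ",cn=ldbm database,cn=plugins,cn=config"

def parse_ldif_entries(text):
    """Split LDIF into blank-line separated entries, unfolding continuation lines."""
    entries, cur = [], []
    for line in text.splitlines():
        if line.startswith(" ") and cur:
            cur[-1] += line[1:]             # folded line continues the previous attribute
        elif line.strip():
            cur.append(line)
        elif cur:
            entries.append(cur)
            cur = []
    return entries + ([cur] if cur else [])

def attrcrypt_key_dn(entry):
    """Return the DN if this entry holds a wrapped attrcrypt key (nsSymmetricKey), else None."""
    dns = [l[3:].strip() for l in entry if l.lower().startswith("dn:")]
    if not dns or not any(l.lower().startswith("nssymmetrickey:") for l in entry):
        return None
    norm = ",".join(p.strip() for p in dns[0].split(",")).lower()   # DNs match case-insensitively
    return dns[0] if KEY_CONTAINER in norm and norm.endswith(KEY_SUFFIX) else None

def remove_attrcrypt_key_entries(text):
    """Return (cleaned LDIF text, list of removed DNs); other entries are kept verbatim."""
    kept, removed = [], []
    for entry in parse_ldif_entries(text):
        dn = attrcrypt_key_dn(entry)
        (removed if dn else kept).append(dn or "\n".join(entry))
    return "\n\n".join(kept) + "\n", removed

def clean_dse_ldif(path):
    """Keep a backup beside dse.ldif, then strip the key entries. Run with the server stopped."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))   # the backup Comment 2 recommends
    cleaned, removed = remove_attrcrypt_key_entries(p.read_text())
    p.write_text(cleaned)
    return removed
```

Entries whose DN is base64-encoded (dn::) are not matched, so inspect the returned list and the .bak copy before restarting the instance.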

Comment 3 Chandrasekar Kannan 2007-08-05 23:00:31 UTC
low pri doc bug

Comment 7 Rich Megginson 2009-01-14 16:59:41 UTC
We need to add this documentation to the admin guide, in the SSL setup section, and in the attrcrypt section.