Bug 961081

Summary: pki upgrade 3.1->3.2 produces unusable PKCS#12 keystore if ibm jre is installed as default
Product: Red Hat Enterprise Virtualization Manager
Reporter: Alon Bar-Lev <alonbl>
Component: ovirt-engine-setup
Assignee: Alon Bar-Lev <alonbl>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiri Belka <jbelka>
Severity: unspecified
Docs Contact:
Priority: high
Version: 3.2.0
CC: acathrow, alonbl, bazulay, dhuff, iheim, jkt, oramraz, Rhev-m-bugs
Target Milestone: ---
Keywords: Triaged
Target Release: 3.3.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version: is1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-21 22:19:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Alon Bar-Lev 2013-05-08 18:29:09 UTC
Root cause

Incompatibility between IBM JRE and Sun/OpenJDK JRE, or more precisely incompatibility between Sun/OpenJDK JRE and PKCS#12 format, bug#961069.

Result

Engine certificate store is unreadable by the engine.

Consequences

Engine cannot decrypt encrypted fields in database, engine cannot encrypt new values.

Workaround

Ensure openjdk is installed as default java before performing upgrade.

Fixing unusable keystore after upgrade:
---
set -e
# Re-export the keystore through openssl: decode the existing PKCS#12
# (replace mypass with the real keystore password) and write a fresh one.
# The decoded PEM stays in the pipe and is never written to disk.
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/engine.p12 -passin pass:mypass -nodes | openssl pkcs12 -export -out /tmp/engine.p12 -passout pass:mypass
# Install the re-exported keystore as each of the three stores, keeping a
# timestamped backup of every original and preserving its owner and mode.
for f in engine.p12 apache.p12 jboss.p12; do
    dst=/etc/pki/ovirt-engine/keys/$f
    chown --reference="$dst" /tmp/engine.p12
    chmod --reference="$dst" /tmp/engine.p12
    cp -a "$dst" "$dst.$(date +%Y%m%d%H%M%S)"
    cp /tmp/engine.p12 "$dst"
done
rm /tmp/engine.p12
---

Comment 8 Alon Bar-Lev 2013-08-01 19:13:16 UTC
I still think this should go to 3.2.z.

Comment 9 Alon Bar-Lev 2013-08-01 19:15:34 UTC
(In reply to Alon Bar-Lev from comment #8)
> I still think this should go to 3.2.z.

sorry wrong bug.

Comment 10 Jiri Belka 2013-10-31 10:56:12 UTC
With recent switch to new engine-setup (otopi-based one), is this present in new scripts/upgrade procedure? If so, please describe verification steps. Thank you.

Comment 11 Alon Bar-Lev 2013-10-31 11:06:06 UTC
(In reply to Jiri Belka from comment #10)
> With recent switch to new engine-setup (otopi-based one), is this present in
> new scripts/upgrade procedure? If so, please describe verification steps.
> Thank you.

Upgrade of 3.2->3.3 does not convert java keystore into PKCS#12, so it is irrelevant.

However, checking both setup and upgrade when IBM JDK 1.7 is set up as the active java/javac is required in any case.

Thanks!

Comment 12 Jiri Belka 2013-10-31 14:24:36 UTC
ok, is21.

# lsof -u ovirt -nc '/ovirt-engine -server/' | grep bin/java
java      7440 ovirt  txt    REG              253,0     5152 276864 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45.x86_64/jre/bin/java
# ls -l /etc/alternatives/java
lrwxrwxrwx. 1 root root 42 Oct 31 14:47 /etc/alternatives/java -> /usr/lib/jvm/jre-1.7.0-ibm.x86_64/bin/java
# /usr/share/ovirt-engine/bin/java-home 
/usr/lib/jvm/jre-openjdk

Comment 13 Itamar Heim 2014-01-21 22:19:06 UTC
Closing - RHEV 3.3 Released

Comment 14 Itamar Heim 2014-01-21 22:25:19 UTC
Closing - RHEV 3.3 Released