1282823 – Unable to generate new key for external database

Bug 1282823 - Unable to generate new key for external database

Summary: Unable to generate new key for external database

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat CloudForms Management Engine
Classification:	Red Hat
Component:	Appliance
Sub Component:
Version:	5.2.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	GA
Target Release:	5.5.0
Assignee:	Keenan Brock
QA Contact:	Dave Johnson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-11-17 14:26 UTC by Prasad Mukhedkar
Modified:	2019-08-15 05:51 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-11-19 05:41:26 UTC
Category:	---
Cloudforms Team:	---
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2054683	0	None	None	None	Never

Description Prasad Mukhedkar 2015-11-17 14:26:38 UTC

Description of problem:

/etc/init.d/evmserverd fails to start due to corrupted v2_key file. Following error reported on the console while starting the evm service. 


/opt/rh/cfme-gemset/gems/ezcrypto-0.7/lib/ezcrypto.rb:468:in `final': bad decrypt (OpenSSL::Cipher::CipherError)
	from /opt/rh/cfme-gemset/gems/ezcrypto-0.7/lib/ezcrypto.rb:468:in `final'
	from /opt/rh/cfme-gemset/gems/ezcrypto-0.7/lib/ezcrypto.rb:478:in `gulp'


tried to create nee v2_key using "appliance_console_cli" but it also fails
with the same " bad decrypt" error instead of seeding the database with the new key and then treat the external database as a new connection.

Step to reproduce : 

1. Configure external database.
2. backup /var/www/miq/vmdb/certs/v2_key file to a safe place
3. stop the /etc/init.d/evmserverd service.
4. Try to create new but it fails 

#appliance_console_cli -k --hostname 10.65.210.30 --username cloudforms -p redhat.com

Comment 2 Keenan Brock 2015-11-17 15:59:46 UTC

I am confused

Comment 9 Keenan Brock 2015-11-22 04:05:13 UTC

Thanks for the followup.

To be honest, I'm not sure why the documents would suggest generating a new encryption key. Unless there is a security breach/corporate policy, customers should not be generating a new encryption key in a configured environment.

But I did see a reference to "the Velvet Underground" at the very top of the document:

https://access.redhat.com/documentation/en-US/Red_Hat_CloudForms/3.2/html/Appliance_Hardening_Guide/chap-Red_Hat_CloudForms-Security_Guide-Creating_Keys.html

> Changing the encryption key is recommended during setting up new CloudForms appliances only.

> IMPORTANT
> Red Hat does not recommend changing the encryption key for an existing appliance as the ability to decrypt the password will be lost, affecting all stored passwords in CloudForms.

NOTE: In 5.5, you can pass --legacy-key to migrate from one v2_key to another. So you will not loose provider encryption keys.

Comment 10 Keenan Brock 2015-11-22 04:15:40 UTC

Ooh, I finally understand.

There is an ssl key used to secure the http endpoint (server.cer, server.cer.key) and there is an encryption key (v2_key) used to secure the provider credentials.


The documentation is requesting you generate a server.cer and not the v2_key.

Note You need to log in before you can comment on or make changes to this bug.