Description of problem: /etc/init.d/evmserverd fails to start due to corrupted v2_key file. Following error reported on the console while starting the evm service. /opt/rh/cfme-gemset/gems/ezcrypto-0.7/lib/ezcrypto.rb:468:in `final': bad decrypt (OpenSSL::Cipher::CipherError) from /opt/rh/cfme-gemset/gems/ezcrypto-0.7/lib/ezcrypto.rb:468:in `final' from /opt/rh/cfme-gemset/gems/ezcrypto-0.7/lib/ezcrypto.rb:478:in `gulp' tried to create nee v2_key using "appliance_console_cli" but it also fails with the same " bad decrypt" error instead of seeding the database with the new key and then treat the external database as a new connection. Step to reproduce : 1. Configure external database. 2. backup /var/www/miq/vmdb/certs/v2_key file to a safe place 3. stop the /etc/init.d/evmserverd service. 4. Try to create new but it fails #appliance_console_cli -k --hostname 10.65.210.30 --username cloudforms -p redhat.com
I am confused
Thanks for the followup. To be honest, I'm not sure why the documents would suggest generating a new encryption key. Unless there is a security breach/corporate policy, customers should not be generating a new encryption key in a configured environment. But I did see a reference to "the Velvet Underground" at the very top of the document: https://access.redhat.com/documentation/en-US/Red_Hat_CloudForms/3.2/html/Appliance_Hardening_Guide/chap-Red_Hat_CloudForms-Security_Guide-Creating_Keys.html > Changing the encryption key is recommended during setting up new CloudForms appliances only. > IMPORTANT > Red Hat does not recommend changing the encryption key for an existing appliance as the ability to decrypt the password will be lost, affecting all stored passwords in CloudForms. NOTE: In 5.5, you can pass --legacy-key to migrate from one v2_key to another. So you will not loose provider encryption keys.
Ooh, I finally understand. There is an ssl key used to secure the http endpoint (server.cer, server.cer.key) and there is an encryption key (v2_key) used to secure the provider credentials. The documentation is requesting you generate a server.cer and not the v2_key.