Bug 1574623 - Token-based authentication fails for Central Administration actions
Summary: Token-based authentication fails for Central Administration actions
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Documentation
Version: 5.8.0
Hardware: All
OS: All
high
high
Target Milestone: GA
: cfme-future
Assignee: Red Hat CloudForms Documentation
QA Contact: Red Hat CloudForms Documentation
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-03 16:56 UTC by Tasos Papaioannou
Modified: 2019-01-02 13:13 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-02 13:13:40 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Tasos Papaioannou 2018-05-03 16:56:18 UTC 
Description of problem:

Initiating VM retirement from the global appliance fails silently. The VM doesn't start retirement, and logs show token-based authentication fails:

[----] E, [2018-05-03T12:15:55.455630 #12127:1363b38] ERROR -- : MIQ(Api::ApiController.rescue in authenticate_with_system_token) Error: can not decrypt v2_key encrypted string

Version-Release number of selected component (if applicable):

Seen on 5.8 and 5.9

How reproducible:

100%

Steps to Reproduce:
1.) Configure db replication with one global and one remote appliance.
2.) Add a RHV provider on the remote appliance.
3.) View the RHV provider on the global appliance, and initiate retiremen of one of its VM's.

Actual results:

VM doesn't retire.

Expected results:

VM retires successfully.

Additional info:
Comment 4 Yuri Rudman 2018-05-08 12:04:49 UTC 
Tasos, could you verify that the v2_key is the same on the global and remote region.
Comment 5 Tasos Papaioannou 2018-05-08 13:58:28 UTC 
No, they're not. I don't see this requirement documented for remote/global appliance configuration. According to the General Configuration guide, there is no further configuration required once database replication is set up. If that's not true, and the appliances need to be pre-configured to have the same key, then we need documented configuration steps for that.

https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html-single/general_configuration/#configuring_database_replication
Comment 6 Yuri Rudman 2018-05-09 14:25:13 UTC 
There is only small Note in Documentation about requirement to have the same v2_key on all appliance (in section 4.4.2) and it does not provide any details:
 "  IMPORTANT
    All Red Hat CloudForms databases in a multi-region deployment must use the same 
    security key.
 "

To configure DB to use the same v2_key when setting-up region using appliance_console:

 - Create first region using "Create Key" when Configure Database:
        5. Configure Database -> 1) Create key
 - Create other regions using "Fetch key from remote machine" option:
        5. Configure Database -> 2) Fetch key from remote machine -> enter host name to fetch v2_key from
Comment 7 Yuri Rudman 2018-05-10 14:01:20 UTC 
There is another BZ with request to add more docs on the same topic of Centralized Administration: https://bugzilla.redhat.com/show_bug.cgi?id=1513
Comment 8 Yuri Rudman 2018-05-10 14:02:43 UTC 
correction to above BZ number: https://bugzilla.redhat.com/show_bug.cgi?id=1513042
Comment 9 Loic Avenel 2019-01-02 13:13:40 UTC 
Configuration issue.
Note You need to log in before you can comment on or make changes to this bug.