Bug 187953 - attrcrypt error messages after configuring SSL
Status: CLOSED CURRENTRELEASE
Product: Red Hat Directory Server
Classification: Red Hat
Component: Doc-administration-guide
Version: 8.0
Hardware: i386 Linux
Priority: medium
Severity: low
Target Milestone: DS8.1
Assigned To: Deon Ballard
QA Contact: Content Services Development
Docs Contact: Documentation
Blocks: 152373 249650
Reported: 2006-04-04 16:47 EDT by Alex Stuck
Modified: 2009-08-19 23:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-05-01 17:46:16 EDT
Description Alex Stuck 2006-04-04 16:47:38 EDT
Description of problem: When you first enable SSL and restart the server,
everything is fine. If you change the server cert, however, you get an error in
the log related to attribute encryption.

Version-Release number of selected component (if applicable): 1.0.2


How reproducible: 100%

Steps to Reproduce:
1. Install fds rpm 1.0.2
2. Use a certdb that has 2 server certs in it: Server-Cert and Server-Cert2
3. enable ssl
4. restart fds
5. change "Certificate" from "Server-Cert" to "Server-Cert2" via console
6. restart fds

Instead of steps 5 and 6 you can also do this:

1. stop fds
2. edit dse.ldif so nsSSLPersonality points to Server-Cert2
3. start fds

The effect is the same.

Actual results:
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] -
Fedora-Directory/1.0.2 B2006.060.1928 starting up
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] -
attrcrypt_unwrap_key: failed to unwrap key for cipher AES
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to retrieve
key for cipher AES in attrcrypt_cipher_init
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to
initialize cipher AES in attrcrypt_init
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] -
attrcrypt_unwrap_key: failed to unwrap key for cipher AES
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to retrieve
key for cipher AES in attrcrypt_cipher_init
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to
initialize cipher AES in attrcrypt_init
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests
Apr  4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Listening on All
Interfaces port 636 for LDAPS requests

Expected results:
Apr  4 12:58:41 smtp1 logger: [04/Apr/2006:12:58:40 -0700] -
Fedora-Directory/1.0.2 B2006.060.1928 starting up
Apr  4 12:58:41 smtp1 logger: [04/Apr/2006:12:58:40 -0700] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests
Apr  4 12:58:41 smtp1 logger: [04/Apr/2006:12:58:40 -0700] - Listening on All
Interfaces port 636 for LDAPS requests

Additional info:
Comment 1 Rich Megginson 2006-04-04 16:52:31 EDT
I think we just need to figure out where the attrcrypt keys are stored and
provide instructions about how to remove them.
Comment 2 Ulf Weltman 2006-04-06 18:58:00 EDT
Shut down the server instance, make a backup of dse.ldif in case something goes
wrong or you discover you had attributes encrypted with the old key, and then
remove the entries containing the nssymmetrickey attribute from dse.ldif.  The
entries' DNs will be of this form:
dn: cn={cipher},cn=encrypted attribute keys,cn={backend},cn=ldbm database,cn=plugins,cn=config
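The clean-up Comment 2 describes, as an added example script that is not part of the bug report or of the Directory Server itself: it parses a dse.ldif, drops only the entries whose DN has the shape given above and that actually carry an nsSymmetricKey value (the key wrapped with the old Server-Cert, which is why unwrapping fails after the cert change), and passes every other entry through unchanged. The dse.ldif fragment, the backend name userRoot and the base64 key value below are constructed for the example.

```python
import re

# Constructed sample dse.ldif fragment (not from a real server): a stale AES
# attrcrypt key entry between two ordinary config entries, with one folded line.
SAMPLE_DSE = """dn: cn=config
nsslapd-security: on

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: AES
nsSymmetricKey:: AAAAQUJD
 REVGR0hJSktMTU5PUA==

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: userRoot
"""

# DN shape from Comment 2; LDAP DNs compare case-insensitively.
KEY_DN_RE = re.compile(r"^dn:\s*cn=[^,]+,cn=encrypted attribute keys,cn=[^,]+,"
                       r"cn=ldbm database,cn=plugins,cn=config\s*$", re.IGNORECASE)

def split_entries(text):
    """LDIF -> list of entries (lists of lines); leading-space lines are folds."""
    entries, cur = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and cur:
            cur[-1] += raw[1:]          # rejoin an LDIF continuation line
        elif raw.strip():
            cur.append(raw)
        elif cur:                       # blank line ends the current entry
            entries.append(cur)
            cur = []
    return entries + ([cur] if cur else [])

def is_attrcrypt_key_entry(entry):
    """Matching DN plus an nsSymmetricKey value (also matches the base64 '::' form)."""
    return (any(KEY_DN_RE.match(l) for l in entry) and
            any(l.lower().startswith("nssymmetrickey:") for l in entry))

def strip_attrcrypt_keys(text):
    """Return (cleaned LDIF, removed DNs); all other entries pass through intact."""
    kept, removed = [], []
    for entry in split_entries(text):
        if is_attrcrypt_key_entry(entry):
            removed.append(next(l for l in entry if KEY_DN_RE.match(l))[3:].strip())
        else:
            kept.append("\n".join(entry))
    return "\n\n".join(kept) + "\n", removed
```

On a real instance, stop the server and copy dse.ldif aside before writing the cleaned text back over it, as Comment 2 advises; the returned DN list tells you which ciphers' keys were dropped.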
Comment 3 Chandrasekar Kannan 2007-08-05 19:00:31 EDT
low pri doc bug
Comment 7 Rich Megginson 2009-01-14 11:59:41 EST
We need to add this documentation to the admin guide, in the SSL setup section, and in the attrcrypt section.
