Description of problem:
When you first enable ssl and restart the server everything is fine. If you change the server cert, however, you get an error in the log related to attribute encryption.

Version-Release number of selected component (if applicable):
1.0.2

How reproducible:
100%

Steps to Reproduce:
1. Install fds rpm 1.0.2
2. Use a certdb that has 2 server certs in it: Server-Cert and Server-Cert2
3. enable ssl
4. restart fds
5. change "Certificate" from "Server-Cert" to "Server-Cert2" via console
6. restart fds

instead of steps 5 and 6 you can also do this:
1. stop fds
2. edit dse.ldif so nsSSLPersonality points to Server-Cert2
3. start fds
the effect is the same.

Actual results:
Apr 4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
Apr 4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
Apr 4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
Apr 4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to initialize cipher AES in attrcrypt_init
Apr 4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
Apr 4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
Apr 4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Failed to initialize cipher AES in attrcrypt_init
Apr 4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
Apr 4 13:00:35 smtp1 logger: [04/Apr/2006:13:00:34 -0700] - Listening on All Interfaces port 636 for LDAPS requests

Expected results:
Apr 4 12:58:41 smtp1 logger: [04/Apr/2006:12:58:40 -0700] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
Apr 4 12:58:41 smtp1 logger: [04/Apr/2006:12:58:40 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
Apr 4 12:58:41 smtp1 logger: [04/Apr/2006:12:58:40 -0700] - Listening on All Interfaces port 636 for LDAPS requests

Additional info:
I think we just need to figure out where the attrcrypt keys are stored and provide instructions about how to remove them.
Shut down the server instance, make a backup of dse.ldif in case something goes wrong or you discover you had attributes encrypted with the old key, and then remove the entries containing the nssymmetrickey attribute from dse.ldif. The entries' DNs will be of this form:
dn: cn={cipher},cn=encrypted attribute keys,cn={backend},cn=ldbm database,cn=plugins,cn=config
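The cleanup in the comment above, as an added example that is not part of the bug report or the Directory Server code: it parses dse.ldif as LDIF (unfolding continuation lines), drops only entries that carry nsSymmetricKey and sit at the DN shape given above, and reports any nsSymmetricKey found elsewhere instead of touching it. The sample dse.ldif fragment and the key value are constructed; the server must be stopped and dse.ldif backed up before the cleaned text is written back.

```python
"""Strip stale attrcrypt wrapped-key entries from dse.ldif text (constructed example)."""
import re

# DN shape of the wrapped-key entries named in the bug comment:
# cn={cipher},cn=encrypted attribute keys,cn={backend},cn=ldbm database,cn=plugins,cn=config
KEY_DN_RE = re.compile(
    r"^cn=[^,]+,cn=encrypted attribute keys,cn=[^,]+,cn=ldbm database,cn=plugins,cn=config$",
    re.IGNORECASE)

def split_ldif_entries(text):
    """Split LDIF into entries; a line starting with one space continues the previous one."""
    entries, current = [], []
    for line in text.splitlines():
        if line.startswith(" ") and current:   # folded continuation line
            current[-1] += line[1:]
        elif line.strip():
            current.append(line)
        elif current:                          # blank line ends an entry
            entries.append(current)
            current = []
    if current:
        entries.append(current)
    return entries

def strip_attrcrypt_keys(text):
    """Return (cleaned LDIF, removed DNs, skipped DNs). Only entries that carry nsSymmetricKey
    AND sit at the expected DN are dropped; a key anywhere else is kept and reported."""
    kept, removed, skipped = [], [], []
    for entry in split_ldif_entries(text):
        dn = next((l[3:].strip() for l in entry if l.lower().startswith("dn:")), "")
        has_key = any(l.lower().startswith("nssymmetrickey:") for l in entry)
        if has_key and KEY_DN_RE.match(dn):
            removed.append(dn)
            continue
        if has_key:
            skipped.append(dn)
        kept.append("\n".join(entry))
    return "\n\n".join(kept) + "\n", removed, skipped

# Constructed dse.ldif fragment (not from the report); the key value is folded over two lines.
SAMPLE_DSE = """dn: cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: encrypted attribute keys

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: AES
nsSymmetricKey:: Q09OU1RSVUNURUQtU0FN
 UExFLUtFWQ==
"""
```

Running `strip_attrcrypt_keys(SAMPLE_DSE)` removes only the cn=AES key entry and leaves the "encrypted attribute keys" container in place; on a real dse.ldif, check that the skipped list is empty before writing the result back.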
low pri doc bug
We need to add this documentation to the admin guide, in the SSL setup section, and in the attrcrypt section.
Added in two places: * http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Configuring_Directory_Databases-Creating_and_Maintaining_Databases.html#attr-encryption-errors * http://www.redhat.com/docs/manuals/dir-server/8.1/admin/ssl-and-attr-encryption.html Closing.