Root cause
Incompatibility between IBM JRE and Sun/OpenJDK JRE, or more precisely incompatibility between Sun/OpenJDK JRE and PKCS#12 format, bug#961069.

Result
Engine certificate store is unreadable by the engine.

Consequences
Engine cannot decrypt encrypted fields in database, engine cannot encrypt new values.

Workaround
Ensure openjdk is installed as default java before performing upgrade.

Fixing unusable keystore after upgrade:
---
# Re-export engine.p12 through openssl to a temporary PKCS#12 file
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/engine.p12 -passin pass:mypass -nodes | openssl pkcs12 -export -out /tmp/engine.p12 -passout pass:mypass
for f in engine.p12 apache.p12 jboss.p12; do
    dst="/etc/pki/ovirt-engine/keys/$f"
    # Match owner and mode of the file being replaced
    chown --reference="$dst" /tmp/engine.p12
    chmod --reference="$dst" /tmp/engine.p12
    # Keep a timestamped backup, then install the re-exported store
    cp -a "$dst" "$dst.$(date +%Y%m%d%H%M%S)"
    cp /tmp/engine.p12 "$dst"
done
rm /tmp/engine.p12
---
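The workaround above, written as checks that can run before and after an upgrade. This is an added example, not code from the bug report or from oVirt; the function names and the P12_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example: pre/post-upgrade checks for the JRE/PKCS#12 mismatch above.
# Function names and the P12_PASS variable are hypothetical.

# classify_jvm PATH: print the JRE family implied by a resolved path.
classify_jvm() {
    case "$1" in
        *openjdk*) echo openjdk ;;
        *ibm*)     echo ibm ;;
        *)         echo unknown ;;
    esac
}

# default_jvm [LINK]: family of the JRE the system-wide `java` resolves to.
default_jvm() {
    classify_jvm "$(readlink -f "${1:-/etc/alternatives/java}")"
}

# preupgrade_ok [LINK]: succeed only when the default java is OpenJDK,
# which is the workaround's precondition for running the upgrade.
preupgrade_ok() {
    family=$(default_jvm "$1")
    [ "$family" = openjdk ] && return 0
    echo "default java is '$family'; make OpenJDK the default first" >&2
    return 1
}

# store_opens JAVA_HOME FILE: succeed if keytool from that JRE can list the
# PKCS#12 store. The password comes from the exported P12_PASS variable so
# it does not appear on the command line. Returns 2 when keytool is missing.
store_opens() {
    [ -x "$1/bin/keytool" ] || return 2
    "$1/bin/keytool" -list -storetype PKCS12 -keystore "$2" \
        -storepass:env P12_PASS >/dev/null 2>&1
}
```

For store_opens, pass the JRE the engine actually runs with (the path printed by /usr/share/ovirt-engine/bin/java-home), since a store that openssl can read may still be unreadable by that JRE.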
I still think this should go to 3.2.z.
(In reply to Alon Bar-Lev from comment #8)
> I still think this should go to 3.2.z.

Sorry, wrong bug.
With recent switch to new engine-setup (otopi-based one), is this present in new scripts/upgrade procedure? If so, please describe verification steps. Thank you.
(In reply to Jiri Belka from comment #10)
> With recent switch to new engine-setup (otopi-based one), is this present in
> new scripts/upgrade procedure? If so, please describe verification steps.
> Thank you.

Upgrade of 3.2->3.3 does not convert java keystore into PKCS#12, so it is irrelevant.

However, checking that both setup and upgrade when ibm jde 1.7 is set up as active java/javac is required in any case.

Thanks!
ok, is21.

# lsof -u ovirt -nc '/ovirt-engine -server/' | grep bin/java
java 7440 ovirt txt REG 253,0 5152 276864 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45.x86_64/jre/bin/java
# ls -l /etc/alternatives/java
lrwxrwxrwx. 1 root root 42 Oct 31 14:47 /etc/alternatives/java -> /usr/lib/jvm/jre-1.7.0-ibm.x86_64/bin/java
# /usr/share/ovirt-engine/bin/java-home
/usr/lib/jvm/jre-openjdk
Closing - RHEV 3.3 Released