Bug 961081 - pki upgrade 3.1->3.2 produces unusable PKCS#12 keystore if ibm jre is installed as default
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-setup
3.2.0
Unspecified Unspecified
high Severity unspecified
: ---
: 3.3.0
Assigned To: Alon Bar-Lev
Jiri Belka
infra
: Triaged
Depends On:
Blocks:
Reported: 2013-05-08 14:29 EDT by Alon Bar-Lev
Modified: 2016-02-10 14:19 EST

See Also:
Fixed In Version: is1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-21 17:19:06 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 14602 None None None Never

Description Alon Bar-Lev 2013-05-08 14:29:09 EDT
Root cause

Incompatibility between IBM JRE and Sun/OpenJDK JRE, or more precisely incompatibility between Sun/OpenJDK JRE and PKCS#12 format, bug#961069.

Result

Engine certificate store is unreadable by the engine.

Consequences

Engine cannot decrypt encrypted fields in database, engine cannot encrypt new values.

Workaround

Ensure openjdk is installed as default java before performing upgrade.

Fixing unusable keystore after upgrade:
---
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/engine.p12 -passin pass:mypass -nodes | openssl pkcs12 -export -out /tmp/engine.p12 -passout pass:mypass
for f in engine.p12 apache.p12 jboss.p12; do
    dst=/etc/pki/ovirt-engine/keys/$f
    chown --reference=$dst /tmp/engine.p12
    chmod --reference=$dst /tmp/engine.p12
    cp -a $dst $dst.$(date +%Y%m%d%H%M%S)
    cp /tmp/engine.p12 $dst
done
rm /tmp/engine.p12
---
Comment 8 Alon Bar-Lev 2013-08-01 15:13:16 EDT
I still think this should go to 3.2.z.
Comment 9 Alon Bar-Lev 2013-08-01 15:15:34 EDT
(In reply to Alon Bar-Lev from comment #8)
> I still think this should go to 3.2.z.

Sorry, wrong bug.
Comment 10 Jiri Belka 2013-10-31 06:56:12 EDT
With recent switch to new engine-setup (otopi-based one), is this present in new scripts/upgrade procedure? If so, please describe verification steps. Thank you.
Comment 11 Alon Bar-Lev 2013-10-31 07:06:06 EDT
(In reply to Jiri Belka from comment #10)
> With recent switch to new engine-setup (otopi-based one), is this present in
> new scripts/upgrade procedure? If so, please describe verification steps.
> Thank you.

Upgrade of 3.2->3.3 does not convert java keystore into PKCS#12, so it is irrelevant.

However, checking both setup and upgrade when ibm jde 1.7 is set up as the active java/javac is required in any case.

Thanks!
Comment 12 Jiri Belka 2013-10-31 10:24:36 EDT
ok, is21.

# lsof -u ovirt -nc '/ovirt-engine -server/' | grep bin/java
java      7440 ovirt  txt    REG              253,0     5152 276864 /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45.x86_64/jre/bin/java
# ls -l /etc/alternatives/java
lrwxrwxrwx. 1 root root 42 Oct 31 14:47 /etc/alternatives/java -> /usr/lib/jvm/jre-1.7.0-ibm.x86_64/bin/java
# /usr/share/ovirt-engine/bin/java-home 
/usr/lib/jvm/jre-openjdk
Comment 13 Itamar Heim 2014-01-21 17:19:06 EST
Closing - RHEV 3.3 Released
Comment 14 Itamar Heim 2014-01-21 17:25:19 EST
Closing - RHEV 3.3 Released
