Red Hat Bugzilla – Bug 961081
pki upgrade 3.1->3.2 produces unusable PKCS#12 keystore if ibm jre is installed as default
Last modified: 2016-02-10 14:19:05 EST
Incompatibility between IBM JRE and Sun/OpenJDK JRE, or more precisely incompatibility between Sun/OpenJDK JRE and PKCS#12 format, bug#961069.
Engine certificate store is unreadable by the engine.
Engine cannot decrypt encrypted fields in database, engine cannot encrypt new values.
Ensure openjdk is installed as default java before performing upgrade.
Fixing unusable keystore after upgrade (each PKCS#12 is dumped to PEM and re-exported through openssl; "mypass" stands for the keystore password):
for f in engine.p12 apache.p12 jboss.p12; do
    dst=/etc/pki/ovirt-engine/keys/$f
    # dump key and certificates as PEM, re-export them as a fresh PKCS#12
    openssl pkcs12 -in $dst -passin pass:mypass -nodes | openssl pkcs12 -export -out /tmp/$f -passout pass:mypass
    # keep the original owner and mode, back up the old file, then replace it
    chown --reference=$dst /tmp/$f
    chmod --reference=$dst /tmp/$f
    cp -a $dst $dst.$(date +%Y%m%d%H%M%S)
    cp /tmp/$f $dst
done
I still think this should go to 3.2.z.
(In reply to Alon Bar-Lev from comment #8)
> I still think this should go to 3.2.z.
sorry wrong bug.
With recent switch to new engine-setup (otopi-based one), is this present in new scripts/upgrade procedure? If so, please describe verification steps. Thank you.
(In reply to Jiri Belka from comment #10)
> With recent switch to new engine-setup (otopi-based one), is this present in
> new scripts/upgrade procedure? If so, please describe verification steps.
> Thank you.
Upgrade of 3.2->3.3 does not convert java keystore into PKCS#12, so it is irrelevant.
However, checking both setup and upgrade when ibm jdk 1.7 is set up as the active java/javac is required in any case.
# lsof -u ovirt -nc '/ovirt-engine -server/' | grep bin/java
java 7440 ovirt txt REG 253,0 5152 276864 /usr/lib/jvm/java-1.7.0-openjdk-188.8.131.52.x86_64/jre/bin/java
# ls -l /etc/alternatives/java
lrwxrwxrwx. 1 root root 42 Oct 31 14:47 /etc/alternatives/java -> /usr/lib/jvm/jre-1.7.0-ibm.x86_64/bin/java
Closing - RHEV 3.3 Released