Bug 536217 (RHQ-591) - Can't seamless upgrade an agent/lay down a new agent, if you had previously been configured SSL communication
Keywords:
Status: CLOSED NEXTRELEASE
Alias: RHQ-591
Product: RHQ Project
Classification: Other
Component: Agent
Version: 1.0
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Mazzitelli
QA Contact:
URL: http://jira.rhq-project.org/browse/RH...
Whiteboard:
Depends On: RHQ-617
Blocks: RHQ-110
Reported: 2008-06-17 23:44 UTC by Charles Crouch
Modified: 2015-02-01 23:25 UTC (History)

Fixed In Version: 1.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Charles Crouch 2008-06-17 23:44:00 UTC
If you set up an agent and server to use SSL encryption, then shut the agent down, unzip an entirely new agent and start it up, the agent will fail to start with the following:

Failed to start the agent
java.lang.RuntimeException: Failed to create keystore [Command Response: isSuccessful=[tr
; cmd-in-response=[true]; config=[{}]; params=[{arguments=[Ljava.lang.String;@153f67e, pr
a\jdk1.5.0_13\jre\bin, captureOutput=false, waitForExit=30000, programExecutable=keytool.
exception was null <<]] with arguments [[-genkey, -alias, rhq, -dname, CN=RHQ, OU=RedHat,
usr\tmp\ftp-JBossOn\agent2\jon-agent-2.0.0.GA\data\keystore.dat, -storepass, rhqpwd, -key
ty, 36500]]
        at org.rhq.enterprise.communications.util.SecurityUtil.createKeyStore(SecurityUti
        at org.rhq.enterprise.agent.AgentMain.createServerRemoteCommunicator(AgentMain.ja
        at org.rhq.enterprise.agent.AgentMain.createClientCommandSender(AgentMain.java:14
        at org.rhq.enterprise.agent.AgentMain.startCommServices(AgentMain.java:1272)
        at org.rhq.enterprise.agent.AgentMain.start(AgentMain.java:409)
        at org.rhq.enterprise.agent.AgentMain.main(AgentMain.java:297)

The problem is that we're trying to get the keytool to create a brand new keystore in the ./data directory, but that directory doesn't exist yet in a fresh agent install.

Comment 1 Charles Crouch 2008-06-17 23:45:42 UTC
Workaround:
1) mkdir ./data when unzipping the new agent
2) start the new agent with --clean and re-enter your settings

Comment 2 Charles Crouch 2008-06-17 23:48:59 UTC
Fix would be to add something like the following to SecurityUtil.createKeyStore

    File keystoreFolder = keystore.getParentFile();
    // if the keystore is living in a folder, e.g. ./data, make sure it exists
    // before we ask keytool to write to it
    if (keystoreFolder != null && !keystoreFolder.exists()) {
        boolean canCreateFolder = keystoreFolder.mkdirs();
        if (!canCreateFolder) {
            throw new RuntimeException("Folder which keystore is to be written to [" + keystoreFolder
                + "] does not exist and cannot be created.");
        }
    }
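As an added, stand-alone illustration of the fix proposed in this comment (example code written for this page, not RHQ project code), the following Java class creates the keystore's parent directory before invoking keytool, checks keytool's exit status instead of relying on the exception being null, and then restricts the resulting file to the owning user since it holds the agent's private key. The class name KeystoreBootstrap, the method names ensureParentDir and generateKeystore, and the temporary directory used in main are assumptions for the example; the alias, dname, password and validity values are the ones visible in the stack trace above.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;

// Example class (hypothetical name, not part of RHQ): make sure the keystore's
// folder exists before keytool is asked to write into it.
public class KeystoreBootstrap {

    // Creates the keystore's parent folder if needed and returns it
    // (null only when the keystore path sits at a filesystem root).
    public static File ensureParentDir(File keystore) {
        File folder = keystore.getAbsoluteFile().getParentFile();
        if (folder == null) {
            return null;
        }
        // mkdirs() returns false both on failure and when another thread or
        // process created the folder first, so re-check isDirectory() before
        // treating the result as an error.
        if (!folder.isDirectory() && !folder.mkdirs() && !folder.isDirectory()) {
            throw new RuntimeException("Folder which keystore is to be written to [" + folder
                + "] does not exist and cannot be created.");
        }
        return folder;
    }

    // Runs keytool to generate a self-signed key pair in the given keystore.
    // Returns keytool's exit code (always 0 on return; non-zero throws).
    public static int generateKeystore(File keystore, String alias, String dname,
                                       String storePass, int validityDays)
            throws IOException, InterruptedException {
        ensureParentDir(keystore);
        List<String> cmd = Arrays.asList(
            "keytool", "-genkeypair",   // "-genkey" is the older spelling seen in the JDK 5 trace
            "-alias", alias,
            "-dname", dname,
            "-keystore", keystore.getPath(),
            "-storepass", storePass,
            "-keypass", storePass,
            "-keyalg", "RSA",
            "-validity", String.valueOf(validityDays));
        Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
        // Drain output before waiting so keytool cannot block on a full pipe.
        StringBuilder output = new StringBuilder();
        BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = reader.readLine()) != null) {
            output.append(line).append('\n');
        }
        int exit = p.waitFor();
        if (exit != 0) {
            throw new RuntimeException("keytool exited with status " + exit + ":\n" + output);
        }
        // The keystore holds the agent's private key: make it owner-only.
        keystore.setReadable(false, false);
        keystore.setReadable(true, true);
        keystore.setWritable(false, false);
        keystore.setWritable(true, true);
        return exit;
    }

    public static void main(String[] args) throws Exception {
        // Constructed location under the JVM temp dir; the data/ folder does
        // not exist yet, exactly as in a freshly unzipped agent.
        File dataDir = new File(System.getProperty("java.io.tmpdir"), "rhq-agent-example/data");
        File keystore = new File(dataDir, "keystore.dat");
        keystore.delete(); // keytool refuses to overwrite an existing alias on re-runs
        generateKeystore(keystore, "rhq", "CN=RHQ, OU=RedHat", "rhqpwd", 36500);
        System.out.println("created " + keystore + " (" + keystore.length() + " bytes)");
    }
}
```

Compile with javac and run with keytool on the PATH; the parent-directory check is the part that removes the failure reported above, while the exit-code check turns a silent keytool failure into an error that names the cause.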

Comment 3 Charles Crouch 2008-06-18 13:59:30 UTC
Thinking about this further, this is not just an upgrade issue. If you tried to configure SSL between server and agent when you were setting up a new agent for the very first time then you would hit this problem too (no ./data directory)

Comment 4 Charles Crouch 2008-06-19 17:00:52 UTC
Well actually you wouldn't hit this on first install, because you would have no preferences, so it would be the same as doing --clean, and a new ./data directory would get created for you before the keytool needed it.

Comment 5 Charles Crouch 2008-06-23 19:33:48 UTC
The upgrade scripts specified in RHQ-617 should do as another workaround for this issue.

Comment 6 Joseph Marques 2008-07-19 20:05:16 UTC
Charles, if the upgrade scripts go away in 1.1, what are the remaining available workarounds?  What if the agent, as part of its startup process, created the data dir before anything else had a chance to read/write files from/to it -- would that be enough?  This way, even if the user needs to (or accidentally) deletes the data dir, when the agent starts up / is restarted things should "just work"?

Comment 7 Charles Crouch 2008-07-21 14:51:56 UTC
That's pretty much what my comment above (http://jira.rhq-project.org/browse/RHQ-591?focusedCommentId=11356#action_11356) was aimed at, making sure the directory exists before it gets written to. We could do it in SecurityUtil.createKeyStore or elsewhere during agent startup.

Comment 8 John Mazzitelli 2008-12-15 17:06:05 UTC
svn rev 2397 adds Charles's code in SecurityUtil.

But there is something else we need to do.  In the new agent-auto-update stuff, we need to transfer over the keystores to the newly updated agent. Leaving this issue open so I remember to add the necessary code in the update stuff to do this.

Comment 9 John Mazzitelli 2008-12-15 18:12:48 UTC
Added this to the agent update script so any data/*truststore* and data/*keystore* files get copied over to the newly updated agent. This requires people either put their key/truststores in the data/ directory with "keystore" or "truststore" in the filenames or store them in a directory outside of the agent install directories.

+      <!-- make sure we retain any SSL keystores or truststores that we can find -->
+      <echo>Copy existing keystore and truststore files from the old agent to the new agent</echo>
+      <copy todir="${_update.tmp.dir}/rhq-agent/data"
+            failonerror="false">
+         <fileset dir="${rhq.agent.update.update-agent-dir}/data">
+            <include name="*keystore*"/>
+            <include name="*truststore*"/>
+         </fileset>
+      </copy>
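Review bot: the `<include name="*keystore*"/>` and `<include name="*truststore*"/>` patterns are case-sensitive by default, so a file named e.g. `KeyStore.dat` or `TrustStore.jks` in the old `data/` would be skipped without any message, and `failonerror="false"` also swallows genuine copy failures such as permission errors; consider `casesensitive="false"` on the fileset and `verbose="true"` on the copy so the upgrade log shows which files were actually carried over. Ant's `<copy>` does not retain Unix file permissions either, so a keystore kept owner-only in the old agent lands in the new `data/` with umask defaults; a `<chmod perm="600">` over the copied files afterwards would keep the private key material restricted. The naming rule stated in the comment text (keystores and truststores are only found if they live in `data/` with "keystore" or "truststore" in the filename) is worth repeating in the XML comment so the next person editing the script sees it.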


Comment 10 Red Hat Bugzilla 2009-11-10 21:12:34 UTC
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-591


