Ryan Braun [ADS]
2008-Sep-11 15:42 UTC
[Fedora-directory-users] Encryption works, but odd entries in the error log on startup.
I had set up encryption on one of my test fds servers (1.1.2), generated a CAcert and a Server-Cert and turned on encryption. It all worked fine. I shut down fds, removed the Server-Cert and created a new Server-Cert with a few Subject Alt Name entries. I didn't import a p12 cert, I just used certutil to create a new cert in the database.

I restarted the server and tested with ldapsearch -ZZ and it all still worked.

When I had a look in the log recently, I noticed these entries every time I restart the service.

[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Sep/2008:15:11:19 +0000] - Listening on All Interfaces port 636 for LDAPS requests

Looking back to when I first turned on encryption, I see

[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Sep/2008:19:41:20 +0000] - Listening on All Interfaces port 636 for LDAPS requests

So I'm wondering if I need to somehow reinit some of the encryption keys? Or maybe I missed a step for replacing a Server-Cert? But from the docs it looks like a straightforward turn off fds, remove old cert, create/import new cert (with same name), restart fds.

Ryan
Rich Megginson
2008-Sep-11 15:44 UTC
Re: [Fedora-directory-users] Encryption works, but odd entries in the error log on startup.
Ryan Braun [ADS] wrote:
> I had set up encryption on one of my test fds servers (1.1.2), generated a
> CAcert and a Server-Cert and turned on encryption. It all worked fine. I
> shut down fds, removed the Server-Cert and created a new Server-Cert with a
> few Subject Alt Name entries. I didn't import a p12 cert, I just used
> certutil to create a new cert in the database.
>
> I restarted the server and tested with ldapsearch -ZZ and it all still worked.
>
> When I had a look in the log recently, I noticed these entries every time I
> restart the service.
>
> [11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
> [11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
> [11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
> [11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [11/Sep/2008:15:11:19 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>
> Looking back to when I first turned on encryption, I see
>
> [10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [10/Sep/2008:19:41:20 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>
> So I'm wondering if I need to somehow reinit some of the encryption keys? Or
> maybe I missed a step for replacing a Server-Cert? But from the docs it
> looks like a straightforward turn off fds, remove old cert, create/import
> new cert (with same name), restart fds.
>
Unfortunately, those keys were encrypted with the old key/cert. But as long as you don't want to use reversible attribute encryption, you can ignore those messages.
> Ryan
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
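As an added example that is not part of the thread, a small log-triage script that groups the attrcrypt messages Ryan quoted by server startup and separates the benign first-run case ("Key ... successfully generated") from the symptom Rich attributes to the replaced key/cert ("failed to unwrap key"), so a defender can spot the point at which the wrapped attribute-encryption keys stopped being usable. The sample log is constructed from the records quoted above.

```python
import re

# Constructed sample, assembled from the startup records quoted in the thread.
SAMPLE_LOG = """\
[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
GENERATED_RE = re.compile(r"Key for cipher (?P<cipher>\S+) successfully generated")
UNWRAP_FAIL_RE = re.compile(r"attrcrypt_unwrap_key: failed to unwrap key for cipher (?P<cipher>\S+)")


def summarize_startups(log_text):
    """Group attrcrypt key messages under each 'starting up' record.

    'generated' lists ciphers whose key was created fresh (benign first run);
    'unwrap_failed' lists ciphers whose stored, wrapped key no longer unwraps.
    """
    startups, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a server log record
        ts, msg = m.group("ts"), m.group("msg")
        if msg.endswith("starting up"):
            current = {"started": ts, "generated": [], "unwrap_failed": []}
            startups.append(current)
            continue
        if current is None:
            continue  # message before the first startup record
        g = GENERATED_RE.search(msg)
        if g:
            current["generated"].append(g.group("cipher"))
        u = UNWRAP_FAIL_RE.search(msg)
        if u and u.group("cipher") not in current["unwrap_failed"]:
            current["unwrap_failed"].append(u.group("cipher"))  # one entry per cipher
    return startups


def startups_with_unwrap_failures(log_text):
    """Timestamps of startups whose wrapped attribute-encryption key could not be unwrapped."""
    return [s["started"] for s in summarize_startups(log_text) if s["unwrap_failed"]]
```

Running it over the real errors log lets you line up the first flagged startup against the time the Server-Cert was replaced in the NSS database.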
Ryan Braun [ADS]
2008-Sep-11 15:53 UTC
Re: [Fedora-directory-users] Encryption works, but odd entries in the error log on startup.
On Thursday 11 September 2008 15:44, Rich Megginson wrote:
> > So I'm wondering if I need to somehow reinit some of the encryption keys?
> > Or maybe I missed a step for replacing a Server-Cert? But from the docs
> > it looks like a straightforward turn off fds, remove old cert,
> > create/import new cert (with same name), restart fds.
>
> Unfortunately, those keys were encrypted with the old key/cert. But as
> long as you don't want to use reversible attribute encryption, you can
> ignore those messages.

For the sake of argument and potential future issues (I don't know enough about how the whole encryption system works unfortunately), let's say I did want to use reversible attribute encryption :)

Ryan
Rich Megginson
2008-Sep-11 16:09 UTC
Re: [Fedora-directory-users] Encryption works, but odd entries in the error log on startup.
Ryan Braun [ADS] wrote:
> On Thursday 11 September 2008 15:44, Rich Megginson wrote:
>
>>> So I'm wondering if I need to somehow reinit some of the encryption keys?
>>> Or maybe I missed a step for replacing a Server-Cert? But from the docs
>>> it looks like a straightforward turn off fds, remove old cert,
>>> create/import new cert (with same name), restart fds.
>>>
>> Unfortunately, those keys were encrypted with the old key/cert. But as
>> long as you don't want to use reversible attribute encryption, you can
>> ignore those messages.
>>
>
> For the sake of argument and potential future issues (I don't know enough
> about how the whole encryption system works unfortunately), let's say I did
> want to use reversible attribute encryption :)
>
I think reversible attribute encryption creates some config entries under the parent database entry in dse.ldif (cn=config) - I think you just have to remove those entries. Of course, if you do this, and you have used reversible attribute encryption, your encrypted attribute values will be lost forever.
> Ryan
>