On 1/10/20 6:48 PM, Iain Morgan wrote:
Hi,
Yesterday, I ran up against an attribute encryption issue, and I'm
looking for advice on how to debug and resolve the issue.
For background, I have a pair of RHEL 7 servers in an MMR configuration.
Let's call them host_A and host_B. Both are running the RedHat-provided
1.3.9 RPMs of 389-ds. There is also an RHEL 6 system, host_Z, that was
set up in an MMR configuration with host_B. This setup was used to test
the transition from one generation of servers to the next one.
All had been working fine, and I next tried severing the connection
between host_Z and host_B. The replication agreements were removed and a
cleanAllRUV task was initiated on host_B. All seemed to go well -- until
I restarted host_A.
After restarting host_A, I got the following in the errors log:
[09/Jan/2020:17:00:36.191870707 -0800] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[09/Jan/2020:17:00:36.192310924 -0800] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[09/Jan/2020:17:00:36.206041190 -0800] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[09/Jan/2020:17:00:36.206478885 -0800] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[09/Jan/2020:17:00:36.206905949 -0800] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
No change was made to the TLS certificate, and I would not have expected
the tear-down of the replication agreements between host_Z and host_B to
be relevant here. host_B is still able to replicate to host_A, but
host_A is unable to go in the other direction.
I haven't identified anything that would account for this problem. The
system had been up from early December and had not exhibited any issues.
So, any suggestions as to how I can troubleshoot and fix this issue? The
log messages don't seem to be very helpful.
I cannot explain why this has happened as replication and attribute
encryption do not touch each other, but you can reset things by
following the directions from the Admin guide here:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
HTH,
Mark
thanks,
--
389 Directory Server Development Team