Hello,
is it possible to disable attribute encryption in 389 DS? I'm running 1.4.0.21 @ Debian Buster.
After replacing TLS certificate I'm receiving errors:
[18/Aug/2020:10:25:16.099482453 +0200] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[18/Aug/2020:10:25:16.099670006 +0200] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
I found: https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
But I do not use any encrypted attribute, so dumping and restoring the database is not a nice way to deal with such an error.
Just deleting all keys and restarting the server works too:
ldapsearch -H ldap://localhost -D "cn=Directory Manager" -W -LLL -o ldif-wrap=no -b "cn=ldbm database,cn=plugins,cn=config" "(nsSymmetricKey=*)" dn | sed "s/^$/changetype: delete\n/" | ldapmodify -H ldap://localhost -D "cn=Directory Manager" -W
Enter LDAP Password:
Enter LDAP Password:
***
deleting entry "cn=3DES,cn=encrypted attribute keys,cn=xxx,cn=ldbm database,cn=plugins,cn=config"
deleting entry "cn=AES,cn=encrypted attribute keys,cn=xxx,cn=ldbm database,cn=plugins,cn=config"
deleting entry "cn=3DES,cn=encrypted attribute keys,xxx,cn=ldbm database,cn=plugins,cn=config"
deleting entry "cn=AES,cn=encrypted attribute keys,xxx,cn=ldbm database,cn=plugins,cn=config"
...
The best option would be a config option to disable attribute encryption for all databases, but I failed to find whether it is possible.
Thanks
On 8/18/20 8:47 AM, Jan Tomasek wrote:
The best option would be a config option to disable attribute encryption for all databases, but I failed to find whether it is possible.
You have to delete each attribute that was configured for attribute encryption (like what you did above, but you can also use the CLI tools):
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
HTH,
Mark
Thanks
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Hi Mark,
On 8/18/20 2:56 PM, Mark Reynolds wrote:
The best option would be a config option to disable attribute encryption for all databases, but I failed to find whether it is possible.
You have to delete each attribute that was configured for attribute encryption (like what you did above, but you can also use the CLI tools):
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
I didn't explicitly configure any attribute for encryption. But the server creates encryption keys anyway.
When I try:
# dsconf cml3 backend attr-encrypt --list dc=cesnet,dc=cz
There are no encrypted attributes for this backend
Also:
# ldapsearch -H ldap://localhost -D "cn=Directory Manager" -W -LLL -o ldif-wrap=no -b "cn=ldbm database,cn=plugins,cn=config" "(objectClass=nsAttributeEncryption)"
Enter LDAP Password:
#
On 8/18/20 9:13 AM, Jan Tomasek wrote:
Looks like you are all good then...
On 8/18/20 3:21 PM, Mark Reynolds wrote:
Looks like you are all good then...
Yes, but... is it possible to prevent creating "encrypted attribute keys" and seeing in logs message:
ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
every time I replace LDAPS certificate?
On 8/18/20 9:24 AM, Jan Tomasek wrote:
Every time you replace your server certificate you will need to delete these entries (or remove the nsSymmetricKey attribute):
dn: cn=3DES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: 3DES
nsSymmetricKey:: msf+gaXDXTz4pukx557HvRoRDsQycNxv2kiJAhbfzl53gYO/DiqRNIYSjS4nl
 b/VhP9crRTTi0RrKMxN9AGalZwgb+lqIPozb9HvNiHeNlsxCta6nnsCiX5kKWa1zLKJowJ0iqhreW
 TRBZV3/mzmr09AtusCC60/FXQdkbQlSDZre0pn7GHbg2mSb1QcMWT2EHbrVPuQAWDXMWdcZBKnUWr
 zCR+nKkS5w7PMwoU1/RCMYN1yibtmc1k/HheyM8JBf0OHQhr2FawS2LiwF2VN56r3XlmyXSBkF/IX
 01534RA/NdopD4TwxGKZBAVyQvnoRXXGwOBSlQ67IZHIoH89HQ==

dn: cn=AES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: SG4+8+Dm49nxLQiiHuv/wp96NUGBqhcWA8gATOjjrDbvZm63m00ljf3AJP0+W
 Nsdzt6bYlGVfbDB2+XFy2QTFhGSD9kZiM1kxYTzJ9AJgy2vLo7bGfIDcTQk2swBDAiOwcACdLNRw3
 4EYxpFZsS5TbLX1+zKfs/50UPRjAt3KtdGo5uCULCndmMlcz/UqoDFDUj1POYTC746YXOy+QsbEtu
 PqlzExXBZGbSjTvoeGB6GmG0L6pT/hVTCmbl6HWFfILKrvdfch0qp/AoBvLNpjBZXuWgUfKtR6m6V
 YyOFAzKQDf7ZgvRgn0cx6DVzEgAhy1dBHcYv+6oTUUlFPzfSZQ==
These entries are generated at server startup (there is no way to prevent that). So stop the server and edit the dse.ldif and remove these entries, then start the server up and those errors will go away - well until you renew the server cert again :-)
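A checked version of the key cleanup from the first message (the ldapsearch | sed | ldapmodify pipeline) and of Mark's advice above, added here as an example; it is not code from the thread or from the 389-ds project. The sample ldapsearch output and the backend name userRoot are constructed, and the live commands in the comments assume the same Directory Manager bind used in the thread with the password in a file.

```shell
#!/bin/sh
# Added example (not from the thread or 389-ds): the cleanup as two checked steps.
# 1) refuse to delete keys while any backend has attribute encryption configured,
#    since removing nsSymmetricKey then makes that data unrecoverable (hence the
#    log's advice to keep the wrapped key value);
# 2) build the delete LDIF only from DNs under "cn=encrypted attribute keys".

# Reads ldapsearch LDIF on stdin; exit 0 if any entry carries
# objectClass nsAttributeEncryption, i.e. attribute encryption is really in use.
has_encrypted_attrs() {
    awk 'BEGIN { n = 0 }
         /^objectClass: nsAttributeEncryption$/ { n++ }
         END { exit (n == 0) }'
}

# Reads "dn:" lines (use -o ldif-wrap=no so DNs are not folded) and emits one
# "changetype: delete" record per 3DES/AES key entry; anything else is ignored.
key_delete_ldif() {
    awk '/^dn: cn=(3DES|AES),cn=encrypted attribute keys,/ {
             print $0; print "changetype: delete"; print ""
         }'
}

# Number of delete records the generated LDIF contains.
count_deletes() {
    key_delete_ldif | grep -c '^changetype: delete$'
}

# Constructed sample of "ldapsearch ... dn" output (backend name made up).
SAMPLE_KEYS='dn: cn=3DES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
'

# Live use against the server from the thread (assumed: same bind, password in
# a file via -y so the pipeline does not prompt twice). Not executed here.
#   B="cn=ldbm database,cn=plugins,cn=config"; DM="cn=Directory Manager"
#   ldapsearch -H ldap://localhost -D "$DM" -y dm.pw -LLL -o ldif-wrap=no -b "$B" \
#       "(objectClass=nsAttributeEncryption)" | has_encrypted_attrs \
#       && { echo "attribute encryption is configured, keeping the keys" >&2; exit 1; }
#   ldapsearch -H ldap://localhost -D "$DM" -y dm.pw -LLL -o ldif-wrap=no -b "$B" \
#       "(nsSymmetricKey=*)" > keys-backup.ldif          # keep the wrapped keys
#   ldapsearch -H ldap://localhost -D "$DM" -y dm.pw -LLL -o ldif-wrap=no -b "$B" \
#       "(nsSymmetricKey=*)" dn | key_delete_ldif \
#       | ldapmodify -H ldap://localhost -D "$DM" -y dm.pw
#   then restart the instance (dsctl cml3 restart) so fresh keys are wrapped with the new cert.
```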
It's worth pointing out that we do have an open issue about this:
https://pagure.io/389-ds-base/issue/49525
It also may be worth us investigating disabling attr encryption in newly created instances since it's not a default-used feature IMO.
--
389 Directory Server Development Team
--
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs