Ryan Braun [ADS] wrote:

> I had set up encryption on one of my test fds servers (1.1.2), generated a
> CAcert and a Server-Cert and turned on encryption. It all worked fine. I
> shut down fds, removed the Server-Cert and created a new Server-Cert with a
> few Subject Alt Name entries. I didn't import a p12 cert, I just used
> certutil to create a new cert in the database.
>
> I restarted the server and tested with ldapsearch -ZZ and it all still worked.
>
> When I had a look in the log recently, I noticed these entries every time I
> restart the service.
>
> [11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
> [11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
> [11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
> [11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [11/Sep/2008:15:11:19 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>
> Looking back to when I first turned on encryption, I see
>
> [10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [10/Sep/2008:19:41:20 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>
> So I'm wondering if I need to somehow reinit some of the encryption keys? Or
> maybe I missed a step for replacing a Server-Cert? But from the docs it
> looks like a straightforward turn off fds, remove old cert, create/import
> new cert (with same name), restart fds.

Unfortunately, those keys were encrypted with the old key/cert. But as long as you don't want to use reversible attribute encryption, you can ignore those messages.

> Ryan