<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02.08.2016 20:02, Christian Heimes
wrote:<br>
</div>
<blockquote
cite="mid:5159a7b0-7942-3a8b-ff16-94925488f303@redhat.com"
type="cite">
<pre wrap="">On 2016-07-19 17:03, Martin Basti wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
On 12.07.2016 16:45, Christian Heimes wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.
The server.keys file and all keys are now removed when during
uninstallation of a server, too.
<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=1353936">https://bugzilla.redhat.com/show_bug.cgi?id=1353936</a>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/6015">https://fedorahosted.org/freeipa/ticket/6015</a>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/6056">https://fedorahosted.org/freeipa/ticket/6056</a>
</pre>
</blockquote>
<pre wrap="">NACK
ipa-server-install --uninstall doesn't work
</pre>
</blockquote>
<pre wrap="">
I fixed it by splitting up uninstallation into two parts:
1) the server_del plugin takes care of the LDAP entries
2) CustodiaInstance.uninstall() removes the local key file
</pre>
</blockquote>
<br>
Hello,<br>
<br>
1)<br>
Is it expected that, after removing the replica with ipa server-del
vm-012.abc.idm.lab.eng.brq.redhat.com, I have these entries in LDAP
on the master (vm-058-107)?<br>
<br>
<pre wrap="">
# sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.en
 g.brq.redhat.com
dn: cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=
 abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: digitalSignature
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BR
 Q.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqV4NGWu8224ar3IdwlD
 cOpNBjcQKY0gznMuAjlikHKxnpfzmGCf/GYxfealet64ek3RE3oLmYhITqX3NkLKw51KhuwGcEw31
 hBa6YB/6uzx3tr/ruO++vk+U7Myz4eFzp7+Zryjk7ohVb3w/XhBcVbC+d9qyKGzM0OUaQgGOjy7eq
 3tiI+VugfyawvAvItCwyo56R8fO1jS1uKA+NDz5ltIymE9sySpVWfTMhCDUEjy9iEMiPixtiyVbHd
 g8A80H7W4fe7mTcqkKPD6sfYr2QwKh4pF7wU+RHfXsoXIu5gYNPgxdsHd/1p914EQ9U6RYTFsSEzk
 DR8V2H1rJ0AiVPQIDAQAB

# enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.en
 g.brq.redhat.com
dn: cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=
 abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: dataEncipherment
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BR
 Q.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5vdu9LLl7Pa+cN+ivNO
 eOon1BOI3bbBzYAu8+l1ch8iepKJrom4O5yYT7qhz5aYgq4Pd2kuxuvcuf3OlGTizuKlqRELbVnG0
 ogWN/YAqPExS6L2hEHcyIZTiOQk19jT/ynEqayjH/OM499aE1H3vc7FD30Cy9wBQNUzYuY8pWpaWd
 Jj8nbvEKLX7JYPSx5/3Bqx+tqK5ApAGutJ6lF3+9acuG6ADVwUY3hAqXcqu4Oy463LKIhdatqMv2r
 j0FEFHJYPG2GTOIhFF8jee2Q7iidgPNdfbvKCYbnAkXtT73hxJWTckoupGHpUo+5b/wl8pI1Lxhyz
 TIp7oPmFWMG/q1QIDAQAB
</pre>
<br>
I also see them on the replica (which was removed from the topology).<br>
I did not find any errors in the HTTP log.<br>
<br>
2)<br>
I tried hard, but I cannot see the relation between <a
class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/ticket/6015">https://fedorahosted.org/freeipa/ticket/6015</a>
and <a class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/ticket/6056">https://fedorahosted.org/freeipa/ticket/6056</a>.<br>
IMO it should be split into two patches, to make backports and
patching easier and to make life easier in the future with git blame.<br>
<br>
There should not be a BZ in the commit, only upstream tickets.<br>
<br>
3)<br>
IMO it should be 'Removing', not 'Remove'. I'm not a native speaker,
but it looks more consistent with the rest of the log entries.<br>
<br>
INFO Remove Custodia keys<br>
<br>
4)<br>
The same for<br>
root_logger.info("Secure server.keys mode"); IMHO it should be
'Securing'.<br>
<br>
5)<br>
What is the purpose of remove_server_keys() in KEM.py? I see it used
only in manual testing. Can it be reused in server.py? It looks like
duplicated code to me, but correct me if I'm wrong.<br>
<br>
Martin^2<br>
<br>
<br>
<br>
<a class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/ticket/6056"></a>
</body>
</html>