<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p><br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 02.08.2016 20:02, Christian Heimes
      wrote:<br>
    </div>
    <blockquote
      cite="mid:5159a7b0-7942-3a8b-ff16-94925488f303@redhat.com"
      type="cite">
      <pre wrap="">On 2016-07-19 17:03, Martin Basti wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">

On 12.07.2016 16:45, Christian Heimes wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

The server.keys file and all keys are now removed when during
uninstallation of a server, too.

<a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=1353936">https://bugzilla.redhat.com/show_bug.cgi?id=1353936</a>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/6015">https://fedorahosted.org/freeipa/ticket/6015</a>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/6056">https://fedorahosted.org/freeipa/ticket/6056</a>


</pre>
        </blockquote>
        <pre wrap="">NACK

ipa-server-install --uninstall doesn't work
</pre>
      </blockquote>
      <pre wrap="">
I fixed it by splitting up uninstallation into two parts:

1) the server_del plugin takes care of the LDAP entries
2) CustodiaInstance.uninstall() removes the local key file

</pre>
    </blockquote>
    <br>
    Hello,<br>
    <br>
    1)<br>
    Is expected that after removing replica, ipa server-del
    vm-012.abc.idm.lab.eng.brq.redhat.com, I have these entries in LDAP
    on master (vm-058-107)?<br>
    <br>
    # sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc,
    abc.idm.lab.en<br>
     g.brq.redhat.com<br>
    dn:
cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=<br>
     abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com<br>
    objectClass: nsContainer<br>
    objectClass: ipaKeyPolicy<br>
    objectClass: ipaPublicKeyObject<br>
    objectClass: groupOfPrincipals<br>
    objectClass: top<br>
    cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com<br>
    ipaKeyUsage: digitalSignature<br>
    memberPrincipal:
    <a class="moz-txt-link-abbreviated" href="mailto:host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BR">host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BR</a><br>
     Q.REDHAT.COM<br>
    ipaPublicKey::
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqV4NGWu8224ar3IdwlD<br>
 cOpNBjcQKY0gznMuAjlikHKxnpfzmGCf/GYxfealet64ek3RE3oLmYhITqX3NkLKw51KhuwGcEw31<br>
 hBa6YB/6uzx3tr/ruO++vk+U7Myz4eFzp7+Zryjk7ohVb3w/XhBcVbC+d9qyKGzM0OUaQgGOjy7eq<br>
 3tiI+VugfyawvAvItCwyo56R8fO1jS1uKA+NDz5ltIymE9sySpVWfTMhCDUEjy9iEMiPixtiyVbHd<br>
 g8A80H7W4fe7mTcqkKPD6sfYr2QwKh4pF7wU+RHfXsoXIu5gYNPgxdsHd/1p914EQ9U6RYTFsSEzk<br>
     DR8V2H1rJ0AiVPQIDAQAB<br>
    <br>
    # enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc,
    abc.idm.lab.en<br>
     g.brq.redhat.com<br>
    dn:
cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=<br>
     abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com<br>
    objectClass: nsContainer<br>
    objectClass: ipaKeyPolicy<br>
    objectClass: ipaPublicKeyObject<br>
    objectClass: groupOfPrincipals<br>
    objectClass: top<br>
    cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com<br>
    ipaKeyUsage: dataEncipherment<br>
    memberPrincipal:
    <a class="moz-txt-link-abbreviated" href="mailto:host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BR">host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BR</a><br>
     Q.REDHAT.COM<br>
    ipaPublicKey::
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5vdu9LLl7Pa+cN+ivNO<br>
 eOon1BOI3bbBzYAu8+l1ch8iepKJrom4O5yYT7qhz5aYgq4Pd2kuxuvcuf3OlGTizuKlqRELbVnG0<br>
 ogWN/YAqPExS6L2hEHcyIZTiOQk19jT/ynEqayjH/OM499aE1H3vc7FD30Cy9wBQNUzYuY8pWpaWd<br>
 Jj8nbvEKLX7JYPSx5/3Bqx+tqK5ApAGutJ6lF3+9acuG6ADVwUY3hAqXcqu4Oy463LKIhdatqMv2r<br>
 j0FEFHJYPG2GTOIhFF8jee2Q7iidgPNdfbvKCYbnAkXtT73hxJWTckoupGHpUo+5b/wl8pI1Lxhyz<br>
     TIp7oPmFWMG/q1QIDAQAB<br>
    <br>
    Also see them on replica as well (which was removed from topology)<br>
    I did not find any errors in http log<br>
    <br>
    2)<br>
    I tried hard, but I cannot see relation between <a
      class="moz-txt-link-freetext"
      href="https://fedorahosted.org/freeipa/ticket/6015">https://fedorahosted.org/freeipa/ticket/6015</a>
    and <a class="moz-txt-link-freetext"
      href="https://fedorahosted.org/freeipa/ticket/6056">https://fedorahosted.org/freeipa/ticket/6056</a><br>
    IMO it should be separated into two patches, to make easier
    backports, patching and make life easier in future with git blame<br>
    <br>
    There should not be a BZ, only upstream tickets in commit<br>
    <br>
    3)<br>
    IMO ti should be 'Removing' not 'Remove', I'm not native speaker,
    but it looks more consistent with the rest of log entries<br>
    <br>
    INFO Remove Custodia keys<br>
    <br>
    4)<br>
    the same for <br>
    root_logger.info("Secure server.keys mode"), IMHO it should be
    'Securing'<br>
    <br>
    5)<br>
    What is the purpose of remove_server_keys() in KEM.py  . I see usage
    only in manual testing. Can it be reused in server.py ? Because it
    looks like duplicated code for me, but correct me if I'm wrong.<br>
    <br>
    Martin^2<br>
    <br>
    <br>
    <br>
    <a class="moz-txt-link-freetext"
      href="https://fedorahosted.org/freeipa/ticket/6056"></a>
  </body>
</html>