[Fedora-directory-users] Encryption works, but odd entries in the error log on startup.
Rich Megginson
rmeggins at redhat.com
Thu Sep 11 15:44:41 UTC 2008
Ryan Braun [ADS] wrote:
> I had set up encryption on one of my test fds servers (1.1.2), generated a
> CAcert and a Server-Cert and turned on encryption. It all worked fine. I
> shut down fds, removed the Server-Cert and created a new Server-Cert with a
> few Subject Alt Name entries. I didn't import a p12 cert, I just used
> certutil to create a new cert in the database.
>
> I restarted the server and tested with ldapsearch -ZZ and it all still worked.
>
> When I had a look in the log recently, I noticed these entries every time I
> restart the service.
>
> [11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
> [11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
> [11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
> [11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [11/Sep/2008:15:11:19 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>
> Looking back to when I first turned on encryption, I see
>
> [10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
> [10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [10/Sep/2008:19:41:20 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>
> So I'm wondering if I need to somehow reinit some of the encryption keys? Or
> maybe I missed a step for replacing a Server-Cert? But from the docs it
> looks like a straightforward turn off fds, remove old cert, create/import
> new cert (with same name), restart fds.
>
Unfortunately, those keys were encrypted with the old key/cert. But as
long as you don't want to use reversible attribute encryption, you can
ignore those messages.
> Ryan
>
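The two startup sequences Ryan quoted differ in one record: the first enable logs "No symmetric key found ... attempting to create one" per cipher and backend, while a start after the Server-Cert swap logs "attrcrypt_unwrap_key: failed to unwrap key", which is the stale-key condition Rich describes. As an added example (not code from the thread or from Fedora Directory Server), this stdlib-only Python script groups errors-log records by server start and classifies each one; the sample log is constructed from the records in the thread, and the message patterns assume the wording shown there.

```python
import re

# Constructed sample, modelled on the two startup sequences quoted in the
# thread, one errors-log record per line as ns-slapd writes it.
SAMPLE_ERRORS_LOG = """\
[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
"""

RECORD = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
# First enable: no stored key, so one is created per cipher and backend.
NO_KEY = re.compile(r"No symmetric key found for cipher (\w+) in backend (\w+)")
# Stored key exists but cannot be unwrapped with the current Server-Cert key.
UNWRAP_FAIL = re.compile(r"attrcrypt_unwrap_key: failed to unwrap key for cipher (\w+)")

def summarize_startups(log_text):
    """Return one dict per 'starting up' record, with status 'ok', 'keys-created' or 'stale-wrapped-keys'."""
    startups = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # skip wrapped continuation or malformed lines
        ts, msg = m.group("ts"), m.group("msg")
        if msg.endswith("starting up"):
            startups.append({"ts": ts, "created": [], "unwrap_failed": [], "status": "ok"})
            continue
        if not startups:
            continue  # records before the first start line are ignored
        cur = startups[-1]
        k = NO_KEY.search(msg)
        if k:
            cur["created"].append((k.group(1), k.group(2)))
        u = UNWRAP_FAIL.search(msg)
        if u:
            cur["unwrap_failed"].append(u.group(1))
    for s in startups:
        if s["unwrap_failed"]:
            s["status"] = "stale-wrapped-keys"  # attrcrypt keys wrapped under the old cert
        elif s["created"]:
            s["status"] = "keys-created"
    return startups
```

Calling summarize_startups(SAMPLE_ERRORS_LOG) yields "keys-created" for the 10/Sep start and "stale-wrapped-keys" for the 11/Sep start; the latter is harmless only if, as Rich notes, reversible attribute encryption is not in use.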