[Fedora-directory-users] Encryption works, but odd entries in the error log on startup.

Rich Megginson rmeggins at redhat.com
Thu Sep 11 15:44:41 UTC 2008 

Ryan Braun [ADS] wrote:
> I had setup encryption on one of my test fds servers (1.1.2),  generated a 
> CAcert and a Server-Cert and turned on encryption.  It all worked fine.  I 
> shut down fds,  removed the Server-Cert and created a new Server-Cert with a 
> few Subject Alt Name entries.  I didn't import a p12 cert,  I just used 
> certutil to create a new cert in the database.
>
> I restarted the server and tested with ldapsearch -ZZ and it all still worked.
>
> When I had a look in the log recently,  I noticed these entries everytime i 
> restart the service.
>
> [11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting 
> up
> [11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for 
> cipher AES
> [11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in 
> attrcrypt_cipher_init
> [11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in 
> attrcrypt_init
> [11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for 
> cipher AES
> [11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in 
> attrcrypt_cipher_init
> [11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in 
> attrcrypt_init
> [11/Sep/2008:15:11:19 +0000] - slapd started.  Listening on All Interfaces 
> port 389 for LDAP requests
> [11/Sep/2008:15:11:19 +0000] - Listening on All Interfaces port 636 for LDAPS 
> requests
>
> Looking back to when I first turned on encryption,  I see
>
> [10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting 
> up
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in 
> backend userRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and 
> stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in 
> backend userRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and 
> stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in 
> backend NetscapeRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and 
> stored
> [10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in 
> backend NetscapeRoot, attempting to create one...
> [10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and 
> stored
> [10/Sep/2008:19:41:20 +0000] - slapd started.  Listening on All Interfaces 
> port 389 for LDAP requests
> [10/Sep/2008:19:41:20 +0000] - Listening on All Interfaces port 636 for LDAPS 
> requests
>
> So I'm wondering if I need to somehow reinit some of the encryption keys?  Or 
> maybe I missed a step for replacing a Server-Cert?  But from the docs it 
> looks like a straight forward turn off fds, remove old cert,  create/import 
> new cert (with same name), restart fds.
>   
Unfortunately, those keys were encrypted with the old key/cert.  But as 
long as you don't want to use reversible attribute encryption, you can 
ignore those messages.
> Ryan
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20080911/11acdad4/attachment.bin>

More information about the Fedora-directory-users mailing list