On 02.08.2016 20:02, Christian Heimes wrote:
On 2016-07-19 17:03, Martin Basti wrote:

On 12.07.2016 16:45, Christian Heimes wrote:
Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

The server.keys file and all keys are now removed during
uninstallation of a server, too.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6015
https://fedorahosted.org/freeipa/ticket/6056


NACK

ipa-server-install --uninstall doesn't work
I fixed it by splitting up uninstallation into two parts:

1) the server_del plugin takes care of the LDAP entries
2) CustodiaInstance.uninstall() removes the local key file


Hello,

1)
Is it expected that after removing the replica, ipa server-del vm-012.abc.idm.lab.eng.brq.redhat.com, I have these entries in LDAP on the master (vm-058-107)?

# sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.en
 g.brq.redhat.com
dn: cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=
 abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: digitalSignature
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat....@abc.idm.lab.eng.br
 Q.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqV4NGWu8224ar3IdwlD
 cOpNBjcQKY0gznMuAjlikHKxnpfzmGCf/GYxfealet64ek3RE3oLmYhITqX3NkLKw51KhuwGcEw31
 hBa6YB/6uzx3tr/ruO++vk+U7Myz4eFzp7+Zryjk7ohVb3w/XhBcVbC+d9qyKGzM0OUaQgGOjy7eq
 3tiI+VugfyawvAvItCwyo56R8fO1jS1uKA+NDz5ltIymE9sySpVWfTMhCDUEjy9iEMiPixtiyVbHd
 g8A80H7W4fe7mTcqkKPD6sfYr2QwKh4pF7wU+RHfXsoXIu5gYNPgxdsHd/1p914EQ9U6RYTFsSEzk
 DR8V2H1rJ0AiVPQIDAQAB

# enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.en
 g.brq.redhat.com
dn: cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=
 abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: dataEncipherment
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat....@abc.idm.lab.eng.br
 Q.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5vdu9LLl7Pa+cN+ivNO
 eOon1BOI3bbBzYAu8+l1ch8iepKJrom4O5yYT7qhz5aYgq4Pd2kuxuvcuf3OlGTizuKlqRELbVnG0
 ogWN/YAqPExS6L2hEHcyIZTiOQk19jT/ynEqayjH/OM499aE1H3vc7FD30Cy9wBQNUzYuY8pWpaWd
 Jj8nbvEKLX7JYPSx5/3Bqx+tqK5ApAGutJ6lF3+9acuG6ADVwUY3hAqXcqu4Oy463LKIhdatqMv2r
 j0FEFHJYPG2GTOIhFF8jee2Q7iidgPNdfbvKCYbnAkXtT73hxJWTckoupGHpUo+5b/wl8pI1Lxhyz
 TIp7oPmFWMG/q1QIDAQAB

I also see them on the replica (which was removed from the topology).
I did not find any errors in the http log.

2)
I tried hard, but I cannot see the relation between https://fedorahosted.org/freeipa/ticket/6015 and https://fedorahosted.org/freeipa/ticket/6056. IMO it should be separated into two patches, to make backports and patching easier and to make life easier in future with git blame.

There should not be a BZ, only upstream tickets in the commit.

3)
IMO it should be 'Removing' not 'Remove'. I'm not a native speaker, but it looks more consistent with the rest of the log entries:

INFO Remove Custodia keys

4)
The same for
root_logger.info("Secure server.keys mode"); IMHO it should be 'Securing'.

5)
What is the purpose of remove_server_keys() in KEM.py? I see usage only in manual testing. Can it be reused in server.py? It looks like duplicated code to me, but correct me if I'm wrong.

Martin^2
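As an added illustration, not code from the patch under review or from FreeIPA, the Python below audits the permission state the thread describes: a server.keys file left at 0644 inside a 0700 directory, and the 0600 the installer enforces. It uses a constructed temporary directory standing in for /etc/ipa/custodia and a placeholder key file, so it runs offline.

```python
import os
import stat
import tempfile

# Any of these bits lets a user other than the owner read, write or traverse.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_key_file(path):
    """Return findings for a private-key file such as Custodia's server.keys.
    Expected state: file 0600 inside a 0700 directory. A 0644 file is flagged
    even when the directory is 0700, because then the directory mode is the
    only thing keeping other local users away from the keys."""
    findings = []
    file_mode = stat.S_IMODE(os.stat(path).st_mode)
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    if file_mode & GROUP_OTHER_BITS:
        findings.append("file mode 0%o allows group/other access, expected 0600"
                        % file_mode)
    if dir_mode & GROUP_OTHER_BITS:
        findings.append("directory mode 0%o allows group/other access, expected 0700"
                        % dir_mode)
    return findings


def harden_key_file(path):
    """Do what the installer/upgrader does: force the key file to 0600."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario: 0700 directory holding a 0644 server.keys."""
    with tempfile.TemporaryDirectory() as tmp:
        custodia_dir = os.path.join(tmp, "custodia")  # stands in for /etc/ipa/custodia
        os.mkdir(custodia_dir)
        os.chmod(custodia_dir, 0o700)  # explicit, so umask cannot change it
        keys = os.path.join(custodia_dir, "server.keys")
        with open(keys, "w") as f:
            f.write('{"sig": "<constructed placeholder, not a real key>"}\n')
        os.chmod(keys, 0o644)  # reproduce the defect described in the thread
        before = audit_key_file(keys)
        fixed_mode = harden_key_file(keys)
        after = audit_key_file(keys)
        return before, fixed_mode, after


if __name__ == "__main__":
    print(demo())
```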


