[389-users] Re: How to disable attribute encryption
> These entries are generated at server startup (there is no way to prevent
> that). So stop the server and edit the dse.ldif and remove these entries,
> then start the server up and those errors will go away - well until you renew
> the server cert again :-)

It's worth pointing out that we do have an open issue about this:

https://pagure.io/389-ds-base/issue/49525

It also may be worth us investigating disabling attr encryption in newly created instances since it's not a default-used feature IMO.

> --
> 389 Directory Server Development Team

--
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
[389-users] Re: How to disable attribute encryption
On 8/18/20 9:24 AM, Jan Tomasek wrote:
> On 8/18/20 3:21 PM, Mark Reynolds wrote:
> > Looks like you are all good then...
>
> Yes, but... is it possible to prevent creating "encrypted attribute keys" and seeing in logs message:
>
> ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
>
> every time I replace LDAPS certificate?

Every time you replace your server certificate you will need to delete these entries (or remove the nsSymmetricKey attribute):

dn: cn=3DES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: 3DES
nsSymmetricKey:: msf+gaXDXTz4pukx557HvRoRDsQycNxv2kiJAhbfzl53gYO/DiqRNIYSjS4nl
 b/VhP9crRTTi0RrKMxN9AGalZwgb+lqIPozb9HvNiHeNlsxCta6nnsCiX5kKWa1zLKJowJ0iqhreW
 TRBZV3/mzmr09AtusCC60/FXQdkbQlSDZre0pn7GHbg2mSb1QcMWT2EHbrVPuQAWDXMWdcZBKnUWr
 zCR+nKkS5w7PMwoU1/RCMYN1yibtmc1k/HheyM8JBf0OHQhr2FawS2LiwF2VN56r3XlmyXSBkF/IX
 01534RA/NdopD4TwxGKZBAVyQvnoRXXGwOBSlQ67IZHIoH89HQ==

dn: cn=AES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: SG4+8+Dm49nxLQiiHuv/wp96NUGBqhcWA8gATOjjrDbvZm63m00ljf3AJP0+W
 Nsdzt6bYlGVfbDB2+XFy2QTFhGSD9kZiM1kxYTzJ9AJgy2vLo7bGfIDcTQk2swBDAiOwcACdLNRw3
 4EYxpFZsS5TbLX1+zKfs/50UPRjAt3KtdGo5uCULCndmMlcz/UqoDFDUj1POYTC746YXOy+QsbEtu
 PqlzExXBZGbSjTvoeGB6GmG0L6pT/hVTCmbl6HWFfILKrvdfch0qp/AoBvLNpjBZXuWgUfKtR6m6V
 YyOFAzKQDf7ZgvRgn0cx6DVzEgAhy1dBHcYv+6oTUUlFPzfSZQ==

These entries are generated at server startup (there is no way to prevent that). So stop the server and edit the dse.ldif and remove these entries, then start the server up and those errors will go away - well until you renew the server cert again :-)

--
389 Directory Server Development Team
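The offline dse.ldif edit Mark describes, as an added example (this is not 389-ds-base code and not from anyone in the thread). It parses LDIF records, unfolds continuation lines, and drops only the entries under cn=encrypted attribute keys that carry an nsSymmetricKey, which is the same selection Jan's live (nsSymmetricKey=*) search makes. The sample dse.ldif fragment is constructed: the backend name cn=userRoot and the base64 key bytes are placeholders, not real wrapped keys.

```python
"""Offline cleanup of stale attribute-encryption key entries in dse.ldif.

Added example, not code from 389-ds-base or from the thread. Assumes the
dse.ldif layout quoted in the thread: records separated by blank lines,
folded lines starting with a single space, base64 values after '::'.
"""
import base64
from typing import List, Tuple

# Parent RDN under which 389-ds keeps the per-cipher wrapped keys.
KEY_CONTAINER_RDN = "cn=encrypted attribute keys"


def unfold(ldif_text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_records(lines: List[str]) -> List[List[str]]:
    """Group unfolded lines into records; blank lines separate records."""
    records: List[List[str]] = []
    current: List[str] = []
    for line in lines:
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            current.append(line)
    if current:
        records.append(current)
    return records


def record_dn(record: List[str]) -> str:
    """Return the record's DN from a 'dn:' or base64 'dn::' line."""
    for line in record:
        if line.lower().startswith("dn::"):
            return base64.b64decode(line[4:].strip()).decode("utf-8")
        if line.lower().startswith("dn:"):
            return line[3:].strip()
    return ""


def is_stale_key_entry(record: List[str]) -> bool:
    """True for the per-cipher entries Mark lists: located under
    'cn=encrypted attribute keys' and carrying a wrapped nsSymmetricKey.
    (Escaped commas inside RDN values are not handled; fine for dse.ldif.)"""
    dn_parts = [p.strip() for p in record_dn(record).lower().split(",")]
    has_key = any(l.lower().startswith("nssymmetrickey:") for l in record)
    return KEY_CONTAINER_RDN in dn_parts and has_key


def strip_attrcrypt_keys(ldif_text: str) -> Tuple[str, List[str]]:
    """Return (cleaned LDIF text, DNs of the entries that were removed).
    Kept records are written unfolded; LDIF readers accept long lines."""
    kept, removed = [], []
    for record in split_records(unfold(ldif_text)):
        if is_stale_key_entry(record):
            removed.append(record_dn(record))
        else:
            kept.append("\n".join(record))
    return "\n\n".join(kept) + "\n", removed


# Constructed sample modelled on the entries quoted in the thread. The key
# material is a placeholder ("PLACEHOLDER-WRAPPED-KEY" in base64), folded once
# to exercise unfold().
SAMPLE_DSE_LDIF = """\
dn: cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: ldbm database

dn: cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attribute keys

dn: cn=3DES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: 3DES
nsSymmetricKey:: UExBQ0VIT0xERVIt
 V1JBUFBFRC1LRVk=

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: UExBQ0VIT0xERVItV1JBUFBFRC1LRVk=
"""

if __name__ == "__main__":
    cleaned, removed = strip_attrcrypt_keys(SAMPLE_DSE_LDIF)
    for dn in removed:
        print("removed:", dn)
    print(cleaned)
```

Run it against a copy of dse.ldif with the server stopped, as Mark says, and keep the removed records somewhere safe: the log message itself says to keep the wrapped key value if any attribute was ever encrypted, so confirm first (as Jan did with dsconf ... attr-encrypt --list) that no backend has encrypted attributes before discarding the keys.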
[389-users] Re: How to disable attribute encryption
On 8/18/20 3:21 PM, Mark Reynolds wrote:
> Looks like you are all good then...

Yes, but... is it possible to prevent creating "encrypted attribute keys" and seeing in logs message:

ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.

every time I replace LDAPS certificate?

--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/
[389-users] Re: How to disable attribute encryption
On 8/18/20 9:13 AM, Jan Tomasek wrote:
> Hi Mark,
>
> On 8/18/20 2:56 PM, Mark Reynolds wrote:
> > > The best option would be a config option to disable attribute encryption for all databases but I failed to find if it is possible.
> >
> > You have to delete each attribute that was configured for attribute encryption (like what you did above, but you can also use the CLI tools):
> >
> > https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_attribute_encryption#disabling_encryption_for_an_attribute_using_the_command_line
>
> I didn't explicitly configure any attribute for encryption. But the server creates encryption keys anyway. When I try:
>
> # dsconf cml3 backend attr-encrypt --list dc=cesnet,dc=cz
> There are no encrypted attributes for this backend
>
> Also:
>
> # ldapsearch -H ldap://localhost -D "cn=Directory Manager" -W -LLL -o ldif-wrap=no -b "cn=ldbm database,cn=plugins,cn=config" "(objectClass=nsAttributeEncryption)"
> Enter LDAP Password:
> #

Looks like you are all good then...

--
389 Directory Server Development Team
[389-users] Re: How to disable attribute encryption
Hi Mark,

On 8/18/20 2:56 PM, Mark Reynolds wrote:
> > The best option would be a config option to disable attribute encryption for all databases but I failed to find if it is possible.
>
> You have to delete each attribute that was configured for attribute encryption (like what you did above, but you can also use the CLI tools):
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_attribute_encryption#disabling_encryption_for_an_attribute_using_the_command_line

I didn't explicitly configure any attribute for encryption. But the server creates encryption keys anyway. When I try:

# dsconf cml3 backend attr-encrypt --list dc=cesnet,dc=cz
There are no encrypted attributes for this backend

Also:

# ldapsearch -H ldap://localhost -D "cn=Directory Manager" -W -LLL -o ldif-wrap=no -b "cn=ldbm database,cn=plugins,cn=config" "(objectClass=nsAttributeEncryption)"
Enter LDAP Password:
#

--
---
Jan Tomasek aka Semik
http://www.tomasek.cz/
[389-users] Re: How to disable attribute encryption
On 8/18/20 8:47 AM, Jan Tomasek wrote:
> Hello,
>
> is it possible to disable attribute encryption in 389 DS? I'm running 1.4.0.21 @ Debian Buster. After replacing the TLS certificate I'm receiving errors:
>
> [18/Aug/2020:10:25:16.099482453 +0200] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
> [18/Aug/2020:10:25:16.099670006 +0200] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
>
> I found:
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/updating_the_tls_certificates_used_for_attribute_encryption
>
> But, I do not use any encrypted attribute, so dumping and restoring the database is not a nice way to deal with such an error. Just deleting all keys and a server restart works too:
>
> ldapsearch -H ldap://localhost -D "cn=Directory Manager" -W -LLL -o ldif-wrap=no -b "cn=ldbm database,cn=plugins,cn=config" "(nsSymmetricKey=*)" dn | sed "s/^$/changetype: delete\n/" | ldapmodify -H ldap://localhost -D "cn=Directory Manager" -W
> Enter LDAP Password:
> Enter LDAP Password: ***
> deleting entry "cn=3DES,cn=encrypted attribute keys,cn=xxx,cn=ldbm database,cn=plugins,cn=config"
> deleting entry "cn=AES,cn=encrypted attribute keys,cn=xxx,cn=ldbm database,cn=plugins,cn=config"
> deleting entry "cn=3DES,cn=encrypted attribute keys,xxx,cn=ldbm database,cn=plugins,cn=config"
> deleting entry "cn=AES,cn=encrypted attribute keys,xxx,cn=ldbm database,cn=plugins,cn=config"
> ...
>
> The best option would be a config option to disable attribute encryption for all databases but I failed to find if it is possible.

You have to delete each attribute that was configured for attribute encryption (like what you did above, but you can also use the CLI tools):

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_attribute_encryption#disabling_encryption_for_an_attribute_using_the_command_line

HTH,
Mark

> Thanks

--
389 Directory Server Development Team
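A detection check for the errors Jan quotes, as an added example (not 389-ds-base code and not from anyone in the thread). It parses the errors-log line layout visible in his post ([timestamp] - SEVERITY - function - message), picks out the attrcrypt_* errors, and reports which ciphers failed to unwrap, so an operator notices the condition right after a certificate renewal instead of finding it later. The first two log lines are the ones quoted in the thread; the rest of the sample log is constructed.

```python
"""Flag attribute-encryption key failures in a 389-ds errors log.

Added example, not code from 389-ds-base or from the thread. Assumes the
errors-log layout seen in the post:  [timestamp] - SEVERITY - function - message
"""
import re
from typing import Dict, List, Optional

LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<sev>[A-Z]+) - (?P<func>\S+) - (?P<msg>.*)$"
)
# Only the attrcrypt_unwrap_key line names the cipher.
CIPHER = re.compile(r"Failed to unwrap key for cipher (?P<cipher>\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one errors-log line into its fields, or None if it does not match."""
    m = LOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_attrcrypt_failures(lines) -> List[Dict[str, str]]:
    """One record per ERR line from an attrcrypt_* function, with the cipher
    name when the line carries one (empty string otherwise)."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["sev"] != "ERR" or not rec["func"].startswith("attrcrypt_"):
            continue
        c = CIPHER.search(rec["msg"])
        hits.append({"ts": rec["ts"], "func": rec["func"],
                     "cipher": c.group("cipher") if c else ""})
    return hits


def ciphers_failing(lines) -> List[str]:
    """Distinct ciphers whose wrapped key could not be unwrapped, in log order."""
    seen: List[str] = []
    for h in find_attrcrypt_failures(lines):
        if h["cipher"] and h["cipher"] not in seen:
            seen.append(h["cipher"])
    return seen


# Constructed sample: lines 2 and 3 are the ones Jan quoted; the others are
# made up to show a non-attrcrypt line, a second cipher and an unparsable line.
SAMPLE_ERRORS_LOG = [
    "[18/Aug/2020:10:25:15.000000000 +0200] - INFO - main - slapd started.",
    "[18/Aug/2020:10:25:16.099482453 +0200] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES",
    "[18/Aug/2020:10:25:16.099670006 +0200] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.",
    "[18/Aug/2020:10:25:16.100000000 +0200] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES",
    "[18/Aug/2020:10:25:16.100100000 +0200] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.",
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in find_attrcrypt_failures(SAMPLE_ERRORS_LOG):
        print(hit["ts"], hit["func"], hit["cipher"] or "-")
    print("ciphers failing:", ", ".join(ciphers_failing(SAMPLE_ERRORS_LOG)))
```

A non-empty result from ciphers_failing is the cue to run the check Jan used (dsconf ... backend attr-encrypt --list) before anything is deleted: if any backend does list encrypted attributes, the wrapped key must be kept and the documented dump-and-restore procedure applies instead.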