[Fedora-directory-users] Problem with AES
Richard Megginson
rmeggins at redhat.com
Tue Oct 30 18:45:23 UTC 2007
Andreas Kekkou wrote:
> Both names are exactly the same.
>
> Richard Megginson wrote:
>> Andreas Kekkou wrote:
>>> Hi Richard,
>>>
>>> Nothing has changed. Executing the command you have suggested on
>>> both servers I get the same output:
>>>
>>> [root@serverA alias]# ../shared/bin/certutil -L -P slapd-serverA- -d .
>>> serverA-cert u,u,u
>>> Computer Science Department CA CT,,
>>>
>>> [root@serverB alias]# ../shared/bin/certutil -L -P slapd-serverB- -d .
>>> serverB-cert u,u,u
>>> Computer Science Department CA CT,,
>>>
>>> Is there anything else I have to check?
>> grep -i personality /opt/fedora-ds/slapd-instancename/config/dse.ldif
>>
>> The personality name should match with the server cert name in your
>> certdb.
>>>
>>> Cheers.
>>>
>>> Andreas
>>>
>>> Richard Megginson wrote:
>>>> Andreas Kekkou wrote:
>>>>> Hi all,
>>>>>
>>>>> I'm running FDS in multi-master mode with two servers. Both
>>>>> servers are configured with TLS support. One of the servers logs
>>>>> the following error:
>>>>>
>>>>> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to
>>>>> unwrap key for cipher AES
>>>>> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher
>>>>> AES in attrcrypt_cipher_init
>>>>> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in
>>>>> attrcrypt_init
>>>>> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to
>>>>> unwrap key for cipher AES
>>>>> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher
>>>>> AES in attrcrypt_cipher_init
>>>>> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in
>>>>> attrcrypt_init
>>>>> [25/Oct/2007:08:50:57 +0300] - slapd started. Listening on All
>>>>> Interfaces port 389 for LDAP requests
>>>>> [25/Oct/2007:08:50:57 +0300] - Listening on All Interfaces port
>>>>> 636 for LDAPS requests
>>>>>
>>>>> Both servers seem to work just fine. Any ideas how this can be
>>>>> resolved?
>>>> Has your SSL/TLS configuration changed at all? Have you acquired a
>>>> new cert or renewed an existing cert?
>>>> cd /opt/fedora-ds/alias
>>>> ../shared/bin/certutil -L -P slapd-instance- -d .
I'm not sure. If you are not using attribute encryption, and do not
have any encrypted attribute values, you can simply remove the offending
attributes:
shut down the server
edit dse.ldif - remove the entry cn=AES, cn=encrypted attribute keys,
cn=userRoot, cn=ldbm database, cn=plugins, cn=config
and cn=AES, cn=encrypted attribute keys, cn=NetscapeRoot, cn=ldbm
database, cn=plugins, cn=config
then restart the server
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Andreas
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
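The check suggested earlier in the thread (personality name in dse.ldif against the cert names in the certdb), as an added example that is not part of the original messages. It assumes the line that `grep -i personality` finds is the `nsSSLPersonalitySSL` attribute, and that the `certutil -L` listing was saved to a file; the function names and the sample data in `demo` are constructed for illustration.

```shell
# Added example, not from the thread. Sample data in demo() is constructed.

# Print nsSSLPersonalitySSL values from LDIF on stdin. LDIF folds long
# lines (a continuation starts with one space), so unfold before matching.
ldif_personalities() {
    awk '
        function emit() {
            if (tolower(line) ~ /^nssslpersonalityssl:/) {
                sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line)
                print line
            }
        }
        /^ / { line = line substr($0, 2); next }
        { emit(); line = $0 }
        END { emit() }'
}

# Print nicknames from `certutil -L` output on stdin by stripping the trailing
# trust-flags column ("u,u,u", "CT,,"); nicknames may contain spaces.
cert_nicknames() {
    sed -n 's/[[:space:]][[:space:]]*[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$//p'
}

# check_personality DSE_LDIF CERTUTIL_LISTING
# Returns 0 only if every personality exactly matches a listed nickname.
check_personality() {
    rc=0; seen=0
    nicks=$(cert_nicknames < "$2"); names=$(ldif_personalities < "$1")
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        seen=1
        if printf '%s\n' "$nicks" | grep -Fxq -- "$p"; then
            echo "OK: personality '$p' has a matching cert"
        else
            echo "MISMATCH: no cert nicknamed '$p'"; rc=1
        fi
    done <<EOF
$names
EOF
    [ "$seen" -eq 1 ] || { echo "no nsSSLPersonalitySSL value found"; rc=1; }
    return "$rc"
}

# Constructed sample: listing shaped like the one in the thread, folded LDIF value.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'serverA-cert u,u,u' 'Computer Science Department CA CT,,' > "$d/certs.txt"
    printf '%s\n' 'dn: cn=RSA,cn=encryption,cn=config' 'nsSSLPersonalitySSL: serverA-' ' cert' > "$d/dse.ldif"
    check_personality "$d/dse.ldif" "$d/certs.txt"; r=$?
    rm -rf "$d"; return "$r"
}
```

The comparison is exact and case-sensitive, so a personality of `Server-Cert` does not match a nickname of `server-cert`.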