Friday, January 10, 2020

[389-users] Re: Attribute encryption issue

On 1/10/20 6:48 PM, Iain Morgan wrote:
> Hi,
>
> Yesterday, I ran up against an attribute encryption issue, and I'm
> looking for advice on how to debug and resolve the issue.
> For background, I have a pair of RHEL 7 servers in an MMR configuration.
> Let's call them host_A and host_B. Both are running the RedHat-provided
> 1.3.9 RPMs of 389-ds. There is also an RHEL 6 system, host_Z, that was
> set up in an MMR configuration with host_B. This setup was used to test
> the transition from one generation of servers to the next one.
> All had been working fine, and I next tried severing the connection
> between host_Z and host_B. The replication agreements were removed and a
> cleanAllRUV task was initiated on host_B. All seemed to go well -- until
> I restarted host_A.
> After restarting host_A, I got the following in the errors log:
> [09/Jan/2020:17:00:36.191870707 -0800] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
> [09/Jan/2020:17:00:36.192310924 -0800] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
> [09/Jan/2020:17:00:36.206041190 -0800] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
> [09/Jan/2020:17:00:36.206478885 -0800] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
> [09/Jan/2020:17:00:36.206905949 -0800] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
> No change was made to the TLS certificate, and I would not have expected
> the tear-down of the replication agreements between host_Z and host_B to
> be relevant here. host_B is still able to replicate to host_A, but
> host_A is unable to go in the other direction.
> I haven't identified anything that would account for this problem. The
> system had been up from early December and had not exhibited any issues.
> So, any suggestions as to how I can troubleshoot and fix this issue? The
> log messages don't seem to be very helpful.

I cannot explain why this has happened as replication and attribute
encryption do not touch each other, but you can reset things by
following the directions from the Admin guide here:



> thanks,

389 Directory Server Development Team
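
A small triage helper for the errors-log lines quoted above, as an added example that is not part of the original thread or of 389-ds itself: it reports which ciphers failed to unwrap and whether `attrcrypt_init` found no usable cipher. The function name `triage_attrcrypt` and the report keys are assumptions; the sample lines are copied from the quoted message.

```python
import re
from datetime import datetime

# Errors-log lines copied from the quoted message above.
SAMPLE_LOG = """\
[09/Jan/2020:17:00:36.191870707 -0800] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[09/Jan/2020:17:00:36.192310924 -0800] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[09/Jan/2020:17:00:36.206041190 -0800] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[09/Jan/2020:17:00:36.206905949 -0800] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
"""

# [dd/Mon/yyyy:HH:MM:SS.nanoseconds +zzzz] - SEVERITY - function - message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^.\]]+)\.(?P<frac>\d+) (?P<tz>[+-]\d{4})\] - "
    r"(?P<sev>[A-Z]+) - (?P<func>attrcrypt_\w+) - (?P<msg>.*)$"
)
UNWRAP_RE = re.compile(r"Failed to unwrap key for cipher (\S+)")


def triage_attrcrypt(log_text):
    """Summarize attribute-encryption errors found in errors-log text."""
    report = {"failed_ciphers": [], "all_ciphers_unavailable": False,
              "first_seen": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["sev"] != "ERR":
            continue  # not an attrcrypt error line
        # The log carries nanoseconds; strptime's %f takes at most six
        # digits, so the fractional part is dropped for the summary.
        when = datetime.strptime(f"{m['ts']} {m['tz']}", "%d/%b/%Y:%H:%M:%S %z")
        if report["first_seen"] is None:
            report["first_seen"] = when
        cipher = UNWRAP_RE.search(m["msg"])
        if m["func"] == "attrcrypt_unwrap_key" and cipher:
            report["failed_ciphers"].append(cipher.group(1))
        elif m["func"] == "attrcrypt_init" and "ciphers are not available" in m["msg"]:
            report["all_ciphers_unavailable"] = True
    return report


if __name__ == "__main__":
    print(triage_attrcrypt(SAMPLE_LOG))
```

Run against each replica's errors log after a restart, this shows whether only one cipher's wrapped key failed or, as on host_A here, every prepared cipher did.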