Thursday, November 25, 2021

[389-users] Disable attribute encryption

Hi all,


Is there a way to either permanently disable attribute encryption, or to have the symmetric keys generated from an alternate RSA private key to that used for
TLS (given by cn=RSA,cn=encryption,cn=config)? I may be missing something, but this seems to be completely tied to TLS.


We don't use attribute encryption at all presently, and the process we use for rolling certtificates is basically a re-key. This results in the following error
messages;


[25/Nov/2021:06:32:33.562508644 +0000] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[25/Nov/2021:06:32:33.564813203 +0000] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since
the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[25/Nov/2021:06:32:33.931422579 +0000] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[25/Nov/2021:06:32:33.935241033 +0000] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since
the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[25/Nov/2021:06:32:33.937228742 +0000] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.


I realise we could delete the encrypted attribute keys entries as part of our renewal process & have them regenerated, but that seems pretty hackish. The
message implies attribute encryption can be disabled ("Please disable attribute encryption."), yet the only way I see to do this is to disable TLS via nsslapd-
security. Can someone confirm?


Thanks,
Grant

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)