
Divergence of "cn=admin data" after setting up secure replication and encrypted backends

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.0, 5.5.2, 5.5.1, 5.5.0
    • Fix Version/s: None
    • Component/s: config

      Description

      After installing two DS instances, configuring backends with confidentiality mode, and enabling secure communications during replication setup, the cn=admin data backend diverges in its secret key entries. A restart does not fix the issue; the backends remain diverged. The reproduction steps set up node5 and node6.

      Searching cn=admin data for symmetric keys: node5 has one secret key entry containing one symmetric key value; node6 has two secret key entries, one with two symmetric key values and the other with one.

      Node5 after setup:

      dn: cn=admin data
      objectClass: ds-cfg-branch
      objectClass: top
      cn: admin data
      ds-sync-generation-id: 167843
      ds-sync-state: 01040168bd716512000000a07404
      entryUUID: 46e489f6-1f92-3120-990f-54a178e95b21
      
      $ bin/ldapsearch -h node5.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-symmetric-key=* ds-cfg-symmetric-key
      dn: ds-cfg-key-id=189bc738-8be4-4192-82d5-b3e3221be415,cn=secret keys,cn=admin data
      ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      

      Node6 after setup:

      dn: cn=admin data
      objectClass: ds-cfg-branch
      objectClass: top
      cn: admin data
      ds-sync-generation-id: 167843
      ds-sync-state: 01040168bd716512000000a07404
      entryUUID: 46e489f6-1f92-3120-990f-54a178e95b21
      
      $ bin/ldapsearch -h node6.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-symmetric-key=* ds-cfg-symmetric-key
      dn: ds-cfg-key-id=189bc738-8be4-4192-82d5-b3e3221be415,cn=secret keys,cn=admin data
      ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      dn: ds-cfg-key-id=f6f64336-88d2-4ab7-9c5f-2a9ad8735697,cn=secret keys,cn=admin data
      ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      

      Node6 after restart:

      dn: cn=admin data
      objectClass: ds-cfg-branch
      objectClass: top
      cn: admin data
      ds-sync-generation-id: 167843
      ds-sync-state: 01040168bd94665b000005e01935
      ds-sync-state: 01040168bd716512000000a07404
      entryUUID: 46e489f6-1f92-3120-990f-54a178e95b21
      
      $ bin/ldapsearch -h node6.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-symmetric-key=* ds-cfg-symmetric-key
      dn: ds-cfg-key-id=189bc738-8be4-4192-82d5-b3e3221be415,cn=secret keys,cn=admin data
      ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:61011D2B7C48FE6FC0F5B83556D032ABB0FDFD91ECBF707F21BB266AFD68B27D491637937CD2BDD982EC95D51A06FD9BD26B36B8ADB87EC5FB7AE13F8CD781F61EDA180216A8D1287A324FD2ACDA61B53DB56B5F8D64C923CB968598BC12676147EBB98AC554554354DC3CA8E01A385F428DE66668D6FCDE9CEF5A107AB8D1026CCB62BC2702CB8891A01AB3EDA21D6FEEAAC53873BE0D741BEBFD673D801100325E9DB10A7185878434563A408D6BE49EC55DF3BD127C0A594C1C3C519AD0D7C34B93ED35A583261AFC5FB955DF2D4885ECAC7B86D38C51B5A9E229B7DB4F18882AABAE95DB78C04836F34473BC62E17E0F4FB86C21D4885164C6AE6980E84
      ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      dn: ds-cfg-key-id=f6f64336-88d2-4ab7-9c5f-2a9ad8735697,cn=secret keys,cn=admin data
      ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      dn: ds-cfg-key-id=ec96f387-02c9-4097-b3fe-05b0c64e9490,cn=secret keys,cn=admin data
      ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      

      Node5 after restart:

      dn: cn=admin data
      objectClass: ds-cfg-branch
      objectClass: top
      cn: admin data
      ds-sync-generation-id: 167843
      ds-sync-state: 01040168bd94665b000005e01935
      ds-sync-state: 01040168bd96c3eb0000063f7404
      entryUUID: 46e489f6-1f92-3120-990f-54a178e95b21
      
      $ bin/ldapsearch -h node5.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-symmetric-key=* ds-cfg-symmetric-key
      dn: ds-cfg-key-id=189bc738-8be4-4192-82d5-b3e3221be415,cn=secret keys,cn=admin data
      ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      dn: ds-cfg-key-id=ec96f387-02c9-4097-b3fe-05b0c64e9490,cn=secret keys,cn=admin data
      ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:...
      ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:4B29C678CFD9ED243DB1D9A8A65A161EA6410DCA2B0963E6E3AB301529790146DAE1D34F73755BB6A98B15EB5030022A5AD9B749448728B9FC69C48824DF6C1B4D9B8A5B2F6276030ACB8E23E5826E6F96FA788FADD7D8FD8EF240628704D4DB20C6FE4583957D09511FC4DE9132F9882D0023402606C5BA59D3019863CD33754500FD8181B5679FC65786CF86D995899729A9CBD9AC0DCA32AC6339D4635D821F416E2B00FDF2BC8A6256120BCC3852D0A2A6348CAA52CC8BF393DB0923F3F523E9902F0753BF018AA4E8236CF824E0FEB4D32A363A1E167C09EA14929E9653D1346DB1E5FBEDC913EFBF95BF2055CE61B5C3A426F3AB4475B538A8F935C086
      

      The same key is still marked compromised on node6; that has not changed since setup:

      $ bin/ldapsearch -h node5.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-key-compromised-time=* ds-cfg-key-compromised-time
      $ bin/ldapsearch -h node6.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-key-compromised-time=* ds-cfg-key-compromised-time
      dn: ds-cfg-key-id=f6f64336-88d2-4ab7-9c5f-2a9ad8735697,cn=secret keys,cn=admin data
      ds-cfg-key-compromised-time: 19700101000000Z
      

      All steps to reproduce are in the attached file.
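An added example (not from the issue or the OpenDJ project) that automates the comparison done by hand above: it parses the ldapsearch LDIF from two replicas and reports secret key entries that are missing on one side, differ in their ds-cfg-symmetric-key values, carry a ds-cfg-key-compromised-time, or are wrapped for fewer instance keys than there are replicas. It assumes the first colon-separated field of ds-cfg-symmetric-key identifies the instance key that wrapped the secret (not stated in the report), and the embedded LDIF is a constructed sample based on the node5/node6 output after setup, with the wrapped key hex shortened.

```python
KEY_ATTR = "ds-cfg-symmetric-key"

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from ldapsearch LDIF output (single-line values)."""
    entries, current = {}, {}
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":  # a dn line starts a new entry
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries

def diff_secret_keys(ldif_a, ldif_b, replicas=2):
    """List how two replicas' cn=secret keys entries diverge; empty means converged."""
    a, b = parse_ldif(ldif_a), parse_ldif(ldif_b)
    findings = []
    for dn in sorted(set(a) | set(b)):
        if not dn.lower().endswith("cn=secret keys,cn=admin data"):
            continue
        rdn = dn.split(",")[0]
        for side, entries in (("A", a), ("B", b)):
            entry = entries.get(dn)
            if entry is None:
                findings.append(f"{rdn}: missing on {side}")
                continue
            if "ds-cfg-key-compromised-time" in entry:
                findings.append(f"{rdn}: marked compromised on {side}")
            # Assumption: first field = id of the wrapping instance key, so a converged entry has one per replica
            wrapped = {v.split(":")[0] for v in entry.get(KEY_ATTR, [])}
            if len(wrapped) != replicas:
                findings.append(f"{rdn}: wrapped for {len(wrapped)}/{replicas} instance keys on {side}")
        if dn in a and dn in b and set(a[dn].get(KEY_ATTR, [])) != set(b[dn].get(KEY_ATTR, [])):
            findings.append(f"{rdn}: {KEY_ATTR} values differ between A and B")
    return findings

# Constructed sample mirroring node5/node6 after setup; wrapped-key hex replaced by placeholders
NODE5_LDIF = """\
dn: ds-cfg-key-id=189bc738-8be4-4192-82d5-b3e3221be415,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:0A0A
"""
NODE6_LDIF = """\
dn: ds-cfg-key-id=189bc738-8be4-4192-82d5-b3e3221be415,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:0A0A
ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:0B0B
dn: ds-cfg-key-id=f6f64336-88d2-4ab7-9c5f-2a9ad8735697,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:0C0C
ds-cfg-key-compromised-time: 19700101000000Z
"""
```

Running `diff_secret_keys(NODE5_LDIF, NODE6_LDIF)` on the sample reports the same picture as the report: the shared entry is wrapped for only one instance key on node5 and its values differ, while the second entry exists only on node6 and is flagged compromised.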

    People

    • Assignee: Unassigned
    • Reporter: Julie Evans (julie.evans)