Upgrading instances that have confidentiality enabled with default parameters to 7.0 causes the upgraded instances to generate GCM keys (the new default) instead of backward-compatible CBC keys.
In a mixed topology, older servers will replicate the key, but will print error messages about not being able to import it:
[27/Nov/2019:17:28:39 +0100] category=org.opends.server.crypto.CryptoManagerSync severity=ERROR msgID=-1 msg=Failed to import key entry: CryptoManager cannot initialize Cipher: InvalidAlgorithmParameterException(Unsupported parameter: javax.crypto.spec.IvParameterSpec@ec2166)
is caused by: OPENDJ-5949 Review default security parameters (use PBKDF2, stronger cryptomanager settings, etc) (Done)
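The exception in the log line above can be reproduced with the plain JCE API. This is an added example, not OpenDJ code. It assumes the older server hands an `IvParameterSpec` to whatever transformation the replicated key entry names, as the logged message suggests. The transformation strings `AES/CBC/PKCS5Padding` and `AES/GCM/NoPadding`, the key size and the class name are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

// Added illustration (hypothetical class name): shows which parameter spec
// each cipher mode accepts when a Cipher is initialized.
public class GcmIvSpecDemo {

    // Returns "ok" if the cipher initializes, otherwise the exception type and message.
    static String tryInit(String transformation, SecretKey key, AlgorithmParameterSpec spec) {
        try {
            Cipher cipher = Cipher.getInstance(transformation);
            cipher.init(Cipher.ENCRYPT_MODE, key, spec);
            return "ok";
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName() + "(" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(128); // assumed key length
        SecretKey key = generator.generateKey();

        SecureRandom random = new SecureRandom();
        byte[] cbcIv = new byte[16];   // CBC IV is one AES block
        byte[] gcmNonce = new byte[12]; // 96-bit nonce, the usual GCM choice
        random.nextBytes(cbcIv);
        random.nextBytes(gcmNonce);

        // Pre-7.0 style key: CBC initialized with an IvParameterSpec works.
        System.out.println("CBC + IvParameterSpec:  "
                + tryInit("AES/CBC/PKCS5Padding", key, new IvParameterSpec(cbcIv)));

        // GCM key handled with the CBC-era code path: the JCE provider rejects
        // IvParameterSpec with an InvalidAlgorithmParameterException.
        System.out.println("GCM + IvParameterSpec:  "
                + tryInit("AES/GCM/NoPadding", key, new IvParameterSpec(gcmNonce)));

        // GCM needs a GCMParameterSpec carrying the tag length as well as the nonce.
        System.out.println("GCM + GCMParameterSpec: "
                + tryInit("AES/GCM/NoPadding", key, new GCMParameterSpec(128, gcmNonce)));
    }
}
```

The exact exception message text varies between JDK releases; the exception type for the second case is the part to match against the log.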