OpenDJ / OPENDJ-7397

import of the symmetric key fails after adding 7.0.0 to old topology with confidentiality enabled


    • Type: Bug
    • Status: Done
    • Priority: Critical
    • Resolution: Not a defect
    • Affects Version/s: 7.0.0
    • Fix Version/s: Not applicable
    • Component/s: replication, upgrade
    • Labels:
    • Story Points:


      Found with 7.0.0-M2020-10.5 and an automated job which encrypts the database, indexes and changelog.

      The error I can see in the output of start-ds:

      [26/Jul/2020:03:58:06 +0000] category=CORE severity=ERROR msgID=654 msg=An error occurred in the trust store synchronization thread: LdapException: Other: CryptoManager failed to import the symmetric key entry "ds-cfg-key-id=b45cbbea-c277-4246-83c7-9f67023221ec,cn=secret keys,cn=admin data" because it could not obtain a symmetric key attribute value that can be decoded by this instance (LdapException.java:255 LdapException.java:145 LdapException.java:114 LdapException.java:91 CryptoManagerSync.java:177 CryptoManagerSync.java:119 CryptoManagerSync.java:109 DirectoryServer.java:1494 StartDs.java:329 DirectoryServer.java:3599)

      Test to reproduce:
      1. Add the following to config.cfg in the framework:

      database_encrypted = True
      changelog_encrypted = True
      indexes_encrypted = True

      2. Run the command:

      python3 run-pybot.py -v -s replication_group3.mixedTopologies -t add_dsrs_into_existing_dsrs_dsrs_topology DJ

      Test steps:

      1.  Configure 2 old servers (version 6.5.4-SNAPSHOT rev. b7d5af8fb87d1c78177c091f4d5101c982988097)

      2.  For both instances:

      2.1.  Export data

      2.2.  Encrypt indexes and db on both instances

      2.3.  Re-import data

      3. Configure 3rd instance 7.0.0-M2020-10.5 

       setup -h openam.example.com -p 1391 -D "cn=myself" -w password --adminConnectorPort 4446 -Z 1638 --profile ds-user-data --set ds-user-data/baseDn:dc=com --set ds-user-data/addBaseEntry:false --acceptLicense --monitorUserDn uid=Monitor --monitorUserPassword password --serverId "dj3_rt1_dsrs" --deploymentKey AI1QLGYmsSzDRjKDmQZu7l9sAD10aA5CBVN1bkVDC24LTccCYcFwGw --deploymentKeyPassword keypassword --replicationPort 8991 

      4.    Export data from 3rd instance

      5.    Encrypt db, indexes and changelog

      6.    Import the data (in fact 0 data imported)

      7.    Configure replication between 1st and 2nd servers (6.5.4)

      8.    In replication-server set confidentiality to enabled (6.5.4)

      9.  Initialize the DSRS-DSRS topo (6.5.4)

      10.  On 7.0.0 server make changes to be compatible with 6.5.4

      11.  Add the 7.0.0 server to the topology with the command:


       dsrepl add-local-server-to-pre-7-0-topology -h openam.example.com -p 4444 -D "cn=admin,cn=Administrators,cn=admin data" -w "password" -X --baseDn "dc=com"


      12.  On 7.0.0 run: dsrepl clear-changelog

      13.  Start 7.0.0 -> above error in the output

      Maybe related to: https://bugster.forgerock.org/jira/browse/OPENDJ-7323
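
      A triage helper for the start-ds error quoted above, as an added example that is not part of the original report or of OpenDJ: it rejoins hard-wrapped output and reports which ds-cfg-key-id entries failed to import. The function names, the filler record and the assumption that a wrapped line keeps its trailing space are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the first record copies the error quoted in this report,
# hard-wrapped the way the ticket shows it; the second record is invented filler.
SAMPLE_LOG = (
    '[26/Jul/2020:03:58:06 +0000] category=CORE severity=ERROR msgID=654 '
    'msg=An error occurred in the trust store synchronization \n'
    '  thread: LdapException: Other: CryptoManager failed to import the '
    'symmetric key entry "ds-cfg-key-id=b45cbbea-c277-4246-83c7-\n'
    '  9f67023221ec,cn=secret keys,cn=admin data" because it could not obtain '
    'a symmetric key attribute value that can be decoded by this \n'
    '  instance (CryptoManagerSync.java:177)\n'
    '[26/Jul/2020:03:58:07 +0000] category=CORE severity=NOTICE msgID=0 '
    'msg=constructed filler line\n'
)

START_RE = re.compile(r'^\[\d{2}/[A-Za-z]{3}/\d{4}:')
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+category=(?P<category>\S+)\s+'
    r'severity=(?P<severity>\S+)\s+msgID=(?P<msg_id>\d+)\s+msg=(?P<msg>.*)$')
KEY_RE = re.compile(
    r'failed to import the symmetric key entry\s+'
    r'"ds-cfg-key-id=(?P<key_id>[0-9a-fA-F-]+),[^"]+"')

def unwrap(log_text):
    """Rejoin hard-wrapped records: a line that does not start with a
    timestamp continues the previous record. Assumes the wrap kept any
    trailing space, so pieces are concatenated without adding one."""
    records = []
    for raw in log_text.splitlines():
        piece = raw.lstrip()
        if START_RE.match(piece) or not records:
            records.append(piece)
        else:
            records[-1] += piece
    return records

def find_key_import_failures(log_text):
    """Return {key_id: [timestamps]} for symmetric key import errors."""
    failures = defaultdict(list)
    for record in unwrap(log_text):
        m = LINE_RE.match(record)
        if not m or m.group('severity') != 'ERROR':
            continue
        k = KEY_RE.search(m.group('msg'))
        if k:
            failures[k.group('key_id')].append(m.group('ts'))
    return dict(failures)
```

      Call find_key_import_failures() on captured start-ds output; each returned key ID can then be compared with the entries under cn=secret keys,cn=admin data on the older servers.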




            • Assignee: Ondrej Fuchsik
            • Dev Assignee: Ondrej Fuchsik


              • Created: