
Creating new ads-certificates can result in a symmetric key only existing on one server


    • Type: Bug
    • Status: Dev backlog
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.3
    • Fix Version/s: None
    • Component/s: replication
    • Labels:


      Two DJ instances have confidentiality enabled on a backend which is subsequently replicated. This works fine.

      The customer has a requirement to replace the ads-certificate with one signed by an external CA. I'll attach the script I used, but in brief we do this using:

      keytool -certreq -alias ads-certificate [...]
      keytool -keyclone -alias ads-certificate -destalias ads-certificate-old [...]

      Then we sign the CSR generated by the certreq. Then import the cert:

      keytool -import -trustcacerts -alias ca-cert [...]
      keytool -import -trustcacerts -alias ads-certificate [...]

      We then create a new instance key in the server using ldapmodify and the keyid of the new cert:

      dn: ds-cfg-key-id=$keyid,cn=instance keys,cn=admin data
      changetype: add
      objectclass: top
      objectclass: ds-cfg-instance-key
      ds-cfg-key-id: $keyid
      ds-cfg-public-key-certificate;binary:< file://$PWD/$dj/ads.crt

      dn: cn=$host:$port,cn=servers,cn=admin data
      changetype: modify
      replace: ds-cfg-key-id
      ds-cfg-key-id: $keyid

      This is as per the documentation in the admin guide. However, when we restart this server we discover that the old instance key has more symmetric keys on the restarted server than on the other replicated servers. This causes the other servers to log, when they start up, that they can't import the symmetric key:

      category=CORE severity=ERROR msgID=654 msg=An error occurred in the trust store synchronization thread: LdapException: Other: CryptoManager failed to import the symmetric key entry "ds-cfg-key-id=c5f28bf9-27ed-4989-8068-1e182d0fcc2b,cn=secret keys,cn=admin data" because it could not obtain a symmetric key attribute value that can be decoded by this instance (LdapException.java:253 LdapException.java:143 LdapException.java:112 LdapException.java:89 CryptoManagerSync.java:221 CryptoManagerSync.java:160 CryptoManagerSync.java:150 DirectoryServer.java:1385 DirectoryServer.java:4089)

      Doing an ldifdiff of the two admin-backend.ldif files shows this symmetric key is present on server 1 but not server 2.

      The error seems benign, in that the servers work OK and can read/write data in the confidential backend.

      As a workaround, it is possible to use ldapmodify to manually copy the missing ds-cfg-symmetric-key to another server. This works, and the servers do not log an error on startup.
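The ldifdiff comparison mentioned above can be narrowed to just the secret-key entries. The following is an added check, not code from the reporter or from OpenDJ: it parses two admin-backend.ldif exports and lists, per entry under cn=secret keys,cn=admin data, the ds-cfg-symmetric-key values one server holds and the other lacks. The sample exports are constructed (the key ID is the one from the error message; the wrapped values are fake placeholders).

```python
import base64

SECRET_KEYS_SUFFIX = "cn=secret keys,cn=admin data"

def parse_ldif(text):
    """Minimal LDIF -> {dn: {attr: [values]}}; folded lines, '::' base64, '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:                  # trailing "" flushes the last record
        if not line:
            if current:
                entries[current[0]] = current[1]
            current = None
            continue
        attr, _, value = line.partition(":")
        value = (base64.b64decode(value[1:].strip()).decode()
                 if value.startswith(":") else value.strip())
        if attr.lower() == "dn":
            current = (value.lower(), {})
        elif current:
            current[1].setdefault(attr.lower(), []).append(value)
    return entries

def missing_symmetric_keys(ldif_a, ldif_b):
    """Return {secret-key DN: ds-cfg-symmetric-key values in ldif_a but not ldif_b}."""
    a, b = parse_ldif(ldif_a), parse_ldif(ldif_b)
    report = {}
    for dn, attrs in a.items():
        if dn.endswith(SECRET_KEYS_SUFFIX):
            have = set(b.get(dn, {}).get("ds-cfg-symmetric-key", []))
            gap = sorted(set(attrs.get("ds-cfg-symmetric-key", [])) - have)
            if gap:
                report[dn] = gap
    return report

# Constructed sample exports: key ID from the report, wrapped values are fake.
KEY_DN = "ds-cfg-key-id=c5f28bf9-27ed-4989-8068-1e182d0fcc2b," + SECRET_KEYS_SUFFIX
SERVER1 = f"""dn: {KEY_DN}
ds-cfg-symmetric-key: old-instance-key:wrapped-for-old-key
ds-cfg-symmetric-key: new-instance-key:wrapped-for
 -new-key
"""
SERVER2 = f"""dn: {KEY_DN}
ds-cfg-symmetric-key: old-instance-key:wrapped-for-old-key
"""
```

Running missing_symmetric_keys(SERVER1, SERVER2) reports the one value server 2 is missing; the reverse comparison reports nothing, which is the state the workaround above restores.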




            • Assignee:
              cjr Chris Ridd
            • Votes: 0
            • Watchers: 2
