[OPENDJ-5985] Divergence of "cn=admin data" after setting up secure replication and encrypted backends Created: 05/Feb/19  Updated: 08/Nov/19

Status: Dev backlog
Project: OpenDJ
Component/s: config
Affects Version/s: 6.5.0, 5.5.2, 5.5.0, 5.5.1
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Julie Evans Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: release-notes

Attachments: Text File reproduce.txt
Issue Links:
Relates
relates to OPENDJ-6431 Support replication of offline update... Done
Support Ticket IDs:

Description

After installing two DS instances, configuring backends with confidentiality mode and setting secure comms during replication setup, the cn=admin data backend diverges with the secret key entries. A restart does not improve the issue and the backends are still diverged. The reproduction steps set up node5 and node6.

Search cn=admin data for symmetric keys. Node5 has 1 secret key entry that contains 1 symmetric key; node6 has two secret key entries, one with two entries and another with one entry.

Node 5 after setup:

dn: cn=admin data
objectClass: ds-cfg-branch
objectClass: top
cn: admin data
ds-sync-generation-id: 167843
ds-sync-state: 01040168bd716512000000a07404
entryUUID: 46e489f6-1f92-3120-990f-54a178e95b21

$ bin/ldapsearch -h node5.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-symmetric-key=* ds-cfg-symmetric-key
dn: ds-cfg-key-id=189bc738-8be4-4192-82d5-b3e3221be415,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES: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

Node6 after setup:

dn: cn=admin data
objectClass: ds-cfg-branch
objectClass: top
cn: admin data
ds-sync-generation-id: 167843
ds-sync-state: 01040168bd716512000000a07404
entryUUID: 46e489f6-1f92-3120-990f-54a178e95b21

$ bin/ldapsearch -h node6.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-symmetric-key=* ds-cfg-symmetric-key
dn: ds-cfg-key-id=189bc738-8be4-4192-82d5-b3e3221be415,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES: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
ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:3D9DFD8C04D21BE8A0B43B063D00C1E41BD5B0A87CD20B39981A97F4188F46A8655F6BEAFA610C90190F63E1088D058FF25416565BAF3558080A636A747A725E65ED5D0EB51FB9C78021F9ECDFD560200AD629F0AE8922C522B5A64F54B2462E2BCE219BE3572336A1B1A3DB15E63622C370E93FA86A501767AA334DF964089843307F2E68F94FC29718E56640CB610E0C14F97C922013FF2A4F152B640E430C3BDCCC5FA82BD0EE723DB3A01D012217092AD89CB62CA207BF7033FCAFB5569EF52BEB3DAFA67C927FFF9BD4BAA9AECB2668D6006B1B0BAA509981A9EB20B1B5067B5B1657FFC7D8062FD2B6E9673ABA6E6A3A80409B76F92D31AB5796DD43D7
dn: ds-cfg-key-id=f6f64336-88d2-4ab7-9c5f-2a9ad8735697,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES: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

Node6 after restart:

dn: cn=admin data
objectClass: ds-cfg-branch
objectClass: top
cn: admin data
ds-sync-generation-id: 167843
ds-sync-state: 01040168bd94665b000005e01935
ds-sync-state: 01040168bd716512000000a07404
entryUUID: 46e489f6-1f92-3120-990f-54a178e95b21

$ bin/ldapsearch -h node6.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-symmetric-key=* ds-cfg-symmetric-key
dn: ds-cfg-key-id=189bc738-8be4-4192-82d5-b3e3221be415,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES: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
ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES: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
dn: ds-cfg-key-id=f6f64336-88d2-4ab7-9c5f-2a9ad8735697,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:67747F7C2D5215598F222727FE487973DEBF3DA829A32729FDB98C4114A68BD5572DE9A97D631AF0B4A95738086FE8989054BE7A1B738042A0DFEFDC304B3FD44BCBCC5B82CF43260529AFC837BA1FFBDD8C81CDCE0BC4C0D4815B6929291C3F50C980F0A11A22FFB849B181D0544AB4E59007386718A792EE7F9EFDB57A03CF9D2EAA49AFE6D4FCA6C016D3DD97DF38C27534D08EB814E87D0358815606B08E3B8EF6E76807E518D80C73B07D4D502C9F908A0DDD85F97C6188F6CEED6AD2158D91BD814680DA25783EB07406D825F4705033606F5A72859E6A6CF8574DA102B16060279C6690E0A8928396AA4A0D6B458CF473B11FA68FDC247A71421DEF9B 
dn: ds-cfg-key-id=ec96f387-02c9-4097-b3fe-05b0c64e9490,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:65B5C112BB0CC143C628AD1F44BD10D269235B782BF5896DA8A37923D84EAA87CA5DD9C7C15220F6260CC44C1179B5BDFCCA9E45089BE0D149372F34F049D4729DBEB8718A143C8A392908379DB5F6D2000ABFA71507EC6CE893204B6C777935A5DBE8700358F6A1A83406D612A2589682CBB61447F30744BB92DB2C38096DB04D118D4B98B2A3B575A47E488EC4DABED6008F5BD407AF120D942499596FFA9FA2A7965FF7992F75A58734C6D03B31F18DE75B7012B9E5B59A59F3E3683FECCB92EC4E6A1870389A6AB003A6DB53C3E2E40E3A03642EC51385C2D09FCC252620FCAC318165EACB96C43C73BD26463810E4FFE771557A5C3A0319F4D88D04C05E
ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES: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

Node5 after restart:

dn: cn=admin data
objectClass: ds-cfg-branch
objectClass: top
cn: admin data
ds-sync-generation-id: 167843
ds-sync-state: 01040168bd94665b000005e01935
ds-sync-state: 01040168bd96c3eb0000063f7404
entryUUID: 46e489f6-1f92-3120-990f-54a178e95b21

$ bin/ldapsearch -h node5.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-symmetric-key=* ds-cfg-symmetric-key
dn: ds-cfg-key-id=189bc738-8be4-4192-82d5-b3e3221be415,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:61011D2B7C48FE6FC0F5B83556D032ABB0FDFD91ECBF707F21BB266AFD68B27D491637937CD2BDD982EC95D51A06FD9BD26B36B8ADB87EC5FB7AE13F8CD781F61EDA180216A8D1287A324FD2ACDA61B53DB56B5F8D64C923CB968598BC12676147EBB98AC554554354DC3CA8E01A385F428DE66668D6FCDE9CEF5A107AB8D1026CCB62BC2702CB8891A01AB3EDA21D6FEEAAC53873BE0D741BEBFD673D801100325E9DB10A7185878434563A408D6BE49EC55DF3BD127C0A594C1C3C519AD0D7C34B93ED35A583261AFC5FB955DF2D4885ECAC7B86D38C51B5A9E229B7DB4F18882AABAE95DB78C04836F34473BC62E17E0F4FB86C21D4885164C6AE6980E84B
dn: ds-cfg-key-id=ec96f387-02c9-4097-b3fe-05b0c64e9490,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: C462D6DBB4D5FD05B18F291FC1B245F7:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES: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
ds-cfg-symmetric-key: E213DAC075E8F1EEE098643BB0EB68C9:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:4B29C678CFD9ED243DB1D9A8A65A161EA6410DCA2B0963E6E3AB301529790146DAE1D34F73755BB6A98B15EB5030022A5AD9B749448728B9FC69C48824DF6C1B4D9B8A5B2F6276030ACB8E23E5826E6F96FA788FADD7D8FD8EF240628704D4DB20C6FE4583957D09511FC4DE9132F9882D0023402606C5BA59D3019863CD33754500FD8181B5679FC65786CF86D995899729A9CBD9AC0DCA32AC6339D4635D821F416E2B00FDF2BC8A6256120BCC3852D0A2A6348CAA52CC8BF393DB0923F3F523E9902F0753BF018AA4E8236CF824E0FEB4D32A363A1E167C09EA14929E9653D1346DB1E5FBEDC913EFBF95BF2055CE61B5C3A426F3AB4475B538A8F935C086

The same key is still compromised on node6; that has not changed since setup:

$ bin/ldapsearch -h node5.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-key-compromised-time=* ds-cfg-key-compromised-time
$ bin/ldapsearch -h node6.example.com -b "cn=admin data" -D "cn=directory manager" -w password -p 1636 -Z -X ds-cfg-key-compromised-time=* ds-cfg-key-compromised-time
dn: ds-cfg-key-id=f6f64336-88d2-4ab7-9c5f-2a9ad8735697,cn=secret keys,cn=admin data
ds-cfg-key-compromised-time: 19700101000000Z

All steps to reproduce are in the attached file.
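A consistency check of the kind this report needs, as an added example that is not part of the issue or of OpenDJ itself: it parses the LDIF that ldapsearch prints for cn=secret keys on two nodes and reports entries present on only one node, entries whose set of wrapping key ids differs, and entries marked compromised. The LDIF samples are constructed, and treating the first colon-separated field of ds-cfg-symmetric-key as the id of the wrapping instance key is an assumption drawn from the value layout shown above.

```python
import re
from collections import defaultdict

# Constructed LDIF in the shape of the issue's ldapsearch output; key ids
# and wrapped-key hex are placeholders, not values from the report.
NODE5_LDIF = """\
dn: ds-cfg-key-id=key-A,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: INSTANCE5:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:AAAA
"""
NODE6_LDIF = """\
dn: ds-cfg-key-id=key-A,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: INSTANCE5:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:AAAA
ds-cfg-symmetric-key: INSTANCE6:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:BBBB
dn: ds-cfg-key-id=key-B,cn=secret keys,cn=admin data
ds-cfg-symmetric-key: INSTANCE6:RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING:AES:CCCC
ds-cfg-key-compromised-time: 19700101000000Z
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from ldapsearch LDIF output."""
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def wrapping_ids(attrs):
    """First colon field of each ds-cfg-symmetric-key value (assumed here to be
    the id of the instance key that wraps the secret)."""
    return {v.split(":", 1)[0] for v in attrs.get("ds-cfg-symmetric-key", [])}

def compare_secret_keys(ldif_a, ldif_b):
    """Report entries on one node only, entries whose wrapping ids differ,
    and entries carrying ds-cfg-key-compromised-time on either node."""
    a, b = parse_ldif(ldif_a), parse_ldif(ldif_b)
    differing = [dn for dn in sorted(set(a) & set(b))
                 if wrapping_ids(a[dn]) != wrapping_ids(b[dn])]
    compromised = sorted((node, dn) for node, ent in (("a", a), ("b", b))
                         for dn, attrs in ent.items()
                         if "ds-cfg-key-compromised-time" in attrs)
    return {"only_in_a": sorted(set(a) - set(b)),
            "only_in_b": sorted(set(b) - set(a)),
            "differing": differing, "compromised": compromised}

if __name__ == "__main__":
    for key, val in compare_secret_keys(NODE5_LDIF, NODE6_LDIF).items():
        print(f"{key}: {val}")
```

Feed it the real output of the two ldapsearch commands above (one capture per node) to see which entries a restart has or has not reconciled.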



Comments
Comment by Matthew Swift [ 04/Sep/19 ]

OPENDJ-6431 solves the issue for some other use cases.

The reported problem is benign and we have no plans to fix it. To avoid the situation, avoid setting up the server with a single base entry. Instead, set up the server with an empty backend.

Generated at Tue Dec 01 17:29:51 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.