[OPENDJ-6824] Cannot import symmetric keys on older servers in a mixed version topology Created: 27/Nov/19  Updated: 31/Jan/20  Resolved: 31/Jan/20

Status: Done
Project: OpenDJ
Component/s: upgrade
Affects Version/s: 7.0.0
Fix Version/s: 7.0.0

Type: Bug Priority: Major
Reporter: Fabio Pistolesi Assignee: Ondrej Fuchsik
Resolution: Fixed Votes: 0
Labels: Verified

Issue Links:
is caused by OPENDJ-5949 Review default security parameters (u... Done
Epic Link: Mixed Topology
Story Points: 2
Dev Assignee: Gaetan Boismal [X] (Inactive)
QA Assignee: Ondrej Fuchsik


Upgrading instances with confidentiality enabled using default parameters to 7.0 makes the upgraded instances generate GCM keys (the new default) instead of backward-compatible CBC keys.

In a mixed topology, older servers will replicate the key, but will print error messages about not being able to import it:

[27/Nov/2019:17:28:39 +0100] category=org.opends.server.crypto.CryptoManagerSync severity=ERROR msgID=-1 msg=Failed to import key entry: CryptoManager cannot initialize Cipher: InvalidAlgorithmParameterException(Unsupported parameter: javax.crypto.spec.IvParameterSpec@ec2166)
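To make the quoted log line concrete, here is an added example (not OpenDJ code) that reproduces the JCE behaviour behind it: an import path that only knows CBC-style key entries supplies a plain `IvParameterSpec` to a cipher, which SunJCE accepts for `AES/CBC/PKCS5Padding` but rejects for `AES/GCM/NoPadding` with exactly the "Unsupported parameter: javax.crypto.spec.IvParameterSpec@..." message. The class and method names, the choice of 128-bit keys and the 16-byte/12-byte IV sizes are this example's own assumptions, not taken from the server.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import java.security.InvalidAlgorithmParameterException;
import java.security.SecureRandom;

/*
 * Added example, not OpenDJ code. Reproduces the JCE failure behind the
 * CryptoManagerSync error: an importer that only understands CBC keys
 * hands an IvParameterSpec to a cipher whose transformation is GCM.
 */
public class GcmKeyImportDemo {

    // Mimics the "old server" import path (assumed shape): it assumes every
    // replicated key entry can be initialised with a plain IV, as CBC can.
    static String tryInitWithPlainIv(String transformation, SecretKey key, byte[] iv) {
        try {
            Cipher cipher = Cipher.getInstance(transformation);
            cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
            return "ok";
        } catch (InvalidAlgorithmParameterException e) {
            // SunJCE rejects anything but a GCMParameterSpec in GCM mode:
            // "Unsupported parameter: javax.crypto.spec.IvParameterSpec@..."
            return "InvalidAlgorithmParameterException: " + e.getMessage();
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    // What a GCM-aware importer has to do instead: pass a GCMParameterSpec
    // carrying the authentication tag length (bits) and the nonce.
    static String tryInitWithGcmSpec(SecretKey key, byte[] nonce) {
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
            return "ok";
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                   // 128-bit AES key (assumed size)
        SecretKey key = kg.generateKey();

        SecureRandom rng = new SecureRandom();
        byte[] cbcIv = new byte[16];    // AES block-sized IV for CBC
        byte[] gcmNonce = new byte[12]; // conventional 96-bit GCM nonce
        rng.nextBytes(cbcIv);
        rng.nextBytes(gcmNonce);

        // A CBC key entry, as a pre-7.0 server produces, imports fine.
        System.out.println("CBC key + IvParameterSpec : "
                + tryInitWithPlainIv("AES/CBC/PKCS5Padding", key, cbcIv));

        // A GCM key entry fed through the same CBC-only import code fails;
        // this is the exception quoted in the issue description.
        System.out.println("GCM key + IvParameterSpec : "
                + tryInitWithPlainIv("AES/GCM/NoPadding", key, gcmNonce));

        // The same GCM key initialises once the importer knows about GCM.
        System.out.println("GCM key + GCMParameterSpec: "
                + tryInitWithGcmSpec(key, gcmNonce));
    }
}
```

Compile and run with any JDK that ships SunJCE (`javac GcmKeyImportDemo.java && java GcmKeyImportDemo`); the second line of output is the failure a 6.5 server hits when a replicated 7.0 GCM key entry reaches it.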


Comment by Ludovic Poitou [ 27/Nov/19 ]

We will probably need to document that when setting a new DS 7.0 to join a 6.5 there are specific settings to properly configure. 

Comment by Matthew Swift [ 27/Nov/19 ]

Shouldn't the upgraded instance continue to use the same type of keys that were used in 6.5? 

For new 7.0 servers joining a 6.5 topology it might be a good idea to have a specific profile for this containing all the required compatibility settings (pwd storage schemes being another).


Comment by Ludovic Poitou [ 27/Nov/19 ]

Server ID and Group ID being numbers is another one.

Comment by Fabio Pistolesi [ 27/Nov/19 ]

Changed to bug as it is a problem right now. The wider approach discussed in the comments probably warrants an issue in epic "Support 7.0 / 6.5 mixed topologies" (OPENDJ-6346)?

Comment by Matthew Swift [ 27/Nov/19 ]

I agree Fabio


Comment by Fabio Pistolesi [ 28/Nov/19 ]

Gaetan Boismal [X] just reminded me the profile settings were discussed in OPENDJ-6577, in which the decision was to build a new tool to introduce a new 7.0 server in a previous version of the topology, not a profile.

However, I did not find an issue covering the tool; I will create one.

Comment by Gaetan Boismal [X] (Inactive) [ 05/Dec/19 ]

Post dev status

Bug has been solved as follows:
When an instance to upgrade was using default security settings (i.e. not written in config.ldif but only in XML configuration files), write the defaults in config.ldif during upgrade so that, once upgraded, the instance does not use 7.0.0 (or later) default security settings.
Thus upgraded instances continue to produce CBC keys, and we no longer get the crypto manager error reported in the bug description.

See attached PR and commit message for more details.
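The comment above describes the fix as pinning the pre-7.0 defaults explicitly in config.ldif. Here is an added illustration of that intent, not the project's upgrade code or its actual config.ldif output: an LDIF modify against the Crypto Manager entry that makes the CBC transformation and key length explicit, so the upgraded server no longer falls back to the 7.0 defaults. The entry DN, the attribute names `ds-cfg-cipher-transformation` and `ds-cfg-cipher-key-length`, and the values shown are assumptions.

```ldif
# Added example, not OpenDJ's upgrade code. Attribute names and values
# are assumed; the point is that the pre-7.0 cipher settings are written
# explicitly instead of being left to the (now GCM) built-in default.
dn: cn=Crypto Manager,cn=config
changetype: modify
replace: ds-cfg-cipher-transformation
ds-cfg-cipher-transformation: AES/CBC/PKCS5Padding
-
replace: ds-cfg-cipher-key-length
ds-cfg-cipher-key-length: 128
```

With the transformation pinned this way, newly generated symmetric keys keep the CBC form that 6.5 servers can import; the same explicit settings are what a fresh 7.0 server joining a 6.5 topology needs before it generates its first key.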

Comment by Ondrej Fuchsik [ 31/Jan/20 ]

Verified with 7.0.0-SNAPSHOT rev. 4aa0794a606.

Generated at Mon Mar 01 10:46:54 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.