PROBLEM: With Generate Custom Encryption Key

fine

#1

Good morning. I consider this function broken in Fine-2.

The last know working version seems to be euwe-3 where I can go and create or fetch encryption keys successfully.

With Fine-2 as soon as I create a key or fetch a key it breaks the capability to decrypt the (MiqPassword::MiqPasswordError).

It happens rigth away after using appliance_console menu option 12) --> 1) (for the Global MIQ) and 12) --> 2) (for the remote MIQ). As soon as keys are modified I loose access to the appliance_cosole because of the above errors.

I have tried many combinations of using the tools/fix_auth.rb tool but without success. Some examples of the commands issued (from the /var/www/miq/vmdb path):

a. bundle exec ruby tools/fix_auth.rb --legacy-key=v2_key.orig (i had saved previously)
b. bundle exec ruby tools/fix_auth.rb --v2 --invalid=smartvm
c. bundle exec ruby tools/fix_auth.rb -v --v2 -p smartvm -P smartvm -i smartvm
d. bundle exec ruby tools/fix_auth.rb -v -p smartvm -P smartvm -i smartvm
e. c. bundle exec ruby tools/fix_auth.rb -v --dry-run
f. etcetrra

Still not able to get back into the appliance_console because of same error.

Tried on several instances of miq (i.e.e miq-88, miq-01, miq-02 but all running the same version)

Someone surely came across this same issue. What is the fix? Is there a fix or is this a known bug with Fine-2?

SOME OUTPUTS:

[root@miq-88a ~]# appliance_console
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/util/miq-password.rb:38:in `rescue in decrypt': can not decrypt v2_key encrypted string (MiqPassword::MiqPasswordError)
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/util/miq-password.rb:35:in `decrypt'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/util/miq-password.rb:67:in `decrypt'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/util/miq-password.rb:92:in `try_decrypt'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/appliance_console/database_configuration.rb:186:in `block in decrypt_password'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/appliance_console/database_configuration.rb:249:in `encrypt_decrypt_password'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/appliance_console/database_configuration.rb:186:in `decrypt_password'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/appliance_console/database_configuration.rb:190:in `current'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/appliance_console/database_configuration.rb:198:in `database_host'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/appliance_console.rb:123:in `block in <module:ApplianceConsole>'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/appliance_console.rb:108:in `loop'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/appliance_console.rb:108:in `<module:ApplianceConsole>'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/appliance_console.rb:99:in `<top (required)>'
	from /usr/bin/appliance_console:10:in `require'
	from /usr/bin/appliance_console:10:in `<main>'
[root@miq-88a ~]# 
[root@miq-88a ~]# cd /var/www/miq/vmdb
[root@miq-88a vmdb]# bundle exec ruby tools/fix_auth.rb -v --v2 -p smartvm -P smartvm -i smartvm
fixing authentications.password, auth_key
  2000000000001:
    password: "v2:{Yt3wnI20ZnMTJSmwhdeXmw==}" => v2:{bzdjq238Q7dLqDpr1TzIpA==} HARDCODED
  1000000000001:
    password: "v2:{IcVhy78P0Fd59OVtww5/JA==}" => v2:{bzdjq238Q7dLqDpr1TzIpA==} HARDCODED
fixing miq_databases.registration_http_proxy_server, session_secret_token, csrf_secret_token
  88000000000001:
    session_secret_token: "v2:{JOVXz9382RVNYZ0gaZrgqrBRyTdjy5HLKsrUjbudu+l0XRKwvmBLBnin5D2TdKlRfNmX5LdHwOIjZy9VNUT0qPkoHhEnQTOqpTPaVFdyAvwjO6/0+7iipuL/NUWDagzW7U+9KR1V5j7C/83nqtozHsnJWzr7tGOoapw4iyQ2cqwYWppvMkG1WPW6K6Emr5MM}" => v2:{5yw0p/yP5qPWN6D3jQwf8rPMtEtaE2FFMzBldut6ABAJuZk8LcQNe/e//ZBSBox6r8q5EqSDW+OmyMVgvL3xvXzQX+HVZ+gGdnrAmFL/xEvBXeDWHVnk+CXEV77tlJhl3DXljAsDUARDvPIkKf8qfSz1ndiMM/KQk4ey0EdHBIRTXuGshJ4kM2vaQ/40ynhn}
    csrf_secret_token: "v2:{NDk4OcXksV+udUwdPlbnpDhJHBZcYf+TPrpJvaAWXOf2woLxYzksv9o+HMsg2DRUKB49us3SeSbxHsj/J4hpTX6ly67tSq2DQUH12AZ3Sw5IuR1W8lLkbAzj2ibhoH/Qf+E1EfrZhBS2t80mXTMPSlKmrpjjQdmxEO2nFOSktcezbEl5VzaW7ieRRdwcNtke}" => v2:{VNF/oF26CFFoORjpFt+pA9RPfPa8BRcTPq0uzwMQgoCv9hI/n8wYhp3ANDHmU63+1aDxyQeZYxm8+zKx6E5xnd1YIxp4Dg10XSI6XCVweJXXbB5vEsPmJJzFNqwk/pDX9MlxLgb+yTDSQwZ2v0Q4LcfEZ9NTxDgPXxVj2E/JfyzyvZvVGvWy3dV9Ml4WiG3f}
fixing miq_ae_values.value
  88000000001708:
    value: "v2:{bzdjq238Q7dLqDpr1TzIpA==}" (not changed)
fixing miq_ae_fields.default_value
fixing miq_requests.options
  1000000000001:
    options:
      .root_password: 
fixing miq_request_tasks.options
  1000000000003:
    options:
      .root_password: 
fixing settings_changes.value
  88000000000005:
    value: "v2:{bzdjq238Q7dLqDpr1TzIpA==}" (not changed)
  2000000000015:
    value: "v2:{bzdjq238Q7dLqDpr1TzIpA==}" (not changed)
  1000000000005:
    value: "v2:{bzdjq238Q7dLqDpr1TzIpA==}" (not changed)
[root@miq-88a vmdb]# 
[root@miq-88a vmdb]# bundle exec ruby tools/fix_auth.rb -v -p smartvm -P smartvm -i smartvm
fixing authentications.password, auth_key
  1000000000001:
    password: "v2:{IcVhy78P0Fd59OVtww5/JA==}" => v2:{bzdjq238Q7dLqDpr1TzIpA==} HARDCODED
  2000000000001:
    password: "v2:{Yt3wnI20ZnMTJSmwhdeXmw==}" => v2:{bzdjq238Q7dLqDpr1TzIpA==} HARDCODED
fixing miq_databases.registration_http_proxy_server, session_secret_token, csrf_secret_token
  88000000000001:
    session_secret_token: "v2:{5yw0p/yP5qPWN6D3jQwf8rPMtEtaE2FFMzBldut6ABAJuZk8LcQNe/e//ZBSBox6r8q5EqSDW+OmyMVgvL3xvXzQX+HVZ+gGdnrAmFL/xEvBXeDWHVnk+CXEV77tlJhl3DXljAsDUARDvPIkKf8qfSz1ndiMM/KQk4ey0EdHBIRTXuGshJ4kM2vaQ/40ynhn}" => v2:{FHlPZupjbeyjYh6/uX42xo63NII9j0emeImKgJdSM8VPYV0DbHWxsDkTwwj9XOsae+oUGq78pFWEVgIqj6DWzCrgX5Qrur62/QMn8ImnijvfFzZOpWdE8tTPF+I68ZspMqolP4pjy5jpvwfO8q0+XULy2X3F1K/aSpWqjCZ7q0AxK9dXkdbNCGTu2eGQNJ0W}
    csrf_secret_token: "v2:{VNF/oF26CFFoORjpFt+pA9RPfPa8BRcTPq0uzwMQgoCv9hI/n8wYhp3ANDHmU63+1aDxyQeZYxm8+zKx6E5xnd1YIxp4Dg10XSI6XCVweJXXbB5vEsPmJJzFNqwk/pDX9MlxLgb+yTDSQwZ2v0Q4LcfEZ9NTxDgPXxVj2E/JfyzyvZvVGvWy3dV9Ml4WiG3f}" => v2:{KKE5SQaiIL6JcVb5X2eMz529TNWeAb6NQN2g8QMRkKYaZDKDMy1iixcyHYKnFTjm+KxMeECfz4StSLbEnLK4MWbiI+xWDMPccOJAQ4TbUej2TfSZSbbTPpt2Gu4v9XKoqPFy0c4nyz+zAQJjFllX/yKOsGLPFrZ0sJVooc8qpQvwyXP7iFbfr3SLwYL38SZP}
fixing miq_ae_values.value
  88000000001708:
    value: "v2:{bzdjq238Q7dLqDpr1TzIpA==}" (not changed)
fixing miq_ae_fields.default_value
fixing miq_requests.options
  1000000000001:
    options:
      .root_password: 
fixing miq_request_tasks.options
  1000000000003:
    options:
      .root_password: 
fixing settings_changes.value
  88000000000005:
    value: "v2:{bzdjq238Q7dLqDpr1TzIpA==}" (not changed)
  2000000000015:
    value: "v2:{bzdjq238Q7dLqDpr1TzIpA==}" (not changed)
  1000000000005:
    value: "v2:{bzdjq238Q7dLqDpr1TzIpA==}" (not changed)
[root@miq-88a vmdb]# 
[root@miq-88a vmdb]# bundle exec ruby tools/fix_auth.rb -v --dry-run
fixing authentications.password, auth_key
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/util/miq-password.rb:38:in `rescue in decrypt': can not decrypt v2_key encrypted string (MiqPassword::MiqPasswordError)
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/util/miq-password.rb:35:in `decrypt'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/util/miq-password.rb:54:in `rescue in recrypt'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/util/miq-password.rb:46:in `recrypt'
	from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:33:in `recrypt'
	from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:46:in `block in fix_passwords'
	from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:44:in `each'
	from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:44:in `fix_passwords'
	from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:85:in `block in run'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activerecord-5.0.3/lib/active_record/relation/delegation.rb:40:in `each'
	from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activerecord-5.0.3/lib/active_record/relation/delegation.rb:40:in `each'
	from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:84:in `run'
	from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:65:in `block (2 levels) in fix_database_passwords'
	from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:64:in `each'
	from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:64:in `block in fix_database_passwords'
	from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:61:in `each'
	from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:61:in `fix_database_passwords'
	from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:92:in `run'
	from /var/www/miq/vmdb/tools/fix_auth/cli.rb:37:in `run'
	from /var/www/miq/vmdb/tools/fix_auth/cli.rb:41:in `run'
	from tools/fix_auth.rb:26:in `<main>'
[root@miq-88a vmdb]#

#2

I believe this was an issue with https://github.com/ManageIQ/manageiq-gems-pending/commit/cc1e92a2 which displays additional information about the database status, but loads database.yml to do that (which attempts to decrypt the passwords in that file).

For the case where you have no v2_key, this should be fixed by https://github.com/ManageIQ/manageiq-gems-pending/pull/212 which was not backported to fine.

If you have a v2_key, but cannot decrypt the password in database.yml using it, this is the behavior I would expect.

I believe you can use fix_auth.rb with the -y option to fix the passwords in database.yml, that should get you around this issue.


ManageIQ Fine-3 HA in VMware
Issue reusing v2_key across dev and prod appliances
Should i copy /var/www/miq/vmdb/certs/v2_key on a new independant appliance?
#3

Or alternatively, if you are trying to join a region with a new appliance, my process is usually the following:

systemctl stop evmserverd
systemctl stop $APPLIANCE_PG_SERVICE
systemctl disable $APPLIANCE_PG_SERVICE

vmdb
rm -f config/database.yml certs/v2_key REGION

Then you should be able to initialize the appliance cleanly using the console to fetch a key from a remote appliance.


#4

Good day @carbonin. I really appreciate that you took the time to provide assistance into my issue.

While the steps I excuted were not exactly as you described, you provided me with enough information so I could trial & error to a resolution of my problem.

My environment is composed of single miq instances per region (for now to prove the infrastructure first) where:
a. miq-88a is region 88 (Global/Master db)
b. miq-01a is region 01 (remote)
c. miq-02a is region 02 (remote)

As stated earlier the fetching of the key (key from Global) was not working out-of-the-box with the Fine-2 version (my initial testing was performed using Euwe-3 and worked well). Hence, the following steps describe a workaround to implement a multi-region miq infrastructure.

  1. If you had set miq-01a and miq-02a as remote remote replication and miq-88a as global replication, first remove the replication subscription under the global appliance (Global miq). Note; in my case this implies each region was previously created.
  2. On all appliances you should create backups of the /var/www/miq/vmdb/certs/v2_key and the /var/www/miq/vmdb/config/database.yml files. Copy the v2_key on the miq-88a (Global) into a name representing that it is the global key before you copy it to miq-01a and miq-02a. Do the same for the database.yml file (e.g. database-miq88a.yml) and copy to the other appliances as well.
  3. Once the files are copied from the Global/miq-88a to the Remote/miq-02a, then on miq-02a do:

STEP 1: on miq-02a# appliance_console, stop the EVM server and exit the appliance_console.
STEP 1: overwrite the v2_key with the v2_key file from the global/miq-88a (i.e. in dir:/var/www/miq/vmdb/certs)
STEP 2: modify the key within the database.yml with the same key used in the global/miq-88a ((i.e. in dir:/var/www/miq/vmdb/config) Note: if you were to try to miq-02a#appliance_console at this point it would fail
STEP 3: Call /var/www/miq/vmdb/bundle exec ruby tools/fix_auth.rb -v -y . Note: The lates command would allow you back into the miq-02a#appliance_console. In addition you will observe that the region is now showing as region 0 and that the EVM Server is not running. Trying to start the EVM Server from the option menu will show and error and attempting to reset the database (to set back to the proper region number) would also fail.
STEP 4: Call /var/www/miq/vmdb/bundle exec ruby tools/fix_auth.rb -v -p smartvm -P smartvm -i smartvm
STEP 5: Call /var/www/miq/vmdb/bundle exec ruby tools/fix_auth.rb -v -y
STEP 6: Go back into the appliance_console and restart the appliance

outcome: when the appliance restart you have access to the appliance_console and this time it will show the right region number. You are now running your miq-02a appliance with the same v2_key as the miq-88a appliance as required for a multi-region infrastructure implementation.

However, you will need to re-validate the user account/password used to attach a cloud provider. If you are using LDAP authentication you will also need to re-validate that user account password.

I hope this helps.

Again, thank you @carbonin for your help.

//-----------------------------------------
Here is the copy of my ssh session (i had used another terminal to call “appliance_console”).

[pod@node0 ~]$ ssh 172.16.0.60
Warning: Permanently added '172.16.0.60' (ECDSA) to the list of known hosts.
pod@172.16.0.60's password: 
Permission denied, please try again.
pod@172.16.0.60's password: 
Permission denied, please try again.
pod@172.16.0.60's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[pod@node0 ~]$ ssh root@172.16.0.60
root@172.16.0.60's password: 
Last login: Wed Jul 19 13:57:22 2017
Welcome to the Appliance Console

For a menu, please type: appliance_console
[root@miq-02a ~]# ls
anaconda-ks.cfg  anaconda-post.log
[root@miq-02a ~]# cd /var/www/miq/vmdb
[root@miq-02a vmdb]# ls
app         certs            data           Gemfile.lock  log           README.md  vendor
AUTHORS     CHANGELOG.md     db             GUID          package.json  REGION     VERSION
bin         config           docker-assets  lib           product       spec
bower.json  config.ru        Dockerfile     LICENSE.txt   public        tmp
bundler.d   CONTRIBUTING.md  Gemfile        locale        Rakefile      tools
[root@miq-02a vmdb]# cd certs
[root@miq-02a certs]# ls
server.cer  server.cer.key  v2_key  v2_key.2017Jul25.working  v2_key.dev
[root@miq-02a certs]# mv v2_key.2017Jul25.working v2_key.2017Jul25.globalworking 
[root@miq-02a certs]# ls
server.cer  server.cer.key  v2_key  v2_key.2017Jul25.globalworking  v2_key.dev
[root@miq-02a certs]# cp v2_key v2_key.2017Jul26.miq2-working
[root@miq-02a certs]# mv v2_key.2017Jul25.globalworking v2_key.2017Jul25.miq88a-working 
[root@miq-02a certs]# ls
server.cer      v2_key                           v2_key.2017Jul26.miq2-working
server.cer.key  v2_key.2017Jul25.miq88a-working  v2_key.dev
[root@miq-02a certs]# cp Connection to 172.16.0.60 closed by remote host.
Connection to 172.16.0.60 closed.
[pod@node0 ~]$ ssh root@172.16.0.60
root@172.16.0.60's password: 
Last login: Wed Jul 26 07:34:03 2017
Welcome to the Appliance Console

For a menu, please type: appliance_console
[root@miq-02a ~]# cd /var/www/miq/vmdb/certs
[root@miq-02a certs]# ls
server.cer      v2_key                           v2_key.2017Jul26.miq2-working
server.cer.key  v2_key.2017Jul25.miq88a-working  v2_key.dev
[root@miq-02a certs]# cd ..
[root@miq-02a vmdb]# cd config
[root@miq-02a config]# ls
api.yml           default_replication_exclude_tables.yml  preinitializer.rb
application.rb    dictionary_strings.rb                   puma.rb
boot.rb           environment.rb                          routes.rb
brakeman.ignore   environments                            secrets.yml.sample
brakeman.yml      ha_admin.yml                            settings
cable.yml         human_locale_names.yaml                 settings.yml
cable.yml.sample  initializers                            yaml_strings.rb
database.pg.yml   model_attributes.rb
database.yml      permissions.tmpl.yml
[root@miq-02a config]# cp database.yml database.bckmiq02a-2017Jul25-working.yml
[root@miq-02a config]# ls
api.yml                                   environments
application.rb                            ha_admin.yml
boot.rb                                   human_locale_names.yaml
brakeman.ignore                           initializers
brakeman.yml                              model_attributes.rb
cable.yml                                 permissions.tmpl.yml
cable.yml.sample                          preinitializer.rb
database.bckmiq02a-2017Jul25-working.yml  puma.rb
database.pg.yml                           routes.rb
database.yml                              secrets.yml.sample
default_replication_exclude_tables.yml    settings
dictionary_strings.rb                     settings.yml
environment.rb                            yaml_strings.rb
[root@miq-02a config]# more database.yml
---
base:
  adapter: postgresql
  encoding: utf8
  username: root
  pool: 5
  wait_timeout: 5
  min_messages: warning
development:
  adapter: postgresql
  encoding: utf8
  username: root
  pool: 5
  wait_timeout: 5
  min_messages: notice
  database: vmdb_development
production:
  adapter: postgresql
  encoding: utf8
  username: root
  pool: 5
  wait_timeout: 5
  min_messages: warning
  database: vmdb_production
  host: localhost
  password: v2:{uN2/SJw8p8/afYycH9DD3Q==}
test:
  adapter: postgresql
  encoding: utf8
  username: root
  pool: 3
  wait_timeout: 5
  min_messages: warning
  database: vmdb_test<%= ENV['TEST_ENV_NUMBER'] %>
[root@miq-02a config]# ls
api.yml                                   environments
application.rb                            ha_admin.yml
boot.rb                                   human_locale_names.yaml
brakeman.ignore                           initializers
brakeman.yml                              model_attributes.rb
cable.yml                                 permissions.tmpl.yml
cable.yml.sample                          preinitializer.rb
database.bckmiq02a-2017Jul25-working.yml  puma.rb
database-miq88a-working-2017Jul25.yml     routes.rb
database.pg.yml                           secrets.yml.sample
database.yml                              settings
default_replication_exclude_tables.yml    settings.yml
dictionary_strings.rb                     yaml_strings.rb
environment.rb
[root@miq-02a config]# more database-miq88a-working-2017Jul25.yml 
---
base:
  adapter: postgresql
  encoding: utf8
  username: root
  pool: 5
  wait_timeout: 5
  min_messages: warning
development:
  adapter: postgresql
  encoding: utf8
  username: root
  pool: 5
  wait_timeout: 5
  min_messages: notice
  database: vmdb_development
production:
  adapter: postgresql
  encoding: utf8
  username: root
  pool: 5
  wait_timeout: 5
  min_messages: warning
  database: vmdb_production
  host: localhost
  password: v2:{4gp9ZXRNyEfXSCQyug1Aeg==}
test:
  adapter: postgresql
  encoding: utf8
  username: root
  pool: 3
  wait_timeout: 5
  min_messages: warning
  database: vmdb_test<%= ENV['TEST_ENV_NUMBER'] %>
[root@miq-02a config]# vi database.yml
[root@miq-02a config]# cd ..
[root@miq-02a vmdb]# cd certs
[root@miq-02a certs]# ls
server.cer      v2_key                           v2_key.2017Jul26.miq2-working
server.cer.key  v2_key.2017Jul25.miq88a-working  v2_key.dev
[root@miq-02a certs]# cp v2_key.2017Jul25.miq88a-working v2_key
cp: overwrite ‘v2_key’? y
[root@miq-02a certs]# more v2_key
---
:algorithm: aes-256-cbc
:key: O0NK/1CGcxPLafNoIRyNQKv72w4mCpLxIUn/E45T3+k=
[root@miq-02a certs]# cd ..
[root@miq-02a vmdb]# bundle exec ruby tools/fix_auth.rb -y
fixing /var/www/miq/vmdb/config/database.yml.yaml
[root@miq-02a vmdb]# Connection to 172.16.0.60 closed by remote host.
Connection to 172.16.0.60 closed.
[pod@node0 ~]$ ssh root@172.16.0.60
root@172.16.0.60's password: 
Last login: Wed Jul 26 07:47:14 2017
Welcome to the Appliance Console

For a menu, please type: appliance_console
[root@miq-02a ~]# journalctl -xe
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings/walker.rb:40:in `walk_password
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings/walker.rb:56:in `decrypt_passw
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings.rb:69:in `decrypt_passwords!'
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/patches/config_patch.rb:3:in `reload!'
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings.rb:57:in `for_resource'
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings.rb:16:in `init'
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/config/application.rb:125:in `block in <class:Ap
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/config/environment.rb:5:in `<top (required)>'
Jul 26 07:48:36 miq-02a sh[2979]: OpenSSL::Cipher::CipherError: bad decrypt
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings/walker.rb:56:in `block in decr
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings/walker.rb:41:in `block in walk
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings/walker.rb:22:in `block in walk
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings/walker.rb:19:in `walk'
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings/walker.rb:26:in `block in walk
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings/walker.rb:19:in `walk'
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings/walker.rb:40:in `walk_password
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings/walker.rb:56:in `decrypt_passw
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings.rb:69:in `decrypt_passwords!'
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/patches/config_patch.rb:3:in `reload!'
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings.rb:57:in `for_resource'
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/lib/vmdb/settings.rb:16:in `init'
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/config/application.rb:125:in `block in <class:Ap
Jul 26 07:48:36 miq-02a sh[2979]: /var/www/miq/vmdb/config/environment.rb:5:in `<top (required)>'
Jul 26 07:48:36 miq-02a sh[2979]: Tasks: TOP => evm:start => environment
Jul 26 07:48:36 miq-02a sh[2979]: (See full trace by running task with --trace)
Jul 26 07:48:36 miq-02a systemd[1]: evmserverd.service: control process exited, code=exited status=1
Jul 26 07:48:36 miq-02a systemd[1]: Failed to start EVM server daemon.
-- Subject: Unit evmserverd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit evmserverd.service has failed.
-- 
-- The result is failed.
Jul 26 07:48:36 miq-02a systemd[1]: Unit evmserverd.service entered failed state.
Jul 26 07:48:36 miq-02a systemd[1]: evmserverd.service failed.
Jul 26 07:48:36 miq-02a systemd[1]: evmserverd.service holdoff time over, scheduling restart.
Jul 26 07:48:36 miq-02a systemd[1]: Starting EVM server daemon...
-- Subject: Unit evmserverd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit evmserverd.service has begun starting up.

[root@miq-02a ~]# cd /var/www/miq/vmdb
[root@miq-02a vmdb]# bundle exec ruby tools/fix_auth.rb -v -y
fixing /var/www/miq/vmdb/config/database.yml.yaml
  /var/www/miq/vmdb/config/database.yml:
    yaml:
      production.password: v2:{4gp9ZXRNyEfXSCQyug1Aeg==}
[root@miq-02a vmdb]# bundle exec ruby tools/fix_auth.rb -v -p smartvm -P smartvm -i smartvm
fixing authentications.password, auth_key
  2000000000001:
    password: "v2:{Yt3wnI20ZnMTJSmwhdeXmw==}" => v2:{4gp9ZXRNyEfXSCQyug1Aeg==} HARDCODED
fixing miq_databases.registration_http_proxy_server, session_secret_token, csrf_secret_token
  2000000000001:
    session_secret_token: "v2:{Z3+GoRWF2UahHLi+2viVtMo97xQfDh7PCcu0ZfvBSH4kWMfRUl/i7h83GnHr3L+FX71/SS/Wzh8625mXsxrZGlAKl+S3XHFcUkE5f4WfeyBnOYUv3RAnW9XS1zWvNhLM7Y8blL4YbmhT2nWsewlQhQ340TkP5rGWW441amxz/eLg28DgBIZn57J03hd3H7jS}" => v2:{yoSq1qi1+QuOvAvNIzLpTTiqH6tpGehmtOu9G9YiHQAVjcmnu9S/cwWmog6B6TA1aLpnwvlVBhldypx8rBJY1J7GA+GxU0socfTmBFCQ/6dph2svQa2xwzBg/r+DXfX8dCdmLI7nsr5NsquvNxZP2rSjoTRIPP2/E/RcyzYLsuOlHu76NSPh9XiVDKo6irRZ}
    csrf_secret_token: "v2:{9Lt53IuLs+tH4qFfAZfGdVCpRr6qwfAoONmvMT/lLR5iAGI3+yKIHMsJ1SMz7QKqhjQJWpz/WWYw3kobiHR8zsR117Cp4BGfrOww6LUME36Fhf7NIkl/sPXJEnYMayWCSBoTfGNpDJQ1r9iBelbW8OKfxdpxQEIuBCAGqVBAq4cFdvqUs2+pnLEFeTrXB5yA}" => v2:{t1o3l4W6RvyXBXt5m9a/JG2uvypZmVAEbJxF4w8vqhQzZ2trdYs2MsVZAxBfzdNkkBqdxMF3bj46f+F3JTa8GSdiTHJx7uarStmcceKnnlPj5BDD+ouS9s23VxYaYCTfKnTeNF0UadJfPsVwncLb3FonAbzsjxm+Q6sSn0g5pw5COFhhSczk1DQDfpHk+5f9}
fixing miq_ae_values.value
fixing miq_ae_fields.default_value
fixing miq_requests.options
fixing miq_request_tasks.options
fixing settings_changes.value
  2000000000015:
    value: "v2:{ChS2Ugn6u+JrboUpsOLB+g==}" => v2:{4gp9ZXRNyEfXSCQyug1Aeg==} HARDCODED
[root@miq-02a vmdb]# bundle exec ruby tools/fix_auth.rb -v -y
fixing /var/www/miq/vmdb/config/database.yml.yaml
  /var/www/miq/vmdb/config/database.yml:
    yaml:
      production.password: v2:{4gp9ZXRNyEfXSCQyug1Aeg==}
[root@miq-02a vmdb]# Connection to 172.16.0.60 closed by remote host.
Connection to 172.16.0.60 closed.
[pod@node0 ~]$