Setting Centralized Administration

fine

#1

I remember having set Centralized Administration under the replication subscription in an earlier version. I recently installed the latest Fine-2 and now I can’t seem to find where to set the Centralized Administration. Can anyone guide me?


#2

I keep getting an error from the Centralized MIQ instance as: “Unable to create Cloud Subnet: can not decrypt v2_key encrypted string”.

I have tried rebuilding the remote miq instance and “fetch” the certs by using appliance_console option 12 from the remote (fetching the certs from the centralized miq instance). That failed miserably every time, where I was no longer able to call appliance_console.


#3

Central admin only works if both regions share the same v2_key.

If you have both in hand I think the fix_auth.rb tool can help you translate encrypted strings in your database from using one key to the other.

I’m not sure of the exact usage for this case though. Maybe @kbrock would know.


#4

Good morning and thank you @carbonin. I understand well that we need the same v2_key in all miq instances in all regions (preferably fetched from the Global Region). But the problem resides with the appliance_console application where, whether I create a new key (option: 12) -> 1)) or Fetch the key from the Global Region (option 2) --> 2)), it seems to break the miq instance under configuration to the point I am no longer able to start the “Appliance_console” due to no longer being able to decrypt the v2_key.

I have now done trial and error of multiple scenarios (i.e. steps sequence, trying to fix the v2_key with the bundle exec ruby tools/fix_auth.rb --key (different combinations)), and I consistently get the same result (i.e. no longer able to start the “Appliance_console” due to no longer being able to decrypt the v2_key).

I am stuck at this point HELP!


#5

@codebeaver22 When you have troubles with the v2_key, the fix_auth tool is your friend.

Do keep in mind that --key will generate a new key. Which tends not to be what you want to do. Typically --key is only run one time within a whole installation.

If you want to change a database from one key to another:

  1. Backup the old key (e.g. copy to certs/v2_key.old)
  2. Put the new key into place (copy it to manageiq/certs directory or run fix_auth --key)
  3. Convert the passwords to using the new key: fix_auth --db --legacy v2_key.old

If you find yourself with a database and do not have a copy of the encryption key:

  1. Put the new key into place (copy it to manageiq/certs directory or run fix_auth --key)
  2. Reset passwords to use current key: fix_auth --db --invalid something.
  3. Change any passwords to the proper value. (The above line changed them all to "something".)

You may need to fix_auth --databaseyml --password $DBPASSWORD to change the database.yml file to be encrypted with the proper password.
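
The first procedure in the answer above (changing a database from one key to another), as an added shell example that is not part of the thread or ManageIQ's own tooling. The function names, the certs-directory argument and the 0400 file mode are assumptions; step 3 is printed exactly as the answer gives it rather than executed, so it can be reviewed and run from the appliance by hand.

```shell
#!/bin/sh
# Added example: function names, arguments and file mode are assumptions,
# not part of ManageIQ. Key contents are never printed, only a SHA-256 digest.

# Print a fingerprint of a key file so two regions can be compared
# without copying or displaying the key itself.
key_fingerprint() {
  sha256sum "$1" | cut -d' ' -f1
}

# Succeed only if the two key files are byte-identical.
same_key() {
  cmp -s "$1" "$2"
}

# swap_v2_key CERTS_DIR NEW_KEY
# Step 1: back up the current key as v2_key.old.
# Step 2: put the new key into place.
# Step 3: print the conversion command from the answer above (not run here).
# Returns: 1 unreadable input, 2 keys already identical,
#          3 a previous backup exists, 4 the installed key failed verification.
swap_v2_key() {
  [ -r "$1/v2_key" ] || { echo "no readable v2_key in $1" >&2; return 1; }
  [ -r "$2" ]        || { echo "cannot read new key $2" >&2; return 1; }

  # Nothing to convert if both regions already share the key.
  if same_key "$1/v2_key" "$2"; then
    echo "keys already match; no conversion needed" >&2
    return 2
  fi

  # Never overwrite an earlier backup: it may be the only copy of the key
  # the database is still encrypted with.
  [ ! -e "$1/v2_key.old" ] || { echo "$1/v2_key.old exists; aborting" >&2; return 3; }

  cp -p "$1/v2_key" "$1/v2_key.old"                # step 1
  install -m 0400 "$2" "$1/v2_key.tmp"             # step 2, owner-read-only (assumed mode)
  mv -f "$1/v2_key.tmp" "$1/v2_key"
  same_key "$1/v2_key" "$2" || return 4

  echo "fix_auth --db --legacy v2_key.old"         # step 3, as given in the answer
}
```

Running `key_fingerprint` on the v2_key of each region and comparing the two digests is a quick way to confirm the precondition from post #3 before enabling central admin.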