Should i copy /var/www/miq/vmdb/certs/v2_key on a new independant appliance?


#1

We want to make a lab : that is , an independant appliance for dev . We have imported production automation code from production environment but it looks like encrypted password can’t be decrypted:

running raised exception: can not decrypt v2_key encrypted string

So should we replace the lab key with the production key? /var/www/miq/vmdb/certs/v2_key?

FYI lab is docker CF 4.2.

Regards.
Gaétan.


#2

Yes copying the v2 key from prod will allow you to decrypt password. Same is needed if you want to import database data from prod.
Otherwise, you need to edit your automatation instance to put password again on dev, and you will need to do that each time you do an import from prod.


#3

i have imported the production key, renamed it v2_key.prod.

then did: bundle exec ruby tools/fix_auth.rb --legacy-key=v2_key.prod

results:

/var/www/miq/vmdb/gems/pending/util/miq-password.rb:39:in rescue in decrypt': can not decrypt v2_key encrypted string (MiqPassword::MiqPasswordError) from /var/www/miq/vmdb/gems/pending/util/miq-password.rb:36:indecrypt’
from /var/www/miq/vmdb/gems/pending/util/miq-password.rb:55:in rescue in recrypt' from /var/www/miq/vmdb/gems/pending/util/miq-password.rb:47:inrecrypt’
from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:33:in recrypt' from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:46:inblock in fix_passwords’
from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:44:in each' from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:44:infix_passwords’
from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:85:in block in run' from /opt/rh/cfme-gemset/gems/activerecord-5.0.3/lib/active_record/relation/delegation.rb:40:ineach’
from /opt/rh/cfme-gemset/gems/activerecord-5.0.3/lib/active_record/relation/delegation.rb:40:in each' from /var/www/miq/vmdb/tools/fix_auth/auth_model.rb:84:inrun’
from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:65:in block (2 levels) in fix_database_passwords' from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:64:ineach’
from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:64:in block in fix_database_passwords' from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:61:ineach’
from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:61:in fix_database_passwords' from /var/www/miq/vmdb/tools/fix_auth/fix_auth.rb:92:inrun’
from /var/www/miq/vmdb/tools/fix_auth/cli.rb:37:in run' from /var/www/miq/vmdb/tools/fix_auth/cli.rb:41:inrun’
from tools/fix_auth.rb:26:in `’

is there another method?


#4

You need to recreate DB using this key cause now you have password encrypted with v2_key.prod and database data encrypted using v2_key from your lab.
When installing lab, before creating DB, you must copy v2_key from prod instead of generating a new one. It should work.
(In my case dev DB has been created using a prod export)


#5

Good day @gquentin.

I have a similar problem with the v2_key (i.e. same errors). Did the proposal from LorkScorguar worked?


#6

I haven’t tried : i do not want to recreate the database. I would like to convert it.


#7

@gquentin You should be able to alter the passwords in database.yml using fix_auth’s -y option.

See my response to @codebeaver22’s question here


#8

It works:

  • stopping evm server
  • replacing the key with the prod one
  • bundle exec ruby tools/fix_auth.rb -v -y
  • bundle exec ruby tools/fix_auth.rb -v -p smartvm -P smartvm -i smartvm
  • bundle exec ruby tools/fix_auth.rb -v -y
  • starting evm

Regards.


Issue reusing v2_key across dev and prod appliances