Bug #107401 keyring not installed properly
Submitted: 26 May 2022 7:47
Modified: 27 Jun 2022 14:41
Reporter: Marco Antonelli
Status: No Feedback
Category: MySQL Server
Severity: S4 (Feature request)
Version: 5.7.27 commercial
OS: CentOS (7)
Assigned to: MySQL Verification Team
CPU Architecture: Any
Tags: keyring, plugin dir, plugins

[26 May 2022 7:47] Marco Antonelli
I'm trying to install and integrate MySQL's keyring_okv plugin following this guide https://dev.mysql.com/doc/mysql-security-excerpt/5.7/en/keyring-okv-plugin.html but when I restart the mysqld service I get these errors:

2022-05-26T07:10:16.885091Z 0 [Warning] Plugin keyring_okv reported: 'Could not connect to the primary server! Trying the standby server.'
2022-05-26T07:10:16.910022Z 0 [Warning] Plugin keyring_okv reported: 'Could not connect to the primary server! Trying the standby server.'
2022-05-26T07:10:16.910048Z 0 [ERROR] Plugin keyring_okv reported: 'Could not connect to the OKV server'
2022-05-26T07:10:16.910055Z 0 [ERROR] Plugin keyring_okv reported: 'keyring_okv initialization failure. Please check that the keyring_okv_conf_dir points to a readable directory and that the directory contains Oracle Key Vault configuration file and ssl materials. Please also check that Oracle Key Vault is up and running.'
2022-05-26T07:10:16.910060Z 0 [ERROR] Plugin 'keyring_okv' init function returned error.

The my.cnf is configured as explained in the guide above:

The okvclient is also configured with my CipherTrust servers.


How to repeat:
This can be repeated following this guide for Gemalto KeySecure:

having virtual CipherTrust Manager k170v (even the trial version is good).

Because this is a KMIP integration on CipherTrust Manager, I had to create:
1. Local RootCA for KMIP, and upload to /usr/local/mysql/mysql-keyring-okv/ssl
2. CSR for Client (CentOS) signing with the Local RootCA for KMIP and with its private key upload to /usr/local/mysql/mysql-keyring-okv/ssl
3. CSR for server and signing with Local RootCA for KMIP
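
The initialization error in the log above asks for a readable keyring_okv_conf_dir holding the configuration file and SSL materials. The script below is an added example, not part of the bug report or of MySQL, that checks such a directory before mysqld is restarted. The file names come from the MySQL keyring_okv documentation; the helper name `check_okv_conf_dir` is hypothetical, and treating STANDBY_SERVER as optional is an assumption.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of a keyring_okv configuration directory.
# Expected entries follow the MySQL keyring_okv documentation:
#   okvclient.ora, ssl/CA.pem, ssl/cert.pem, ssl/key.pem
# check_okv_conf_dir is a hypothetical helper name, not a MySQL tool.

check_okv_conf_dir() {
    local dir=$1 rc=0 f key line mode
    if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: $dir is not a readable directory"
        return 1
    fi
    for f in okvclient.ora ssl/CA.pem ssl/cert.pem ssl/key.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "FAIL: missing or unreadable $f"
            rc=1
        fi
    done
    # The client private key should be accessible to its owner only.
    if [ -f "$dir/ssl/key.pem" ]; then
        mode=$(stat -c '%a' "$dir/ssl/key.pem")   # GNU stat, as on CentOS
        case $mode in
            ?00) ;;
            *) echo "FAIL: ssl/key.pem mode $mode grants group/other access"; rc=1 ;;
        esac
    fi
    # SERVER must be host:port. Assumption: STANDBY_SERVER is only
    # validated when the line is present.
    if [ -r "$dir/okvclient.ora" ]; then
        for key in SERVER STANDBY_SERVER; do
            line=$(grep -E "^${key}=" "$dir/okvclient.ora" | head -n1)
            [ -z "$line" ] && [ "$key" = STANDBY_SERVER ] && continue
            if ! printf '%s\n' "$line" | grep -Eq "^${key}=[^:[:space:]]+:[0-9]+\$"; then
                echo "FAIL: $key entry missing or not host:port"
                rc=1
            fi
        done
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir has the expected files"
    return "$rc"
}

# Run directly with the directory as the first argument.
if [ -n "${1:-}" ]; then
    check_okv_conf_dir "$1"
fi
```

Run it as the operating-system account that mysqld runs under, because the readability tests are evaluated for the calling user and root passes them regardless of file permissions.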
[27 May 2022 14:41] MySQL Verification Team

Supported and tested are

* Oracle Key Vault
* Gemalto SafeNet KeySecure Appliance
* Townsend Alliance Key Manager 

THALES Virtual CipherTrust Manager is not supported. I can log this as a feature request if you want.

Kind regards

[28 Jun 2022 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".