Bug #107401 keyring not installed properly
Submitted: 26 May 2022 7:47
Modified: 27 Jun 2022 14:41
Reporter: Marco Antonelli
Status: No Feedback
Category: MySQL Server
Severity: S4 (Feature request)
Version: 5.7.27 commercial
OS: CentOS (7)
Assigned to: MySQL Verification Team
CPU Architecture: Any
Tags: keyring, plugin dir, plugins

[26 May 2022 7:47] Marco Antonelli
Description:
I'm trying to install and integrate the MySQL plugin keyring_okv following this guide https://dev.mysql.com/doc/mysql-security-excerpt/5.7/en/keyring-okv-plugin.html but when I restart the mysqld service I get these errors:

2022-05-26T07:10:16.885091Z 0 [Warning] Plugin keyring_okv reported: 'Could not connect to the primary server! Trying the standby server.'
2022-05-26T07:10:16.910022Z 0 [Warning] Plugin keyring_okv reported: 'Could not connect to the primary server! Trying the standby server.'
2022-05-26T07:10:16.910048Z 0 [ERROR] Plugin keyring_okv reported: 'Could not connect to the OKV server'
2022-05-26T07:10:16.910055Z 0 [ERROR] Plugin keyring_okv reported: 'keyring_okv initialization failure. Please check that the keyring_okv_conf_dir points to a readable directory and that the directory contains Oracle Key Vault configuration file and ssl materials. Please also check that Oracle Key Vault is up and running.'
2022-05-26T07:10:16.910060Z 0 [ERROR] Plugin 'keyring_okv' init function returned error.

The my.cnf is configured as explained in the guide above:
[mysqld]
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv

The okvclient is also configured with my Ciphertrust servers.

Thanks.

How to repeat:
This can be repeated by following this guide for Gemalto KeySecure:
https://dev.mysql.com/doc/mysql-security-excerpt/5.7/en/keyring-okv-plugin.html

Having a virtual Ciphertrust Manager k170v (even the trial version is good).
https://supportportal.thalesgroup.com/csm?id=csm_product&sys_id=a0fff7bbdb5e541091a9742339...

Because this is a KMIP integration on Ciphertrust Manager, I had to create:
1. Local RootCA for KMIP, and upload to /usr/local/mysql/mysql-keyring-okv/ssl
2. CSR for Client (centos) signing with the Local RootCA for KMIP and with its private key upload to /usr/local/mysql/mysql-keyring-okv/ssl
3. CSR for server and signing with Local RootCA for KMIP
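
The initialization error above asks for a readable keyring_okv_conf_dir that holds the configuration file and the SSL materials. As an added example (not part of the original report and not MySQL's own code), this shell function checks that layout before a restart; the file names okvclient.ora, ssl/CA.pem, ssl/cert.pem and ssl/key.pem and the SERVER=host:port format come from the MySQL keyring_okv documentation and are assumptions relative to this page.

```shell
#!/bin/sh
# Added example: preflight check of a keyring_okv_conf_dir before restarting mysqld.
# Assumed layout (MySQL keyring_okv documentation, not shown in this report):
#   <dir>/okvclient.ora and <dir>/ssl/{CA.pem,cert.pem,key.pem}

# Succeeds if $1 looks like host:port.
is_endpoint() {
    printf '%s\n' "$1" | grep -Eq '^[^:[:space:]]+:[0-9]+$'
}

# Prints one finding per line; returns 0 if there are none, 1 otherwise.
check_okv_conf_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: $dir is not a readable directory"
        return 1
    fi
    for f in okvclient.ora ssl/CA.pem ssl/cert.pem ssl/key.pem; do
        if [ ! -f "$dir/$f" ] || [ ! -r "$dir/$f" ]; then
            echo "FAIL: $f is missing or unreadable"
            rc=1
        fi
    done
    # The client private key must not be accessible to group or others.
    if [ -f "$dir/ssl/key.pem" ]; then
        mode=$(ls -ld "$dir/ssl/key.pem" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "FAIL: ssl/key.pem is accessible to group or others"
            rc=1
        fi
    fi
    if [ -r "$dir/okvclient.ora" ]; then
        # SERVER is required; STANDBY_SERVER is checked only when present.
        server=$(sed -n 's/^SERVER=//p' "$dir/okvclient.ora" | head -n 1)
        standby=$(sed -n 's/^STANDBY_SERVER=//p' "$dir/okvclient.ora" | head -n 1)
        if ! is_endpoint "$server"; then
            echo "FAIL: SERVER is not host:port"
            rc=1
        fi
        if [ -n "$standby" ] && ! is_endpoint "$standby"; then
            echo "FAIL: STANDBY_SERVER is not host:port"
            rc=1
        fi
    fi
    return $rc
}
```

Run it as the account mysqld runs as, for example `check_okv_conf_dir /usr/local/mysql/mysql-keyring-okv`. It inspects local files only and does not contact the key server.
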
[27 May 2022 14:41] MySQL Verification Team
Hi,

Supported and tested are

* Oracle Key Vault
* Gemalto SafeNet KeySecure Appliance
* Townsend Alliance Key Manager 

THALES Virtual CipherTrust Manager is not supported. I can log this as a feature request if you want.

kind regards
[28 Jun 2022 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".