Bug #55505 Imported root CAs not kept after upgrade
Submitted: 23 Jul 2010 11:39 Modified: 9 Jan 2015 10:25
Reporter: Leandro Morgado
Status: Closed
Category: MySQL Enterprise Monitor: Server Severity: S3 (Non-critical)
Version: 2.2.1.1721 -> 2.2.2.1730 OS:Any
Assigned to: Assigned Account CPU Architecture:Any

[23 Jul 2010 11:39] Leandro Morgado
Description:
If using LDAP authentication with SSL/STARTTLS and the LDAP server has a "self-signed" certificate, we need to import the root CA that issued it. This is imported by default to:

/opt/mysql/enterprise/monitor/java/lib/security/cacerts

When upgrading the monitor, anything manually imported is discarded and overwritten with a new cacert bundle. 

How to repeat:
Install MEM and import the root CA certificate with:

shell> cd  /opt/mysql/enterprise/monitor/java
shell> bin/keytool -import -trustcacerts -alias ldapssl \
       -file /etc/openldap/ssl/ca-cert.pem -keystore lib/security/cacerts

Upgrade the server using the upgrade installation binaries. See that the previously imported certificate is not there:

shell> cd /opt/mysql/enterprise/monitor/java
shell> bin/keytool -list -v -keystore lib/security/cacerts -alias ldapssl

Suggested fix:
Retain previously imported certificates when upgrading
[19 Aug 2010 15:43] BitRock Merlin
Hi, 

We would need to know the specific path that you want us to check and backup. For java it seems that the default location is <install-root>/java/lib/security/cacerts, but we will need to know also the path that we need to check for tomcat.

Thanks.
[25 Aug 2010 14:24] BitRock Merlin
Patch sent to Andy.
[13 Sep 2010 11:56] Enterprise Tools JIRA Robot
Carsten Segieth writes: 
- tested with 2.2.3.1745 for all systems, with 2.3.0.2023 for Linux the msg is shown during update and written to configuration_report.txt
- but: on Mac OSX a dir ".../java/..." is mentioned in the message which does not exist in MacOSX installations (see also Marcos' note above). This needs to be fixed
[20 Sep 2010 10:08] BitRock Merlin
Patch sent to Andy.
[21 Sep 2010 11:25] Leandro Morgado
Hi guys,

Current instructions are:

Keystores backup: If you have imported your own SSL certificates into either the 
Java or Tomcat system keystores (e.g. to enable LDAP authentication with 
SSL/STARTTLS), you will have to extract them from the backups listed below and 
manually re-import them:
/opt/mysql/enterprise/monitor/backup-2.2.3.1739/apache-tomcat/conf/myKeystore
/opt/mysql/enterprise/monitor/backup-2.2.3.1739/java/lib/security/cacerts

This should really point to documentation stating *how* to import it:

 https://enterprise.mysql.com/docs/monitor/2.2/en/mem-program-reference.html#mem-program-re...

I guess the page above could have more specific instructions for upgrade scenarios.
[21 Sep 2010 12:02] Simon Mudd
Also what would seem helpful is to import the keys from the OLD keystore. This isn't shown. Perhaps the mechanism is the same, but I'm not sure. It's much easier since you've just done a backup to know FOR SURE where the old keystore was located and not need to depend on external keys anywhere. Not sure if this is possible or makes sense but most DBAs do not play with SSL keys and stuff so this is all a bit confusing. I'd rather spend my time worrying about database configurations than worrying about the complexities of moving keys about during a merlin server upgrade.
[21 Sep 2010 18:39] Leandro Morgado
Hi,

Merging the keystores might not be possible to do automatically, but it looks achievable with some user input. We have the location of both the backed up and newly installed keystores. We need:

1) Passwords to both source and destination keystores
2) Source and destination aliases for the custom root CAs to be imported

If we want to allow importing more than one root CA (edge use case) then we'll need a list of tuples of aliases instead. 

Assuming we only need to import 1 root CA we can issue the following command:

shell> pwd
/opt/mysql/enterprise/monitor/java/bin
shell> ./keytool -importkeystore \
    -srckeystore /opt/mysql/enterprise/monitor/backup/java/lib/security/cacerts \
    -destkeystore /opt/mysql/enterprise/monitor/java/lib/security/cacerts \
    -srcstorepass changeit -deststorepass changeit \
    -srcalias myorigrootca -destalias myrootca

The default password for keystores in Java is "changeit". Users might however have changed it ;)

We'll always need the myorigrootca alias to extract the original root CA from the backed up keystore. We can opt to store it in the newly installed keystore with the same alias.
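As an added example (not part of this bug report or of the MEM installer), the merge described in the comment above as a POSIX shell script that also covers the "more than one root CA" case: it diffs the alias lists of the backed-up and newly installed keystores and re-imports every alias that exists only in the backup. The paths and the "changeit" default come from the comment; the keytool output parsing and the environment overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of bug #55505 or of the MEM installer: after an
# upgrade, copy every trust anchor that exists only in the backed-up Java
# keystore into the freshly installed one. Assumptions: keytool is on PATH,
# and the paths/passwords below may be overridden through the environment.
SRC_STORE="${SRC_STORE:-/opt/mysql/enterprise/monitor/backup/java/lib/security/cacerts}"
DST_STORE="${DST_STORE:-/opt/mysql/enterprise/monitor/java/lib/security/cacerts}"
SRC_PASS="${SRC_PASS:-changeit}"   # Java default; the user may have changed it
DST_PASS="${DST_PASS:-changeit}"

# Read `keytool -list` (non-verbose) output on stdin and print one alias per
# line, sorted. Entry lines look like:
#   ldapssl, Jul 23, 2010, trustedCertEntry,
aliases_from_list() {
    awk '/(trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),? *$/ {
             sub(/,.*$/, ""); print }' | sort
}

# $1, $2: files holding `keytool -list` output of the backup and the new store.
# Prints aliases present only in the backup: the stock CA bundle is in both
# stores, so what remains is exactly what was imported by hand.
custom_aliases() {
    src_tmp=$(mktemp); dst_tmp=$(mktemp)
    aliases_from_list <"$1" >"$src_tmp"
    aliases_from_list <"$2" >"$dst_tmp"
    comm -23 "$src_tmp" "$dst_tmp"
    rm -f "$src_tmp" "$dst_tmp"
}

# Re-import each custom alias under the same name; -noprompt suppresses the
# per-entry confirmation so the loop runs unattended.
reimport_custom_cas() {
    src_list=$(mktemp); dst_list=$(mktemp)
    keytool -list -keystore "$SRC_STORE" -storepass "$SRC_PASS" >"$src_list"
    keytool -list -keystore "$DST_STORE" -storepass "$DST_PASS" >"$dst_list"
    custom_aliases "$src_list" "$dst_list" | while read -r alias; do
        echo "re-importing '$alias' into $DST_STORE"
        keytool -importkeystore -noprompt \
            -srckeystore "$SRC_STORE" -srcstorepass "$SRC_PASS" \
            -destkeystore "$DST_STORE" -deststorepass "$DST_PASS" \
            -srcalias "$alias" -destalias "$alias"
    done
    rm -f "$src_list" "$dst_list"
}

# Only touch the keystores when explicitly asked, e.g. `sh reimport.sh --run`.
if [ "${1:-}" = "--run" ]; then
    reimport_custom_cas
fi
```

Run it once after the upgrade, before touching the LDAP settings, and verify with `keytool -list -alias ldapssl` as in the original repro steps.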
[29 Sep 2010 18:46] Enterprise Tools JIRA Robot
Carsten Segieth writes: 
messages checked OK in 2.3.0.2025 + 2.2.4.1756
[5 Oct 2010 21:03] Enterprise Tools JIRA Robot
Andy Bang writes: 
When EM-4934 is done, we will add a link to the associated section in the documentation in both the installer and the configuration report.