Description:
Hi Experts,
Following up with the 9 pts configuring the keyring_okv plugin
http://dev.mysql.com/doc/refman/5.7/en/keyring-okv-plugin.html
I found that Step 8 does not give any object:
" /usr/bin/okvutil: 1: /usr/bin/okvutil: /bin/env: not found
No objects found "
" mysql> create table test.T1(id int) ENCRYPTION='Y' ;
ERROR 3185 (HY000): Can't find master key from keyring, please check keyring plugin is loaded. "
okvclient.ora file has the following info:
SERVER=172.29.87.79:5696
STANDBY_SERVER=127.0.0.1:5696
SERVER_DN=CN=server_cert,OU=Key_Vault,O=Oracle,L=Redwood_City,ST=California,C=us
GEN_TIMESTAMP=2016-04-19 11\:45\:19 UTC
UPDATE_TIMESTAMP=2016-04-19 18\:13\:48.087 IST
SW_TYPE=ENROLLED_ENDPOINT_SOFTWARE
my.cnf:
[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
explicit_defaults_for_timestamp
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/lib/mysql/mydata/mysql-keyring-okv
The mysql-keyring-okv has the following files :
root@BLR-SOFT-228:~# ls /usr/lib/mysql/mydata/mysql-keyring-okv/
CA.pem cert_req.pem keytemp.pem okvclient.ora
cert.pem key.pem logging.properties ssl
mysql> show variables like '%key%' \G;
*************************** 1. row ***************************
Variable_name: delay_key_write
Value: ON
*************************** 2. row ***************************
Variable_name: foreign_key_checks
Value: ON
*************************** 3. row ***************************
Variable_name: have_rtree_keys
Value: YES
*************************** 4. row ***************************
Variable_name: key_buffer_size
Value: 8388608
*************************** 5. row ***************************
Variable_name: key_cache_age_threshold
Value: 300
*************************** 6. row ***************************
Variable_name: key_cache_block_size
Value: 1024
*************************** 7. row ***************************
Variable_name: key_cache_division_limit
Value: 100
*************************** 8. row ***************************
Variable_name: keyring_okv_conf_dir
Value: /usr/lib/mysql/mydata/mysql-keyring-okv
*************************** 9. row ***************************
Variable_name: max_seeks_for_key
Value: 18446744073709551615
*************************** 10. row ***************************
Variable_name: sha256_password_auto_generate_rsa_keys
Value: ON
*************************** 11. row ***************************
Variable_name: sha256_password_private_key_path
Value: private_key.pem
*************************** 12. row ***************************
Variable_name: sha256_password_public_key_path
Value: public_key.pem
*************************** 13. row ***************************
Variable_name: ssl_key
Value: server-key.pem
13 rows in set (0.01 sec)
Please suggest.
How to repeat:
1.) After setting up the OKV Server,
2.) enabled endpoint self enrollment and downloaded the okvclient.jar file,
3.) Installed okvclient.jar using command :
java -jar okvclient.jar -d /usr/lib/mysql/mydata/test -v
Files in test dir:
root@BLR-SOFT-228:/usr/lib/mysql/mydata/test# ls
bin conf jlib lib log ssl
5.) Checking for okvclient.ora file content :
root@BLR-SOFT-228:/usr/lib/mysql/mydata/test# cd conf
<dir> conf : It has two files
root@BLR-SOFT-228:/usr/lib/mysql/mydata/test/conf# ls
logging.properties okvclient.ora
OUTPUT:
root@BLR-SOFT-228:/usr/lib/mysql/mydata/test/conf# cat okvclient.ora
SERVER=172.29.87.79:5696
STANDBY_SERVER=127.0.0.1:5696
SERVER_DN=CN=server_cert,OU=Key_Vault,O=Oracle,L=Redwood_City,ST=California,C=us
GEN_TIMESTAMP=2016-04-20 11\:17\:15 UTC
UPDATE_TIMESTAMP=2016-04-20 16\:48\:55.094 IST
SW_TYPE=ENROLLED_ENDPOINT_SOFTWARE
JAVA_HOME=/usr/lib/jvm/java-6-openjdk-amd64/jre
OKV_JVM_LIB_PATH=/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/cacao/libjvm.so
SSL_WALLET_LOC=/usr/lib/mysql/mydata/test/ssl
_NOT_STRICT_PKCS11=1
PKCS11_NO_KMIP_OBJECT_ACCESS_CHECK=0
6.) "Go to the Oracle Key Vault installer directory and test the setup by running this command:
okvutil/bin/okvutil list"
This process as per the documentation gives me
root@BLR-SOFT-228:/usr/lib/mysql/mydata/test/bin# okvutil list
/usr/bin/okvutil: 1: /usr/bin/okvutil: /bin/env: not found
Error: Server Communication Error
7.) Extracting SSL material from
using jar xf okvclient.jar ssl command
root@BLR-SOFT-228:/usr/lib/mysql/mydata# jar xf okvclient.jar ssl
root@BLR-SOFT-228:/usr/lib/mysql/mydata# ls
mysql-keyring-okv okvclient.jar ssl test
root@BLR-SOFT-228:/usr/lib/mysql/mydata# cd ssl
root@BLR-SOFT-228:/usr/lib/mysql/mydata/ssl# ls
CA.pem cert.pem cert_req.pem key.pem keytemp.pem
8.) Placing the SSL files from <ssl directory> and okvclient.ora
to mysql-keyring-okv <dir> created as per :
shell> cd /usr/lib/mysql (used lib instead of local)
shell> mkdir mysql-keyring-okv
shell> chmod 750 mysql-keyring-okv
shell> chown mysql mysql-keyring-okv
shell> chgrp mysql mysql-keyring-okv
root@BLR-SOFT-228:/usr/lib/mysql/mydata/mysql-keyring-okv# ls
CA.pem cert.pem cert_req.pem key.pem keytemp.pem logging.properties okvclient.ora
9.) Setting path in my.cnf to keyring_okv_conf_dir and early-plugin-load variables
early-plugin-load=keyring_okv.so
keyring_okv_conf_dir=/usr/lib/mysql/mydata/mysql-keyring-okv
10.) Restarting MySQL service
11.)
" mysql> create table test.T1(id int) ENCRYPTION='Y' ;
ERROR 3185 (HY000): Can't find master key from keyring, please check keyring plugin is loaded. "
12.) Plugin is loaded as per show plugins
keyring_okv | ACTIVE | KEYRING | keyring_okv.so | PROPRIETARY |
Suggested fix:
The error message is insufficient to debug, setting ssl materials need to communicate along with dir configuration where ssl materials and logging.properties and okvclient.ora are placed.
The error message shows can't find key from keyring.
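The manual page linked in the description gives the keyring_okv_conf_dir layout as okvclient.ora plus an ssl subdirectory holding CA.pem, cert.pem and key.pem. The script below is an added example, not part of the original report or of MySQL, that checks a directory against that layout and against the chmod 750 used in step 8; check_okv_conf_dir is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from MySQL or the report).
# Layout assumed from the MySQL 5.7 keyring_okv manual page:
#   <conf_dir>/okvclient.ora
#   <conf_dir>/ssl/CA.pem, cert.pem, key.pem
# Prints one line per problem; returns 0 only if nothing was found.
check_okv_conf_dir() {
    dir=$1
    problems=0

    if [ ! -d "$dir" ]; then
        echo "MISSING directory $dir"
        return 1
    fi

    # The report uses chmod 750: no access for "other" (mode chars 8-10).
    other=$(ls -ld "$dir" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "PERMS $dir is accessible to other users ($other)"
        problems=$((problems + 1))
    fi

    if [ ! -f "$dir/okvclient.ora" ]; then
        echo "MISSING $dir/okvclient.ora"
        problems=$((problems + 1))
    fi

    for f in CA.pem cert.pem key.pem; do
        [ -f "$dir/ssl/$f" ] && continue
        if [ -f "$dir/$f" ]; then
            # Present, but not where the documented layout puts it.
            echo "MISPLACED $f is in $dir, expected in $dir/ssl"
        else
            echo "MISSING $dir/ssl/$f"
        fi
        problems=$((problems + 1))
    done

    [ "$problems" -eq 0 ]
}

# Run against the directory given on the command line, if any.
if [ $# -gt 0 ]; then
    check_okv_conf_dir "$1" && echo "OK $1"
fi
```

Run it as the mysql user with the value of keyring_okv_conf_dir as its argument, so file visibility matches what the server process sees.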