Bug #81159 MySQL TDE Encryption using OKV(Oracle Key Vault) Configuration Issues
Submitted: 20 Apr 2016 14:38
Reporter: BAJRANG LAL PANIGRAHI Email Updates:
Status: Open Impact on me:
Category:MySQL Server: Security: Encryption Severity:S4 (Feature request)
Version:5.7.12 OS:Debian (Ubuntu Linux 12.04)
Assigned to: CPU Architecture:Any
Tags: configuration, encryption, okv

[20 Apr 2016 14:38] BAJRANG LAL PANIGRAHI
Hi Experts, 

Following up with the 9 pts configuring the keyring_okv plugin


I found the Step - 8 does not give any object.,
" /usr/bin/okvutil: 1: /usr/bin/okvutil: /bin/env: not found
No objects found "

" mysql> create table test.T1(id int) ENCRYPTION='Y' ;
ERROR 3185 (HY000): Can't find master key from keyring, please check keyring plugin is loaded. "

okvclient.ora file has the following info:
GEN_TIMESTAMP=2016-04-19 11\:45\:19 UTC
UPDATE_TIMESTAMP=2016-04-19 18\:13\:48.087 IST


user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
basedir         = /usr
datadir         = /var/lib/mysql
tmpdir          = /tmp
lc-messages-dir = /usr/share/mysql


The mysql-keyring-okv has the following files :

root@BLR-SOFT-228:~# ls /usr/lib/mysql/mydata/mysql-keyring-okv/  
CA.pem    cert_req.pem  keytemp.pem         okvclient.ora
cert.pem  key.pem       logging.properties  ssl

mysql> show variables like '%key%' \G;
*************************** 1. row ***************************
Variable_name: delay_key_write
        Value: ON
*************************** 2. row ***************************
Variable_name: foreign_key_checks
        Value: ON
*************************** 3. row ***************************
Variable_name: have_rtree_keys
        Value: YES
*************************** 4. row ***************************
Variable_name: key_buffer_size
        Value: 8388608
*************************** 5. row ***************************
Variable_name: key_cache_age_threshold
        Value: 300
*************************** 6. row ***************************
Variable_name: key_cache_block_size
        Value: 1024
*************************** 7. row ***************************
Variable_name: key_cache_division_limit
        Value: 100
*************************** 8. row ***************************
Variable_name: keyring_okv_conf_dir
        Value: /usr/lib/mysql/mydata/mysql-keyring-okv
*************************** 9. row ***************************
Variable_name: max_seeks_for_key
        Value: 18446744073709551615
*************************** 10. row ***************************
Variable_name: sha256_password_auto_generate_rsa_keys
        Value: ON
*************************** 11. row ***************************
Variable_name: sha256_password_private_key_path
        Value: private_key.pem
*************************** 12. row ***************************
Variable_name: sha256_password_public_key_path
        Value: public_key.pem
*************************** 13. row ***************************
Variable_name: ssl_key
        Value: server-key.pem
13 rows in set (0.01 sec)

Please suggest .

How to repeat:

1.) After setting up the OKV Server, 
2.) enabled endpoint self enrollment and downloaded the okvclient.jar file,
3.) Installed okvclient.jar using command :
java -jar okvclient.jar -d /usr/lib/mysql/mydata/test -v

Files in test dir: 
root@BLR-SOFT-228:/usr/lib/mysql/mydata/test# ls
bin  conf  jlib  lib  log  ssl

5.) Checking for okvclient.ora file content : 

root@BLR-SOFT-228:/usr/lib/mysql/mydata/test# cd conf 
<dir> conf : It has two files 
root@BLR-SOFT-228:/usr/lib/mysql/mydata/test/conf# ls
logging.properties  okvclient.ora

root@BLR-SOFT-228:/usr/lib/mysql/mydata/test/conf# cat okvclient.ora 
GEN_TIMESTAMP=2016-04-20 11\:17\:15 UTC
UPDATE_TIMESTAMP=2016-04-20 16\:48\:55.094 IST

6.)  "Go to the Oracle Key Vault installer directory and test the setup by running this command:
okvutil/bin/okvutil list" 

This process as per the documentation gives me 

root@BLR-SOFT-228:/usr/lib/mysql/mydata/test/bin# okvutil list
/usr/bin/okvutil: 1: /usr/bin/okvutil: /bin/env: not found
Error: Server Communication Error

7.) Extracting SSL material from 
using jar xf okvclient.jar ssl command 

root@BLR-SOFT-228:/usr/lib/mysql/mydata# jar xf okvclient.jar ssl

root@BLR-SOFT-228:/usr/lib/mysql/mydata# ls
mysql-keyring-okv  okvclient.jar  ssl  test

root@BLR-SOFT-228:/usr/lib/mysql/mydata# cd ssl

root@BLR-SOFT-228:/usr/lib/mysql/mydata/ssl# ls
CA.pem  cert.pem  cert_req.pem  key.pem  keytemp.pem

8.) Placing the SSL files from <ssl directory> and okvclient.ora 
to mysql-keyring-okv <dir> created as per :

shell> cd /usr/lib/mysql (used lib instead of local)
shell> mkdir mysql-keyring-okv
shell> chmod 750 mysql-keyring-okv
shell> chown mysql mysql-keyring-okv
shell> chgrp mysql mysql-keyring-okv

root@BLR-SOFT-228:/usr/lib/mysql/mydata/mysql-keyring-okv# ls
CA.pem  cert.pem  cert_req.pem  key.pem  keytemp.pem  logging.properties  okvclient.ora 

9.) Setting path in my.cnf to keyring_okv_conf_dir and early-plugin-load variables


10.) Restarting MySQL service 

" mysql> create table test.T1(id int) ENCRYPTION='Y' ;
ERROR 3185 (HY000): Can't find master key from keyring, please check keyring plugin is loaded. "

12.) Plugin is loaded as per show plugins 
 keyring_okv  | ACTIVE   | KEYRING            | keyring_okv.so | PROPRIETARY |

Suggested fix:

The error message is insufficient to debug, setting ssl materials need to communicate along with dir configuaration where ssl materials and logging.properties  and okvclient.ora are placed.

The error error message shows can't find key from keyring.