Hi there, OK, thought so; I was missing the "literal" YAML key/value entry. Is there somewhere that defines how to set up a password group like this (Google-fu didn't find any examples), and other examples (and documentation) of different password group types? Is there a way, instead of defining a literal clear string, that it can be hashed or salted so it's not stored in the YAML in clear text? In some PCI-DSS environments, clear-text, un-hashed passwords are a no-no (my target environments).

Related to the password, on import, do all 3 need to be defined like in your example, just for the import? I presume after import that they are stored in the data vault? I've seen references to encrypting the key in the data vault (or the password of the key protected by the vault), but anyone with access to the database can get the password. So how is the password protected in the data vault? Documentation somewhere I might have missed?

On Saturday, October 10, 2020, 7:27:16 PM GMT-4, <[email protected]> wrote:

Hi Steve,

I think I had a similar issue and I solved it by editing the crypto.yaml file of the realm as shown below. By the way, the 'root' password used in sampleconfig.sh is defined in /etc/openxpki/config.d/system/crypto.yaml in the section secrets: default: and is used by inheritance for all tokens if the realm's crypto.yaml is not modified.

Hope this helps!

Regards
Florian

##### changes in crypto.yaml ####
…
  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: ca-signer

  vault:
    inherit: default
    key: /etc/openxpki/ca/[% ALIAS %].pem
    secret: vault

  scep:
    inherit: default
    backend: OpenXPKI::Crypto::Tool::LibSCEP
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: scep

# Define the secret groups
secret:
  default:
    # this lets OpenXPKI use the secret of the same name from system.crypto
    # if you do not want to share the secret just replace this line with
    # the config found in system.crypto. You can create additional secrets
    # by adding similar blocks with another key
    import: 1

  ca-signer:
    label: CA signer group
    method: literal
    value: <content of OpenXPKI_Issuing_CA.pass>

  vault:
    label: Vault group
    method: literal
    value: <content of OpenXPKI_DataVault.pass>

  scep:
    label: SCEP group
    method: literal
    value: <content of OpenXPKI_SCEP_RA.pass>

-----Original Message-----
From: Steve Downey via OpenXPKI-users <[email protected]>
Sent: Saturday, 10 October 2020 17:14
To: [email protected]
Cc: Steve Downey <[email protected]>
Subject: [OpenXPKI-users] Importing Certs into Datavault

Hi there,

I'm getting this error whenever I import a key. Seems I'm not setting the DataVault password correctly, wherever that is:

    Encryption key needed to decrypt password safe entry is unavailable

How it's generated:

    openssl req -new -verbose -config "${OPENSSL_CONF}" -reqexts v3_datavault_reqexts -batch \
        -newkey rsa:$BITS -passout file:"${DATAVAULT_KEY_PASSWORD}" -keyout "${DATAVAULT_KEY}" \
        -subj "${DATAVAULT_SUBJECT}" -out "${DATAVAULT_REQUEST}"

The datavault is a 4K RSA key; key and permissions seem OK.

    root@can-lx-intca-01:~# ls -la /etc/openxpki/ca/
    total 24
    drwxr-xr-x  4 root     root     4096 Oct 10 10:58 .
    drwxr-xr-x 11 openxpki root     4096 Oct  8 19:10 ..
    drwxr-xr-x  3 openxpki root     4096 Oct  9 19:27 dev
    -r--------  1 openxpki openxpki 3413 Oct 10 10:58 vault-1.pem

I've tried defining the secret here with no improvement:

    /etc/openxpki/config.d/realm/dev/crypto.yaml
    /etc/openxpki/config.d/system/crypto.yaml

All I see is "secret: default" only. I'm not sure from any of the docs how the defined password in the .pass file is injected to allow the rest of the importing, if that's in fact the problem.

I've based myself off of sampleconfig.sh, but I see no reference on how the private key secret is set on import.

    root@can-lx-intca-01:~# openxpkiadm certificate import --file "${DATAVAULT_CERTIFICATE}" --realm "${REALM}" --token datasafe --key ${DATAVAULT_KEY}
    Starting import
    Successfully imported certificate into database:
      Subject:    CN=DEV LinuxCA Internal DataVault
      Issuer:     CN=Enterprises DEV Intermediate Linux CA,OU=PKI,O=Enterprises,C=CA
      Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
      Realm:      dev
    Successfully created alias in realm dev:
      Alias     : vault-1
      Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
      NotBefore : 2020-10-09 23:27:14
      NotAfter  : 2030-10-12 23:27:14
    Successfully wrote key to /etc/openxpki/ca/vault-1.pem

    root@can-lx-intca-01:~# openxpkiadm alias --realm "${REALM}" --token certsign --file "${ISSUING_CA_CERTIFICATE}" --key ${ISSUING_CA_KEY}
    Successfully created alias in realm dev:
      Alias     : ca-signer-1
      Identifier: 6j87PRoXumH_EEamEXfVGfgidzk
      NotBefore : 2020-10-09 22:53:09
      NotAfter  : 2041-10-09 23:03:09
    2020/10/10 10:58:46 Encryption key needed to decrypt password safe entry is unavailable

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
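The two things this thread turns on are how a token's `secret:` key is resolved (through the token's `inherit: default` chain, then the realm's `secret:` groups, then `import: 1` into the system-level table) and the fact that a `method: literal` group leaves the passphrase in cleartext in crypto.yaml. The following checker, an added example and not OpenXPKI's own code, walks that resolution over a realm file and reports tokens whose group resolves nowhere (the condition behind "Encryption key needed to decrypt password safe entry is unavailable") as well as every cleartext literal group. The YAML is constructed after Florian's fragment; the `default` token, the deliberately broken `datasafe` token, the system-level secret table and the tiny parser are all assumptions made for the example.

```python
"""Lint an OpenXPKI realm crypto.yaml: unresolved secret groups and cleartext literals.

Added example, not OpenXPKI code. The YAML is constructed after the fragment in
Florian's reply; the `default` token, the `datasafe` token and the system-level
secret table are hypothetical stand-ins for the real files.
"""

REALM_CRYPTO_YAML = """
token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    secret: default
  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: ca-signer
  vault:
    inherit: default
    key: /etc/openxpki/ca/[% ALIAS %].pem
    secret: vault
  scep:
    inherit: default
    backend: OpenXPKI::Crypto::Tool::LibSCEP
    secret: scep
  datasafe:
    # constructed misconfiguration: no secret group of this name exists anywhere
    inherit: default
    secret: datasafe
secret:
  default:
    # pull the group of the same name from system/crypto.yaml
    import: 1
  ca-signer:
    label: CA signer group
    method: literal
    value: <content of OpenXPKI_Issuing_CA.pass>
  vault:
    label: Vault group
    method: literal
    value: <content of OpenXPKI_DataVault.pass>
  scep:
    label: SCEP group
    method: literal
    value: <content of OpenXPKI_SCEP_RA.pass>
"""

# Hypothetical stand-in for the `secret:` section of system/crypto.yaml, where
# sampleconfig.sh keeps the 'root' passphrase that the realm imports as `default`.
SYSTEM_SECRET_GROUPS = {
    "default": {"label": "Default secret group", "method": "literal", "value": "root"},
}


def parse_simple_yaml(text):
    """Parse the nested `key: value` subset used by crypto.yaml into dicts.

    Minimal on purpose: comments, blank lines, quoted scalars and indentation
    nesting are handled; lists, anchors and multi-line scalars are not.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for every open parent mapping
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:  # close mappings that are not our parent
            stack.pop()
        parent = stack[-1][1]
        key, _, value = stripped.partition(":")  # first colon only: keeps Perl::Names intact
        key, value = key.strip(), value.strip().strip("\"'")
        if value:
            parent[key] = value
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def effective_token(tokens, name):
    """Apply `inherit:` recursively; the named token's own keys override the base's."""
    own = dict(tokens[name])
    base = own.pop("inherit", None)
    merged = effective_token(tokens, base) if base else {}
    merged.update(own)
    return merged


def resolve_secret_group(name, realm_groups, system_groups):
    """A realm group carrying `import: 1` is a reference into the system-level table."""
    group = realm_groups.get(name)
    if group is not None and group.get("import") == "1":
        return system_groups.get(name)
    return group


def lint(realm_cfg, system_groups):
    """Return (token, finding) pairs for unresolved and cleartext secret groups."""
    findings = []
    tokens, groups = realm_cfg.get("token", {}), realm_cfg.get("secret", {})
    for name in tokens:
        if name == "default":
            continue  # the inheritance template, not a usable token
        ref = effective_token(tokens, name).get("secret")
        group = resolve_secret_group(ref, groups, system_groups)
        if group is None:
            findings.append((name, f"secret group '{ref}' is not defined in realm or system crypto.yaml"))
        elif group.get("method") == "literal" and group.get("value"):
            findings.append((name, f"secret group '{ref}' stores its passphrase in cleartext (method: literal)"))
    return findings


if __name__ == "__main__":
    for token, finding in lint(parse_simple_yaml(REALM_CRYPTO_YAML), SYSTEM_SECRET_GROUPS):
        print(f"{token}: {finding}")
```

Run against the constructed input it flags `datasafe` as unresolved and `ca-signer`, `vault` and `scep` as cleartext literals; point `REALM_CRYPTO_YAML` at a real realm file (and fill `SYSTEM_SECRET_GROUPS` from system/crypto.yaml) to check a deployment before the first `openxpkiadm` import.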
