Say goodbye LockBox

Imagine that you are a bloody idiot and trust everything EMC writes in their documentation, so when installing Content Server you chose the LockBox option. The problem is that LockBox protects nothing and, moreover, it is sensitive to the machine configuration (MAC address, IP address, hostname, CPU), so at some point you will get something like:

[dmadmin@demo-server ~]$ cat /opt/dctm/dba/log/MyRepo.log
The Lockbox stable value threshold was not met because the system fingerprint has changed. 
 To reset the system fingerprint, open the Lockbox using the passphrase.
The Lockbox stable value threshold was not met because the system fingerprint has changed. 
 To reset the system fingerprint, open the Lockbox using the passphrase.
2016-11-06T01:04:35.281642	2325[2325]	0000000000000000	[DM_CRYPTO_F_KEYSTORE_INIT]
 fatal: "Failed to initialize keystore at /opt/dctm/dba/secure/aek.key. Internal error ..."

[dmadmin@demo-server ~]$ 

What to do? Actually, EMC released a special utility (dm_crypto_manage_lockbox) which allows resetting the system fingerprint in LockBox, but there is another option: remove LockBox completely and switch back to the good old aek.key. All we need is:

  • LB.jar, LBJNI.jar from D2 installation
  • groovy shell

old server.ini:

##############################
#RKM configuration parameters
crypto_mode = AES256_RSA1024_SHA256
crypto_keystore = Local
crypto_lockbox = lockbox.lb
crypto_keyname = aek.key
#Above values cannot be changed once docbase is created

groovy magic:

[dmadmin@demo-server ~]$ ls /opt/dctm/dba/secure
ldapdb  lockbox.lb  lockbox.lb.bak  lockbox.lb.bak.FCD  lockbox.lb.FCD

[dmadmin@demo-server ~]$ export CLASSPATH=$CLASSPATH:LB.jar:LBJNI.jar
[dmadmin@demo-server ~]$ ./groovy-2.4.7/bin/groovysh \
> -Dclb.library.path=/home/dmadmin/lib/native/linux_gcc34_x64
Groovy Shell (2.4.7, JVM: 1.7.0_17)
Type ':help' or ':h' for help.
-----------------------------------------------------------------------------
groovy:000> import com.emc.clb.LockBox
===> com.emc.clb.LockBox
groovy:000> lb = new LockBox("/opt/dctm/dba/secure/lockbox.lb","Password@123")
===> com.emc.clb.LockBox@54f02243
groovy:000> new File("/home/dmadmin/aek.key").withOutputStream{
groovy:001> it.write lb.retrieveItemAsBinary("aek.key")
groovy:002> }
===> null
groovy:000>
[dmadmin@demo-server ~]$ ls -la aek.key 
-rw-rw-r--. 1 dmadmin dmadmin 144 Nov  6 01:19 aek.key
[dmadmin@demo-server ~]$ mv aek.key /opt/dctm/dba/secure/
[dmadmin@demo-server ~]$ dm_crypto_change_passphrase \
> -location /opt/dctm/dba/secure/aek.key \
> -passphrase Password@123 -noprompt

Please wait, this will take a few seconds
Successfully changed passphrase for AEK located at /opt/dctm/dba/secure/aek.key

new server.ini:

##############################
#RKM configuration parameters
crypto_mode = AES256_RSA1024_SHA256
crypto_keystore = Local
#crypto_lockbox = lockbox.lb
crypto_keyname = aek.key
#Above values cannot be changed once docbase is created
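As an added example (not code from the original post), the following Python script checks whether a repository's server.ini still points at a lockbox and counts the fingerprint and keystore-init messages shown above in its log; the inputs are constructed copies of the server.ini and log excerpts in this post.

```python
# Signatures taken from the repository log excerpt in the post.
FINGERPRINT_MSG = "Lockbox stable value threshold was not met"
KEYSTORE_FATAL = "DM_CRYPTO_F_KEYSTORE_INIT"

def parse_server_ini(text):
    """Return the active crypto_* settings; '#'-commented keys are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("crypto_"):
            settings[key.strip()] = value.strip()
    return settings

def lockbox_in_use(settings):
    """LockBox is active only while crypto_lockbox is set (not commented out)."""
    return bool(settings.get("crypto_lockbox"))

def scan_log(text):
    """Count the two LockBox failure signatures in a repository log."""
    counts = {"fingerprint_changed": 0, "keystore_init_fatal": 0}
    for line in text.splitlines():
        if FINGERPRINT_MSG in line:
            counts["fingerprint_changed"] += 1
        if KEYSTORE_FATAL in line:
            counts["keystore_init_fatal"] += 1
    return counts

def audit(ini_text, log_text):
    """Combine both checks: a lockbox-backed keystore plus a fingerprint
    mismatch in the log means the repository will not start."""
    settings = parse_server_ini(ini_text)
    result = {"lockbox": lockbox_in_use(settings),
              "keyname": settings.get("crypto_keyname")}
    result.update(scan_log(log_text))
    result["at_risk"] = result["lockbox"] and result["fingerprint_changed"] > 0
    return result

# Constructed inputs mirroring the server.ini and log excerpts in the post.
OLD_INI = "crypto_keystore = Local\ncrypto_lockbox = lockbox.lb\ncrypto_keyname = aek.key\n"
NEW_INI = "crypto_keystore = Local\n#crypto_lockbox = lockbox.lb\ncrypto_keyname = aek.key\n"
LOG = ("The Lockbox stable value threshold was not met because the system fingerprint has changed.\n"
       "The Lockbox stable value threshold was not met because the system fingerprint has changed.\n"
       "2016-11-06T01:04:35.281642\t2325[2325]\t0000000000000000\t[DM_CRYPTO_F_KEYSTORE_INIT]\n")

if __name__ == "__main__":
    print(audit(OLD_INI, LOG))
```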

Encryption madness. Part IV

Interestingly, the dm_crypto_create utility is able to create AES128, AES192 and AES256 encryption keys; note the -algorithm argument:

[dmadmin@docu72dev01 ~]$ dm_crypto_create --help
Option --help has no meaning !!
Usage: dm_crypto_db_create [-lockbox <lockbox>] [-lockboxpassphrase [lockboxpassphrase]] 
                           [-keyname <keyname>] [-location <location>] 
                           [-passphrase [passphrase]] [-noprompt] [-move] 
                           [-check] [-algorithm] [-help] 

  -lockbox  - Optional lockbox to store administration key.
  -lockboxpassphrase  - Passphrase for the lockbox.
               Should be specified for a new lockbox.
  -keyname  - Optional name of the administration key to be stored in lockbox.
  -location  - Optional location of the administration key file.
  -passphrase  - Optional passphrase to protect the administration key.
               If not specified a default passphrase will be used.
  -move     - Optional argument to move existing key into lockbox.

  -check     - Optional argument to check for an existing administration key at
               the specified location.

  -algorithm   - Optional argument to specify the algorithm used for generating key.
                Valid values are AES_128_CBC, AES_192_CBC and AES_256_CBC. 
  -noprompt  - Optional flag to not prompt for default passphrase confirmation.
  -help      - Print this help/usage information.

** If -location is not specified, environment variable 
   DM_CRYPTO_FILE or DOCUMENTUM will be used to determine the location.
** -passphrase and -noprompt options are exclusive.

** It is suggested that you specify a passphrase **

but DFC recognises AES128 keys only. AES256 fails with a “PBKDF2WithHmacSHA256 SecretKeyFactory not available” error (this factory is only available since Java 8):

 ~]$ dm_crypto_create -location /tmp/aek.key -noprompt -algorithm AES_256_CBC

** Will use default passphrase **



Please wait. This will take a few seconds ...
** Successfully created key store /tmp/aek.key using algorithm AES_256_CBC
[dmadmin@docu72dev01 ~]$ iapi DCTM_DEV
Please enter a user (dmadmin): 
Please enter password for dmadmin: 


        EMC Documentum iapi - Interactive API interface
        (c) Copyright EMC Corp., 1992 - 2015
        All rights reserved.
        Client Library Release 7.2.0030.0072


Connecting to Server using docbase DCTM_DEV
[DM_SESSION_I_SESSION_START]info:  "Session 01024be98000746a started for user dmadmin."


Connected to Documentum Server running Release 7.2.0030.0195  Linux64.Oracle
Session id is s0
API> initcrypto,c,/tmp/aek.key
...
Unexpected problem with key generation: PBKDF2WithHmacSHA256 SecretKeyFactory not available


API> 

AES192 fails with an “Unsupported algorithm ID: 4” error:

 ~]$ dm_crypto_create -location /tmp/aek.key -noprompt -algorithm AES_192_CBC

** Will use default passphrase **



Please wait. This will take a few seconds ...
** Successfully created key store /tmp/aek.key using algorithm AES_192_CBC
[dmadmin@docu72dev01 ~]$ iapi DCTM_DEV
Please enter a user (dmadmin): 
Please enter password for dmadmin: 


        EMC Documentum iapi - Interactive API interface
        (c) Copyright EMC Corp., 1992 - 2015
        All rights reserved.
        Client Library Release 7.2.0030.0072


Connecting to Server using docbase DCTM_DEV
[DM_SESSION_I_SESSION_START]info:  "Session 01024be98000746d started for user dmadmin."


Connected to Documentum Server running Release 7.2.0030.0195  Linux64.Oracle
Session id is s0
API> initcrypto,c,/tmp/aek.key
...
Unsupported algorithm ID: 4


API> 

I have checked DFC and found out that EMC made a mess not only of the encryption algorithm names on the CS side – their understanding of cryptography on the Java side is also extremely poor.