Say goodbye LockBox

Imagine that you are a bloody idiot and trust everything EMC writes in their documentation, so when installing Content Server you chose the LockBox option. The problem is that LockBox protects nothing and, moreover, it is sensitive to the machine configuration (MAC address, IP address, hostname, CPU), so at some point you will get something like:

[dmadmin@demo-server ~]$ cat /opt/dctm/dba/log/MyRepo.log
The Lockbox stable value threshold was not met because the system fingerprint has changed. 
 To reset the system fingerprint, open the Lockbox using the passphrase.
The Lockbox stable value threshold was not met because the system fingerprint has changed. 
 To reset the system fingerprint, open the Lockbox using the passphrase.
2016-11-06T01:04:35.281642	2325[2325]	0000000000000000	[DM_CRYPTO_F_KEYSTORE_INIT]
 fatal: "Failed to initialize keystore at /opt/dctm/dba/secure/aek.key. Internal error ..."

[dmadmin@demo-server ~]$ 

What to do? EMC did release a dedicated utility (dm_crypto_manage_lockbox) that resets the system fingerprint stored in the LockBox, but there is another option: remove LockBox completely and switch back to the good old aek.key. All we need is:

  • LB.jar, LBJNI.jar from D2 installation
  • groovy shell

old server.ini:

##############################
#RKM configuration parameters
crypto_mode = AES256_RSA1024_SHA256
crypto_keystore = Local
crypto_lockbox = lockbox.lb
crypto_keyname = aek.key
#Above values cannot be changed once docbase is created

groovy magic:

[dmadmin@demo-server ~]$ ls /opt/dctm/dba/secure
ldapdb  lockbox.lb  lockbox.lb.bak  lockbox.lb.bak.FCD  lockbox.lb.FCD

[dmadmin@demo-server ~]$ export CLASSPATH=$CLASSPATH:LB.jar:LBJNI.jar
[dmadmin@demo-server ~]$ ./groovy-2.4.7/bin/groovysh \
> -Dclb.library.path=/home/dmadmin/lib/native/linux_gcc34_x64
Groovy Shell (2.4.7, JVM: 1.7.0_17)
Type ':help' or ':h' for help.
-----------------------------------------------------------------------------
groovy:000> import com.emc.clb.LockBox
===> com.emc.clb.LockBox
groovy:000> lb = new LockBox("/opt/dctm/dba/secure/lockbox.lb","Password@123")
===> com.emc.clb.LockBox@54f02243
groovy:000> new File("/home/dmadmin/aek.key").withOutputStream{
groovy:001> it.write lb.retrieveItemAsBinary("aek.key")
groovy:002> }
===> null
groovy:000>
[dmadmin@demo-server ~]$ ls -la aek.key 
-rw-rw-r--. 1 dmadmin dmadmin 144 Nov  6 01:19 aek.key
[dmadmin@demo-server ~]$ mv aek.key /opt/dctm/dba/secure/
[dmadmin@demo-server ~]$ dm_crypto_change_passphrase \
> -location /opt/dctm/dba/secure/aek.key \
> -passphrase Password@123 -noprompt

Please wait, this will take a few seconds
Successfully changed passphrase for AEK located at /opt/dctm/dba/secure/aek.key

new server.ini:

##############################
#RKM configuration parameters
crypto_mode = AES256_RSA1024_SHA256
crypto_keystore = Local
#crypto_lockbox = lockbox.lb
crypto_keyname = aek.key
#Above values cannot be changed once docbase is created
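The last two steps of the procedure above (put the extracted aek.key into place, then comment out crypto_lockbox in server.ini) as one script, with the sanity checks you want before restarting the repository. This is an added example, not code from the original post or from EMC: the function names disable_lockbox and crypto_source, the backup naming and the 0600 permission on the key file are assumptions made here; the server.ini format is the "key = value" layout shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): switch a Content Server
# server.ini from LockBox back to a plain aek.key, refusing to touch the
# config when a precondition is not met.
# Assumptions: server.ini uses "key = value" lines as in the post, the AEK
# has already been extracted to $2, and both paths are writable by the
# Documentum install owner.

# Usage: disable_lockbox SERVER_INI AEK_FILE
# Returns 0 on success, 1 if a precondition fails (config left unchanged).
disable_lockbox() {
    ini="$1"
    key="$2"

    # Preconditions: config must exist, key must exist and be non-empty
    [ -f "$ini" ] || { echo "server.ini not found: $ini" >&2; return 1; }
    [ -s "$key" ] || { echo "AEK file missing or empty: $key" >&2; return 1; }

    # crypto_keyname must name the file we are about to rely on; otherwise
    # the repository would look for a different key after the change
    keyname=$(sed -n 's/^[[:space:]]*crypto_keyname[[:space:]]*=[[:space:]]*//p' "$ini" | tr -d '[:space:]')
    [ "$keyname" = "$(basename "$key")" ] || {
        echo "crypto_keyname ($keyname) does not match $(basename "$key")" >&2
        return 1
    }

    # Keep a backup of the config before editing it
    cp -p "$ini" "$ini.bak" || return 1

    # Comment out every active crypto_lockbox line. Idempotent: lines that
    # are already commented do not match the pattern and are left alone.
    sed 's/^[[:space:]]*crypto_lockbox[[:space:]]*=/#&/' "$ini" > "$ini.new" || return 1
    cat "$ini.new" > "$ini" && rm -f "$ini.new"

    # The AEK is the repository master key: restrict it to the owner.
    # (The post's listing shows 0664; 0600 is a tightening assumed here.)
    chmod 0600 "$key"
    return 0
}

# Usage: crypto_source SERVER_INI
# Prints "lockbox" if an active crypto_lockbox line remains, else "aek",
# i.e. which keystore mode the repository would start in.
crypto_source() {
    if grep -q '^[[:space:]]*crypto_lockbox[[:space:]]*=' "$1"; then
        echo lockbox
    else
        echo aek
    fi
}
```

Run it as `disable_lockbox /opt/dctm/dba/server.ini /opt/dctm/dba/secure/aek.key` after the dm_crypto_change_passphrase step, then confirm with `crypto_source /opt/dctm/dba/server.ini` before restarting the repository; the backup ends up next to the config as server.ini.bak.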
