Error with encrypted keys

I just updated to 2.15.X from 2.14.x on a Debian environment. I had the
enckey already encrypted with the security module. After the update,
whenever I run the commands for the securitymodule to decrypt the key, I get
the following error:

root@MACHINENAME:/etc/privacyidea# privacyidea -U https://MACHINENAME --admin=admin securitymodule --init_hsm
Please enter password for 'admin':
Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1563, in <module>
    main()
  File "/usr/bin/privacyidea", line 1555, in main
    no_ssl_check=args.nosslcheck)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
    self.set_credentials(username, password)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 135, in set_credentials
    raise Exception("Invalid Credentials: %s" % r.status_code)
Exception: Invalid Credentials: 400

  • I am using the stable release of privacyIDEA and privacyIDEA Admin
  • LDAP for the users and local for the admin
  • enckey and pi.cfg did not change on the machine

Regards,
Sherif

Take a look in the server log, what is happening there.
Kind regards
Cornelius

On Monday, 24 October 2016 15:22:52 UTC+2, Sherif Nagy wrote:

I just updated to 2.15.X from 2.14.x on a Debian environment. I had
the enckey already encrypted with the security module. After the update,
whenever I run the commands for the securitymodule to decrypt the key, I get
the following error:

root@MACHINENAME:/etc/privacyidea# privacyidea -U https://MACHINENAME --admin=admin securitymodule --init_hsm
Please enter password for 'admin':
Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1563, in <module>
    main()
  File "/usr/bin/privacyidea", line 1555, in main
    no_ssl_check=args.nosslcheck)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
    self.set_credentials(username, password)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 135, in set_credentials
    raise Exception("Invalid Credentials: %s" % r.status_code)
Exception: Invalid Credentials: 400

  • I am using the stable release of privacyIDEA and privacyIDEA Admin
  • LDAP for the users and local for the admin
  • enckey and pi.cfg did not change on the machine

Regards,
Sherif

Hi,

Here are the logs

http logs:

[Thu Nov 03 09:08:53.111220 2016] [wsgi:error] [pid 683:tid 139837077231360] No handlers could be found for logger "privacyidea.lib.stats"
[Thu Nov 03 09:08:54.653678 2016] [wsgi:error] [pid 683:tid 139837077231360] The config file specified in PI_LOGCONFIG does not exist.
[Thu Nov 03 09:08:54.653708 2016] [wsgi:error] [pid 683:tid 139837077231360] Could not use PI_LOGCONFIG. Using PI_LOGLEVEL and PI_LOGFILE.
[Thu Nov 03 09:08:54.653717 2016] [wsgi:error] [pid 683:tid 139837077231360] Using PI_LOGLEVEL 20.
[Thu Nov 03 09:08:54.653722 2016] [wsgi:error] [pid 683:tid 139837077231360] Using PI_LOGFILE /var/log/privacyidea/privacyidea.log.
[Thu Nov 03 09:08:54.655099 2016] [wsgi:error] [pid 683:tid 139837077231360] The configuration name is: production
[Thu Nov 03 09:08:54.655132 2016] [wsgi:error] [pid 683:tid 139837077231360] Additional configuration can be read from the file /etc/privacyidea/pi.cfg
[Thu Nov 03 09:08:54.669794 2016] [wsgi:error] [pid 683:tid 139837077231360] The config file specified in PI_LOGCONFIG does not exist.
[Thu Nov 03 09:08:54.669821 2016] [wsgi:error] [pid 683:tid 139837077231360] Could not use PI_LOGCONFIG. Using PI_LOGLEVEL and PI_LOGFILE.
[Thu Nov 03 09:08:54.669828 2016] [wsgi:error] [pid 683:tid 139837077231360] Using PI_LOGLEVEL 20.
[Thu Nov 03 09:08:54.669831 2016] [wsgi:error] [pid 683:tid 139837077231360] Using PI_LOGFILE /var/log/privacyidea/privacyidea.log.
[Thu Nov 03 09:08:55.014854 2016] [wsgi:error] [pid 683:tid 139837077231360] /usr/lib/python2.7/dist-packages/sqlalchemy/engine/default.py:573: SAWarning: Unicode type received non-unicode bind param value
[Thu Nov 03 09:08:55.014919 2016] [wsgi:error] [pid 683:tid 139837077231360] param.append(processorskey)

privacyidea logs:

[2016-11-03 09:08:55,046][683][139837077231360][INFO][privacyidea.lib.crypto:299] initializing HSM class: <class 'privacyidea.lib.security.default.DefaultSecurityModule'>
[2016-11-03 09:08:55,085][683][139837077231360][INFO][privacyidea.lib.crypto:319] Initialized HSM object {'obj': <privacyidea.lib.security.default.DefaultSecurityModule object at 0x7f2e45b2f590>}

and when I actually try to unlock the HSM, nothing shows in the logs

we had a similar issue like this before: https://github.com/privacyidea/privacyideaadm/issues/16

Sherif

We are still having the same problem in 2.16. I think it has something to do
with adding the latest supported token after 2.14? I don't want to revert
back to a non-encrypted key. But we had this issue before and it got fixed, as I
mentioned in my previous comment.

Regards,
Sherif

On Nov 3, 2016 9:32 AM, "Sherif Nagy" <@Sherif_Nagy> wrote:

and when I actually try to unlock the HSM, nothing shows in the logs

we had a similar issue like this before: https://github.com/privacyidea/privacyideaadm/issues/16

Sherif