Questions about encrypting enckey

Hello,

So I am thinking of encrypting my encKey with a password, however I have a
few questions:

1- This will encrypt the current key and will not generate a new key? So I
don't lose the tokens and data already in the database.
2- When I start the service using systemctl or service (I am using the deb
privacyidea-apache2 package), will that work and ask me to decrypt the
enckey? If not, how can I decrypt the enckey in this case?

Regards,
Sherif

It is this line:

When the user object is created with a loginname and the realmname, it
also checks in which resolver in the realm the user is located.
To get a user object consisting of loginname, realmname and
resolvername.

In this case, it can not check the LDAP resolver, since it can not
access the BIND PW.

Kind regards
Cornelius

On Friday, 04.12.2015, 08:03 -0800, Sherif Nagy wrote:

Hi Cornelius,

Just to confirm, I created an empty realm and set it as default, and
the decryption of the enckey works. So it seems the system is checking
the user's realm before the local admin.

Regards,
Sherif

On Friday, December 4, 2015 at 3:54:23 PM UTC, Cornelius Kölbel wrote:
Hi Sherif,

    thanks a lot for the details. 
    
    I can confirm this. 
    
    If the default realm contains an LDAP-Resolver with a BIND-PW you can
    not login with a local administrator.
    
    https://github.com/privacyidea/privacyidea/issues/280 
    
    I will dig into this. 
    
    Kind regards 
    Cornelius 
    
    On Friday, 04.12.2015, 07:45 -0800, Sherif Nagy wrote:
    > Hi Cornelius,
    >
    > I guess I knew what is wrong, so here is what I have done:
    >
    > - Disabled all the policies (I have the one for u2f auth, weblogin
    >   and one for users login) and still got the same error.
    > - Take out the usersresolvers from the default realm and the
    >   decryption of the key will work like a charm.
    > - I have an LDAP resolver and a passwd one; I noticed just a message in the
    >   log that says looking for /etc/passwd in /home/privacyidea, that is why I
    >   thought to disable the usersource.
    >
    > So I guess the realm usersources run before the local admin ones?
    >
    > Regards,
    > Sherif
    > 
    > On Friday, December 4, 2015 at 3:29:35 PM UTC, Sherif Nagy wrote:
    >         Okay, let me disable the policies and I will let you know if it
    >         works or not and which policies I have :)
    >
    >         Sherif
    >         
    >         On Friday, December 4, 2015 at 3:25:06 PM UTC, Cornelius Kölbel wrote:
    >                 Hi Sherif,
    >
    >                 So for some reason the server returns an error.
    >                 I could imagine due to some things it is doing _before_
    >                 checking the admin's password. And in doing this stuff, it might run
    >                 into a problem, since the encryption key does not exist, yet.
    >
    >                 E.g. this could be some policies, which need the encryption key when
    >                 being checked.
    >
    >                 So can you please tell, what policies you have defined and also take a
    >                 look into the server's log file?
    >
    >                 Thanks a lot
    >                 Cornelius
    >                 
    >                 
    >                 On Friday, 04.12.2015, 07:18 -0800, Sherif Nagy wrote:
    >                 > It's the local admin that has been added by pi-manage admin command
    >                 >
    >                 > Sherif
    >                 > 
    >                 > On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:
    >                 >         Is this a local admin?
    >                 >         Or is it an admin in a superuser-realm?
    >                 >
    >                 >         If it is a local admin, which was added by
    >                 >
    >                 >          pi-manage admin
    >                 >
    >                 >         it should(TM) work, since the encryption keys are not used in
    >                 >         this case.
    >                 >
    >                 >         If it is an admin in a superuser-realm in e.g. an LDAP, it will not
    >                 >         work, since PI can not decrypt the LDAP password to find the admin in
    >                 >         the LDAP.
    >                 >
    >                 >         Kind regards
    >                 >         Cornelius
    >                 >         
    >                 >         On Friday, 04.12.2015, 07:02 -0800, Sherif Nagy wrote:
    >                 >         > Hello again,
    >                 >         >
    >                 >         > So before encrypting the enckey, I am getting securitymodule value
    >                 >         > true "after upgrading to 2.7devX, I encrypt the enckey, paste the data
    >                 >         > and replace the file, restart Apache, run again the command to check
    >                 >         > the status " should be false or HSM not ready, but I am getting the
    >                 >         > below error:
    >                 >         >
    >                 >         > Traceback (most recent call last):
    >                 >         >   File "/usr/bin/privacyidea", line 1467, in <module>
    >                 >         >     main()
    >                 >         >   File "/usr/bin/privacyidea", line 1462, in main
    >                 >         >     no_ssl_check=args.nosslcheck)
    >                 >         >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
    >                 >         >     self.set_credentials(username, password)
    >                 >         >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 129, in set_credentials
    >                 >         >     raise Exception("Invalid Credentials: %s" % r.status_code)
    >                 >         > Exception: Invalid Credentials: 400
    >                 >         >
    >                 >         > and the admin password is correct, I replace the encrypted key file
    >                 >         > with the non-encrypted one, restart apache and try again to check the
    >                 >         > status, and I get True.
    >                 >         >
    >                 >         > Do I need to re-add the admin user?
    >                 >         >
    >                 >         > Regards,
    >                 >         > Sherif
    >                 >         > 
    >                 >         > 
    >                 >         > On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote:
    >                 >         >         Hi Cornelius,
    >                 >         >
    >                 >         >         Oh yep the privacyideaadm is 2.5 :/ will update now :) thank you
    >                 >         >
    >                 >         >         Sherif
    >                 >         >         
    >                 >         >         On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote:
    >                 >         >                 Hi Sherif,
    >                 >         >
    >                 >         >                 you need at least version 2.7dev1.
    >                 >         >                 Hm, should release privacyideaadm 2.7... :-/
    >                 >         >
    >                 >         >                 I guess you have 2.5?
    >                 >         >                 Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev
    >                 >         >                 (will just upload)
    >                 >         >                 Or you can install it via pip.
    >                 >         >
    >                 >         >                 Kind regards
    >                 >         >                 Cornelius
    >                 >         >                 
    >                 >         >                 On Friday, 04.12.2015, 04:41 -0800, Sherif Nagy wrote:
    >                 >         >                 > Hi Cornelius,
    >                 >         >                 >
    >                 >         >                 > I did try the following command (still did not encrypt my key yet),
    >                 >         >                 > and I am getting the following error:
    >                 >         >                 >
    >                 >         >                 > #privacyidea -U https://localhost --admin=admin --nosslcheck securitymodule
    >                 >         >                 >
    >                 >         >                 > /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html (This warning will only appear once by default.)
    >                 >         >                 >   InsecureRequestWarning)
    >                 >         >                 > This is the configuration of your active Security module:
    >                 >         >                 >
    >                 >         >                 > Traceback (most recent call last):
    >                 >         >                 >   File "/usr/bin/privacyidea", line 1321, in <module>
    >                 >         >                 >     main()
    >                 >         >                 >   File "/usr/bin/privacyidea", line 1317, in main
    >                 >         >                 >     args.func(args, client)
    >                 >         >                 >   File "/usr/bin/privacyidea", line 683, in securitymodule
    >                 >         >                 >     r1 = client.securitymodule(param={})
    >                 >         >                 >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 226, in securitymodule
    >                 >         >                 >     return self.connect('/system/setupSecurityModule', param)
    >                 >         >                 > AttributeError: 'privacyideaclient' object has no attribute 'connect'
    >                 >         >                 >
    >                 >         >                 > Any idea what might be the issue?
    >                 >         >                 >
    >                 >         >                 > Regards,
    >                 >         >                 > Sherif
    >                 >         >                 > 
    >                 >         >                 > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote:
    >                 >         >                 >         Hi Sherif,
    >                 >         >                 >
    >                 >         >                 >         take a look here:
    >                 >         >                 >         http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule
    >                 >         >                 >
    >                 >         >                 >         To encrypt the enckey, you can use the script
    >                 >         >                 >
    >                 >         >                 >          pi-manage encrypt_enckey <filename>
    >                 >         >                 >
    >                 >         >                 >         This will not overwrite the file. The encrypted data will be
    >                 >         >                 >         written to stdout. You can either pipe these or paste it.
    >                 >         >                 >
    >                 >         >                 >         You may also want to make a backup of the encryption key, anyway!
    >                 >         >                 >
    >                 >         >                 >         When you restart the apache it will start quite normal.
    >                 >         >                 >         But at certain points, when data needs to be encrypted or
    >                 >         >                 >         decrypted you will get the error:
    >                 >         >                 >
    >                 >         >                 >          ERR707: hsm not ready!
    >                 >         >                 >
    >                 >         >                 >         You can also check this at the command line after
    >                 >         >                 >         (re)-starting the apache:
    >                 >         >                 >
    >                 >         >                 >         # privacyidea -U https://localhost/pi --admin=super --nosslcheck \
    >                 >         >                 >            securitymodule
    >                 >         >                 >         Please enter password for 'super':
    >                 >         >                 >         This is the configuration of your active Security module:
    >                 >         >                 >         { u'status': True, u'value': { u'is_ready': False}}
    >                 >         >                 >
    >                 >         >                 >         "is_ready": False shows you, that the encryption key is not
    >                 >         >                 >         ready to be used.
    >                 >         >                 >
    >                 >         >                 >         So you need to run:
    >                 >         >                 >
    >                 >         >                 >         # privacyidea -U https://localhost/pi --admin=super --nosslcheck \
    >                 >         >                 >            securitymodule --module=default
    >                 >         >                 >
    >                 >         >                 >         Please enter password for 'super':
    >                 >         >                 >         Please enter password for security module 'default':
    >                 >         >                 >         Setting the password of your security module default
    >                 >         >                 >         { u'status': True, u'value': { u'is_ready': True}}
    >                 >         >                 >
    >                 >         >                 >         Now, "is_ready": True shows you, that the encryption key can
    >                 >         >                 >         be used by privacyIDEA...
    >                 >         >                 >
    >                 >         >                 >         Take care and do backups ;-)
    >                 >         >                 >         I do not know, who uses it productively at the moment.
    >                 >         >                 >
    >                 >         >                 >         Kind regards
    >                 >         >                 >         Cornelius
    >                 >         >                 >         
    >                 >         >                 >         
    >                 >         >                 >         On Friday, 04.12.2015, 02:03 -0800, Sherif Nagy wrote:
    >                 >         >                 >         > Hello,
    >                 >         >                 >         >
    >                 >         >                 >         > So I am thinking of encrypting my encKey with a password, however I have a
    >                 >         >                 >         > few questions:
    >                 >         >                 >         >
    >                 >         >                 >         > 1- This will encrypt the current key and will not generate a new key? So I
    >                 >         >                 >         > don't lose the tokens and data already in the database.
    >                 >         >                 >         > 2- When I start the service using systemctl or service (I am using the deb
    >                 >         >                 >         > privacyidea-apache2 package), will that work and ask me to decrypt the
    >                 >         >                 >         > enckey? If not, how can I decrypt the enckey in this case?
    >                 >         >                 >         >
    >                 >         >                 >         > Regards,
    >                 >         >                 >         > Sherif
    >                 >         >                 >         > --
    >                 >         >                 >         > You received this message because you are subscribed to the Google Groups "privacyidea" group.
    >                 >         >                 >         > To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
    >                 >         >                 >         > To post to this group, send email to priva...@googlegroups.com.
    >                 >         >                 >         > To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/d4e7e11b-0b96-476e-a36c-b7189cc6e339%40googlegroups.com.
    >                 >         >                 >         > For more options, visit https://groups.google.com/d/optout.
    >                 >         >                 >         
    >                 >         >                 >         --
    >                 >         >                 >         Cornelius Kölbel
    >                 >         >                 >         corneliu...@netknights.it
    >                 >         >                 >         +49 151 2960 1417
    >                 >         >                 >
    >                 >         >                 >         NetKnights GmbH
    >                 >         >                 >         http://www.netknights.it
    >                 >         >                 >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    >                 >         >                 >         Tel: +49 561 3166797, Fax: +49 561 3166798
    >                 >         >                 >
    >                 >         >                 >         Registered at Amtsgericht Kassel, HRB 16405
    >                 >         >                 >         Managing Director: Cornelius Kölbel
    >                 +49 151 2960 1417 
    >                 
    >                 NetKnights GmbH 
    >                 http://www.netknights.it 
    >                 Landgraf-Karl-Str. 19, 34131 Kassel,
    Germany 
    >                 Tel: +49 561 3166797, Fax: +49 561 3166798 
    >                 
    >                 Amtsgericht Kassel, HRB 16405 
    >                 Geschäftsführer: Cornelius Kölbel 
    >                 
    >                 
    > -- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/a583bfc2-d95f-4eae-a67d-ab0032846c1d%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/14cc0121-09da-42aa-ba7b-284fe0152ee7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel


Hi Cornelius,

I did try the following command " still did not encrypt my key yet, and I
am getting the following error:

    #privacyidea -U https://localhost --admin=admin --nosslcheck securitymodule

    /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
    InsecureRequestWarning: Unverified HTTPS request is being made. Adding
    certificate verification is strongly advised. See:
    https://urllib3.readthedocs.org/en/latest/security.html (This warning will
    only appear once by default.)
      InsecureRequestWarning)
    This is the configuration of your active Security module:

    Traceback (most recent call last):
      File "/usr/bin/privacyidea", line 1321, in <module>
        main()
      File "/usr/bin/privacyidea", line 1317, in main
        args.func(args, client)
      File "/usr/bin/privacyidea", line 683, in securitymodule
        r1 = client.securitymodule(param={})
      File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 226, in securitymodule
        return self.connect('/system/setupSecurityModule', param)
    AttributeError: 'privacyideaclient' object has no attribute 'connect'

Any idea what might be the issue ?

Regards,
Sherif

Hi Sherif,

So for some reason the server returns an error.
I could imagine due to some things it is doing before checking the
admin's password. And in doing this stuff, it might run into a problem,
since the encryption key does not exist, yet.

E.g. this could be some policies, which need the encryption key when
being checked.

So can you please tell, what policies you have defined and also take a
look into the server's log file?

Thanks a lot
Cornelius

On Friday, 04.12.2015, at 07:18 -0800, Sherif Nagy wrote:

It’s the local admin that has been added by pi-manage admin command

Sherif

On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:

    Is this a local admin?
    Or is it an admin in a superuser-realm?

    If it is a local admin, which was added by

     pi-manage admin

    it should(TM) work, since the encryption keys are not used in
    this case.

    If it is an admin in a superuser-realm in e.g. an LDAP, it will not
    work, since PI can not decrypt the LDAP password to find the admin in
    the LDAP.

    Kind regards
    Cornelius

    On Friday, 04.12.2015, at 07:02 -0800, Sherif Nagy wrote:
    > Hello again,
    >
    > So before encrypting the enckey, I am getting securitymodule value
    > true "after upgrading to 2.7devX, I encrypt the enckey, paste the data
    > and replace the file, restart Apache, run again the command to check
    > the status " should be false or HSM not ready, but I am getting the
    > below error:
    >
    > Traceback (most recent call last):
    >   File "/usr/bin/privacyidea", line 1467, in <module>
    >     main()
    >   File "/usr/bin/privacyidea", line 1462, in main
    >     no_ssl_check=args.nosslcheck)
    >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
    >     self.set_credentials(username, password)
    >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 129, in set_credentials
    >     raise Exception("Invalid Credentials: %s" % r.status_code)
    > Exception: Invalid Credentials: 400
    >
    > and the admin password is correct, I replace the encrypted key file
    > with non-encrypted, restart apache and try again to check the
    > status, and I get True.
    >
    > Do I need to re-add the admin user ?
    >
    > Regards,
    > Sherif
    >
    > On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote:
    >         Hi Cornelius,
    >
    >         Oh yep the privacyideaadm is 2.5 :/ will update now :) thank
    >         you
    >
    >         Sherif

Hi Sherif,

you need at least version 2.7dev1.
Hm, should release privacyideaadm 2.7… :-/

I guess you have 2.5?
Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev
(will just upload)
Or you can install it via pip.

Kind regards
Cornelius

On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote:

    Hi Sherif,

    take a look here:
    http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule

    To encrypt the enckey, you can use the script

     pi-manage encrypt_enckey <filename>

    This will not overwrite the file. The encrypted data will be
    written to stdout. You can either pipe these or paste it.

    You may also want to make a backup of the encryption key, anyway!

    When you restart the apache it will start quite normal.
    But at certain points, when data needs to be encrypted or decrypted you
    will get the error:

            ERR707: hsm not ready!

    You can also check this at the command line after (re)-starting the
    apache:

    # privacyidea -U https://localhost/pi --admin=super --nosslcheck \
            securitymodule
    Please enter password for 'super':
    This is the configuration of your active Security module:
    {   u'status': True, u'value': {   u'is_ready': False}}

    "is_ready": False shows you, that the encryption key is not ready to be
    used.

    So you need to run:

    # privacyidea -U https://localhost/pi --admin=super --nosslcheck \
         securitymodule --module=default

    Please enter password for 'super':
    Please enter password for security module 'default':
    Setting the password of your security module default
    {   u'status': True, u'value': {   u'is_ready': True}}

    Now, "is_ready": True shows you, that the encryption key can be used by
    privacyIDEA...

    Take care and do backups ;-)
    I do not know, who uses it productively at the moment.

    Kind regards
    Cornelius
    
    
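
The outcomes this thread runs into when checking the security module after an Apache restart can be told apart mechanically. The following is an added example, not code from the thread or from privacyIDEA: `classify`, `exit_code`, the state names and the sample strings (constructed from the outputs quoted above) are assumptions for illustration.

```python
import ast
import re
import sys

READY = "ready"
LOCKED = "locked"                  # enckey still encrypted, password not supplied
CLIENT_TOO_OLD = "client-too-old"  # privacyideaadm predates the securitymodule call
LOGIN_BLOCKED = "login-blocked"    # admin login rejected before the key was unlocked
UNKNOWN = "unknown"

# The client prints the server reply as a Python 2 dict repr, for example
# {   u'status': True, u'value': {   u'is_ready': False}}
_REPLY_RE = re.compile(r"\{.*\}", re.DOTALL)


def classify(output):
    """Return (state, hint) for text printed by `privacyidea ... securitymodule`."""
    # Client-side failures come first: their tracebacks can contain braces
    # (param={}) that must not be mistaken for the server reply.
    if "has no attribute 'connect'" in output:
        return CLIENT_TOO_OLD, "upgrade privacyideaadm to at least 2.7dev1"
    if "Invalid Credentials: 400" in output:
        return LOGIN_BLOCKED, ("login failed although the password may be right; "
                               "look for an LDAP resolver with a BIND-PW in the "
                               "default realm")
    if "ERR707" in output:
        return LOCKED, "hsm not ready; supply the security module password"
    match = _REPLY_RE.search(output)
    if match is None:
        return UNKNOWN, "no reply dictionary in the output"
    try:
        # literal_eval only accepts literals, so the reply is never executed.
        reply = ast.literal_eval(match.group(0))
    except (ValueError, SyntaxError, TypeError):
        return UNKNOWN, "reply dictionary could not be parsed"
    if not isinstance(reply, dict) or reply.get("status") is not True:
        return UNKNOWN, "server did not report status True"
    value = reply.get("value")
    is_ready = value.get("is_ready") if isinstance(value, dict) else None
    if is_ready is True:
        return READY, "encryption key can be used"
    if is_ready is False:
        return LOCKED, "run securitymodule --module=default and enter the password"
    return UNKNOWN, "reply carries no is_ready flag"


# Constructed samples, modelled on the outputs quoted in the thread.
SAMPLE_LOCKED = """Please enter password for 'super':
This is the configuration of your active Security module:
{   u'status': True, u'value': {   u'is_ready': False}}
"""
SAMPLE_READY = """Please enter password for security module 'default':
Setting the password of your security module default
{   u'status': True, u'value': {   u'is_ready': True}}
"""
SAMPLE_OLD_CLIENT = """Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 683, in securitymodule
    r1 = client.securitymodule(param={})
AttributeError: 'privacyideaclient' object has no attribute 'connect'
"""
SAMPLE_LOGIN_BLOCKED = """Traceback (most recent call last):
    raise Exception("Invalid Credentials: %s" % r.status_code)
Exception: Invalid Credentials: 400
"""


def exit_code(state):
    """Map a state to a monitoring-style exit code: 0 ok, 2 needs an operator."""
    return 0 if state == READY else 2


if __name__ == "__main__":
    state, hint = classify(sys.stdin.read())
    print("%s: %s" % (state, hint))
    sys.exit(exit_code(state))
```

A service that restarts cleanly but reports `locked` still cannot encrypt or decrypt token data until an operator supplies the password, so this state deserves an alert rather than a silent pass.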

Hi Cornelius,

I guess I knew what is wrong, so here is what I have done:

  • Disabled all the policies " I have the one for u2f auth, weblogin and one
    for users login " and still got the same error.
  • Take out the usersresolvers from the default realm and the decryption of
    the key will work like a charm.
  • I have LDAP resolver and passwd one, I noticed just a message in the log
    says looking for /etc/passwd in /home/privacyidea, that is why I thought to
    disable the usersource.

So I guess the realm usersources runs before the local admin ones ?

Regards,
Sherif

On Friday, December 4, 2015 at 3:29:35 PM UTC, Sherif Nagy wrote:

okay let me disable the policies and will let you know if it works or not
and which policies I have :)

Sherif

On Friday, December 4, 2015 at 3:25:06 PM UTC, Cornelius Kölbel wrote:

Hi Sherif,

So for some reason the server returns an error.
I could image due to some things it is doing before checking the
admins password. And in doing this stuff, it might run into a problem,
since the encryption key does not exist, yet.

E.g. this could be some policies, which need the encryption key when
being checked.

So can you please tell, what policies you have defined and also take a
look into the servers log file?

THanks a lot
Cornelius

Am Freitag, den 04.12.2015, 07:18 -0800 schrieb Sherif Nagy:

It’s the local admin that has been added by pi-manage admin command

Sherif

On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:
Is this a local admin?
Or is it an admin in a superuser-realm?

    If it is a local admin, which was added by 
    
     pi-manage admin 
    
    it should(TM) work, since the encryption keys are not used in 
    this case. 
    
    If it is an admin in a superuser-realm in e.g. an LDAP, it 
    will not 
    work, since PI can not decrypt the LDAP password to find the 
    admin in 
    the LDAP. 
    
    Kind regards 
    Cornelius 
    

Hello again,

So before encrypting the enckey, I am getting securitymodule value true
"after upgrading to 2.7devX, I encrypt the enckey, paste the data and
replace the file, restart Apache, run again the command to check the status
" should be false or HSM not ready, but I am getting the below error:

Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1467, in <module>
    main()
  File "/usr/bin/privacyidea", line 1462, in main
    no_ssl_check=args.nosslcheck)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
    self.set_credentials(username, password)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 129, in set_credentials
    raise Exception("Invalid Credentials: %s" % r.status_code)
Exception: Invalid Credentials: 400

and the admin password is correct, I replace the encrypted key file with
none encrypted , restart apache and try again to check the status, and I
get True.

Do I need to re-add the admin user ?

Regards,
Sherif

On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote:

Hi Cornelius,

Oh yep the privacyideaadm is 2.5 :/ will update now :) thank you

Sherif

On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote:

Hi Sherif,

you need at least version 2.7dev1.
Hm, should release privacyideaadm 2.7… :-/

I guess you have 2.5?
Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev
(will just upload)
Or you can install it via pip.

Kind regards
Cornelius

On Friday, 04.12.2015, 04:41 -0800, Sherif Nagy wrote:

Hi Cornelius,

I did try the following command " still did not encrypt my key yet,
and I am getting the following error:

#privacyidea -U https://localhost --admin=admin --nosslcheck
securitymodule

/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html (This warning
will only appear once by default.)
InsecureRequestWarning)
This is the configuration of your active Security module:

Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1321, in <module>
    main()
  File "/usr/bin/privacyidea", line 1317, in main
    args.func(args, client)
  File "/usr/bin/privacyidea", line 683, in securitymodule
    r1 = client.securitymodule(param={})
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 226, in securitymodule
    return self.connect('/system/setupSecurityModule', param)
AttributeError: 'privacyideaclient' object has no attribute 'connect'

Any idea what might be the issue ?

Regards,
Sherif

On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote:

Hi Sherif,

take a look here:

http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule

To encrypt the enckey, you can use the script

    pi-manage encrypt_enckey <filename>

This will not overwrite the file. The encrypted data will be written to
stdout. You can either pipe these or paste it.

You may also want to make a backup of the encryption key, anyway!

When you restart the apache it will start quite normal.
But at certain points, when data needs to be encrypted or decrypted you
will get the error:

    ERR707: hsm not ready!

You can also check this at the command line after (re)-starting the
apache:

    # privacyidea -U https://localhost/pi --admin=super --nosslcheck \
            securitymodule
    Please enter password for 'super':
    This is the configuration of your active Security module:
    {   u'status': True, u'value': {   u'is_ready': False}}

"is_ready": False shows you, that the encryption key is not ready to be
used.

So you need to run:

    # privacyidea -U https://localhost/pi --admin=super --nosslcheck \
            securitymodule --module=default

    Please enter password for 'super':
    Please enter password for security module 'default':
    Setting the password of your security module default
    {   u'status': True, u'value': {   u'is_ready': True}}

Now, "is_ready": True shows you, that the encryption key can be used by
privacyIDEA...

Take care and do backups ;-)
I do not know, who uses it productively at the moment.

Kind regards
Cornelius
    
    
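The key swap described in the thread (`pi-manage encrypt_enckey <filename>` writes the encrypted key to stdout and leaves the file alone, and a backup is advised), as an added example that is not part of the original thread and not privacyIDEA's own code. The function name, the `PI_MANAGE` variable and the backup/temp file naming are assumptions made for illustration; the key path is supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread, not privacyIDEA code).
# Assumptions: the caller passes the enckey path; PI_MANAGE names the
# pi-manage executable; the script runs as a user that may write next to
# the key file (normally root).
PI_MANAGE="${PI_MANAGE:-pi-manage}"

# encrypt_enckey_safely KEYFILE
# Prints the path of the plaintext backup on success. On any failure the
# original KEYFILE is left untouched, so existing token data stays readable.
# The body runs in a subshell so umask and helper names do not leak out.
encrypt_enckey_safely() (
    keyfile="$1"
    umask 077                                   # keep backup and temp private
    backup="$keyfile.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$keyfile.enc.$$"

    if [ ! -f "$keyfile" ]; then
        echo "no such key file: $keyfile" >&2
        exit 1
    fi
    # Never overwrite an earlier backup: it may hold the only plaintext copy.
    if [ -e "$backup" ]; then
        echo "backup already exists: $backup" >&2
        exit 1
    fi

    # On failure, drop the temp file and the (redundant) backup, keep the key.
    fail() { rm -f "$tmp" "$backup"; echo "$1" >&2; exit 1; }

    # 1. Backup first, as advised in the thread.
    cp -p "$keyfile" "$backup" || fail "could not back up $keyfile"

    # 2. Pre-create the temp file as a copy so it inherits mode (and owner,
    #    when run as root), then let pi-manage overwrite its content.
    cp -p "$keyfile" "$tmp" || fail "could not create $tmp"
    if ! "$PI_MANAGE" encrypt_enckey "$keyfile" > "$tmp"; then
        fail "pi-manage encrypt_enckey failed"
    fi

    # 3. Refuse to install empty output or output identical to the old key.
    if [ ! -s "$tmp" ]; then
        fail "encrypted output is empty"
    fi
    if cmp -s "$tmp" "$keyfile"; then
        fail "output equals the existing key file"
    fi

    # 4. Same directory, so the rename replaces the key in one step.
    mv -f "$tmp" "$keyfile" || fail "could not install encrypted key"
    echo "$backup"
)
```

After the swap, restart Apache and unlock the key with the `securitymodule --module=default` call shown in the thread; until then, operations that need the key return ERR707.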

Hi Cornelius,

Oh yep the privacyideaadm is 2.5 :/ will update now :) thank you

Sherif

Hi Sherif,

thanks a lot for the details.

I can confirm this.

If the default realm contains an LDAP-Resolver with a BIND-PW you can
not login with a local administrator.

I will dig into this.

Kind regards
Cornelius

On Friday, 04.12.2015, 07:45 -0800, Sherif Nagy wrote:

Hi Cornelius,

I guess I knew what is wrong, so here is what I have done:

  • Disabled all the policies " I have the one for u2f auth, weblogin
    and one for users login " and still got the same error.
  • Take out the usersresolvers from the default realm and the
    decryption of the key will work like a charm.
  • I have LDAP resolver and passwd one, I noticed just a message in the
    log says looking for /etc/passwd in /home/privacyidea, that is why I
    thought to disable the usersource.

So I guess the realm usersources runs before the local admin ones ?

Regards,
Sherif

            >         >         On Friday, December 4, 2015 at 1:16:11 PM UTC,  Cornelius  Kölbel wrote: 
            >         >                 Hi Sherif, 
            >         >                 
            >         >                 you need at least version
            2.7dev1. 
            >         >                 Hm, should release
            privacyideaadm 
            >         2.7... :-/ 
            >         >                 
            >         >                 I guess you have 2.5? 
            >         >                 Oh, it is not available
            from launchpad 
            >         >
            ppa:privacyidea/privacyidea-dev 
            >         >                 (will just upload) 
            >         >                 Or you can install it via
            pip. 
            >         >                 
            >         >                 Kind regards 
            >         >                 Cornelius 
            >         >                 
            >         >                 Am Freitag, den
            04.12.2015, 04:41 -0800 
            >         schrieb Sherif 
            >         >                 Nagy: 
            >         >                 > Hi Cornelius, 
            >         >                 > 
            >         >                 > 
            >         >                 > I did try the following
            command " still 
            >         did not 
            >         >                 encrypt my key yet, 
            >         >                 > and I am getting the
            following error: 
            >         >                 > 
            >         >                 > 
            >         >                 > #privacyidea -U
            https://localhost 
            >         --admin=admin 
            >         >                 --nosslcheck 
            >         >                 > securitymodule 
            >         >                 > 
            >         >                 > 
            >         > 
            >
            > /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: 
            >         >                 > InsecureRequestWarning:
            Unverified HTTPS 
            >         request is 
            >         >                 being made. Adding 
            >         >                 > certificate verification
            is strongly 
            >         advised. See: 
            >         >                 > 
            >         > 
            >
            https://urllib3.readthedocs.org/en/latest/security.html (This 
            >         warning 
            >         >                 > will only appear once by
            default.) 
            >         >                 >
            InsecureRequestWarning) 
            >         >                 > This is the
            configuration of your active 
            >         Security 
            >         >                 module: 
            >         >                 > 
            >         >                 > 
            >         >                 > Traceback (most recent
            call last): 
            >         >                 >   File
            "/usr/bin/privacyidea", line 1321, 
            >         in 
            >         >                 <module> 
            >         >                 >     main() 
            >         >                 >   File
            "/usr/bin/privacyidea", line 1317, 
            >         in main 
            >         >                 >     args.func(args,
            client) 
            >         >                 >   File
            "/usr/bin/privacyidea", line 683, 
            >         in 
            >         >                 securitymodule 
            >         >                 >     r1 =
            client.securitymodule(param={}) 
            >         >                 >   File 
            >         >                 > 
            >         > 
            >
            "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", 
            >         >                 > line 226, in
            securitymodule 
            >         >                 >     return 
            >         >
            self.connect('/system/setupSecurityModule', 
            >         param) 
            >         >                 > AttributeError:
            'privacyideaclient' object 
            >         has no 
            >         >                 attribute 'connect' 
            >         >                 > 
            >         >                 > 
            >         >                 > Any idea what might be
            the issue ? 
            >         >                 > 
            >         >                 > 
            >         >                 > Regards, 
            >         >                 > Sherif 
            >         >                 > 
            >         >                 > On Friday, December 4, 2015 at 10:21:05 AM  UTC,  Cornelius Kölbel  wrote: 
            >         >                 >         Hi Sherif, 
            >         >                 >         
            >         >                 >         take a look
            here: 
            >         >                 > 
            >         > 
            >
            http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule 
            >         >                 >         
            >         >                 >         To encrypt the
            enckey, you can use 
            >         the 
            >         >                 script 
            >         >                 >         
            >         >                 >          pi-manage
            encrypt_enckey 
            >         <filename> 
            >         >                 >         
            >         >                 >         This will not
            overwrite the file. 
            >         The 
            >         >                 encrypted data will be 
            >         >                 >         written to 
            >         >                 >         stdout. You can
            either pipe these 
            >         or paste 
            >         >                 it. 
            >         >                 >         
            >         >                 >         You may also
            want to make a backup 
            >         of the 
            >         >                 encryption key, 
            >         >                 >         anyway! 
            >         >                 >         
            >         >                 >         When you restart
            the apache it 
            >         will start 
            >         >                 quite normal. 
            >         >                 >         But at certain
            points, when data 
            >         needs to be 
            >         >                 encrypted or 
            >         >                 >         decrypted you 
            >         >                 >         will get the
            error: 
            >         >                 >         
            >         >                 >                 ERR707:
            hsm not ready! 
            >         >                 >         
            >         >                 >         You can also
            check this at the 
            >         command line 
            >         >                 after 
            >         >                 >         (re)-starting
            the 
            >         >                 >         apache: 
            >         >                 >         
            >         >                 >         # privacyidea
            -U 
            >         https://localhost/pi 
            >         >                 --admin=super 
            >         >                 >         --nosslcheck \ 
            >         >                 >
            securitymodule 
            >         >                 >         Please enter
            password for 
            >         'super': 
            >         >                 >         This is the
            configuration of your 
            >         active 
            >         >                 Security module: 
            >         >                 >         {   u'status':
            True, u'value': { 
            >         >                 u'is_ready': False}} 
            >         >                 >         
            >         >                 >         "is_ready":
            False shows you, that 
            >         the 
            >         >                 encryption key is not 
            >         >                 >         ready to be 
            >         >                 >         used. 
            >         >                 >         
            >         >                 >         So you need to
            run: 
            >         >                 >         
            >         >                 >         # privacyidea
            -U 
            >         https://localhost/pi 
            >         >                 --admin=super 
            >         >                 >         --nosslcheck \
              
            >         >                 >
             securitymodule 
            >         --module=default 
            >         >                 >         
            >         >                 >         Please enter
            password for 
            >         'super': 
            >         >                 >         Please enter
            password for security 
            >         module 
            >         >                 'default': 
            >         >                 >         Setting the
            password of your 
            >         security module 
            >         >                 default 
            >         >                 >         {   u'status':
            True, u'value': { 
            >         >                 u'is_ready': True}} 
            >         >                 >         
            >         >                 >         Now, "is_ready":
            True shows you, 
            >         that the 
            >         >                 encryption key can 
            >         >                 >         be used by 
            >         >                 >         privacyIDEA... 
            >         >                 >         
            >         >                 >         Take care and do
            backups ;-) 
            >         >                 >         I do not know,
            who uses it 
            >         productively at 
            >         >                 the moment. 
            >         >                 >         
            >         >                 >         Kind regards 
            >         >                 >         Cornelius 
            >         >                 >         
            >         >                 >         
            >         >                 >         Am Freitag, den
            04.12.2015, 02:03 
            >         -0800 
            >         >                 schrieb Sherif Nagy: 
            >         >                 >         > Hello, 
            >         >                 >         > 
            >         >                 >         > 
            >         >                 >         > So I am
            thinking to encrypt my 
            >         encKey with 
            >         >                 a password, 
            >         >                 >         however I have 
            >         >                 >         > few
            questions: 
            >         >                 >         > 
            >         >                 >         > 
            >         >                 >         > 1- This will
            encrypt the current 
            >         key, will 
            >         >                 not generate a 
            >         >                 >         new key ? so 
            >         >                 >         > I don't lose
            the tokens and data 
            >         in the 
            >         >                 Database already 
            >         >                 >         > 2- When I
            start the service 
            >         using 
            >         >                 systemctl or service " I 
            >         >                 >         am using 
            >         >                 >         > deb
            privacyidea-apache2 package, 
            >         will that 
            >         >                 work and asks me 
            >         >                 >         to decrypt 
            >         >                 >         > the enckey ?
            if not, how I can 
            >         decrypt the 
            >         >                 enckey in this 
            >         >                 >         case ? 
            >         >                 >         > 
            >         >                 >         > 
            >         >                 >         > 
            >         >                 >         > 
            >         >                 >         > Regards, 
            >         >                 >         > Sherif 
            >         >                 >         > -- 
            >         >                 >         > You received
            this message 
            >         because you are 
            >         >                 subscribed to the 
            >         >                 >         Google 
            >         >                 >         > Groups
            "privacyidea" group. 
            >         >                 >         > To unsubscribe
            from this group 
            >         and stop 
            >         >                 receiving emails 
            >         >                 >         from it, send 
            >         >                 >         > an email to 
            >         >
            privacyidea...@googlegroups.com. 
            >         >                 >         > To post to
            this group, send 
            >         email to 
            >         >                 >
            priva...@googlegroups.com. 
            >         >                 >         > To view this
            discussion on the 
            >         web visit 
            >         >                 >         > 
            >         >                 > 
            >         > 
            >
            https://groups.google.com/d/msgid/privacyidea/d4e7e11b-0b96-476e-a36c-b7189cc6e339%40googlegroups.com. 
            >         >                 >         > For more
            options, visit 
            >         >
            https://groups.google.com/d/optout. 
            >         >                 >         
            >         >                 >         -- 
            >         >                 >         Cornelius
            Kölbel 
            >         >                 >
            corneliu...@netknights.it 
            >         >                 >         +49 151 2960
            1417 
            >         >                 >         
            >         >                 >         NetKnights GmbH 
            >         >                 >
            http://www.netknights.it 
            >         >                 >
            Landgraf-Karl-Str. 19, 34131 
            >         Kassel, 
            >         >                 Germany 
            >         >                 >         Tel: +49 561
            3166797, Fax: +49 561 
            >         3166798 
            >         >                 >         
            >         >                 >         Amtsgericht
            Kassel, HRB 16405 
            >         >                 >         Geschäftsführer:
            Cornelius Kölbel 
            >         >                 >         
            >         >                 >         
            >         >                 > -- 
            >         >                 > You received this
            message because you are 
            >         subscribed 
            >         >                 to the Google 
            >         >                 > Groups "privacyidea"
            group. 
            >         >                 > To unsubscribe from this
            group and stop 
            >         receiving 
            >         >                 emails from it, send 
            >         >                 > an email to 
            >         privacyidea...@googlegroups.com. 
            >         >                 > To post to this group,
            send email to 
            >         >
            priva...@googlegroups.com. 
            >         >                 > To view this discussion
            on the web visit 
            >         >                 > 
            >         > 
            >
            https://groups.google.com/d/msgid/privacyidea/9b251fd2-be6d-45f4-9d47-42f7e142166b%40googlegroups.com. 
            >         >                 > For more options, visit 
            >         >
            https://groups.google.com/d/optout. 
            >         >                 
            >         >                 -- 
            >         >                 Cornelius Kölbel 
            >         >                 corneliu...@netknights.it 
            >         >                 +49 151 2960 1417 
            >         >                 
            >         >                 NetKnights GmbH 
            >         >                 http://www.netknights.it 
            >         >                 Landgraf-Karl-Str. 19,
            34131 Kassel, 
            >         Germany 
            >         >                 Tel: +49 561 3166797, Fax:
            +49 561 3166798 
            >         >                 
            >         >                 Amtsgericht Kassel, HRB
            16405 
            >         >                 Geschäftsführer: Cornelius
            Kölbel 
            >         >                 
            >         >                 
            >         > -- 
            >         > You received this message because you are
            subscribed to the 
            >         Google 
            >         > Groups "privacyidea" group. 
            >         > To unsubscribe from this group and stop
            receiving emails 
            >         from it, send 
            >         > an email to
            privacyidea...@googlegroups.com. 
            >         > To post to this group, send email to 
            >         priva...@googlegroups.com. 
            >         > To view this discussion on the web visit 
            >         > 
            >
            https://groups.google.com/d/msgid/privacyidea/799090b8-3ca3-48de-a48e-02d9943a0e8d%40googlegroups.com. 
            >         > For more options, visit
            https://groups.google.com/d/optout. 
            >         
            >         -- 
            >         Cornelius Kölbel 
            >         corneliu...@netknights.it 
            >         +49 151 2960 1417 
            >         
            >         NetKnights GmbH 
            >         http://www.netknights.it 
            >         Landgraf-Karl-Str. 19, 34131 Kassel,
            Germany 
            >         Tel: +49 561 3166797, Fax: +49 561 3166798 
            >         
            >         Amtsgericht Kassel, HRB 16405 
            >         Geschäftsführer: Cornelius Kölbel 
            >         
            >         
            > -- 
            > You received this message because you are subscribed
            to the Google 
            > Groups "privacyidea" group. 
            > To unsubscribe from this group and stop receiving
            emails from it, send 
            > an email to privacyidea...@googlegroups.com. 
            > To post to this group, send email to
            priva...@googlegroups.com. 
            > To view this discussion on the web visit 
            >
            https://groups.google.com/d/msgid/privacyidea/bf13cc4c-f993-4d4f-abd3-6573915962a8%40googlegroups.com. 
            > For more options, visit
            https://groups.google.com/d/optout. 
            
            -- 
            Cornelius Kölbel 
            corneliu...@netknights.it 
            +49 151 2960 1417 
            
            NetKnights GmbH 
            http://www.netknights.it 
            Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
            Tel: +49 561 3166797, Fax: +49 561 3166798 
            
            Amtsgericht Kassel, HRB 16405 
            Geschäftsführer: Cornelius Kölbel 


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Hi Sherif,

take a look here:
http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule

To encrypt the enckey, you can use the script

 pi-manage encrypt_enckey <filename>

This will not overwrite the file. The encrypted data will be written to
stdout. You can either pipe these or paste it.

You may also want to make a backup of the encryption key, anyway!

When you restart the apache it will start quite normal.
But at certain points, when data needs to be encrypted or decrypted you
will get the error:

ERR707: hsm not ready!

You can also check this at the command line after (re)-starting the
apache:

# privacyidea -U https://localhost/pi --admin=super --nosslcheck \
        securitymodule
Please enter password for 'super':
This is the configuration of your active Security module:
{   u'status': True, u'value': { u'is_ready': False}}

“is_ready”: False shows you, that the encryption key is not ready to be
used.

So you need to run:

# privacyidea -U https://localhost/pi --admin=super --nosslcheck \
        securitymodule --module=default

Please enter password for 'super':
Please enter password for security module 'default':
Setting the password of your security module default
{   u'status': True, u'value': { u'is_ready': True}}

Now, “is_ready”: True shows you, that the encryption key can be used by
privacyIDEA…

Take care and do backups ;-)
I do not know, who uses it productively at the moment.

Kind regards
Cornelius

On Friday, 04.12.2015, 02:03 -0800, Sherif Nagy wrote:

Hello,

So I am thinking to encrypt my encKey with a password, however I have
few questions:

1- This will encrypt the current key, will not generate a new key ? so
I don’t lose the tokens and data in the Database already
2- When I start the service using systemctl or service " I am using
deb privacyidea-apache2 package, will that work and asks me to decrypt
the enckey ? if not, how I can decrypt the enckey in this case ?

Regards,
Sherif


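Added example, not part of the original posts and not privacyIDEA code: after an Apache restart the encrypted key stays locked until the security module password is entered, so a monitoring check can parse captured `securitymodule` output like that quoted above and flag the locked state. The function names, state codes and sample strings are assumptions constructed for this illustration.

```python
"""Classify captured output of `privacyidea ... securitymodule` (added example)."""
import ast
import re
import sys

# Nagios-style plugin states; mapping them to alerts is left to the caller.
OK, CRITICAL, UNKNOWN = 0, 2, 3

# The CLI prints the API result as a Python 2 dict repr, for example
# {   u'status': True, u'value': { u'is_ready': False}}
_RESULT_RE = re.compile(r"\{.*'status'.*\}", re.S)

# Constructed samples, modelled on the output quoted in the thread.
SAMPLE_LOCKED = """Please enter password for 'super':
This is the configuration of your active Security module:
{   u'status': True, u'value': { u'is_ready': False}}
"""
SAMPLE_READY = """Please enter password for 'super':
This is the configuration of your active Security module:
{   u'status': True, u'value': {
u'is_ready': True}}
"""
SAMPLE_LOGIN_FAILED = """Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1467, in <module>
    main()
Exception: Invalid Credentials: 400
"""


def parse_securitymodule_output(text):
    """Return the result dict found in the CLI output, or None."""
    match = _RESULT_RE.search(text)
    if not match:
        return None
    try:
        # literal_eval accepts u'...' keys and never executes code.
        result = ast.literal_eval(match.group(0))
    except (ValueError, SyntaxError):
        return None
    return result if isinstance(result, dict) else None


def classify(text):
    """Map captured CLI output to a (state, message) pair."""
    if "Invalid Credentials: 400" in text:
        # Seen in this thread while the key was still locked and the
        # default realm held an LDAP resolver with a bind password.
        return CRITICAL, "admin login rejected with HTTP 400; check whether the enckey is locked"
    result = parse_securitymodule_output(text)
    if result is None:
        return UNKNOWN, "no security module status found in output"
    value = result.get("value")
    if result.get("status") is not True or not isinstance(value, dict):
        return UNKNOWN, "unexpected result structure: %r" % (result,)
    if value.get("is_ready") is True:
        return OK, "encryption key is unlocked"
    return CRITICAL, ("encryption key is locked, expect ERR707; "
                      "run securitymodule --module=default")


if __name__ == "__main__":
    # Usage: pipe the captured CLI output into this script.
    state, message = classify(sys.stdin.read())
    print(message)
    sys.exit(state)
```
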
It’s the local admin that has been added by pi-manage admin command

Sherif

On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:

Is this a local admin?
Or is it an admin in a superuser-realm?

If it is a local admin, which was added by

pi-manage admin

it should™ work, since the encryption keys are not used in this case.

If it is an admin in a superuser-realm in e.g. an LDAP, it will not
work, since PI can not decrypt the LDAP password to find the admin in
the LDAP.

Kind regards
Cornelius

On Friday, 04.12.2015, 07:02 -0800, Sherif Nagy wrote:

Hello again,

So before encrypting the enckey, I am getting securitymodule value
true "after upgrading to 2.7devX, I encrypt the enckey, paste the data
and replace the file, restart Apache, run again the command to check
the status " should be false or HSM not ready, but I am getting the
below error:

Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1467, in <module>
    main()
  File "/usr/bin/privacyidea", line 1462, in main
    no_ssl_check=args.nosslcheck)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
    self.set_credentials(username, password)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 129, in set_credentials
    raise Exception("Invalid Credentials: %s" % r.status_code)
Exception: Invalid Credentials: 400

and the admin password is correct, I replace the encrypted key file
with none encrypted , restart apache and try again to check the
status, and I get True.

Do I need to re-add the admin user ?

Regards,
Sherif

On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote:

    Hi Cornelius,

    Oh yep the privacyideaadm is 2.5 :/ will update now :) thank you

    Sherif

    On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote:
            Hi Sherif,

            you need at least version 2.7dev1.
            Hm, should release privacyideaadm 2.7... :-/

            I guess you have 2.5?
            Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev
            (will just upload)
            Or you can install it via pip.

            Kind regards
            Cornelius

            On Friday, 04.12.2015, 04:41 -0800, Sherif Nagy wrote:
            > Hi Cornelius,
            >
            > I did try the following command " still did not encrypt my key yet,
            > and I am getting the following error:
            >
            > #privacyidea -U https://localhost --admin=admin --nosslcheck securitymodule
            >
            > /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
            > InsecureRequestWarning: Unverified HTTPS request is being made. Adding
            > certificate verification is strongly advised. See:
            > https://urllib3.readthedocs.org/en/latest/security.html (This warning
            > will only appear once by default.)
            >   InsecureRequestWarning)
            > This is the configuration of your active Security module:
            >
            > Traceback (most recent call last):
            >   File "/usr/bin/privacyidea", line 1321, in <module>
            >     main()
            >   File "/usr/bin/privacyidea", line 1317, in main
            >     args.func(args, client)
            >   File "/usr/bin/privacyidea", line 683, in securitymodule
            >     r1 = client.securitymodule(param={})
            >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 226, in securitymodule
            >     return self.connect('/system/setupSecurityModule', param)
            > AttributeError: 'privacyideaclient' object has no attribute 'connect'
            >
            > Any idea what might be the issue ?
            >
            > Regards,
            > Sherif
            >
            > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote:
            >         Hi Sherif, 
            >         
            >         take a look here: 
            > 

http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule

            >         
            >         To encrypt the enckey, you can use the 
            script 
            >         
            >          pi-manage encrypt_enckey <filename> 
            >         
            >         This will not overwrite the file. The 
            encrypted data will be 
            >         written to 
            >         stdout. You can either pipe these or paste 
            it. 
            >         
            >         You may also want to make a backup of the 
            encryption key, 
            >         anyway! 
            >         
            >         When you restart the apache it will start 
            quite normal. 
            >         But at certain points, when data needs to be 
            encrypted or 
            >         decrypted you 
            >         will get the error: 
            >         
            >                 ERR707: hsm not ready! 
            >         
            >         You can also check this at the command line 
            after 
            >         (re)-starting the 
            >         apache: 
            >         
            >         # privacyidea -U https://localhost/pi 
            --admin=super 
            >         --nosslcheck \ 
            >                 securitymodule 
            >         Please enter password for 'super': 
            >         This is the configuration of your active 
            Security module: 
            >         {   u'status': True, u'value': { 
            u'is_ready': False}} 
            >         
            >         "is_ready": False shows you, that the 
            encryption key is not 
            >         ready to be 
            >         used. 
            >         
            >         So you need to run: 
            >         
            >         # privacyidea -U https://localhost/pi 
            --admin=super 
            >         --nosslcheck \   
            >              securitymodule --module=default 
            >         
            >         Please enter password for 'super': 
            >         Please enter password for security module 
            'default': 
            >         Setting the password of your security module 
            default 
            >         {   u'status': True, u'value': { 
            u'is_ready': True}} 
            >         
            >         Now, "is_ready": True shows you, that the 
            encryption key can 
            >         be used by 
            >         privacyIDEA... 
            >         
            >         Take care and do backups ;-) 
            >         I do not know, who uses it productively at 
            the moment. 
            >         
            >         Kind regards 
            >         Cornelius 
            >         
            >         
            >         On Friday, 04.12.2015, 02:03 -0800, Sherif Nagy wrote:
            >         > Hello,
            >         >
            >         > So I am thinking to encrypt my encKey with a password,
            >         > however I have few questions:
            >         >
            >         > 1- This will encrypt the current key, will not generate a
            >         > new key ? so I don't lose the tokens and data in the
            >         > Database already
            >         > 2- When I start the service using systemctl or service " I
            >         > am using deb privacyidea-apache2 package, will that work
            >         > and asks me to decrypt the enckey ? if not, how I can
            >         > decrypt the enckey in this case ?
            >         >
            >         > Regards,
            >         > Sherif
            >         
            >         -- 
            >         Cornelius Kölbel 
            >         corneliu...@netknights.it 
            >         +49 151 2960 1417 
            >         
            >         NetKnights GmbH 
            >         http://www.netknights.it 
            >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany
            >         Tel: +49 561 3166797, Fax: +49 561 3166798 
            >         
            >         Amtsgericht Kassel, HRB 16405 
            >         Geschäftsführer: Cornelius Kölbel 
            >         
            >         


Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
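
The outcomes of the `securitymodule` check reported in this thread, gathered into one triage helper. This is an added example, not part of the original messages and not privacyIDEA code; the state names and the `parse_reply`/`classify` helpers are hypothetical, and the sample outputs are abridged from the output quoted in the thread.

```python
import ast
import re

READY, NOT_READY = "ready", "not_ready"
CLIENT_TOO_OLD, LOGIN_FAILED, UNKNOWN = "client_too_old", "login_failed", "unknown"

# Next step for each state, taken from the replies in this thread.
ADVICE = {
    READY: "The encryption key is decrypted and can be used.",
    NOT_READY: "Supply the key password: securitymodule --module=default",
    CLIENT_TOO_OLD: "Upgrade privacyideaadm (the CLI client) to at least 2.7dev1.",
    LOGIN_FAILED: "Login rejected. If the password is correct and the enckey is "
                  "still locked, see issue #280 (LDAP resolver with a bind "
                  "password in the default realm).",
    UNKNOWN: "Unrecognised output; check the server log file.",
}

# The client prints the server reply as a Python 2 dict repr, for example
# {   u'status': True, u'value': { u'is_ready': False}}
_REPLY_RE = re.compile(r"\{.*\}", re.DOTALL)


def parse_reply(output):
    """Return the reply dict printed by the client, or None if there is none."""
    match = _REPLY_RE.search(output)
    if not match:
        return None
    try:
        # literal_eval accepts the u'' prefixes and never executes code.
        reply = ast.literal_eval(match.group(0))
    except (ValueError, SyntaxError):
        return None
    return reply if isinstance(reply, dict) else None


def classify(output):
    """Map the raw CLI output to one of the states defined above."""
    # Tracebacks first: they can contain braces that are not a reply.
    if "has no attribute 'connect'" in output:
        return CLIENT_TOO_OLD
    if "Invalid Credentials" in output:
        return LOGIN_FAILED
    if "ERR707" in output:
        return NOT_READY
    reply = parse_reply(output)
    if reply is None or reply.get("status") is not True:
        return UNKNOWN
    value = reply.get("value")
    if not isinstance(value, dict) or "is_ready" not in value:
        return UNKNOWN
    return READY if value["is_ready"] is True else NOT_READY


# Sample outputs, abridged from the messages in this thread.
SAMPLE_NOT_READY = """Please enter password for 'super':
This is the configuration of your active Security module:
{   u'status': True, u'value': { u'is_ready': False}}
"""
SAMPLE_READY = """Please enter password for 'super':
Please enter password for security module 'default':
Setting the password of your security module default
{   u'status': True, u'value': { u'is_ready': True}}
"""
SAMPLE_OLD_CLIENT = """Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 683, in securitymodule
    r1 = client.securitymodule(param={})
AttributeError: 'privacyideaclient' object has no attribute 'connect'
"""
SAMPLE_LOGIN_FAILED = """Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1462, in main
    no_ssl_check=args.nosslcheck)
Exception: Invalid Credentials: 400
"""

if __name__ == "__main__":
    samples = [SAMPLE_NOT_READY, SAMPLE_READY,
               SAMPLE_OLD_CLIENT, SAMPLE_LOGIN_FAILED]
    for sample in samples:
        state = classify(sample)
        print("%-15s %s" % (state, ADVICE[state]))
```

Because Apache starts normally with a locked key, a check like this is worth running after every restart until the state is `ready`.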

Hi Cornelius,

Just to confirm, I created an empty realm and set it as default, and the
decryption of the enckey works. So it seems the system is checking the user’s
realm before the local admin.

Regards,
Sherif

On Friday, December 4, 2015 at 3:54:23 PM UTC, Cornelius Kölbel wrote:

Hi Sherif,

thanks a lot for the details.

I can confirm this.

If the default realm contains an LDAP-Resolver with a BIND-PW you can
not login with a local administrator.

https://github.com/privacyidea/privacyidea/issues/280

I will dig into this.

Kind regards
Cornelius

On Friday, 04.12.2015, 07:45 -0800, Sherif Nagy wrote:

Hi Cornelius,

I guess I knew what is wrong, so here is what I have done:

  • Disabled all the policies " I have the one for u2f auth, weblogin
    and one for users login " and still got the same error.
  • Take out the usersresolvers from the default realm and the
    decryption of the key will work like a charm.
  • I have LDAP resolver and passwd one, I noticed just a message in the
    log says looking for /etc/passwd in /home/privacyidea, that is why I
    thought to disable the usersource.

So I guess the realm usersources runs before the local admin ones ?

Regards,
Sherif

On Friday, December 4, 2015 at 3:29:35 PM UTC, Sherif Nagy wrote:

okay let me disable the policies and will let you know if it
works or not and which policies I have :)

    Sherif

    On Friday, December 4, 2015 at 3:25:06 PM UTC, Cornelius Kölbel wrote:
            Hi Sherif,

            So for some reason the server returns an error.
            I could imagine due to some things it is doing _before_ checking the
            admins password. And in doing this stuff, it might run into a problem,
            since the encryption key does not exist, yet.

            E.g. this could be some policies, which need the encryption key when
            being checked.

            So can you please tell, what policies you have defined and also take a
            look into the servers log file?

            Thanks a lot
            Cornelius
            
            
            On Friday, 04.12.2015, 07:18 -0800, Sherif Nagy wrote:
            > It's the local admin that has been added by pi-manage admin command
            >
            > Sherif
            >
            > On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:
            >         Is this a local admin?
            >         Or is it an admin in a superuser-realm?
            >
            >         If it is a local admin, which was added by
            >
            >          pi-manage admin
            >
            >         it should(TM) work, since the encryption keys are not used in
            >         this case.
            >
            >         If it is an admin in a superuser-realm in e.g. an LDAP, it
            >         will not work, since PI can not decrypt the LDAP password to
            >         find the admin in the LDAP.
            >
            >         Kind regards
            >         Cornelius
            >         
            >         On Friday, 04.12.2015, 07:02 -0800, Sherif Nagy wrote:
            >         > Hello again,
            >         >
            >         > So before encrypting the enckey, I am getting securitymodule
            >         > value true "after upgrading to 2.7devX, I encrypt the enckey,
            >         > paste the data and replace the file, restart Apache, run again
            >         > the command to check the status " should be false or HSM not
            >         > ready, but I am getting the below error:
            >         >
            >         > Traceback (most recent call last):
            >         >   File "/usr/bin/privacyidea", line 1467, in <module>
            >         >     main()
            >         >   File "/usr/bin/privacyidea", line 1462, in main
            >         >     no_ssl_check=args.nosslcheck)
            >         >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
            >         >     self.set_credentials(username, password)
            >         >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 129, in set_credentials
            >         >     raise Exception("Invalid Credentials: %s" % r.status_code)
            >         > Exception: Invalid Credentials: 400
            >         >
            >         > and the admin password is correct, I replace the encrypted
            >         > key file with non-encrypted, restart apache and try again to
            >         > check the status, and I get True.
            >         >
            >         > Do I need to re-add the admin user ?
            >         >
            >         > Regards,
            >         > Sherif
            >         > 
            >         > 
            >         > On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote:
            >         >         Hi Cornelius,
            >         >
            >         >         Oh yep the privacyideaadm is 2.5 :/ will update now :)
            >         >         thank you
            >         >
            >         >         Sherif
            >         >
            >         >         On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote:
            >         >                 Hi Sherif,
            >         >
            >         >                 you need at least version 2.7dev1.
            >         >                 Hm, should release privacyideaadm 2.7... :-/
            >         >
            >         >                 I guess you have 2.5?
            >         >                 Oh, it is not available from launchpad
            >         >                 ppa:privacyidea/privacyidea-dev
            >         >                 (will just upload)
            >         >                 Or you can install it via pip.
            >         >
            >         >                 Kind regards
            >         >                 Cornelius
            >         >                 
            >         >                 On Friday, 04.12.2015, 04:41 -0800, Sherif Nagy wrote:
            >         >                 > Hi Cornelius,
            >         >                 >
            >         >                 > I did try the following command " still did not
            >         >                 > encrypt my key yet, and I am getting the following
            >         >                 > error:
            >         >                 >
            >         >                 > #privacyidea -U https://localhost --admin=admin --nosslcheck securitymodule
            >         >                 >
            >         >                 > /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
            >         >                 > InsecureRequestWarning: Unverified HTTPS request is being made. Adding
            >         >                 > certificate verification is strongly advised. See:
            >         >                 > https://urllib3.readthedocs.org/en/latest/security.html (This warning
            >         >                 > will only appear once by default.)
            >         >                 >   InsecureRequestWarning)
            >         >                 > This is the configuration of your active Security module:
            >         >                 >
            >         >                 > Traceback (most recent call last):
            >         >                 >   File "/usr/bin/privacyidea", line 1321, in <module>
            >         >                 >     main()
            >         >                 >   File "/usr/bin/privacyidea", line 1317, in main
            >         >                 >     args.func(args, client)
            >         >                 >   File "/usr/bin/privacyidea", line 683, in securitymodule
            >         >                 >     r1 = client.securitymodule(param={})
            >         >                 >   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 226, in securitymodule
            >         >                 >     return self.connect('/system/setupSecurityModule', param)
            >         >                 > AttributeError: 'privacyideaclient' object has no attribute 'connect'
            >         >                 >
            >         >                 > Any idea what might be the issue ?
            >         >                 >
            >         >                 > Regards,
            >         >                 > Sherif
            >         >                 > 


Cornelius Kölbel
corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Okay, let me disable the policies and will let you know if it works or not
and which policies I have :)

Sherif

On Friday, December 4, 2015 at 3:25:06 PM UTC, Cornelius Kölbel wrote:

Hi Sherif,

So for some reason the server returns an error.
I could imagine due to some things it is doing before checking the
admin's password. And in doing this stuff, it might run into a problem,
since the encryption key does not exist, yet.

E.g. this could be some policies, which need the encryption key when
being checked.

So can you please tell, what policies you have defined and also take a
look into the server's log file?

Thanks a lot
Cornelius

On Friday, 04.12.2015, 07:18 -0800, Sherif Nagy wrote:

It’s the local admin that has been added by pi-manage admin command

Sherif

On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:

Is this a local admin?
Or is it an admin in a superuser-realm?

If it is a local admin, which was added by

pi-manage admin

it should(TM) work, since the encryption keys are not used in this case.

If it is an admin in a superuser-realm in e.g. an LDAP, it will not
work, since PI can not decrypt the LDAP password to find the admin in
the LDAP.

Kind regards
Cornelius

On Friday, 04.12.2015, 07:02 -0800, Sherif Nagy wrote:

Hello again,

So before encrypting the enckey, I am getting securitymodule value
true "after upgrading to 2.7devX, I encrypt the enckey, paste the data
and replace the file, restart Apache, run again the command to check
the status " should be false or HSM not ready, but I am getting the
below error:

Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1467, in <module>
    main()
  File "/usr/bin/privacyidea", line 1462, in main
    no_ssl_check=args.nosslcheck)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
    self.set_credentials(username, password)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 129, in set_credentials
    raise Exception("Invalid Credentials: %s" % r.status_code)
Exception: Invalid Credentials: 400

and the admin password is correct. I replace the encrypted key file
with the non-encrypted one, restart Apache and try again to check the
status, and I get True.

Do I need to re-add the admin user ?

Regards,
Sherif

On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote:

Hi Cornelius,

Oh yep the privacyideaadm is 2.5 :/ will update now :) thank you

Sherif

On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote:

Hi Sherif,

you need at least version 2.7dev1.
Hm, should release privacyideaadm 2.7... :-/

I guess you have 2.5?
Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev
(will just upload)
Or you can install it via pip.

Kind regards
Cornelius

On Friday, 04.12.2015, 04:41 -0800, Sherif Nagy wrote:
> Hi Cornelius,
>
> I did try the following command " still did not encrypt my key yet,
> and I am getting the following error:
>
> #privacyidea -U https://localhost --admin=admin --nosslcheck securitymodule
>
> /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html (This warning
> will only appear once by default.)
>   InsecureRequestWarning)
> This is the configuration of your active Security module:
>
> Traceback (most recent call last):
>   File "/usr/bin/privacyidea", line 1321, in <module>
>     main()
>   File "/usr/bin/privacyidea", line 1317, in main
>     args.func(args, client)
>   File "/usr/bin/privacyidea", line 683, in securitymodule
>     r1 = client.securitymodule(param={})
>   File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 226, in securitymodule
>     return self.connect('/system/setupSecurityModule', param)
> AttributeError: 'privacyideaclient' object has no attribute 'connect'
>
> Any idea what might be the issue?
>
> Regards,
> Sherif
>
> On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote:
> > Hi Sherif,
> >
> > take a look here:
> > http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule
> >
> > To encrypt the enckey, you can use the script
> >
> >     pi-manage encrypt_enckey <filename>
> >
> > This will not overwrite the file. The encrypted data will be written to
> > stdout. You can either pipe these or paste it.
> >
> > You may also want to make a backup of the encryption key, anyway!
> >
> > When you restart the apache it will start quite normal.
> > But at certain points, when data needs to be encrypted or decrypted you
> > will get the error:
> >
> >     ERR707: hsm not ready!
> >
> > You can also check this at the command line after (re)-starting the
> > apache:
> >
> >     # privacyidea -U https://localhost/pi --admin=super --nosslcheck \
> >             securitymodule
> >     Please enter password for 'super':
> >     This is the configuration of your active Security module:
> >     {   u'status': True, u'value': { u'is_ready': False}}
> >
> > "is_ready": False shows you, that the encryption key is not ready to be
> > used.
> >
> > So you need to run:
> >
> >     # privacyidea -U https://localhost/pi --admin=super --nosslcheck \
> >             securitymodule --module=default
> >
> >     Please enter password for 'super':
> >     Please enter password for security module 'default':
> >     Setting the password of your security module default
> >     {   u'status': True, u'value': { u'is_ready': True}}
> >
> > Now, "is_ready": True shows you, that the encryption key can be used by
> > privacyIDEA...
> >
> > Take care and do backups ;-)
> > I do not know, who uses it productively at the moment.
> >
> > Kind regards
> > Cornelius
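A post-restart check built on the outputs quoted in this thread, added here as an example and not part of privacyIDEA or of any post: it classifies captured `privacyidea ... securitymodule` output into the states the thread runs into, and treats anything unclear as "key not ready". The function names, the state labels and the sample strings (constructed from the outputs quoted above) are assumptions.

```python
import ast
import re

# State labels are hypothetical names chosen for this example.
READY, LOCKED, CLIENT_TOO_OLD, LOGIN_FAILED, UNKNOWN = (
    "ready", "locked", "client_too_old", "login_failed", "unknown")


def _brace_spans(text):
    """Yield every balanced top-level {...} span found in text."""
    depth, start = 0, 0
    for pos, char in enumerate(text):
        if char == "{":
            if depth == 0:
                start = pos
            depth += 1
        elif char == "}" and depth:
            depth -= 1
            if depth == 0:
                yield text[start:pos + 1]


def parse_result(output):
    """Return the last result dict the CLI printed, or None if there is none."""
    result = None
    for span in _brace_spans(output):
        try:
            # literal_eval accepts the Python 2 style u'...' repr without
            # executing anything from the captured text.
            candidate = ast.literal_eval(span)
        except (ValueError, SyntaxError, TypeError):
            continue
        # Traceback lines such as "param={}" also contain braces; skip them.
        if isinstance(candidate, dict) and "status" in candidate:
            result = candidate
    return result


def triage(output):
    """Map captured CLI output to (state, hint); only a clear True is READY."""
    result = parse_result(output)
    if result is not None:
        value = result.get("value")
        if (result.get("status") is True and isinstance(value, dict)
                and value.get("is_ready") is True):
            return READY, "encryption key is unlocked"
        return LOCKED, "run securitymodule --module=default and enter the key password"
    if "ERR707" in output:
        return LOCKED, "server reports 'hsm not ready'"
    if "has no attribute 'connect'" in output:
        return CLIENT_TOO_OLD, "the thread asks for privacyideaadm 2.7dev1 or later"
    match = re.search(r"Invalid Credentials: (\d+)", output)
    if match:
        return LOGIN_FAILED, ("HTTP %s at login; in this thread the default realm "
                              "held an LDAP resolver with a bind password" % match.group(1))
    return UNKNOWN, "unrecognised output; treat the key as not ready"


# Constructed samples, shortened from the outputs quoted in the thread.
SAMPLE_LOCKED = """This is the configuration of your active Security module:
{   u'status': True, u'value': { u'is_ready': False}}"""

SAMPLE_READY = """Setting the password of your security module default
{   u'status': True, u'value': { u'is_ready': True}}"""

SAMPLE_OLD_CLIENT = """This is the configuration of your active Security module:
Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 683, in securitymodule
    r1 = client.securitymodule(param={})
AttributeError: 'privacyideaclient' object has no attribute 'connect'"""

SAMPLE_LOGIN = """Traceback (most recent call last):
    raise Exception("Invalid Credentials: %s" % r.status_code)
Exception: Invalid Credentials: 400"""

if __name__ == "__main__":
    for name, sample in [("locked", SAMPLE_LOCKED), ("ready", SAMPLE_READY),
                         ("old client", SAMPLE_OLD_CLIENT), ("login", SAMPLE_LOGIN)]:
        print(name, "->", triage(sample))
```
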