Hello,
So I am thinking to encrypt my encKey with a password, however I have few
questions:
1- This will encrypt the current key, will not generate a new key ? so I
don’t lose the tokens and data in the Database already
2- When I start the service using systemctl or service " I am using deb
privacyidea-apache2 package, will that work and asks me to decrypt the
enckey ? if not, how I can decrypt the enckey in this case ?
Regards,
Sherif
It is this line:
When the user object is created with a loginname and the realmname, it
also checks in which resolver in the realm the user is located.
To get a user object consisting of loginname, realmname and
resolvername.
In this case, it can not check the LDAP resolver, since it can not
access the BIND PW.
Kind regards
CorneliusAm Freitag, den 04.12.2015, 08:03 -0800 schrieb Sherif Nagy:
Hi Cornelius,
Just to confirm, I created an empty realm and set it as default, and
the decyrption of the enckey works. so it seems the system checking
the user’s realm before the local admin.Regards,
SherifOn Friday, December 4, 2015 at 3:54:23 PM UTC, Cornelius Kölbel wrote:
Hi Sherif,thanks a lot for the details. I can confirm this. If the default realm contains an LDAP-Resolver with a BIND-PW you can not login with a local administrator. https://github.com/privacyidea/privacyidea/issues/280 I will dig into this. Kind regards Cornelius Am Freitag, den 04.12.2015, 07:45 -0800 schrieb Sherif Nagy: > Hi Cornelius, > > > I guess I knew what is wrong, so here is what I have done: > > > - Disabled all the policies " I have the one for u2f auth, weblogin > and one for users login " and still got the same error. > - Take out the usersresolvers from the default realm and the > decryption of the key will work like a charm. > - I have LDAP resolver and passwd one, I noticed just a message in the > log says looking for /etc/passwd in /home/privacyidea, that is why I > thought to disable the usersource. > > > So I guess the realm usersources runs before the local admin ones ? > > > Regards, > Sherif > > On Friday, December 4, 2015 at 3:29:35 PM UTC, Sherif Nagy wrote: > okay let me disable the policies and will let you know if it > works or not and which policies I have :) > > > Sherif > > On Friday, December 4, 2015 at 3:25:06 PM UTC, Cornelius Kölbel wrote: > Hi Sherif, > > So for some reason the server returns an error. > I could image due to some things it is doing _before_ > checking the > admins password. And in doing this stuff, it might run > into a problem, > since the encryption key does not exist, yet. > > E.g. this could be some policies, which need the > encryption key when > being checked. > > So can you please tell, what policies you have defined > and also take a > look into the servers log file? > > THanks a lot > Cornelius > > > Am Freitag, den 04.12.2015, 07:18 -0800 schrieb Sherif > Nagy: > > It's the local admin that has been added by > pi-manage admin command > > > > > > Sherif > > > > On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote: > > Is this a local admin? > > Or is it an admin in a superuser-realm? > > > > If it is a local admin, which was added by > > > > pi-manage admin > > > > it should(TM) work, since the encryption > keys are not used in > > this case. > > > > If it is an admin in a superuser-realm in > e.g. an LDAP, it > > will not > > work, since PI can not decrypt the LDAP > password to find the > > admin in > > the LDAP. > > > > Kind regards > > Cornelius > > > > Am Freitag, den 04.12.2015, 07:02 -0800 > schrieb Sherif Nagy: > > > Hello again, > > > > > > > > > So before encrypting the enckey, I am > getting securitymodule > > value > > > true "after upgrading to 2.7devX, I > encrypt the enckey, > > paste the data > > > and replace the file, restart Apache, run > again the command > > to check > > > the status " should be false or HSM not > ready, but I am > > getting the > > > below error: > > > > > > > > > Traceback (most recent call last): > > > File "/usr/bin/privacyidea", line 1467, > in <module> > > > main() > > > File "/usr/bin/privacyidea", line 1462, > in main > > > no_ssl_check=args.nosslcheck) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", > > > line 96, in __init__ > > > self.set_credentials(username, > password) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", > > > line 129, in set_credentials > > > raise Exception("Invalid Credentials: > %s" % > > r.status_code) > > > Exception: Invalid Credentials: 400 > > > > > > > > > and the admin password is correct, I > replace the encrypted > > key file > > > with none encrypted , restart apache and > try again to check > > the > > > status, and I get True. > > > > > > > > > Do I need to re-add the admin user ? > > > > > > > > > Regards, > > > Sherif > > > > > > > > > On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote: > > > Hi Cornelius, > > > > > > Oh yep the privacyideaadm is > 2.5 :/ will update > > now :) thank > > > you > > > > > > > > > Sherif > > > > > > On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote: > > > Hi Sherif, > > > > > > you need at least version > 2.7dev1. > > > Hm, should release > privacyideaadm > > 2.7... :-/ > > > > > > I guess you have 2.5? > > > Oh, it is not available > from launchpad > > > > ppa:privacyidea/privacyidea-dev > > > (will just upload) > > > Or you can install it via > pip. > > > > > > Kind regards > > > Cornelius > > > > > > Am Freitag, den > 04.12.2015, 04:41 -0800 > > schrieb Sherif > > > Nagy: > > > > Hi Cornelius, > > > > > > > > > > > > I did try the following > command " still > > did not > > > encrypt my key yet, > > > > and I am getting the > following error: > > > > > > > > > > > > #privacyidea -U > https://localhost > > --admin=admin > > > --nosslcheck > > > > securitymodule > > > > > > > > > > > > > > > /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: > > > > InsecureRequestWarning: > Unverified HTTPS > > request is > > > being made. Adding > > > > certificate verification > is strongly > > advised. See: > > > > > > > > > > https://urllib3.readthedocs.org/en/latest/security.html (This > > warning > > > > will only appear once by > default.) > > > > > InsecureRequestWarning) > > > > This is the > configuration of your active > > Security > > > module: > > > > > > > > > > > > Traceback (most recent > call last): > > > > File > "/usr/bin/privacyidea", line 1321, > > in > > > <module> > > > > main() > > > > File > "/usr/bin/privacyidea", line 1317, > > in main > > > > args.func(args, > client) > > > > File > "/usr/bin/privacyidea", line 683, > > in > > > securitymodule > > > > r1 = > client.securitymodule(param={}) > > > > File > > > > > > > > > > "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", > > > > line 226, in > securitymodule > > > > return > > > > self.connect('/system/setupSecurityModule', > > param) > > > > AttributeError: > 'privacyideaclient' object > > has no > > > attribute 'connect' > > > > > > > > > > > > Any idea what might be > the issue ? > > > > > > > > > > > > Regards, > > > > Sherif > > > > > > > > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote: > > > > Hi Sherif, > > > > > > > > take a look > here: > > > > > > > > > > http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule > > > > > > > > To encrypt the > enckey, you can use > > the > > > script > > > > > > > > pi-manage > encrypt_enckey > > <filename> > > > > > > > > This will not > overwrite the file. > > The > > > encrypted data will be > > > > written to > > > > stdout. You can > either pipe these > > or paste > > > it. > > > > > > > > You may also > want to make a backup > > of the > > > encryption key, > > > > anyway! > > > > > > > > When you restart > the apache it > > will start > > > quite normal. > > > > But at certain > points, when data > > needs to be > > > encrypted or > > > > decrypted you > > > > will get the > error: > > > > > > > > ERR707: > hsm not ready! > > > > > > > > You can also > check this at the > > command line > > > after > > > > (re)-starting > the > > > > apache: > > > > > > > > # privacyidea > -U > > https://localhost/pi > > > --admin=super > > > > --nosslcheck \ > > > > > securitymodule > > > > Please enter > password for > > 'super': > > > > This is the > configuration of your > > active > > > Security module: > > > > { u'status': > True, u'value': { > > > u'is_ready': False}} > > > > > > > > "is_ready": > False shows you, that > > the > > > encryption key is not > > > > ready to be > > > > used. > > > > > > > > So you need to > run: > > > > > > > > # privacyidea > -U > > https://localhost/pi > > > --admin=super > > > > --nosslcheck \ > > > > > > securitymodule > > --module=default > > > > > > > > Please enter > password for > > 'super': > > > > Please enter > password for security > > module > > > 'default': > > > > Setting the > password of your > > security module > > > default > > > > { u'status': > True, u'value': { > > > u'is_ready': True}} > > > > > > > > Now, "is_ready": > True shows you, > > that the > > > encryption key can > > > > be used by > > > > privacyIDEA... > > > > > > > > Take care and do > backups ;-) > > > > I do not know, > who uses it > > productively at > > > the moment. > > > > > > > > Kind regards > > > > Cornelius > > > > > > > > > > > > Am Freitag, den > 04.12.2015, 02:03 > > -0800 > > > schrieb Sherif Nagy: > > > > > Hello, > > > > > > > > > > > > > > > So I am > thinking to encrypt my > > encKey with > > > a password, > > > > however I have > > > > > few > questions: > > > > > > > > > > > > > > > 1- This will > encrypt the current > > key, will > > > not generate a > > > > new key ? so > > > > > I don't lose > the tokens and data > > in the > > > Database already > > > > > 2- When I > start the service > > using > > > systemctl or service " I > > > > am using > > > > > deb > privacyidea-apache2 package, > > will that > > > work and asks me > > > > to decrypt > > > > > the enckey ? > if not, how I can > > decrypt the > > > enckey in this > > > > case ? > > > > > > > > > > > > > > > > > > > > > > > > > Regards, > > > > > Sherif > > > > > -- > > > > > You received > this message > > because you are > > > subscribed to the > > > > Google > > > > > Groups > "privacyidea" group. > > > > > To unsubscribe > from this group > > and stop > > > receiving emails > > > > from it, send > > > > > an email to > > > > privacyidea...@googlegroups.com. > > > > > To post to > this group, send > > email to > > > > > priva...@googlegroups.com. > > > > > To view this > discussion on the > > web visit > > > > > > > > > > > > > > > https://groups.google.com/d/msgid/privacyidea/d4e7e11b-0b96-476e-a36c-b7189cc6e339%40googlegroups.com. > > > > > For more > options, visit > > > > https://groups.google.com/d/optout. > > > > > > > > -- > > > > Cornelius > Kölbel > > > > > corneliu...@netknights.it > > > > +49 151 2960 > 1417 > > > > > > > > NetKnights GmbH > > > > > http://www.netknights.it > > > > > Landgraf-Karl-Str. 19, 34131 > > Kassel, > > > Germany > > > > Tel: +49 561 > 3166797, Fax: +49 561 > > 3166798 > > > > > > > > Amtsgericht > Kassel, HRB 16405 > > > > Geschäftsführer: > Cornelius Kölbel > > > > > > > > > > > > -- > > > > You received this > message because you are > > subscribed > > > to the Google > > > > Groups "privacyidea" > group. > > > > To unsubscribe from this > group and stop > > receiving > > > emails from it, send > > > > an email to > > privacyidea...@googlegroups.com. > > > > To post to this group, > send email to > > > > priva...@googlegroups.com. > > > > To view this discussion > on the web visit > > > > > > > > > > https://groups.google.com/d/msgid/privacyidea/9b251fd2-be6d-45f4-9d47-42f7e142166b%40googlegroups.com. > > > > For more options, visit > > > > https://groups.google.com/d/optout. > > > > > > -- > > > Cornelius Kölbel > > > corneliu...@netknights.it > > > +49 151 2960 1417 > > > > > > NetKnights GmbH > > > http://www.netknights.it > > > Landgraf-Karl-Str. 19, > 34131 Kassel, > > Germany > > > Tel: +49 561 3166797, Fax: > +49 561 3166798 > > > > > > Amtsgericht Kassel, HRB > 16405 > > > Geschäftsführer: Cornelius > Kölbel > > > > > > > > > -- > > > You received this message because you are > subscribed to the > > Google > > > Groups "privacyidea" group. > > > To unsubscribe from this group and stop > receiving emails > > from it, send > > > an email to > privacyidea...@googlegroups.com. > > > To post to this group, send email to > > priva...@googlegroups.com. > > > To view this discussion on the web visit > > > > > > https://groups.google.com/d/msgid/privacyidea/799090b8-3ca3-48de-a48e-02d9943a0e8d%40googlegroups.com. > > > For more options, visit > https://groups.google.com/d/optout. > > > > -- > > Cornelius Kölbel > > corneliu...@netknights.it > > +49 151 2960 1417 > > > > NetKnights GmbH > > http://www.netknights.it > > Landgraf-Karl-Str. 19, 34131 Kassel, > Germany > > Tel: +49 561 3166797, Fax: +49 561 3166798 > > > > Amtsgericht Kassel, HRB 16405 > > Geschäftsführer: Cornelius Kölbel > > > > > > -- > > You received this message because you are subscribed > to the Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving > emails from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/privacyidea/bf13cc4c-f993-4d4f-abd3-6573915962a8%40googlegroups.com. > > For more options, visit > https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/a583bfc2-d95f-4eae-a67d-ab0032846c1d%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/14cc0121-09da-42aa-ba7b-284fe0152ee7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hi Cornelius,
I did try the following command " still did not encrypt my key yet, and I
am getting the following error:
#privacyidea -U https://localhost --admin=admin --nosslcheck securitymodule
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
Advanced Usage - urllib3 2.1.0 documentation (This warning will
only appear once by default.)
InsecureRequestWarning)
This is the configuration of your active Security module:
Traceback (most recent call last):
File “/usr/bin/privacyidea”, line 1321, in
main()
File “/usr/bin/privacyidea”, line 1317, in main
args.func(args, client)
File “/usr/bin/privacyidea”, line 683, in securitymodule
r1 = client.securitymodule(param={})
File “/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
line 226, in securitymodule
return self.connect(‘/system/setupSecurityModule’, param)
AttributeError: ‘privacyideaclient’ object has no attribute ‘connect’
Any idea what might be the issue ?
Regards,
SherifOn Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote:
Hi Sherif,
take a look here:
2.9. Security Modules — privacyIDEA 3.8 documentation
To encrypt the enckey, you can use the script
pi-manage encrypt_enckey
This will not overwrite the file. The encrypted data will be written to
stdout. You can either pipe these or paste it.You may also want to make a backup of the encryption key, anyway!
When you restart the apache it will start quite normal.
But at certain points, when data needs to be encrypted or decrypted you
will get the error:ERR707: hsm not ready!You can also check this at the command line after (re)-starting the
apache:privacyidea -U https://localhost/pi --admin=super --nosslcheck \
securitymodulePlease enter password for ‘super’:
This is the configuration of your active Security module:
{ u’status’: True, u’value’: { u’is_ready’: False}}“is_ready”: False shows you, that the encryption key is not ready to be
used.So you need to run:
privacyidea -U https://localhost/pi --admin=super --nosslcheck \
securitymodule --module=defaultPlease enter password for ‘super’:
Please enter password for security module ‘default’:
Setting the password of your security module default
{ u’status’: True, u’value’: { u’is_ready’: True}}Now, “is_ready”: True shows you, that the encryption key can be used by
privacyIDEA…Take care and do backups
I do not know, who uses it productively at the moment.Kind regards
CorneliusAm Freitag, den 04.12.2015, 02:03 -0800 schrieb Sherif Nagy:
Hello,
So I am thinking to encrypt my encKey with a password, however I have
few questions:1- This will encrypt the current key, will not generate a new key ? so
I don’t lose the tokens and data in the Database already
2- When I start the service using systemctl or service " I am using
deb privacyidea-apache2 package, will that work and asks me to decrypt
the enckey ? if not, how I can decrypt the enckey in this case ?Regards,
SherifYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Hi Sherif,
So for some reason the server returns an error.
I could image due to some things it is doing before checking the
admins password. And in doing this stuff, it might run into a problem,
since the encryption key does not exist, yet.
E.g. this could be some policies, which need the encryption key when
being checked.
So can you please tell, what policies you have defined and also take a
look into the servers log file?
THanks a lot
CorneliusAm Freitag, den 04.12.2015, 07:18 -0800 schrieb Sherif Nagy:
It’s the local admin that has been added by pi-manage admin command
Sherif
On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:
Is this a local admin?
Or is it an admin in a superuser-realm?If it is a local admin, which was added by pi-manage admin it should(TM) work, since the encryption keys are not used in this case. If it is an admin in a superuser-realm in e.g. an LDAP, it will not work, since PI can not decrypt the LDAP password to find the admin in the LDAP. Kind regards Cornelius Am Freitag, den 04.12.2015, 07:02 -0800 schrieb Sherif Nagy: > Hello again, > > > So before encrypting the enckey, I am getting securitymodule value > true "after upgrading to 2.7devX, I encrypt the enckey, paste the data > and replace the file, restart Apache, run again the command to check > the status " should be false or HSM not ready, but I am getting the > below error: > > > Traceback (most recent call last): > File "/usr/bin/privacyidea", line 1467, in <module> > main() > File "/usr/bin/privacyidea", line 1462, in main > no_ssl_check=args.nosslcheck) > File > "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", > line 96, in __init__ > self.set_credentials(username, password) > File > "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", > line 129, in set_credentials > raise Exception("Invalid Credentials: %s" % r.status_code) > Exception: Invalid Credentials: 400 > > > and the admin password is correct, I replace the encrypted key file > with none encrypted , restart apache and try again to check the > status, and I get True. > > > Do I need to re-add the admin user ? > > > Regards, > Sherif > > > On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote: > Hi Cornelius, > > Oh yep the privacyideaadm is 2.5 :/ will update now :) thank > you > > > Sherif > > On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote: > Hi Sherif, > > you need at least version 2.7dev1. > Hm, should release privacyideaadm 2.7... :-/ > > I guess you have 2.5? > Oh, it is not available from launchpad > ppa:privacyidea/privacyidea-dev > (will just upload) > Or you can install it via pip. > > Kind regards > Cornelius > > Am Freitag, den 04.12.2015, 04:41 -0800 schrieb Sherif > Nagy: > > Hi Cornelius, > > > > > > I did try the following command " still did not > encrypt my key yet, > > and I am getting the following error: > > > > > > #privacyidea -U https://localhost --admin=admin > --nosslcheck > > securitymodule > > > > > > /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: > > InsecureRequestWarning: Unverified HTTPS request is > being made. Adding > > certificate verification is strongly advised. See: > > > https://urllib3.readthedocs.org/en/latest/security.html (This warning > > will only appear once by default.) > > InsecureRequestWarning) > > This is the configuration of your active Security > module: > > > > > > Traceback (most recent call last): > > File "/usr/bin/privacyidea", line 1321, in > <module> > > main() > > File "/usr/bin/privacyidea", line 1317, in main > > args.func(args, client) > > File "/usr/bin/privacyidea", line 683, in > securitymodule > > r1 = client.securitymodule(param={}) > > File > > > "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", > > line 226, in securitymodule > > return > self.connect('/system/setupSecurityModule', param) > > AttributeError: 'privacyideaclient' object has no > attribute 'connect' > > > > > > Any idea what might be the issue ? > > > > > > Regards, > > Sherif > > > > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote: > > Hi Sherif, > > > > take a look here: > > > http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule > > > > To encrypt the enckey, you can use the > script > > > > pi-manage encrypt_enckey <filename> > > > > This will not overwrite the file. The > encrypted data will be > > written to > > stdout. You can either pipe these or paste > it. > > > > You may also want to make a backup of the > encryption key, > > anyway! > > > > When you restart the apache it will start > quite normal. > > But at certain points, when data needs to be > encrypted or > > decrypted you > > will get the error: > > > > ERR707: hsm not ready! > > > > You can also check this at the command line > after > > (re)-starting the > > apache: > > > > # privacyidea -U https://localhost/pi > --admin=super > > --nosslcheck \ > > securitymodule > > Please enter password for 'super': > > This is the configuration of your active > Security module: > > { u'status': True, u'value': { > u'is_ready': False}} > > > > "is_ready": False shows you, that the > encryption key is not > > ready to be > > used. > > > > So you need to run: > > > > # privacyidea -U https://localhost/pi > --admin=super > > --nosslcheck \ > > securitymodule --module=default > > > > Please enter password for 'super': > > Please enter password for security module > 'default': > > Setting the password of your security module > default > > { u'status': True, u'value': { > u'is_ready': True}} > > > > Now, "is_ready": True shows you, that the > encryption key can > > be used by > > privacyIDEA... > > > > Take care and do backups ;-) > > I do not know, who uses it productively at > the moment. > > > > Kind regards > > Cornelius > > > > > > Am Freitag, den 04.12.2015, 02:03 -0800 > schrieb Sherif Nagy: > > > Hello, > > > > > > > > > So I am thinking to encrypt my encKey with > a password, > > however I have > > > few questions: > > > > > > > > > 1- This will encrypt the current key, will > not generate a > > new key ? so > > > I don't lose the tokens and data in the > Database already > > > 2- When I start the service using > systemctl or service " I > > am using > > > deb privacyidea-apache2 package, will that > work and asks me > > to decrypt > > > the enckey ? if not, how I can decrypt the > enckey in this > > case ? > > > > > > > > > > > > > > > Regards, > > > Sherif > > > -- > > > You received this message because you are > subscribed to the > > Google > > > Groups "privacyidea" group. > > > To unsubscribe from this group and stop > receiving emails > > from it, send > > > an email to > privacyidea...@googlegroups.com. > > > To post to this group, send email to > > priva...@googlegroups.com. > > > To view this discussion on the web visit > > > > > > https://groups.google.com/d/msgid/privacyidea/d4e7e11b-0b96-476e-a36c-b7189cc6e339%40googlegroups.com. > > > For more options, visit > https://groups.google.com/d/optout. > > > > -- > > Cornelius Kölbel > > corneliu...@netknights.it > > +49 151 2960 1417 > > > > NetKnights GmbH > > http://www.netknights.it > > Landgraf-Karl-Str. 19, 34131 Kassel, > Germany > > Tel: +49 561 3166797, Fax: +49 561 3166798 > > > > Amtsgericht Kassel, HRB 16405 > > Geschäftsführer: Cornelius Kölbel > > > > > > -- > > You received this message because you are subscribed > to the Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving > emails from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/privacyidea/9b251fd2-be6d-45f4-9d47-42f7e142166b%40googlegroups.com. > > For more options, visit > https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/799090b8-3ca3-48de-a48e-02d9943a0e8d%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/bf13cc4c-f993-4d4f-abd3-6573915962a8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hi Sherif,
you need at least version 2.7dev1.
Hm, should release privacyideaadm 2.7… :-/
I guess you have 2.5?
Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev
(will just upload)
Or you can install it via pip.
Kind regards
CorneliusAm Freitag, den 04.12.2015, 04:41 -0800 schrieb Sherif Nagy:
Hi Cornelius,
I did try the following command " still did not encrypt my key yet,
and I am getting the following error:#privacyidea -U https://localhost --admin=admin --nosslcheck
securitymodule/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
Advanced Usage - urllib3 2.1.0 documentation (This warning
will only appear once by default.)
InsecureRequestWarning)
This is the configuration of your active Security module:Traceback (most recent call last):
File “/usr/bin/privacyidea”, line 1321, in
main()
File “/usr/bin/privacyidea”, line 1317, in main
args.func(args, client)
File “/usr/bin/privacyidea”, line 683, in securitymodule
r1 = client.securitymodule(param={})
File
“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
line 226, in securitymodule
return self.connect(‘/system/setupSecurityModule’, param)
AttributeError: ‘privacyideaclient’ object has no attribute ‘connect’Any idea what might be the issue ?
Regards,
SherifOn Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote:
Hi Sherif,take a look here: http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule To encrypt the enckey, you can use the script pi-manage encrypt_enckey <filename> This will not overwrite the file. The encrypted data will be written to stdout. You can either pipe these or paste it. You may also want to make a backup of the encryption key, anyway! When you restart the apache it will start quite normal. But at certain points, when data needs to be encrypted or decrypted you will get the error: ERR707: hsm not ready! You can also check this at the command line after (re)-starting the apache: # privacyidea -U https://localhost/pi --admin=super --nosslcheck \ securitymodule Please enter password for 'super': This is the configuration of your active Security module: { u'status': True, u'value': { u'is_ready': False}} "is_ready": False shows you, that the encryption key is not ready to be used. So you need to run: # privacyidea -U https://localhost/pi --admin=super --nosslcheck \ securitymodule --module=default Please enter password for 'super': Please enter password for security module 'default': Setting the password of your security module default { u'status': True, u'value': { u'is_ready': True}} Now, "is_ready": True shows you, that the encryption key can be used by privacyIDEA... Take care and do backups ;-) I do not know, who uses it productively at the moment. Kind regards Cornelius Am Freitag, den 04.12.2015, 02:03 -0800 schrieb Sherif Nagy: > Hello, > > > So I am thinking to encrypt my encKey with a password, however I have > few questions: > > > 1- This will encrypt the current key, will not generate a new key ? so > I don't lose the tokens and data in the Database already > 2- When I start the service using systemctl or service " I am using > deb privacyidea-apache2 package, will that work and asks me to decrypt > the enckey ? if not, how I can decrypt the enckey in this case ? > > > > > Regards, > Sherif > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/d4e7e11b-0b96-476e-a36c-b7189cc6e339%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/9b251fd2-be6d-45f4-9d47-42f7e142166b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hi Cornelius,
I guess I knew what is wrong, so here is what I have done:
So I guess the realm usersources runs before the local admin ones ?
Regards,
SherifOn Friday, December 4, 2015 at 3:29:35 PM UTC, Sherif Nagy wrote:
okay let me disable the policies and will let you know if it works or not
and which policies I haveSherif
On Friday, December 4, 2015 at 3:25:06 PM UTC, Cornelius Kölbel wrote:
Hi Sherif,
So for some reason the server returns an error.
I could image due to some things it is doing before checking the
admins password. And in doing this stuff, it might run into a problem,
since the encryption key does not exist, yet.E.g. this could be some policies, which need the encryption key when
being checked.So can you please tell, what policies you have defined and also take a
look into the servers log file?THanks a lot
CorneliusAm Freitag, den 04.12.2015, 07:18 -0800 schrieb Sherif Nagy:
It’s the local admin that has been added by pi-manage admin command
Sherif
On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:
Is this a local admin?
Or is it an admin in a superuser-realm?If it is a local admin, which was added by pi-manage admin it should(TM) work, since the encryption keys are not used in this case. If it is an admin in a superuser-realm in e.g. an LDAP, it will not work, since PI can not decrypt the LDAP password to find the admin in the LDAP. Kind regards Cornelius Am Freitag, den 04.12.2015, 07:02 -0800 schrieb Sherif Nagy: > Hello again, > > > So before encrypting the enckey, I am getting securitymodule value > true "after upgrading to 2.7devX, I encrypt the enckey, paste the data > and replace the file, restart Apache, run again the command to check > the status " should be false or HSM not ready, but I am getting the > below error: > > > Traceback (most recent call last): > File "/usr/bin/privacyidea", line 1467, in <module> > main() > File "/usr/bin/privacyidea", line 1462, in main > no_ssl_check=args.nosslcheck) > File >“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
> line 96, in __init__ > self.set_credentials(username, password) > File >“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
> line 129, in set_credentials > raise Exception("Invalid Credentials: %s" % r.status_code) > Exception: Invalid Credentials: 400 > > > and the admin password is correct, I replace the encrypted key file > with none encrypted , restart apache and try again to check the > status, and I get True. > > > Do I need to re-add the admin user ? > > > Regards, > Sherif > > > On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote: > Hi Cornelius, > > Oh yep the privacyideaadm is 2.5 :/ will update now :) thank > you > > > Sherif > > On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote: > Hi Sherif, > > you need at least version 2.7dev1. > Hm, should release privacyideaadm 2.7... :-/ > > I guess you have 2.5? > Oh, it is not available from launchpad > ppa:privacyidea/privacyidea-dev > (will just upload) > Or you can install it via pip. > > Kind regards > Cornelius > > Am Freitag, den 04.12.2015, 04:41 -0800 schrieb Sherif > Nagy: > > Hi Cornelius, > > > > > > I did try the following command " still did not > encrypt my key yet, > > and I am getting the following error: > > > > > > #privacyidea -U https://localhost --admin=admin > --nosslcheck > > securitymodule > > > > > >/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
> > InsecureRequestWarning: Unverified HTTPS request is > being made. Adding > > certificate verification is strongly advised. See: > > > https://urllib3.readthedocs.org/en/latest/security.html (This warning > > will only appear once by default.) > > InsecureRequestWarning) > > This is the configuration of your active Security > module: > > > > > > Traceback (most recent call last): > > File "/usr/bin/privacyidea", line 1321, in > <module> > > main() > > File "/usr/bin/privacyidea", line 1317, in main > > args.func(args, client) > > File "/usr/bin/privacyidea", line 683, in > securitymodule > > r1 = client.securitymodule(param={}) > > File > > >“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
> > line 226, in securitymodule > > return > self.connect('/system/setupSecurityModule', param) > > AttributeError: 'privacyideaclient' object has no > attribute 'connect' > > > > > > Any idea what might be the issue ? > > > > > > Regards, > > Sherif > > > > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote: > > Hi Sherif, > > > > take a look here: > > >2.9. Security Modules — privacyIDEA 3.8 documentation
> > > > To encrypt the enckey, you can use the > script > > > > pi-manage encrypt_enckey <filename> > > > > This will not overwrite the file. The > encrypted data will be > > written to > > stdout. You can either pipe these or paste > it. > > > > You may also want to make a backup of the > encryption key, > > anyway! > > > > When you restart the apache it will start > quite normal. > > But at certain points, when data needs to be > encrypted or > > decrypted you > > will get the error: > > > > ERR707: hsm not ready! > > > > You can also check this at the command line > after > > (re)-starting the > > apache: > > > > # privacyidea -U https://localhost/pi > --admin=super > > --nosslcheck \ > > securitymodule > > Please enter password for 'super': > > This is the configuration of your active > Security module: > > { u'status': True, u'value': { > u'is_ready': False}} > > > > "is_ready": False shows you, that the > encryption key is not > > ready to be > > used. > > > > So you need to run: > > > > # privacyidea -U https://localhost/pi > --admin=super > > --nosslcheck \ > > securitymodule --module=default > > > > Please enter password for 'super': > > Please enter password for security module > 'default': > > Setting the password of your security module > default > > { u'status': True, u'value': { > u'is_ready': True}} > > > > Now, "is_ready": True shows you, that the > encryption key can > > be used by > > privacyIDEA... > > > > Take care and do backups ;-) > > I do not know, who uses it productively at > the moment. > > > > Kind regards > > Cornelius > > > > > > Am Freitag, den 04.12.2015, 02:03 -0800 > schrieb Sherif Nagy: > > > Hello, > > > > > > > > > So I am thinking to encrypt my encKey with > a password, > > however I have > > > few questions: > > > > > > > > > 1- This will encrypt the current key, will > not generate a > > new key ? so > > > I don't lose the tokens and data in the > Database already > > > 2- When I start the service using > systemctl or service " I > > am using > > > deb privacyidea-apache2 package, will that > work and asks me > > to decrypt > > > the enckey ? if not, how I can decrypt the > enckey in this > > case ? > > > > > > > > > > > > > > > Regards, > > > Sherif > > > -- > > > You received this message because you are > subscribed to the > > Google > > > Groups "privacyidea" group. > > > To unsubscribe from this group and stop > receiving emails > > from it, send > > > an email to > privacyidea...@googlegroups.com. > > > To post to this group, send email to > > priva...@googlegroups.com. > > > To view this discussion on the web visit > > > > > >> > > For more options, visit > https://groups.google.com/d/optout. > > > > -- > > Cornelius Kölbel > > corneliu...@netknights.it > > +49 151 2960 1417 > > > > NetKnights GmbH > > http://www.netknights.it > > Landgraf-Karl-Str. 19, 34131 Kassel, > Germany > > Tel: +49 561 3166797, Fax: +49 561 3166798 > > > > Amtsgericht Kassel, HRB 16405 > > Geschäftsführer: Cornelius Kölbel > > > > > > -- > > You received this message because you are subscribed > to the Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving > emails from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > To view this discussion on the web visit > > >> > For more options, visit > https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Hello again,
So before encrypting the enckey, I am getting securitymodule value true
"after upgrading to 2.7devX, I encrypt the enckey, paste the data and
replace the file, restart Apache, run again the command to check the status
" should be false or HSM not ready, but I am getting the below error:
Traceback (most recent call last):
File “/usr/bin/privacyidea”, line 1467, in
main()
File “/usr/bin/privacyidea”, line 1462, in main
no_ssl_check=args.nosslcheck)
File “/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
line 96, in init
self.set_credentials(username, password)
File “/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
line 129, in set_credentials
raise Exception(“Invalid Credentials: %s” % r.status_code)
Exception: Invalid Credentials: 400
and the admin password is correct, I replace the encrypted key file with
none encrypted , restart apache and try again to check the status, and I
get True.
Do I need to re-add the admin user ?
Regards,
SherifOn Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote:
Hi Cornelius,
Oh yep the privacyideaadm is 2.5
will update now
thank you
Sherif
On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote:
Hi Sherif,
you need at least version 2.7dev1.
Hm, should release privacyideaadm 2.7… :-/I guess you have 2.5?
Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev
(will just upload)
Or you can install it via pip.Kind regards
CorneliusAm Freitag, den 04.12.2015, 04:41 -0800 schrieb Sherif Nagy:
Hi Cornelius,
I did try the following command " still did not encrypt my key yet,
and I am getting the following error:#privacyidea -U https://localhost --admin=admin --nosslcheck
securitymodule/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
Advanced Usage - urllib3 2.1.0 documentation (This warning
will only appear once by default.)
InsecureRequestWarning)
This is the configuration of your active Security module:Traceback (most recent call last):
File “/usr/bin/privacyidea”, line 1321, in
main()
File “/usr/bin/privacyidea”, line 1317, in main
args.func(args, client)
File “/usr/bin/privacyidea”, line 683, in securitymodule
r1 = client.securitymodule(param={})
File
“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
line 226, in securitymodule
return self.connect(‘/system/setupSecurityModule’, param)
AttributeError: ‘privacyideaclient’ object has no attribute ‘connect’Any idea what might be the issue ?
Regards,
SherifOn Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote:
Hi Sherif,take a look here:2.9. Security Modules — privacyIDEA 3.8 documentation
To encrypt the enckey, you can use the script pi-manage encrypt_enckey <filename> This will not overwrite the file. The encrypted data will be written to stdout. You can either pipe these or paste it. You may also want to make a backup of the encryption key, anyway! When you restart the apache it will start quite normal. But at certain points, when data needs to be encrypted or decrypted you will get the error: ERR707: hsm not ready! You can also check this at the command line after (re)-starting the apache: # privacyidea -U https://localhost/pi --admin=super --nosslcheck \ securitymodule Please enter password for 'super': This is the configuration of your active Security module: { u'status': True, u'value': { u'is_ready': False}} "is_ready": False shows you, that the encryption key is not ready to be used. So you need to run: # privacyidea -U https://localhost/pi --admin=super --nosslcheck \ securitymodule --module=default Please enter password for 'super': Please enter password for security module 'default': Setting the password of your security module default { u'status': True, u'value': { u'is_ready': True}} Now, "is_ready": True shows you, that the encryption key can be used by privacyIDEA... Take care and do backups ;-) I do not know, who uses it productively at the moment. Kind regards Cornelius Am Freitag, den 04.12.2015, 02:03 -0800 schrieb Sherif Nagy: > Hello, > > > So I am thinking to encrypt my encKey with a password, however I have > few questions: > > > 1- This will encrypt the current key, will not generate a new key ? so > I don't lose the tokens and data in the Database already > 2- When I start the service using systemctl or service " I am using > deb privacyidea-apache2 package, will that work and asks me to decrypt > the enckey ? if not, how I can decrypt the enckey in this case ? > > > > > Regards, > Sherif > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Hi Cornelius,
Oh yep the privacyideaadm is 2.5 will update now thank you
SherifOn Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote:
Hi Sherif,
you need at least version 2.7dev1.
Hm, should release privacyideaadm 2.7… :-/I guess you have 2.5?
Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev
(will just upload)
Or you can install it via pip.Kind regards
CorneliusAm Freitag, den 04.12.2015, 04:41 -0800 schrieb Sherif Nagy:
Hi Cornelius,
I did try the following command " still did not encrypt my key yet,
and I am getting the following error:#privacyidea -U https://localhost --admin=admin --nosslcheck
securitymodule/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
Advanced Usage - urllib3 2.1.0 documentation (This warning
will only appear once by default.)
InsecureRequestWarning)
This is the configuration of your active Security module:Traceback (most recent call last):
File “/usr/bin/privacyidea”, line 1321, in
main()
File “/usr/bin/privacyidea”, line 1317, in main
args.func(args, client)
File “/usr/bin/privacyidea”, line 683, in securitymodule
r1 = client.securitymodule(param={})
File
“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
line 226, in securitymodule
return self.connect(‘/system/setupSecurityModule’, param)
AttributeError: ‘privacyideaclient’ object has no attribute ‘connect’Any idea what might be the issue ?
Regards,
SherifOn Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote:
Hi Sherif,take a look here:2.9. Security Modules — privacyIDEA 3.8 documentation
To encrypt the enckey, you can use the script pi-manage encrypt_enckey <filename> This will not overwrite the file. The encrypted data will be written to stdout. You can either pipe these or paste it. You may also want to make a backup of the encryption key, anyway! When you restart the apache it will start quite normal. But at certain points, when data needs to be encrypted or decrypted you will get the error: ERR707: hsm not ready! You can also check this at the command line after (re)-starting the apache: # privacyidea -U https://localhost/pi --admin=super --nosslcheck \ securitymodule Please enter password for 'super': This is the configuration of your active Security module: { u'status': True, u'value': { u'is_ready': False}} "is_ready": False shows you, that the encryption key is not ready to be used. So you need to run: # privacyidea -U https://localhost/pi --admin=super --nosslcheck \ securitymodule --module=default Please enter password for 'super': Please enter password for security module 'default': Setting the password of your security module default { u'status': True, u'value': { u'is_ready': True}} Now, "is_ready": True shows you, that the encryption key can be used by privacyIDEA... Take care and do backups ;-) I do not know, who uses it productively at the moment. Kind regards Cornelius Am Freitag, den 04.12.2015, 02:03 -0800 schrieb Sherif Nagy: > Hello, > > > So I am thinking to encrypt my encKey with a password, however I have > few questions: > > > 1- This will encrypt the current key, will not generate a new key ? so > I don't lose the tokens and data in the Database already > 2- When I start the service using systemctl or service " I am using > deb privacyidea-apache2 package, will that work and asks me to decrypt > the enckey ? if not, how I can decrypt the enckey in this case ? > > > > > Regards, > Sherif > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Hi Sherif,
thanks a lot for the details.
I can confirm this.
If the default realm contains an LDAP-Resolver with a BIND-PW you can
not login with a local administrator.
I will dig into this.
Kind regards
CorneliusAm Freitag, den 04.12.2015, 07:45 -0800 schrieb Sherif Nagy:
Hi Cornelius,
I guess I knew what is wrong, so here is what I have done:
- Disabled all the policies " I have the one for u2f auth, weblogin
and one for users login " and still got the same error.- Take out the usersresolvers from the default realm and the
decryption of the key will work like a charm.- I have LDAP resolver and passwd one, I noticed just a message in the
log says looking for /etc/passwd in /home/privacyidea, that is why I
thought to disable the usersource.So I guess the realm usersources runs before the local admin ones ?
Regards,
SherifOn Friday, December 4, 2015 at 3:29:35 PM UTC, Sherif Nagy wrote:
okay let me disable the policies and will let you know if it
works or not and which policies I haveSherif On Friday, December 4, 2015 at 3:25:06 PM UTC, Cornelius Kölbel wrote: Hi Sherif, So for some reason the server returns an error. I could image due to some things it is doing _before_ checking the admins password. And in doing this stuff, it might run into a problem, since the encryption key does not exist, yet. E.g. this could be some policies, which need the encryption key when being checked. So can you please tell, what policies you have defined and also take a look into the servers log file? THanks a lot Cornelius Am Freitag, den 04.12.2015, 07:18 -0800 schrieb Sherif Nagy: > It's the local admin that has been added by pi-manage admin command > > > Sherif > > On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote: > Is this a local admin? > Or is it an admin in a superuser-realm? > > If it is a local admin, which was added by > > pi-manage admin > > it should(TM) work, since the encryption keys are not used in > this case. > > If it is an admin in a superuser-realm in e.g. an LDAP, it > will not > work, since PI can not decrypt the LDAP password to find the > admin in > the LDAP. > > Kind regards > Cornelius > > Am Freitag, den 04.12.2015, 07:02 -0800 schrieb Sherif Nagy: > > Hello again, > > > > > > So before encrypting the enckey, I am getting securitymodule > value > > true "after upgrading to 2.7devX, I encrypt the enckey, > paste the data > > and replace the file, restart Apache, run again the command > to check > > the status " should be false or HSM not ready, but I am > getting the > > below error: > > > > > > Traceback (most recent call last): > > File "/usr/bin/privacyidea", line 1467, in <module> > > main() > > File "/usr/bin/privacyidea", line 1462, in main > > no_ssl_check=args.nosslcheck) > > File > > > "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", > > line 96, in __init__ > > self.set_credentials(username, password) > > File > > > "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", > > line 129, in set_credentials > > raise Exception("Invalid Credentials: %s" % > r.status_code) > > Exception: Invalid Credentials: 400 > > > > > > and the admin password is correct, I replace the encrypted > key file > > with none encrypted , restart apache and try again to check > the > > status, and I get True. > > > > > > Do I need to re-add the admin user ? > > > > > > Regards, > > Sherif > > > > > > On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote: > > Hi Cornelius, > > > > Oh yep the privacyideaadm is 2.5 :/ will update > now :) thank > > you > > > > > > Sherif > > > > On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote: > > Hi Sherif, > > > > you need at least version 2.7dev1. > > Hm, should release privacyideaadm > 2.7... :-/ > > > > I guess you have 2.5? > > Oh, it is not available from launchpad > > ppa:privacyidea/privacyidea-dev > > (will just upload) > > Or you can install it via pip. > > > > Kind regards > > Cornelius > > > > Am Freitag, den 04.12.2015, 04:41 -0800 > schrieb Sherif > > Nagy: > > > Hi Cornelius, > > > > > > > > > I did try the following command " still > did not > > encrypt my key yet, > > > and I am getting the following error: > > > > > > > > > #privacyidea -U https://localhost > --admin=admin > > --nosslcheck > > > securitymodule > > > > > > > > > > /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: > > > InsecureRequestWarning: Unverified HTTPS > request is > > being made. Adding > > > certificate verification is strongly > advised. See: > > > > > > https://urllib3.readthedocs.org/en/latest/security.html (This > warning > > > will only appear once by default.) > > > InsecureRequestWarning) > > > This is the configuration of your active > Security > > module: > > > > > > > > > Traceback (most recent call last): > > > File "/usr/bin/privacyidea", line 1321, > in > > <module> > > > main() > > > File "/usr/bin/privacyidea", line 1317, > in main > > > args.func(args, client) > > > File "/usr/bin/privacyidea", line 683, > in > > securitymodule > > > r1 = client.securitymodule(param={}) > > > File > > > > > > "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", > > > line 226, in securitymodule > > > return > > self.connect('/system/setupSecurityModule', > param) > > > AttributeError: 'privacyideaclient' object > has no > > attribute 'connect' > > > > > > > > > Any idea what might be the issue ? > > > > > > > > > Regards, > > > Sherif > > > > > > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote: > > > Hi Sherif, > > > > > > take a look here: > > > > > > http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule > > > > > > To encrypt the enckey, you can use > the > > script > > > > > > pi-manage encrypt_enckey > <filename> > > > > > > This will not overwrite the file. > The > > encrypted data will be > > > written to > > > stdout. You can either pipe these > or paste > > it. > > > > > > You may also want to make a backup > of the > > encryption key, > > > anyway! > > > > > > When you restart the apache it > will start > > quite normal. > > > But at certain points, when data > needs to be > > encrypted or > > > decrypted you > > > will get the error: > > > > > > ERR707: hsm not ready! > > > > > > You can also check this at the > command line > > after > > > (re)-starting the > > > apache: > > > > > > # privacyidea -U > https://localhost/pi > > --admin=super > > > --nosslcheck \ > > > securitymodule > > > Please enter password for > 'super': > > > This is the configuration of your > active > > Security module: > > > { u'status': True, u'value': { > > u'is_ready': False}} > > > > > > "is_ready": False shows you, that > the > > encryption key is not > > > ready to be > > > used. > > > > > > So you need to run: > > > > > > # privacyidea -U > https://localhost/pi > > --admin=super > > > --nosslcheck \ > > > securitymodule > --module=default > > > > > > Please enter password for > 'super': > > > Please enter password for security > module > > 'default': > > > Setting the password of your > security module > > default > > > { u'status': True, u'value': { > > u'is_ready': True}} > > > > > > Now, "is_ready": True shows you, > that the > > encryption key can > > > be used by > > > privacyIDEA... > > > > > > Take care and do backups ;-) > > > I do not know, who uses it > productively at > > the moment. > > > > > > Kind regards > > > Cornelius > > > > > > > > > Am Freitag, den 04.12.2015, 02:03 > -0800 > > schrieb Sherif Nagy: > > > > Hello, > > > > > > > > > > > > So I am thinking to encrypt my > encKey with > > a password, > > > however I have > > > > few questions: > > > > > > > > > > > > 1- This will encrypt the current > key, will > > not generate a > > > new key ? so > > > > I don't lose the tokens and data > in the > > Database already > > > > 2- When I start the service > using > > systemctl or service " I > > > am using > > > > deb privacyidea-apache2 package, > will that > > work and asks me > > > to decrypt > > > > the enckey ? if not, how I can > decrypt the > > enckey in this > > > case ? > > > > > > > > > > > > > > > > > > > > Regards, > > > > Sherif > > > > -- > > > > You received this message > because you are > > subscribed to the > > > Google > > > > Groups "privacyidea" group. > > > > To unsubscribe from this group > and stop > > receiving emails > > > from it, send > > > > an email to > > privacyidea...@googlegroups.com. > > > > To post to this group, send > email to > > > priva...@googlegroups.com. > > > > To view this discussion on the > web visit > > > > > > > > > > https://groups.google.com/d/msgid/privacyidea/d4e7e11b-0b96-476e-a36c-b7189cc6e339%40googlegroups.com. > > > > For more options, visit > > https://groups.google.com/d/optout. > > > > > > -- > > > Cornelius Kölbel > > > corneliu...@netknights.it > > > +49 151 2960 1417 > > > > > > NetKnights GmbH > > > http://www.netknights.it > > > Landgraf-Karl-Str. 19, 34131 > Kassel, > > Germany > > > Tel: +49 561 3166797, Fax: +49 561 > 3166798 > > > > > > Amtsgericht Kassel, HRB 16405 > > > Geschäftsführer: Cornelius Kölbel > > > > > > > > > -- > > > You received this message because you are > subscribed > > to the Google > > > Groups "privacyidea" group. > > > To unsubscribe from this group and stop > receiving > > emails from it, send > > > an email to > privacyidea...@googlegroups.com. > > > To post to this group, send email to > > priva...@googlegroups.com. > > > To view this discussion on the web visit > > > > > > https://groups.google.com/d/msgid/privacyidea/9b251fd2-be6d-45f4-9d47-42f7e142166b%40googlegroups.com. > > > For more options, visit > > https://groups.google.com/d/optout. > > > > -- > > Cornelius Kölbel > > corneliu...@netknights.it > > +49 151 2960 1417 > > > > NetKnights GmbH > > http://www.netknights.it > > Landgraf-Karl-Str. 19, 34131 Kassel, > Germany > > Tel: +49 561 3166797, Fax: +49 561 3166798 > > > > Amtsgericht Kassel, HRB 16405 > > Geschäftsführer: Cornelius Kölbel > > > > > > -- > > You received this message because you are subscribed to the > Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving emails > from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/privacyidea/799090b8-3ca3-48de-a48e-02d9943a0e8d%40googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/bf13cc4c-f993-4d4f-abd3-6573915962a8%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/a583bfc2-d95f-4eae-a67d-ab0032846c1d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hi Sherif,
take a look here:
http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule
To encrypt the enckey, you can use the script
pi-manage encrypt_enckey
This will not overwrite the file. The encrypted data will be written to
stdout. You can either pipe these or paste it.
You may also want to make a backup of the encryption key, anyway!
When you restart the apache it will start quite normal.
But at certain points, when data needs to be encrypted or decrypted you
will get the error:
ERR707: hsm not ready!
You can also check this at the command line after (re)-starting the
apache:
securitymodule
Please enter password for ‘super’:
This is the configuration of your active Security module:
{ u’status’: True, u’value’: { u’is_ready’: False}}
“is_ready”: False shows you, that the encryption key is not ready to be
used.
So you need to run:
securitymodule --module=default
Please enter password for ‘super’:
Please enter password for security module ‘default’:
Setting the password of your security module default
{ u’status’: True, u’value’: { u’is_ready’: True}}
Now, “is_ready”: True shows you, that the encryption key can be used by
privacyIDEA…
Take care and do backups 
I do not know, who uses it productively at the moment.
Kind regards
CorneliusAm Freitag, den 04.12.2015, 02:03 -0800 schrieb Sherif Nagy:
Hello,
So I am thinking to encrypt my encKey with a password, however I have
few questions:1- This will encrypt the current key, will not generate a new key ? so
I don’t lose the tokens and data in the Database already
2- When I start the service using systemctl or service " I am using
deb privacyidea-apache2 package, will that work and asks me to decrypt
the enckey ? if not, how I can decrypt the enckey in this case ?Regards,
SherifYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/d4e7e11b-0b96-476e-a36c-b7189cc6e339%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
It’s the local admin that has been added by pi-manage admin command
SherifOn Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:
Is this a local admin?
Or is it an admin in a superuser-realm?If it is a local admin, which was added by
pi-manage admin
it should™ work, since the encryption keys are not used in this case.
If it is an admin in a superuser-realm in e.g. an LDAP, it will not
work, since PI can not decrypt the LDAP password to find the admin in
the LDAP.Kind regards
CorneliusAm Freitag, den 04.12.2015, 07:02 -0800 schrieb Sherif Nagy:
Hello again,
So before encrypting the enckey, I am getting securitymodule value
true "after upgrading to 2.7devX, I encrypt the enckey, paste the data
and replace the file, restart Apache, run again the command to check
the status " should be false or HSM not ready, but I am getting the
below error:Traceback (most recent call last):
File “/usr/bin/privacyidea”, line 1467, in
main()
File “/usr/bin/privacyidea”, line 1462, in main
no_ssl_check=args.nosslcheck)
File
“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
line 96, in init
self.set_credentials(username, password)
File
“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
line 129, in set_credentials
raise Exception(“Invalid Credentials: %s” % r.status_code)
Exception: Invalid Credentials: 400and the admin password is correct, I replace the encrypted key file
with none encrypted , restart apache and try again to check the
status, and I get True.Do I need to re-add the admin user ?
Regards,
SherifOn Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote:
Hi Cornelius,Oh yep the privacyideaadm is 2.5 :/ will update now :) thank you Sherif On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote: Hi Sherif, you need at least version 2.7dev1. Hm, should release privacyideaadm 2.7... :-/ I guess you have 2.5? Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev (will just upload) Or you can install it via pip. Kind regards Cornelius Am Freitag, den 04.12.2015, 04:41 -0800 schrieb Sherif Nagy: > Hi Cornelius, > > > I did try the following command " still did not encrypt my key yet, > and I am getting the following error: > > > #privacyidea -U https://localhost --admin=admin --nosslcheck > securitymodule > > >/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding > certificate verification is strongly advised. See: > https://urllib3.readthedocs.org/en/latest/security.html(This warning
> will only appear once by default.) > InsecureRequestWarning) > This is the configuration of your active Security module: > > > Traceback (most recent call last): > File "/usr/bin/privacyidea", line 1321, in <module> > main() > File "/usr/bin/privacyidea", line 1317, in main > args.func(args, client) > File "/usr/bin/privacyidea", line 683, in securitymodule > r1 = client.securitymodule(param={}) > File >“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
> line 226, in securitymodule > return self.connect('/system/setupSecurityModule', param) > AttributeError: 'privacyideaclient' object has no attribute 'connect' > > > Any idea what might be the issue ? > > > Regards, > Sherif > > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote: > Hi Sherif, > > take a look here: >2.9. Security Modules — privacyIDEA 3.8 documentation
> > To encrypt the enckey, you can use the script > > pi-manage encrypt_enckey <filename> > > This will not overwrite the file. The encrypted data will be > written to > stdout. You can either pipe these or paste it. > > You may also want to make a backup of the encryption key, > anyway! > > When you restart the apache it will start quite normal. > But at certain points, when data needs to be encrypted or > decrypted you > will get the error: > > ERR707: hsm not ready! > > You can also check this at the command line after > (re)-starting the > apache: > > # privacyidea -U https://localhost/pi --admin=super > --nosslcheck \ > securitymodule > Please enter password for 'super': > This is the configuration of your active Security module: > { u'status': True, u'value': { u'is_ready': False}} > > "is_ready": False shows you, that the encryption key is not > ready to be > used. > > So you need to run: > > # privacyidea -U https://localhost/pi --admin=super > --nosslcheck \ > securitymodule --module=default > > Please enter password for 'super': > Please enter password for security module 'default': > Setting the password of your security module default > { u'status': True, u'value': { u'is_ready': True}} > > Now, "is_ready": True shows you, that the encryption key can > be used by > privacyIDEA... > > Take care and do backups ;-) > I do not know, who uses it productively at the moment. > > Kind regards > Cornelius > > > Am Freitag, den 04.12.2015, 02:03 -0800 schrieb Sherif Nagy: > > Hello, > > > > > > So I am thinking to encrypt my encKey with a password, > however I have > > few questions: > > > > > > 1- This will encrypt the current key, will not generate a > new key ? so > > I don't lose the tokens and data in the Database already > > 2- When I start the service using systemctl or service " I > am using > > deb privacyidea-apache2 package, will that work and asks me > to decrypt > > the enckey ? if not, how I can decrypt the enckey in this > case ? > > > > > > > > > > Regards, > > Sherif > > -- > > You received this message because you are subscribed to the > Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving emails > from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > To view this discussion on the web visit > > >> > For more options, visit https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Hi Cornelius,
Just to confirm, I created an empty realm and set it as default, and the
decyrption of the enckey works. so it seems the system checking the user’s
realm before the local admin.
Regards,
SherifOn Friday, December 4, 2015 at 3:54:23 PM UTC, Cornelius Kölbel wrote:
Hi Sherif,
thanks a lot for the details.
I can confirm this.
If the default realm contains an LDAP-Resolver with a BIND-PW you can
not login with a local administrator.I will dig into this.
Kind regards
CorneliusAm Freitag, den 04.12.2015, 07:45 -0800 schrieb Sherif Nagy:
Hi Cornelius,
I guess I knew what is wrong, so here is what I have done:
- Disabled all the policies " I have the one for u2f auth, weblogin
and one for users login " and still got the same error.- Take out the usersresolvers from the default realm and the
decryption of the key will work like a charm.- I have LDAP resolver and passwd one, I noticed just a message in the
log says looking for /etc/passwd in /home/privacyidea, that is why I
thought to disable the usersource.So I guess the realm usersources runs before the local admin ones ?
Regards,
SherifOn Friday, December 4, 2015 at 3:29:35 PM UTC, Sherif Nagy wrote:
okay let me disable the policies and will let you know if it
works or not and which policies I haveSherif On Friday, December 4, 2015 at 3:25:06 PM UTC, Cornelius Kölbel wrote: Hi Sherif, So for some reason the server returns an error. I could image due to some things it is doing _before_ checking the admins password. And in doing this stuff, it might run into a problem, since the encryption key does not exist, yet. E.g. this could be some policies, which need the encryption key when being checked. So can you please tell, what policies you have defined and also take a look into the servers log file? THanks a lot Cornelius Am Freitag, den 04.12.2015, 07:18 -0800 schrieb Sherif Nagy: > It's the local admin that has been added by pi-manage admin command > > > Sherif > > On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote: > Is this a local admin? > Or is it an admin in a superuser-realm? > > If it is a local admin, which was added by > > pi-manage admin > > it should(TM) work, since the encryption keys are not used in > this case. > > If it is an admin in a superuser-realm in e.g. an LDAP, it > will not > work, since PI can not decrypt the LDAP password to find the > admin in > the LDAP. > > Kind regards > Cornelius > > Am Freitag, den 04.12.2015, 07:02 -0800 schrieb Sherif Nagy: > > Hello again, > > > > > > So before encrypting the enckey, I am getting securitymodule > value > > true "after upgrading to 2.7devX, I encrypt the enckey, > paste the data > > and replace the file, restart Apache, run again the command > to check > > the status " should be false or HSM not ready, but I am > getting the > > below error: > > > > > > Traceback (most recent call last): > > File "/usr/bin/privacyidea", line 1467, in <module> > > main() > > File "/usr/bin/privacyidea", line 1462, in main > > no_ssl_check=args.nosslcheck) > > File > > >“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
> > line 96, in __init__ > > self.set_credentials(username, password) > > File > > >“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
> > line 129, in set_credentials > > raise Exception("Invalid Credentials: %s" % > r.status_code) > > Exception: Invalid Credentials: 400 > > > > > > and the admin password is correct, I replace the encrypted > key file > > with none encrypted , restart apache and try again to check > the > > status, and I get True. > > > > > > Do I need to re-add the admin user ? > > > > > > Regards, > > Sherif > > > > > > On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote: > > Hi Cornelius, > > > > Oh yep the privacyideaadm is 2.5 :/ will update > now :) thank > > you > > > > > > Sherif > > > > On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote: > > Hi Sherif, > > > > you need at least version 2.7dev1. > > Hm, should release privacyideaadm > 2.7... :-/ > > > > I guess you have 2.5? > > Oh, it is not available from launchpad > > ppa:privacyidea/privacyidea-dev > > (will just upload) > > Or you can install it via pip. > > > > Kind regards > > Cornelius > > > > Am Freitag, den 04.12.2015, 04:41 -0800 > schrieb Sherif > > Nagy: > > > Hi Cornelius, > > > > > > > > > I did try the following command " still > did not > > encrypt my key yet, > > > and I am getting the following error: > > > > > > > > > #privacyidea -U https://localhost > --admin=admin > > --nosslcheck > > > securitymodule > > > > > > > > > >/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
> > > InsecureRequestWarning: Unverified HTTPS > request is > > being made. Adding > > > certificate verification is strongly > advised. See: > > > > > > https://urllib3.readthedocs.org/en/latest/security.html(This
> warning > > > will only appear once by default.) > > > InsecureRequestWarning) > > > This is the configuration of your active > Security > > module: > > > > > > > > > Traceback (most recent call last): > > > File "/usr/bin/privacyidea", line 1321, > in > > <module> > > > main() > > > File "/usr/bin/privacyidea", line 1317, > in main > > > args.func(args, client) > > > File "/usr/bin/privacyidea", line 683, > in > > securitymodule > > > r1 = client.securitymodule(param={}) > > > File > > > > > >“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
> > > line 226, in securitymodule > > > return > > self.connect('/system/setupSecurityModule', > param) > > > AttributeError: 'privacyideaclient' object > has no > > attribute 'connect' > > > > > > > > > Any idea what might be the issue ? > > > > > > > > > Regards, > > > Sherif > > > > > > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote: > > > Hi Sherif, > > > > > > take a look here: > > > > > >2.9. Security Modules — privacyIDEA 3.8 documentation
> > > > > > To encrypt the enckey, you can use > the > > script > > > > > > pi-manage encrypt_enckey > <filename> > > > > > > This will not overwrite the file. > The > > encrypted data will be > > > written to > > > stdout. You can either pipe these > or paste > > it. > > > > > > You may also want to make a backup > of the > > encryption key, > > > anyway! > > > > > > When you restart the apache it > will start > > quite normal. > > > But at certain points, when data > needs to be > > encrypted or > > > decrypted you > > > will get the error: > > > > > > ERR707: hsm not ready! > > > > > > You can also check this at the > command line > > after > > > (re)-starting the > > > apache: > > > > > > # privacyidea -U > https://localhost/pi > > --admin=super > > > --nosslcheck \ > > > securitymodule > > > Please enter password for > 'super': > > > This is the configuration of your > active > > Security module: > > > { u'status': True, u'value': { > > u'is_ready': False}} > > > > > > "is_ready": False shows you, that > the > > encryption key is not > > > ready to be > > > used. > > > > > > So you need to run: > > > > > > # privacyidea -U > https://localhost/pi > > --admin=super > > > --nosslcheck \ > > > securitymodule > --module=default > > > > > > Please enter password for > 'super': > > > Please enter password for security > module > > 'default': > > > Setting the password of your > security module > > default > > > { u'status': True, u'value': { > > u'is_ready': True}} > > > > > > Now, "is_ready": True shows you, > that the > > encryption key can > > > be used by > > > privacyIDEA... > > > > > > Take care and do backups ;-) > > > I do not know, who uses it > productively at > > the moment. > > > > > > Kind regards > > > Cornelius > > > > > > > > > Am Freitag, den 04.12.2015, 02:03 > -0800 > > schrieb Sherif Nagy: > > > > Hello, > > > > > > > > > > > > So I am thinking to encrypt my > encKey with > > a password, > > > however I have > > > > few questions: > > > > > > > > > > > > 1- This will encrypt the current > key, will > > not generate a > > > new key ? so > > > > I don't lose the tokens and data > in the > > Database already > > > > 2- When I start the service > using > > systemctl or service " I > > > am using > > > > deb privacyidea-apache2 package, > will that > > work and asks me > > > to decrypt > > > > the enckey ? if not, how I can > decrypt the > > enckey in this > > > case ? > > > > > > > > > > > > > > > > > > > > Regards, > > > > Sherif > > > > -- > > > > You received this message > because you are > > subscribed to the > > > Google > > > > Groups "privacyidea" group. > > > > To unsubscribe from this group > and stop > > receiving emails > > > from it, send > > > > an email to > > privacyidea...@googlegroups.com. > > > > To post to this group, send > email to > > > priva...@googlegroups.com. > > > > To view this discussion on the > web visit > > > > > > > > > >> > > > For more options, visit > > https://groups.google.com/d/optout. > > > > > > -- > > > Cornelius Kölbel > > > corneliu...@netknights.it > > > +49 151 2960 1417 > > > > > > NetKnights GmbH > > > http://www.netknights.it > > > Landgraf-Karl-Str. 19, 34131 > Kassel, > > Germany > > > Tel: +49 561 3166797, Fax: +49 561 > 3166798 > > > > > > Amtsgericht Kassel, HRB 16405 > > > Geschäftsführer: Cornelius Kölbel > > > > > > > > > -- > > > You received this message because you are > subscribed > > to the Google > > > Groups "privacyidea" group. > > > To unsubscribe from this group and stop > receiving > > emails from it, send > > > an email to > privacyidea...@googlegroups.com. > > > To post to this group, send email to > > priva...@googlegroups.com. > > > To view this discussion on the web visit > > > > > >> > > For more options, visit > > https://groups.google.com/d/optout. > > > > -- > > Cornelius Kölbel > > corneliu...@netknights.it > > +49 151 2960 1417 > > > > NetKnights GmbH > > http://www.netknights.it > > Landgraf-Karl-Str. 19, 34131 Kassel, > Germany > > Tel: +49 561 3166797, Fax: +49 561 3166798 > > > > Amtsgericht Kassel, HRB 16405 > > Geschäftsführer: Cornelius Kölbel > > > > > > -- > > You received this message because you are subscribed to the > Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving emails > from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > To view this discussion on the web visit > > >> > For more options, visit https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
okay let me disable the policies and will let you know if it works or not
and which policies I have
SherifOn Friday, December 4, 2015 at 3:25:06 PM UTC, Cornelius Kölbel wrote:
Hi Sherif,
So for some reason the server returns an error.
I could image due to some things it is doing before checking the
admins password. And in doing this stuff, it might run into a problem,
since the encryption key does not exist, yet.E.g. this could be some policies, which need the encryption key when
being checked.So can you please tell, what policies you have defined and also take a
look into the servers log file?THanks a lot
CorneliusAm Freitag, den 04.12.2015, 07:18 -0800 schrieb Sherif Nagy:
It’s the local admin that has been added by pi-manage admin command
Sherif
On Friday, December 4, 2015 at 3:06:09 PM UTC, Cornelius Kölbel wrote:
Is this a local admin?
Or is it an admin in a superuser-realm?If it is a local admin, which was added by pi-manage admin it should(TM) work, since the encryption keys are not used in this case. If it is an admin in a superuser-realm in e.g. an LDAP, it will not work, since PI can not decrypt the LDAP password to find the admin in the LDAP. Kind regards Cornelius Am Freitag, den 04.12.2015, 07:02 -0800 schrieb Sherif Nagy: > Hello again, > > > So before encrypting the enckey, I am getting securitymodule value > true "after upgrading to 2.7devX, I encrypt the enckey, paste the data > and replace the file, restart Apache, run again the command to check > the status " should be false or HSM not ready, but I am getting the > below error: > > > Traceback (most recent call last): > File "/usr/bin/privacyidea", line 1467, in <module> > main() > File "/usr/bin/privacyidea", line 1462, in main > no_ssl_check=args.nosslcheck) > File >“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
> line 96, in __init__ > self.set_credentials(username, password) > File >“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
> line 129, in set_credentials > raise Exception("Invalid Credentials: %s" % r.status_code) > Exception: Invalid Credentials: 400 > > > and the admin password is correct, I replace the encrypted key file > with none encrypted , restart apache and try again to check the > status, and I get True. > > > Do I need to re-add the admin user ? > > > Regards, > Sherif > > > On Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote: > Hi Cornelius, > > Oh yep the privacyideaadm is 2.5 :/ will update now :) thank > you > > > Sherif > > On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote: > Hi Sherif, > > you need at least version 2.7dev1. > Hm, should release privacyideaadm 2.7... :-/ > > I guess you have 2.5? > Oh, it is not available from launchpad > ppa:privacyidea/privacyidea-dev > (will just upload) > Or you can install it via pip. > > Kind regards > Cornelius > > Am Freitag, den 04.12.2015, 04:41 -0800 schrieb Sherif > Nagy: > > Hi Cornelius, > > > > > > I did try the following command " still did not > encrypt my key yet, > > and I am getting the following error: > > > > > > #privacyidea -U https://localhost --admin=admin > --nosslcheck > > securitymodule > > > > > >/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
> > InsecureRequestWarning: Unverified HTTPS request is > being made. Adding > > certificate verification is strongly advised. See: > > > https://urllib3.readthedocs.org/en/latest/security.html (This warning > > will only appear once by default.) > > InsecureRequestWarning) > > This is the configuration of your active Security > module: > > > > > > Traceback (most recent call last): > > File "/usr/bin/privacyidea", line 1321, in > <module> > > main() > > File "/usr/bin/privacyidea", line 1317, in main > > args.func(args, client) > > File "/usr/bin/privacyidea", line 683, in > securitymodule > > r1 = client.securitymodule(param={}) > > File > > >“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
> > line 226, in securitymodule > > return > self.connect('/system/setupSecurityModule', param) > > AttributeError: 'privacyideaclient' object has no > attribute 'connect' > > > > > > Any idea what might be the issue ? > > > > > > Regards, > > Sherif > > > > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote: > > Hi Sherif, > > > > take a look here: > > >2.9. Security Modules — privacyIDEA 3.8 documentation
> > > > To encrypt the enckey, you can use the > script > > > > pi-manage encrypt_enckey <filename> > > > > This will not overwrite the file. The > encrypted data will be > > written to > > stdout. You can either pipe these or paste > it. > > > > You may also want to make a backup of the > encryption key, > > anyway! > > > > When you restart the apache it will start > quite normal. > > But at certain points, when data needs to be > encrypted or > > decrypted you > > will get the error: > > > > ERR707: hsm not ready! > > > > You can also check this at the command line > after > > (re)-starting the > > apache: > > > > # privacyidea -U https://localhost/pi > --admin=super > > --nosslcheck \ > > securitymodule > > Please enter password for 'super': > > This is the configuration of your active > Security module: > > { u'status': True, u'value': { > u'is_ready': False}} > > > > "is_ready": False shows you, that the > encryption key is not > > ready to be > > used. > > > > So you need to run: > > > > # privacyidea -U https://localhost/pi > --admin=super > > --nosslcheck \ > > securitymodule --module=default > > > > Please enter password for 'super': > > Please enter password for security module > 'default': > > Setting the password of your security module > default > > { u'status': True, u'value': { > u'is_ready': True}} > > > > Now, "is_ready": True shows you, that the > encryption key can > > be used by > > privacyIDEA... > > > > Take care and do backups ;-) > > I do not know, who uses it productively at > the moment. > > > > Kind regards > > Cornelius > > > > > > Am Freitag, den 04.12.2015, 02:03 -0800 > schrieb Sherif Nagy: > > > Hello, > > > > > > > > > So I am thinking to encrypt my encKey with > a password, > > however I have > > > few questions: > > > > > > > > > 1- This will encrypt the current key, will > not generate a > > new key ? so > > > I don't lose the tokens and data in the > Database already > > > 2- When I start the service using > systemctl or service " I > > am using > > > deb privacyidea-apache2 package, will that > work and asks me > > to decrypt > > > the enckey ? if not, how I can decrypt the > enckey in this > > case ? > > > > > > > > > > > > > > > Regards, > > > Sherif > > > -- > > > You received this message because you are > subscribed to the > > Google > > > Groups "privacyidea" group. > > > To unsubscribe from this group and stop > receiving emails > > from it, send > > > an email to > privacyidea...@googlegroups.com. > > > To post to this group, send email to > > priva...@googlegroups.com. > > > To view this discussion on the web visit > > > > > >> > > For more options, visit > https://groups.google.com/d/optout. > > > > -- > > Cornelius Kölbel > > corneliu...@netknights.it > > +49 151 2960 1417 > > > > NetKnights GmbH > > http://www.netknights.it > > Landgraf-Karl-Str. 19, 34131 Kassel, > Germany > > Tel: +49 561 3166797, Fax: +49 561 3166798 > > > > Amtsgericht Kassel, HRB 16405 > > Geschäftsführer: Cornelius Kölbel > > > > > > -- > > You received this message because you are subscribed > to the Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving > emails from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > To view this discussion on the web visit > > >> > For more options, visit > https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Is this a local admin?
Or is it an admin in a superuser-realm?
If it is a local admin, which was added by
pi-manage admin
it should™ work, since the encryption keys are not used in this case.
If it is an admin in a superuser-realm in e.g. an LDAP, it will not
work, since PI can not decrypt the LDAP password to find the admin in
the LDAP.
Kind regards
CorneliusAm Freitag, den 04.12.2015, 07:02 -0800 schrieb Sherif Nagy:
Hello again,
So before encrypting the enckey, I am getting securitymodule value
true "after upgrading to 2.7devX, I encrypt the enckey, paste the data
and replace the file, restart Apache, run again the command to check
the status " should be false or HSM not ready, but I am getting the
below error:Traceback (most recent call last):
File “/usr/bin/privacyidea”, line 1467, in
main()
File “/usr/bin/privacyidea”, line 1462, in main
no_ssl_check=args.nosslcheck)
File
“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
line 96, in init
self.set_credentials(username, password)
File
“/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py”,
line 129, in set_credentials
raise Exception(“Invalid Credentials: %s” % r.status_code)
Exception: Invalid Credentials: 400and the admin password is correct, I replace the encrypted key file
with none encrypted , restart apache and try again to check the
status, and I get True.Do I need to re-add the admin user ?
Regards,
SherifOn Friday, December 4, 2015 at 2:28:16 PM UTC, Sherif Nagy wrote:
Hi Cornelius,Oh yep the privacyideaadm is 2.5 :/ will update now :) thank you Sherif On Friday, December 4, 2015 at 1:16:11 PM UTC, Cornelius Kölbel wrote: Hi Sherif, you need at least version 2.7dev1. Hm, should release privacyideaadm 2.7... :-/ I guess you have 2.5? Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev (will just upload) Or you can install it via pip. Kind regards Cornelius Am Freitag, den 04.12.2015, 04:41 -0800 schrieb Sherif Nagy: > Hi Cornelius, > > > I did try the following command " still did not encrypt my key yet, > and I am getting the following error: > > > #privacyidea -U https://localhost --admin=admin --nosslcheck > securitymodule > > > /usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: > InsecureRequestWarning: Unverified HTTPS request is being made. Adding > certificate verification is strongly advised. See: > https://urllib3.readthedocs.org/en/latest/security.html (This warning > will only appear once by default.) > InsecureRequestWarning) > This is the configuration of your active Security module: > > > Traceback (most recent call last): > File "/usr/bin/privacyidea", line 1321, in <module> > main() > File "/usr/bin/privacyidea", line 1317, in main > args.func(args, client) > File "/usr/bin/privacyidea", line 683, in securitymodule > r1 = client.securitymodule(param={}) > File > "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", > line 226, in securitymodule > return self.connect('/system/setupSecurityModule', param) > AttributeError: 'privacyideaclient' object has no attribute 'connect' > > > Any idea what might be the issue ? > > > Regards, > Sherif > > On Friday, December 4, 2015 at 10:21:05 AM UTC, Cornelius Kölbel wrote: > Hi Sherif, > > take a look here: > http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule > > To encrypt the enckey, you can use the script > > pi-manage encrypt_enckey <filename> > > This will not overwrite the file. The encrypted data will be > written to > stdout. You can either pipe these or paste it. > > You may also want to make a backup of the encryption key, > anyway! > > When you restart the apache it will start quite normal. > But at certain points, when data needs to be encrypted or > decrypted you > will get the error: > > ERR707: hsm not ready! > > You can also check this at the command line after > (re)-starting the > apache: > > # privacyidea -U https://localhost/pi --admin=super > --nosslcheck \ > securitymodule > Please enter password for 'super': > This is the configuration of your active Security module: > { u'status': True, u'value': { u'is_ready': False}} > > "is_ready": False shows you, that the encryption key is not > ready to be > used. > > So you need to run: > > # privacyidea -U https://localhost/pi --admin=super > --nosslcheck \ > securitymodule --module=default > > Please enter password for 'super': > Please enter password for security module 'default': > Setting the password of your security module default > { u'status': True, u'value': { u'is_ready': True}} > > Now, "is_ready": True shows you, that the encryption key can > be used by > privacyIDEA... > > Take care and do backups ;-) > I do not know, who uses it productively at the moment. > > Kind regards > Cornelius > > > Am Freitag, den 04.12.2015, 02:03 -0800 schrieb Sherif Nagy: > > Hello, > > > > > > So I am thinking to encrypt my encKey with a password, > however I have > > few questions: > > > > > > 1- This will encrypt the current key, will not generate a > new key ? so > > I don't lose the tokens and data in the Database already > > 2- When I start the service using systemctl or service " I > am using > > deb privacyidea-apache2 package, will that work and asks me > to decrypt > > the enckey ? if not, how I can decrypt the enckey in this > case ? > > > > > > > > > > Regards, > > Sherif > > -- > > You received this message because you are subscribed to the > Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving emails > from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/privacyidea/d4e7e11b-0b96-476e-a36c-b7189cc6e339%40googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/9b251fd2-be6d-45f4-9d47-42f7e142166b%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/799090b8-3ca3-48de-a48e-02d9943a0e8d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)