Issues Fixed in Cloudera Navigator Key Trustee Server
The following sections describe issues fixed in each Cloudera Navigator Key Trustee Server release.
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.15.0
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.14.0
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.13.0
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.12.0
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.11.1
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.11.0
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.10.1
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.10.0
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.9.0
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.8.0
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.7.0
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.5.2
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.5.0
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.4.9
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.4.3
- Issues Fixed in Cloudera Navigator Key Trustee Server 5.4.0
Issues Fixed in Cloudera Navigator Key Trustee Server 5.15.0
ktbackup.sh script not rolling GPG encrypted files
Encrypted backup tarballs have an additional .gpg file extension after .tar to indicate that they are encrypted (.tar.gpg). When the ktbackup.sh script searched for files to roll, it only sought files that ended in .tar, so it was not rolling the encrypted backup tarballs. The script has been updated to account for the .tar.gpg extension for encrypted backups, and now rolls them as expected.
Cloudera Bug: KT-6107Issues Fixed in Cloudera Navigator Key Trustee Server 5.14.0
Malicious user can access database used to store HDFS encryption zone keys
This vulnerability, which impacted Key Trustee Server, allowed anyone with access to the host on which Key Trustee Server is running to use a non-libpq based connection driver to connect to the Postgres database used by Key Trustee Server without specifying a password.
The keys stored in the database are encrypted, which means access to data could not be gained by this method. However, the vulnerability could provide a way for someone to alter encryption zone key metadata, delete the encryption zone keys, or delete the contents of the entire database.
Cloudera Bug: DOCS-2788Issues Fixed in Cloudera Navigator Key Trustee Server 5.13.0
Issues Fixed in Cloudera Navigator Key Trustee Server 5.12.0
Issues Fixed in Cloudera Navigator Key Trustee Server 5.11.1
Issues Fixed in Cloudera Navigator Key Trustee Server 5.11.0
Issues Fixed in Cloudera Navigator Key Trustee Server 5.10.1
Issues Fixed in Cloudera Navigator Key Trustee Server 5.10.0
For new features in Key Trustee Server 5.10.0, see New Features and Changes in Cloudera Navigator Key Trustee Server.
Issues Fixed in Cloudera Navigator Key Trustee Server 5.9.0
For new features in Key Trustee Server 5.9.0, see New Features and Changes in Cloudera Navigator Key Trustee Server.
Issues Fixed in Cloudera Navigator Key Trustee Server 5.8.0
Key Trustee Server logs superfluous error during registration
Traceback (most recent call last): File "/usr/lib/python2.6/site-packages/keytrustee/server/webapp.py", line 2151, in lookup return hkp.lookup(g.hkpdb, app.config['LOCAL_FINGERPRINT']) File "/usr/lib/python2.6/site-packages/keytrustee/server/hkp.py", line 72, in lookup raise wzex.BadRequest("Operation not specified.") BadRequest: 400: Operation not specified.
Issues Fixed in Cloudera Navigator Key Trustee Server 5.7.0
Email messages from Key Trustee Server use hostname instead of fully qualified domain name
Email sent from Key Trustee Server includes a link that uses the Key Trustee Server short name instead of the fully qualified domain name.
Host Inspector displays the wrong version of Key Trustee Server
Host Inspector displays the wrong Key Trustee Server version, showing the Key Trustee KMS version instead.
Key Trustee Server supports weak RC4 ciphers for TLS
Key Trustee Server supports weak RC4 ciphers for TLS connections, potentially allowing clients to negotiate a weaker connection.
The ktadmin keyhsm command fails with M2Crypto error
Running the ktadmin keyhsm --server https://khsm01.example.com:9090 --trust command fails with the following error:
M2Crypto.X509.X509Error: 140405990356800:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE
Issues Fixed in Cloudera Navigator Key Trustee Server 5.5.2
Issues Fixed in Cloudera Navigator Key Trustee Server 5.5.0
Key Trustee Server missing from Components page
Key Trustee Server is not listed in the Components page (Hosts > Hostname > Components) of the host it is installed on.
Passive Database role fails to restart after enabling synchronous replication
After enabling synchronous replication, the Passive Database role fails to start when restarting the Key Trustee Server service in Cloudera Manager.
Key Trustee Server using CherryPy allows SSLv3
Key Trustee Server using CherryPy as the web backend allows SSLv3 connections, which are considered insecure.
Key Trustee Server sends wrong command in email notification
When you register a client, Key Trustee Server sends an email notification with a command to import the Key Trustee Server GPG key. The command uses the hkp protocol and port 80. The correct protocol is hkps and the correct port is 11371.
Enabling synchronous replication fails if python-ordereddict is not installed
Traceback (most recent call last): File "aux/prop2x.py", line 14, in <module> from ordereddict import OrderedDict ImportError: No module named ordereddict
Key Trustee Server does not respond to requests
2015-06-03 11:44:17,232 - keytrustee.server.webapp - ERROR - 'None' is not a valid qualified fingerprint Traceback (most recent call last): File "/opt/cloudera/parcels/KEYTRUSTEE_SERVER-5.4.0-1.keytrustee5.4.0.p0.204/lib/python2.6/ site-packages/keytrustee-5.4.0-py2.6.egg/keytrustee/server/webapp.py", line 1917, in index server.response = server.respond() File "/opt/cloudera/parcels/KEYTRUSTEE_SERVER-5.4.0-1.keytrustee5.4.0.p0.204/lib/python2.6/ site-packages/keytrustee-5.4.0-py2.6.egg/keytrustee/server/webapp.py", line 1783, in respond return Response(self.get_fingerprint(), **g.resp_kwargs) File "/opt/cloudera/parcels/KEYTRUSTEE_SERVER-5.4.0-1.keytrustee5.4.0.p0.204/lib/python2.6/ site-packages/keytrustee-5.4.0-py2.6.egg/keytrustee/server/webapp.py", line 1338, in get_fingerprint key_info = g.gpg.get_key_info(str(app.config['LOCAL_FINGERPRINT'])) File "/opt/cloudera/parcels/KEYTRUSTEE_SERVER-5.4.0-1.keytrustee5.4.0.p0.204/lib/python2.6/ site-packages/keytrustee-5.4.0-py2.6.egg/keytrustee/gnupg.py", line 415, in get_key_info search_string = fp_or_id(fingerprint, keyid) File "/opt/cloudera/parcels/KEYTRUSTEE_SERVER-5.4.0-1.keytrustee5.4.0.p0.204/lib/python2.6/ site-packages/keytrustee-5.4.0-py2.6.egg/keytrustee/gnupg.py", line 817, in fp_or_id result = unqualified_fp(fingerprint) File "/opt/cloudera/parcels/KEYTRUSTEE_SERVER-5.4.0-1.keytrustee5.4.0.p0.204/lib/python2.6/ site-packages/keytrustee-5.4.0-py2.6.egg/keytrustee/gnupg.py", line 761, in unqualified_fp _, _, fp = read_qualified_fp(fp) File "/opt/cloudera/parcels/KEYTRUSTEE_SERVER-5.4.0-1.keytrustee5.4.0.p0.204/lib/python2.6/ site-packages/keytrustee-5.4.0-py2.6.egg/keytrustee/gnupg.py", line 770, in read_qualified_fp raise ValueError("'%s' is not a valid qualified fingerprint" % (s)) ValueError: 'None' is not a valid qualified fingerprint
Cannot register a client with Key Trustee Server after registering GPG public key
After creating an organization, the organization administrator receives a link to register a GPG key. If the administrator registers the GPG key before any clients are registered with the organization, all subsequent registrations with that organization fail.
Starting Key Trustee Server with --daemonize option fails
2015-04-01 05:33:26,843 - cherrypy.error - ERROR - [01/Apr/2015:05:33:26] ENGINE Error in 'start' listener <bound method Daemonizer.start of <cherrypy.process.plugins.Daemonizer object at 0x1e71490>> Traceback (most recent call last): File "/usr/lib/python2.6/site-packages/cherrypy/process/wspbus.py", line 197, in publish output.append(listener(*args, **kwargs)) File "/usr/lib/python2.6/site-packages/cherrypy/process/plugins.py", line 380, in start si = open(self.stdin, "r") IOError: [Errno 2] No such file or directory: '/tmp/stdout'
Starting Key Trustee Server when it is already running updates keytrustee.pid file
Traceback (most recent call last): File "/usr/bin/keytrustee-server", line 136, in <module> main() File "/usr/bin/keytrustee-server", line 131, in main status() File "/usr/bin/keytrustee-server", line 104, in status pid_file = ProcessIDInfo(ARGS.pidfile) File "/usr/lib/python2.6/site-packages/keytrustee/process.py", line 8, in __init__ raise ex.KeytrusteeError('Invalid PID path: %s' % path) keytrustee.exceptions.KeytrusteeError: Invalid PID path: /var/lib/keytrustee/.keytrustee/keytrustee.pid
Starting Key Trustee Server while the port is in use fails silently
Traceback (most recent call last): File "/usr/lib/python2.6/site-packages/cherrypy/process/wspbus.py", line 235, in start self.publish('start') File "/usr/lib/python2.6/site-packages/cherrypy/process/wspbus.py", line 215, in publish raise exc ChannelFailures: IOError("Port 11371 not free on 'keytrustee01.example.com'",)
Issues Fixed in Cloudera Navigator Key Trustee Server 5.4.9
Cannot register a client with Key Trustee Server after registering GPG public key
After creating an organization, the organization administrator receives a link to register a GPG key. If the administrator registers the GPG key before any clients are registered with the organization, all subsequent registrations with that organization fail.
Cloudera Bug: KT-1894
Issues Fixed in Cloudera Navigator Key Trustee Server 5.4.3
Key Trustee Server logs error GnuPG operation exited with return code=2
2014-12-30 04:23:22,166 - keytrustee.gnupg - ERROR - GnuPG operation exited with return code=2: [GNUPG:] ENC_TO 9375BEFD0BEC8C12 1 0 [GNUPG:] GOOD_PASSPHRASE [GNUPG:] BEGIN_DECRYPTION [GNUPG:] PLAINTEXT 62 1419942201 [GNUPG:] PLAINTEXT_LENGTH 230 [GNUPG:] ERRSIG DF46C6427B4466F3 1 10 00 1419942201 9 [GNUPG:] NO_PUBKEY DF46C6427B4466F3 [GNUPG:] DECRYPTION_OKAY [GNUPG:] END_DECRYPTION
Package conflict: python-jinja2
Installing or upgrading Key Trustee Server on RHEL fails on hosts where python-jinja2 is installed.
The keytrustee-orgtool add command fails with timeout: timed out error on CentOS 6.6
Exception in thread Thread-1: Traceback (most recent call last): File "/usr/lib64/python2.6/threading.py", line 532, in __bootstrap_inner self.run() File "/usr/lib64/python2.6/threading.py", line 484, in run self.__target(*self.__args, **self.__kwargs) File "/usr/lib/python2.6/site-packages/keytrustee/server/util.py", line 363, in send_mail smtp = smtplib.SMTP('localhost', timeout=timeout) File "/usr/lib64/python2.6/smtplib.py", line 239, in __init__ (code, msg) = self.connect(host, port) File "/usr/lib64/python2.6/smtplib.py", line 296, in connect (code, msg) = self.getreply() File "/usr/lib64/python2.6/smtplib.py", line 337, in getreply line = self.file.readline() File "/usr/lib64/python2.6/socket.py", line 450, in readline data = self._sock.recv(self._rbufsize) timeout: timed out
Passive Database role sometimes fails to start when starting the Key Trustee Server service
Starting or restarting the Key Trustee Server service attempts to start the Active Database role and Passive Database role. If the Active Database has not completed starting up when the Passive Database attempts to start, the Passive Database fails to start.
For parcel-based installations, client and path environments must be manually configured
Users cannot use Key Trustee Server command-line utilities without configuring the path and setting environment variables.
Issues Fixed in Cloudera Navigator Key Trustee Server 5.4.0
Categories: Fixed Issues | Key Trustee | Navigator | Release Notes | Troubleshooting | Upgrading | All Categories