[osiris-devel] key regeneration (expiration time = 1 year, so be ready for a headache after 1 year of successful running)
Alexei_Roudnev
Alexei_Roudnev at exigengroup.com
Mon Sep 27 13:34:56 EDT 2004
(Looks like the original message was lost.)
Problem found: during installation, osirismd generates keys valid for 1 year only, and there is no way to regenerate and distribute new keys. When the keys expire, everything halts.
Manual key replacement (remove old keys and restart) is a very time-consuming process when you have a few hundred servers (I spent 4 hours using scripts; it could take 1 week without scripts).
This can compromise the system, because it is the worst scenario I can imagine: system installed, works for 1 year without problems (btw, use my script to remove old databases; it keeps everything balanced), then (when no one can be on site, and everyone has forgotten the details) halts.
I changed osirismd to generate keys valid for 10 years, but it is not a long-term solution anyway (if the system still exists in 10 years and suddenly stops, it will be a deadly stop, because in 10 years no one will know how to reinstall keys). Two real solutions are possible (better both):
- allow the system to work with expired keys (sending warnings)
- add automated key regeneration and distribution, so the system can replace keys when they are about to expire (or when they are already expired, with the operator's confirmation).
Problem found in 2.4, but I believe it exists in all versions. (? - Q. to Brian)
----- Original Message -----
From: Alexei_Roudnev
To: osiris-devel at shmoo.com
Sent: Saturday, September 25, 2004 12:17 AM
Subject: [osiris-devel] key regeneration (expiration time = 1 year, so be ready for a headache after 1 year of successful running)
Hmm; I hacked the daemon (so that it generates keys valid for 10 years) and it took only 3 hours to clean old keys and restart agents on 100 servers (so if you have 1000 servers, you can complete everything in a week -:) even without automation). Btw, X509 does not allow generating keys valid for 100 years -:).
Anyway, it should have some bypass and a long-term solution; long term can be (allow 2 different certificates to coexist, and push the new certificate if the agent has the old one); short term: some script. I found a pretty simple GUI for Windows that allows you to install a service remotely (having a simple exe file), which can be used for remote agent installation; maybe something like this can be done in this case as well (change of certificate, change of central server, etc.).
_______________________________________________
osiris-devel mailing list
osiris-devel at lists.shmoo.com
https://lists.shmoo.com/mailman/listinfo/osiris-devel
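The pre-expiry warning proposed in the first bullet of the message above, as an added example that is not Osiris code and does not show how osirismd actually generates or stores its keys. It is written against the Go standard library only: NewSelfSignedCert mints 1-year self-signed agent certificates the way an install-time generator would, ExpiryStatus classifies a certificate against a warning window, and NeedsRotation lists the agents an operator should rotate before the daemon halts. The agent names, the install date of 2004-09-01 and the 30-day window are constructed for the example; in a real deployment the certificates would be loaded from the agents' key files (PEM decode, then x509.ParseCertificate) rather than generated in place.

```go
// Added example (not Osiris code): pre-expiry check for a fleet of agent
// certificates, so expiry is reported well before it halts the system.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Status values returned by ExpiryStatus.
const (
	StatusOK       = "ok"
	StatusExpiring = "expiring" // inside the warning window, still valid
	StatusExpired  = "expired"  // past NotAfter; a daemon with no grace period halts here
)

// Fleet maps an agent name to its current certificate.
type Fleet map[string]*x509.Certificate

// NewSelfSignedCert mimics an install-time key generation with a fixed
// validity (the report describes 1-year keys). Hypothetical helper for this
// example; osirismd's real generation code is not reproduced here.
func NewSelfSignedCert(cn string, notBefore time.Time, validDays int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, validDays),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ExpiryStatus classifies cert relative to now and a warning window, and
// returns the remaining lifetime (negative once the certificate has expired).
func ExpiryStatus(cert *x509.Certificate, now time.Time, warn time.Duration) (string, time.Duration) {
	left := cert.NotAfter.Sub(now)
	switch {
	case left <= 0:
		return StatusExpired, left
	case left <= warn:
		return StatusExpiring, left
	default:
		return StatusOK, left
	}
}

// NeedsRotation returns the agents whose certificates are expiring or already
// expired, sorted so the output is stable for scripts and tickets.
func NeedsRotation(agents Fleet, now time.Time, warn time.Duration) []string {
	out := []string{}
	for name, c := range agents {
		if s, _ := ExpiryStatus(c, now, warn); s != StatusOK {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed fleet: three agents installed the same day with 1-year certs.
	installed := time.Date(2004, time.September, 1, 0, 0, 0, 0, time.UTC)
	names := []string{"web01", "db01", "mail01"}
	agents := Fleet{}
	for _, name := range names {
		c, err := NewSelfSignedCert(name, installed, 365)
		if err != nil {
			panic(err)
		}
		agents[name] = c
	}
	warn := 30 * 24 * time.Hour
	for _, daysLater := range []int{0, 340, 366} {
		now := installed.AddDate(0, 0, daysLater)
		for _, name := range names {
			s, left := ExpiryStatus(agents[name], now, warn)
			fmt.Printf("day %3d %-7s %-8s %6.1f days left\n", daysLater, name, s, left.Hours()/24)
		}
		fmt.Println("  needs rotation:", NeedsRotation(agents, now, warn))
	}
}
```

Run on a schedule (cron on the management host, for instance), the check reports "expiring" from day 335 of a 365-day certificate and "expired" from day 366, which is the warning the message asks for; pairing it with a distribution step for fresh certificates is the second bullet and is not shown here.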