<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>(Looks as if the original message was lost.)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Problem found: during installation, osirismd
generates keys valid for 1 year only, and there is no way to regenerate and
distribute new keys. When the keys expire, everything halts.</FONT></DIV>
<DIV><FONT face=Arial size=2>Manual key replacement (remove old keys and
restart) is a very time-consuming process when you have a few hundred servers (I
spent 4 hours using scripts; it could take 1 week without
scripts).</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>This can compromise the system, because it is the worst
scenario I can imagine: the system is installed, works for 1 year without problems
(btw, use my script to remove old databases; it allows everything to stay
balanced), then (when no one can be on site, and everyone has forgotten the details)
halts.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I changed osirismd to generate keys valid for
10 years, but it is not a long-term solution anyway (if the system still exists in 10
years and suddenly stops, it will be a deadly stop because in 10 years no one
will know how to reinstall the keys). Two real solutions are possible (better
both):</FONT></DIV>
<DIV><FONT face=Arial size=2>- allow the system to work with expired keys (sending
warnings) </FONT></DIV>
<DIV><FONT face=Arial size=2>- add automated key regeneration and distribution,
so the system can replace keys when they are about to expire (or when they are
already expired, with operator's confirmation).</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Problem found at 2.4, but I believe it exists in
all versions. (? - Q. to Brian)</FONT></DIV>
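<DIV><FONT face=Arial size=2>The two suggested behaviours (keep running with warnings on an expired key, and schedule regeneration before expiry) can be expressed as a small expiry-window policy. The following is an added Python example written for this page; it is not osirismd code and does not touch the Osiris key store. It assumes a constructed inventory of agent hostnames with the notAfter timestamp copied from each certificate's Validity field (UTCTime or GeneralizedTime), decodes those timestamps per RFC 5280, and maps each agent onto an action: ok, renew (inside the warning window), grace (expired but still tolerated with warnings) or halt (expired beyond the grace period, operator confirmation required).</FONT></DIV>

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory (not from the Osiris project): agent hostname -> notAfter
# exactly as it appears in the certificate's Validity field, either UTCTime
# ("YYMMDDhhmmssZ") or GeneralizedTime ("YYYYMMDDhhmmssZ").
AGENT_CERTS = {
    "web01": "250924231700Z",    # UTCTime, expires 2025-09-24
    "web02": "20041001000000Z",  # GeneralizedTime, expires 2004-10-01
    "db01":  "041015120000Z",    # UTCTime, expires 2004-10-15
    "mon01": "040901000000Z",    # UTCTime, expires 2004-09-01
}


def parse_x509_time(value):
    """Decode an X.509 Validity timestamp into an aware UTC datetime.

    RFC 5280 requires the trailing 'Z' and maps two-digit UTCTime years
    50..99 to 1950..1999 and 00..49 to 2000..2049.
    """
    if not value.endswith("Z"):
        raise ValueError("certificate times must be in Zulu form: %r" % value)
    body = value[:-1]
    if len(body) == 12:          # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:        # GeneralizedTime
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError("unrecognised X.509 time: %r" % value)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def classify(not_after, now, warn_days=30, grace_days=14):
    """Map one expiry date onto a scheduler action.

    'ok'    - nothing to do yet
    'renew' - inside the warning window: regenerate and push a new key now
    'grace' - already expired but within the grace period: keep working, log warnings
    'halt'  - expired beyond the grace period: operator confirmation required
    """
    remaining = not_after - now
    if remaining > timedelta(days=warn_days):
        return "ok"
    if remaining >= timedelta(0):
        return "renew"
    if -remaining <= timedelta(days=grace_days):
        return "grace"
    return "halt"


def rotation_report(inventory, now, **policy):
    """Return {host: (action, whole days until notAfter)} for the whole fleet.

    Negative day counts mean the certificate has already expired.
    """
    report = {}
    for host, raw in inventory.items():
        not_after = parse_x509_time(raw)
        days = (not_after - now).days
        report[host] = (classify(not_after, now, **policy), days)
    return report


if __name__ == "__main__":
    # Fixed, constructed reference time (a few days after the post) so the
    # output is reproducible; a real run would use datetime.now(timezone.utc).
    now = datetime(2004, 10, 5, tzinfo=timezone.utc)
    for host, (action, days) in sorted(rotation_report(AGENT_CERTS, now).items()):
        print("%-6s %-6s notAfter in %d days" % (host, action, days))
```

<DIV><FONT face=Arial size=2>The warning and grace windows are parameters of classify(), so a site can choose how long an expired agent keeps reporting before the daemon refuses it; the point is that expiry becomes a scheduled renewal event with a visible countdown rather than a silent halt.</FONT></DIV>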
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Alexei_Roudnev@exigengroup.com
href="mailto:Alexei_Roudnev@exigengroup.com">Alexei_Roudnev</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=osiris-devel@shmoo.com
href="mailto:osiris-devel@shmoo.com">osiris-devel@shmoo.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Saturday, September 25, 2004 12:17
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [osiris-devel] key regeneration
(expiration time = 1 year, so be ready for headache after 1 year of successful
running)</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>Hmm; I hacked the daemon (so that it generates keys
valid for 10 years) and it took only 3 hours to clean old keys and restart
agents on 100 servers (so if you have 1000 servers, you can complete
everything in a week -:) even without automation). Btw, X.509 does not allow
generating keys valid for 100 years -:).</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Anyway, it should have some bypass and a long-term
solution; long term can be (allow 2 different certificates to coexist, and
push a new certificate if the agent has the old one); short term - some script. I found
a pretty simple GUI for Windows, allowing a service to be installed remotely (having a
simple exe file), which can be used for remote agent installation; maybe
something like this can be done in this case as well (change of certificate,
change of central server, etc).</FONT></DIV>
<P>
<HR>
<P></P>_______________________________________________<BR>osiris-devel mailing
list<BR>osiris-devel@lists.shmoo.com<BR>https://lists.shmoo.com/mailman/listinfo/osiris-devel</BLOCKQUOTE></BODY></HTML>