Knowledgebase:
Security Database restore leading to lingering Certificate Template id in Config files
02 March 2020 11:08 AM

Introduction

MarkLogic stores certificate files in the Security database. Every user-created security file is stored there together with its template ID.

For example, a newly installed signed certificate is stored under a URI such as http://marklogic.com/xdmp/pki/certificates/160051481396114827.xml, and that document carries the template ID (<pki:template-id>13176215136521847243</pki:template-id>).

When a certificate template is attached to a specific App Server, a reference to the template ID is also stored in groups.xml, the App Server's config file.

The template ID is the only configuration value with a two-way reference: one copy is stored in the groups.xml config file and the other inside the certificate document in the Security database.

Problem Statement

When the Security database is restored, the existing certificate files in the Security database are replaced, and with them the reference to the old template ID. If that template ID is still referenced by an App Server, that is, an SSL-enabled App Server whose certificate template was never detached before the Security database restore, then groups.xml still points at a template ID that no longer exists.

In that scenario, users receive an HTTP 500 Internal Server Error:

500: Internal Server Error ADMIN-BADCERTTEMPLATE: (err:FOER0000) '18321675798544961903' is not a valid certificate template id In /MarkLogic/admin.xqy on line 15197 In validate-certificate-template-id("18321675798544961903", <xs:element name="ssl-certificate-template" type="ssl-certificate..." .../>) $value = "18321675798544961903" $typ = <xs:element name="ssl-certificate-template" type="ssl-certificate..." .../> $id = xs:unsignedLong("18321675798544961903") $template = ()

How to avoid the situation from occurring?

The safest approach is to remove every App Server to template ID association, going through each App Server, before any Security database restore. Once the restore is complete, the App Servers can be associated with the templates present in the restored Security database, re-enabling SSL on each App Server.

How to recover? 

The workaround is to stop the MarkLogic service and remove the template ID from the config files as well. The groups.xml config file is located in the /var/opt/MarkLogic directory, and the lingering template ID is found in the App Server's <ssl-certificate-template> element, which needs to be cleared.

Follow the steps below to replace groups.xml on the cluster.

  1. Stop the cluster -> Stop the service on each host, starting with the bootstrap host and then all other hosts (e.g. as root: /sbin/service MarkLogic stop).
  2. Go to groups.xml, located in the /var/opt/MarkLogic folder -> You can move the existing groups.xml to /tmp/groups.xml as a backup first.
  3. Set the template to zero on every matching <ssl-certificate-template> line:

         <ssl-certificate-template>0</ssl-certificate-template>

  4. Restart MarkLogic -> Restart the service, starting with the bootstrap host.
  5. Re-enable SSL on the App Servers through the Admin GUI (or the Admin API) using the templates that are now available.
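As an added example (not part of this article or of MarkLogic itself), the script below implements step 3 on a groups.xml file and, beyond the article's blanket reset, can limit the change to template IDs that are not in a list of IDs known to exist in the restored Security database; how that list is obtained (for example from the Admin UI) is outside the script. The sample XML is constructed for the example: the element names follow the article, while the namespace URI and the surrounding layout are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed groups.xml fragment; namespace URI and layout are assumptions.
SAMPLE_GROUPS_XML = """<groups xmlns="http://marklogic.com/xdmp/group">
  <group><group-name>Default</group-name><http-servers>
    <http-server>
      <http-server-name>App-Services</http-server-name>
      <ssl-certificate-template>0</ssl-certificate-template>
    </http-server>
    <http-server>
      <http-server-name>secure-app</http-server-name>
      <ssl-certificate-template>18321675798544961903</ssl-certificate-template>
    </http-server>
  </http-servers></group>
</groups>"""

TEMPLATE_TAG = "ssl-certificate-template"
_local = lambda tag: tag.rsplit("}", 1)[-1]  # strip any {namespace} prefix


def _server_name(parent):
    """Name of the enclosing app server: its first *-name child."""
    return next((c.text for c in parent if _local(c.tag).endswith("-name")), "<unnamed>")


def _iter_templates(root, valid_template_ids):
    """Yield (server, template element) for each non-zero template id not in valid_template_ids."""
    for parent in root.iter():
        for child in parent:
            tid = (child.text or "").strip()
            if _local(child.tag) == TEMPLATE_TAG and tid not in ("", "0") \
                    and tid not in valid_template_ids:
                yield parent, child


def find_stale_templates(xml_text, valid_template_ids=frozenset()):
    """Dry run: map app-server name -> lingering template id, file untouched."""
    root = ET.fromstring(xml_text)
    return {_server_name(p): c.text.strip() for p, c in _iter_templates(root, valid_template_ids)}


def zero_stale_templates(xml_text, valid_template_ids=frozenset()):
    """Return (rewritten xml, changed server names); empty valid set == article step 3."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace on output
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    changed = []
    for parent, child in _iter_templates(root, valid_template_ids):
        child.text = "0"
        changed.append(_server_name(parent))
    return ET.tostring(root, encoding="unicode"), changed
```

Run find_stale_templates on the real file first to see which App Servers would change; with the default empty valid set it reports every non-zero template, exactly what step 3 resets.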

In the latest MarkLogic versions, a warning about a missing certificate template ID in the config file is logged. Further work to prevent the issue from occurring at all is still in progress, as it requires some redesign.

Related MarkLogic Documentation

Configuring SSL on App Servers

Restoring Security Database
