Enforced FIPS LUKS; Unable to View Stored Documents


#1

We have two separate clusters of three nodes. They have been working well for a while, but recently we needed to enforce FIPS LUKS on the disks for CLUSTER_1. This meant moving the data off of the partition, encrypting the disk, moving the data back, and enforcing the use of FIPS-approved ciphers on the system.

Issue 1
Now, I can connect to port 8091 well enough. The buckets are there. But the documents are not. The data appears to be there on the file system - there are several hundred items within the bucket. But in the web console on port 8091, when I look at the bucket, the item count is 0.

Issue 2
Additionally, we are no longer able to continue using cbbackup and cbrestore from CLUSTER_2 (non-FIPS) to CLUSTER_1 (FIPS). It appears to be related to encryption keys. The result of cbrestore is:

Exception in thread s3:
Traceback (most recent call last):
  File "/usr/lib64/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "/usr/lib64/python2.6/threading.py", line 484, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/opt/couchbase/lib/python/pump_mc.py", line 90, in run
    rv, batch, need_backoff = self.scatter_gather(mconns, batch)
  File "/opt/couchbase/lib/python/pump_cb.py", line 71, in scatter_gather
    rv, conn = self.find_conn(mconns, vbucket_id, msgs)
  File "/opt/couchbase/lib/python/pump_cb.py", line 326, in find_conn
    rv, conn = CBSink.connect_mc(host, port, user, pswd)
  File "/opt/couchbase/lib/python/pump_mc.py", line 331, in connect_mc
    mc.sasl_auth_cram_md5(str(user), str(pswd))
  File "/opt/couchbase/lib/python/cb_bin_client.py", line 261, in sasl_auth_cram_md5
    dig = hmac.HMAC(password, challenge).hexdigest()
  File "/usr/lib64/python2.6/hmac.py", line 49, in __init__
    self.outer = self.digest_cons()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
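
Added example, not part of the original post and not Couchbase code: a preflight check for the failure in the traceback above, where `sasl_auth_cram_md5` computes an HMAC with MD5 and a FIPS-enforcing OpenSSL refuses to create the MD5 context. The function names and `fips_blocked_md5` (a constructed stand-in for `hashlib.md5` on a FIPS host) are hypothetical; the response format follows RFC 2195.

```python
import hashlib
import hmac


def digest_allowed(constructor):
    """Return (True, None) if the digest can be created, else (False, reason).

    Under a FIPS-enforcing OpenSSL, creating an MD5 context raises
    ValueError, which is the error at the bottom of the traceback above.
    """
    try:
        constructor(b"")
        return True, None
    except ValueError as exc:
        return False, str(exc)


def cram_md5_response(user, password, challenge, md5=hashlib.md5):
    """Build the CRAM-MD5 client response as RFC 2195 defines it:
    user, a space, then hex(HMAC-MD5(key=password, msg=challenge))."""
    dig = hmac.new(password, challenge, digestmod=md5).hexdigest()
    return user + b" " + dig.encode("ascii")


def preflight(md5=hashlib.md5):
    """Report whether this host can perform CRAM-MD5 at all."""
    ok, reason = digest_allowed(md5)
    if ok:
        return "CRAM-MD5 usable: MD5 is permitted by the local crypto policy"
    return "CRAM-MD5 unusable on this host: " + reason


def fips_blocked_md5(data=b""):
    """Constructed stand-in for hashlib.md5 on a FIPS-enforcing host."""
    raise ValueError("error:060800A3:digital envelope routines:"
                     "EVP_DigestInit_ex:disabled for fips")


if __name__ == "__main__":
    print(preflight())                  # result for the host running this
    print(preflight(fips_blocked_md5))  # simulated FIPS host
```

Running the preflight on the host that executes cbrestore shows whether the CRAM-MD5 step can succeed there before any data transfer is attempted.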