Master Key extending time issue


Hi All Experts,

 

I am currently having an issue while attempting to extend a Master Key validity time:

 


 

2017-07-21 00:08:20.473 +0100 ------------ Received event:3 (Cfg installed) in worker thread ------------
2017-07-21 00:08:20.475 +0100 [3] Reading mkey, ks files...
2017-07-21 00:08:20.475 +0100 [3] Get fips/cc mode, event_type
2017-07-21 00:08:20.482 +0100 [3] Begin to read master keys into mkobj
2017-07-21 00:08:20.483 +0100 Reading /opt/pancfg/.keystore/mkey.xml file into sysd dict
2017-07-21 00:08:20.484 +0100 [3] Read keystore file into cryptod_keystore dict
2017-07-21 00:08:20.484 +0100 Reading /opt/pancfg/.keystore/ks.xml file into sysd dict
2017-07-21 00:08:20.485 +0100 -- Reading startup keys files from disk, query:0 --
2017-07-21 00:08:20.485 +0100 -- Done reading and deleting 0 startup keys files from disk --
2017-07-21 00:08:20.486 +0100 [3] Done reading mkey and keystore files
2017-07-21 00:08:20.486 +0100 Mkey expiry timer stopped
2017-07-21 00:08:20.486 +0100 Mkey reminder timer stopped
2017-07-21 00:08:20.486 +0100 Starting reminder ager for mkey for 1590447 seconds from now
2017-07-21 00:08:20.486 +0100 Starting expiry ager for mkey for 4182447 seconds from now
2017-07-21 00:10:15.243 +0100 Error:  pan_cryptod_sysd_decr_recv_cb(pan_cryptod_crypt.c:1571): Decryption failed, abort
 
Thanks to All,
pinging: @reaper @Remo @BPry
 
 
 
@TranceforLife

Good question 😛

 

What character set did you use for the new key? Maybe you used a character that is "not supported" --> bug

Did you try with only alphanumeric characters?

Hi @Remo,

 

Thanks for your feedback. I have followed this guide:

 

https://live.paloaltonetworks.com/t5/Management-Articles/Character-Limitation-for-Setting-Up-Master-...

 

I can see it is complaining about some private SSL cert key, but not sure why!!!!

Hi @TranceforLife

 

Sorry for asking again ... Just to make sure that it is not related to a bug with a special character, you tried with something as easy (without special characters) as "password12345678"?

Exactly, a simple password. It is something to do with the private key of the SSL cert. Maybe it needs to re-upload. Not sure (

@TranceforLife

PAN-79780? --> fixed in 8.0.4

Hi @Remo,

 

Thanks. This is now with TAC and I think we are looking into the "wrong master key" scenario. Yes, I know ...... So current key most likely is not valid (wrong key). Don't ask me how it happened :D, but a workaround is quite tedious (reset the device to its default and re-type all config PASSWORDS manually).

Indeed the wrong MK.
