Documentum Docker 23.4 - Docbase fails to start - [DM_CRYPTO_F_KEYSTORE_INIT]

I'm trying to get a Documentum Docker 23.4 environment working but keep running into the same issue. The docbase will boot and work the first time after installation, but every subsequent attempt, I get the following error:

[DM_STARTUP_W_DOCBASE_OWNER_NOT_FOUND] *** warning *** : The database user, dctm as specified by your server.ini is not a valid user as determined using the system password check api. This will likely severly impair the operation of your docbase.

[DM_CRYPTO_F_KEYSTORE_INIT]fatal: "Failed to initialize keystore at /opt/dctm/dba/secure/aek. Internal error - 1057226525"

I have performed the following steps:

  • Windows 11 host
  • Docker 24.0.7
  • Documentum Content Server 23.4 docker image
  • Postgres 15.5 docker image
  1. Set up the Postgres 15.5 DB using docker image
  2. Set the required parameters for the Documentum Content Server yaml file and run the docker-compose command to install the docbase
  3. Check the docbase installs correctly by checking the install logs in /opt/dctm_docker/logs/
  4. After install, restart the docbroker + docbase. Check the docbase logs within /opt/<docbase>/dba/logs/<docbase>.log
  5. Run IDQL and check that it logs in and queries can be performed. All works correctly.
  6. Now, shutting down the docbase, stopping the docker images, and restarting them, the docbase will no longer boot and I receive the [DM_STARTUP_W_DOCBASE_OWNER_NOT_FOUND] and [DM_CRYPTO_F_KEYSTORE_INIT] messages.

Has anyone seen this problem? Or got around it? Many thanks

Answers

  • DM_STARTUP_W_DOCBASE_OWNER_NOT_FOUND is just a warning. I wouldn't worry about it since this user is generally not used.

    You should have several persistent volumes to store things like content files (data) or the $DOCUMENTUM/dba directory where the AEK should be stored. Are you sure that they are mounted properly and that they contain the expected data?

  • Thanks for getting back. I've set up the yaml file as such:

    services:
    volumes:     
    - dctm_data:/opt/dctm/data
    - dctm_dba:/opt/dctm/dba
    - dctm_share:/opt/dctm/share

    And then the volumes section is blank:

    volumes:
      dctm_data:
      dctm_share:
      dctm_dba:

    This then creates docker volumes for each of these. Is this incorrect? Should I manually create the volumes for data and share?

  • Yes, that's correct, and no, you don't need to create them manually. Can you see the volumes when you do docker volume ls? And when you connect to the Documentum container, can you see content under the volumes, e.g. under $DOCUMENTUM/dba/secure or $DOCUMENTUM/data?

  • Yes, I can see both volumes created within Docker. Data is filled with the usual expected content. dba/secure has the CSaek file in it (see attached screenshots).

    Everything works fine after installation, until the container is stopped/shutdown and then restarted again. At which point I get the [DM_CRYPTO_F_KEYSTORE_INIT] error message within the docbase log.

    I could try a previous version of Content Server image, but I'm unsure if it's the image or something I'm doing wrong. Thanks

  • The message mentions /opt/dctm/dba/secure/aek which is not what you have: your file is at /opt/dctm/dba/secure/CSaek. I suppose you used the default CS-Docker-Compose_Stateless.yml which sets AEK_NAME=CSaek. I don't suppose that you changed the yml in between restarts? It might also be that the error message is misleading.

  • Good point. I did try and change the name of CSaek to aek within the yaml file, but unfortunately it didn't make a difference.

    I'll raise a support request and also try a previous version. Thanks for your help.

  • I tried with Documentum Server Docker 23.2 and get the same error.

    I've renamed the AEK_NAME within the yaml file from CSaek to aek.key. Still the same error.

    Running dm_crypto_boot sets the aek.key file up again, but the docbase still fails with the same error. I'm very confused…

  • JCHall
    #10 Answer ✓

    OK problem solved.

    After starting the Documentum Server container, the docbase/content server won't successfully boot unless the following command is entered:

    dm_crypto_boot -all -passphrase <password>
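
A pre-start check built around the accepted answer's command, as an added example that is not part of the original thread: it confirms that the key file named by AEK_NAME exists under dba/secure, reads the passphrase from a permission-restricted file instead of typing it, then runs dm_crypto_boot. The AEK_PASSPHRASE_FILE variable and its path are assumptions; the DOCUMENTUM and AEK_NAME defaults mirror the paths and names mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread.
# DOCUMENTUM and AEK_NAME defaults mirror the paths and names in the thread;
# AEK_PASSPHRASE_FILE and its path are hypothetical.
: "${DOCUMENTUM:=/opt/dctm}"
: "${AEK_NAME:=CSaek}"
: "${AEK_PASSPHRASE_FILE:=/run/aek/passphrase}"

# Return 0 only if the key file and the passphrase file look usable.
check_aek_prereqs() {
    aek_path="$DOCUMENTUM/dba/secure/$AEK_NAME"
    if [ ! -s "$aek_path" ]; then
        echo "AEK missing or empty: $aek_path (check AEK_NAME and the dba volume)" >&2
        return 2
    fi
    if [ ! -r "$AEK_PASSPHRASE_FILE" ]; then
        echo "cannot read passphrase file: $AEK_PASSPHRASE_FILE" >&2
        return 3
    fi
    # Refuse a passphrase file that group or others can read.
    if [ -n "$(find -L "$AEK_PASSPHRASE_FILE" \( -perm -040 -o -perm -004 \))" ]; then
        echo "passphrase file is group/world readable: $AEK_PASSPHRASE_FILE" >&2
        return 4
    fi
    return 0
}

# Run the command from the accepted answer once the checks pass.
boot_aek() {
    check_aek_prereqs || return $?
    passphrase=$(cat "$AEK_PASSPHRASE_FILE") || return 3
    rc=0
    # The passphrase is still a process argument while this command runs.
    dm_crypto_boot -all -passphrase "$passphrase" || rc=$?
    unset passphrase
    return "$rc"
}
```

Source this from the container's start script and call boot_aek before the docbase start step; the return code (2, 3 or 4) identifies which prerequisite failed.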