Back to bug 1388581
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Noriko Hosoi | 2016-10-26 22:13:36 UTC | Status | NEW | POST |
| Noriko Hosoi | 2016-10-31 21:28:45 UTC | Status | POST | MODIFIED |
| Fixed In Version | 389-ds-base-1.3.5.10-12.el7 | |||
| errata-xmlrpc | 2016-10-31 21:35:30 UTC | Status | MODIFIED | ON_QA |
| Noriko Hosoi | 2016-10-31 21:37:59 UTC | Fixed In Version | 389-ds-base-1.3.5.10-12.el7 | 389-ds-base-1.3.5.10-12.el7_3 |
| Noriko Hosoi | 2016-11-01 19:46:52 UTC | Doc Text | Cause: When FIPS mode is enabled on the security database, the token name is changed. This prevents the server from reverse decoding the replication manager's password. Which prevents replication sessions from getting established. Fix: Instead of getting the key slot from the hard-coded token name, call slapd_pk11_getInternalKeySlot() which gets the current slot. Result: With the NSS version which has the FIPS issue (bug 1387811 and 1387812), the replication over SSL/startTLS has no problem with FIPS mode enabled. | |
| | | Doc Type | If docs needed, set a value | Bug Fix |
| Simon Pichugin | 2016-11-09 05:35:27 UTC | Status | ON_QA | VERIFIED |
| CC | spichugi | |||
| Marc Muehlfeld | 2016-11-14 12:54:04 UTC | CC | mmuehlfe | |
| | | Doc Text | Cause: When FIPS mode is enabled on the security database, the token name is changed. This prevents the server from reverse decoding the replication manager's password. Which prevents replication sessions from getting established. Fix: Instead of getting the key slot from the hard-coded token name, call slapd_pk11_getInternalKeySlot() which gets the current slot. Result: With the NSS version which has the FIPS issue (bug 1387811 and 1387812), the replication over SSL/startTLS has no problem with FIPS mode enabled. | When the FIPS mode is enabled on the network security services (NSS) database, the token name changed. This prevents the server to reverse decode the replication manager's password. Consequently, replication sessions are not established. To fix the problem, the key slot is now received using the "slapd_pk11_getInternalKeySlot()" function instead of a hard-coded token name. As a result, the replication using SSL or STARTTLS no longer fails with FIPS mode enabled. |
| Flags | needinfo?(nhosoi) | |||
| Noriko Hosoi | 2016-11-14 17:34:39 UTC | CC | hkario | |
| Flags | needinfo?(nhosoi) | |||
| Marc Muehlfeld | 2016-11-15 15:14:51 UTC | Doc Text | When the FIPS mode is enabled on the network security services (NSS) database, the token name changed. This prevents the server to reverse decode the replication manager's password. Consequently, replication sessions are not established. To fix the problem, the key slot is now received using the "slapd_pk11_getInternalKeySlot()" function instead of a hard-coded token name. As a result, the replication using SSL or STARTTLS no longer fails with FIPS mode enabled. | When the FIPS mode is enabled on the network security services (NSS) database, the token name changed. This prevents the server to reverse decode the replication manager's password. Consequently, replication sessions are not established. To fix the problem, the key slot is now received using the "slapd_pk11_getInternalKeySlot()" function instead of a hard-coded token name. As a result, Directory server is now able to decode the replication manager's password and to establish replication sessions. |
| Flags | needinfo?(nhosoi) | |||
| Noriko Hosoi | 2016-11-15 15:37:27 UTC | Flags | needinfo?(nhosoi) | needinfo?(mreynolds) |
| Marc Muehlfeld | 2016-11-18 08:35:57 UTC | Flags | needinfo?(mreynolds) | |
| | | Doc Text | When the FIPS mode is enabled on the network security services (NSS) database, the token name changed. This prevents the server to reverse decode the replication manager's password. Consequently, replication sessions are not established. To fix the problem, the key slot is now received using the "slapd_pk11_getInternalKeySlot()" function instead of a hard-coded token name. As a result, Directory server is now able to decode the replication manager's password and to establish replication sessions. | When FIPS mode is enabled in the network security services (NSS) database, the token name changes. This prevents the server from reverse decoding the replication manager's password. Consequently, replication sessions using SSL or TLS to a replica server fail. This patch prepares Directory Manager to fix the problem. However, the bug in the nss package will be fixed in a future update of NSS. |
| errata-xmlrpc | 2016-12-06 00:23:47 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2016-12-06 17:04:13 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| Last Closed | 2016-12-06 12:04:13 UTC |