Back to bug 2089907
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat Bugzilla | 2022-05-24 16:56:38 UTC | Pool ID | sst_idm_ipa_rhel_9 | |
| Varun Mylaraiah | 2022-05-24 16:57:26 UTC | Keywords | Regression | |
| Red Hat One Jira (issues.redhat.com) | 2022-05-24 17:19:41 UTC | Link ID | Red Hat Issue Tracker FREEIPA-8303 | |
| Red Hat One Jira (issues.redhat.com) | 2022-05-24 17:19:45 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-123222 | |
| Trivino | 2022-05-25 08:57:38 UTC | Assignee | frenaud | ftrivino |
| Trivino | 2022-05-25 08:57:38 UTC | CC | ftrivino | |
| Trivino | 2022-05-25 20:16:56 UTC | CC | dbelyavs | |
| Trivino | 2022-05-25 20:16:56 UTC | Flags | needinfo?(dbelyavs) | |
| Dmitry Belyavskiy | 2022-05-25 20:36:01 UTC | Flags | needinfo?(dbelyavs) | |
| Hubert Kario | 2022-05-27 14:55:47 UTC | CC | hkario | |
| Trivino | 2022-06-02 16:43:59 UTC | Status | NEW | ASSIGNED |
| Mohammad Rizwan | 2022-06-20 12:09:29 UTC | Blocks | 2091421 | |
| Trivino | 2022-06-24 10:50:23 UTC | Depends On | 2100807 | |
| Jack Magne | 2022-07-28 15:18:12 UTC | CC | jmagne | |
| Jack Magne | 2022-08-03 20:48:25 UTC | Flags | needinfo?(ftrivino) needinfo?(dbelyavs) | |
| Dmitry Belyavskiy | 2022-08-04 07:26:29 UTC | Flags | needinfo?(dbelyavs) | |
| Asha Akkiangady | 2022-08-26 17:57:43 UTC | CC | aakkiang | |
| Asha Akkiangady | 2022-08-26 17:57:43 UTC | Flags | needinfo?(ftrivino) | |
| Trivino | 2022-08-29 11:38:54 UTC | Keywords | Triaged | |
| Jack Magne | 2022-08-29 23:51:50 UTC | Depends On | 2122409 | |
| Trivino | 2022-08-31 09:20:02 UTC | Blocks | 2122919 | |
| Jack Magne | 2022-09-01 21:43:43 UTC | Depends On | 2123513 | |
| Ganna Kaihorodova | 2022-09-09 08:20:03 UTC | Version | 9.1 | 9.2 |
| Ganna Kaihorodova | 2022-09-09 08:20:03 UTC | CC | gkaihoro | |
| Florence Blanc-Renaud | 2022-09-16 06:40:07 UTC | Flags | needinfo?(ftrivino) | |
| Florence Blanc-Renaud | 2022-09-16 06:40:07 UTC | CC | frenaud | |
| Trivino | 2022-09-21 10:42:21 UTC | Doc Text | Cause: OpenSSL RSA-PKCS1v15 padding encryption is blocked with FIPS mode Consequence: Support for PKCS#1 v1.5 padding was removed from FIPS as it will not be allowed in FIPS mode after 2023. None of the FIPS certified modules in RHEL will support it as a FIPS approved mechanism. This means that IPA Vaults are broken as we are currently using PKCS1v15 padding for wrapping the session key with the transport certificate. Workaround (if any): 1) Configure KRA (CS.cfg) with “keyWrap.useOAEP=true” and restart the service "systemctl restart pki-tomcatd@pki-tomcat.service" 2) Use RSA-OAEP instead of PKCS1v15 (FreeIPA/Vault client plugin): /usr/lib/python3.10/site-packages/ipaclient/plugins/vault.py Replace padding.PKCS1v15() by: padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None ) | |
| Trivino | 2022-09-21 10:42:21 UTC | Doc Type | If docs needed, set a value | Known Issue |
| Trivino | 2022-09-21 10:42:21 UTC | Flags | needinfo?(ftrivino) needinfo?(ftrivino) needinfo?(ftrivino) | |
| Gabi Fialová | 2022-09-26 07:22:01 UTC | CC | gfialova | |
| Gabi Fialová | 2022-09-26 07:22:01 UTC | Docs Contact | fhanzelk | |
| Gabi Fialová | 2022-09-26 07:23:16 UTC | CC | fhanzelk | |
| Gabi Fialová | 2022-09-26 07:23:16 UTC | Flags | needinfo?(fhanzelk) | |
| Filip Hanzelka | 2022-10-03 08:29:22 UTC | Doc Text | Cause: OpenSSL RSA-PKCS1v15 padding encryption is blocked with FIPS mode Consequence: Support for PKCS#1 v1.5 padding was removed from FIPS as it will not be allowed in FIPS mode after 2023. None of the FIPS certified modules in RHEL will support it as a FIPS approved mechanism. This means that IPA Vaults are broken as we are currently using PKCS1v15 padding for wrapping the session key with the transport certificate. Workaround (if any): 1) Configure KRA (CS.cfg) with “keyWrap.useOAEP=true” and restart the service "systemctl restart pki-tomcatd@pki-tomcat.service" 2) Use RSA-OAEP instead of PKCS1v15 (FreeIPA/Vault client plugin): /usr/lib/python3.10/site-packages/ipaclient/plugins/vault.py Replace padding.PKCS1v15() by: padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None ) | .IdM Vault encryption and decryption fails in FIPS mode The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. As a consequence, Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 padding for wrapping the session key with the transport certificate. To work around the problem, configure IdM to use the RSA-OAEP padding encryption instead: . Add the `keyWrap.useOAEP=true` line to the `/var/lib/pki/pki-tomcat/conf/ca/CS.cfg` file. . Restart the PKI server: + ---- # systemctl restart pki-tomcatd@pki-tomcat.service ---- . In the `/usr/lib/python3.10/site-packages/ipaclient/plugins/vault.py` file, replace the `padding.PKCS1v15()` line with the following lines: + ---- padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None ) ---- As a result, standard, symmetric, and asymmetric vaults work correctly in IdM if FIPS mode is enabled. |
| Filip Hanzelka | 2022-10-03 08:29:22 UTC | Flags | needinfo?(fhanzelk) | |
| Gabi Fialová | 2022-10-03 15:54:15 UTC | CC | gfialova | |
| Filip Hanzelka | 2022-10-06 12:38:17 UTC | Doc Text | .IdM Vault encryption and decryption fails in FIPS mode The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. As a consequence, Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 padding for wrapping the session key with the transport certificate. To work around the problem, configure IdM to use the RSA-OAEP padding encryption instead: . Add the `keyWrap.useOAEP=true` line to the `/var/lib/pki/pki-tomcat/conf/ca/CS.cfg` file. . Restart the PKI server: + ---- # systemctl restart pki-tomcatd@pki-tomcat.service ---- . In the `/usr/lib/python3.10/site-packages/ipaclient/plugins/vault.py` file, replace the `padding.PKCS1v15()` line with the following lines: + ---- padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None ) ---- As a result, standard, symmetric, and asymmetric vaults work correctly in IdM if FIPS mode is enabled. | .IdM Vault encryption and decryption fails in FIPS mode The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. Consequetly, Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 padding for wrapping the session key with the transport certificate. |
| Gabi Fialová | 2022-10-10 18:56:27 UTC | Doc Text | .IdM Vault encryption and decryption fails in FIPS mode The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. Consequetly, Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 padding for wrapping the session key with the transport certificate. | .IdM Vault encryption and decryption fails in FIPS mode The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. Consequently, Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 padding for wrapping the session key with the transport certificate. |
| Gabi Fialová | 2022-10-14 11:56:48 UTC | CC | gfialova | |
| Pasi Karkkainen | 2023-02-05 15:13:09 UTC | CC | pasik | |
| Leos Pol | 2023-02-13 08:52:26 UTC | Blocks | 2144442 | |
| Varun Mylaraiah | 2023-02-23 13:28:19 UTC | QA Contact | ipa-qe | mvarun |
| Chris Kelley | 2023-04-04 21:21:40 UTC | Depends On | 2184514 | |
| Florence Blanc-Renaud | 2023-04-21 09:08:02 UTC | Flags | needinfo?(sumenon) | |
| Florence Blanc-Renaud | 2023-04-21 09:08:02 UTC | CC | sumenon | |
| Sudhir Menon | 2023-04-21 12:37:29 UTC | Flags | needinfo?(sumenon) | |
| CongLi | 2023-08-11 07:00:20 UTC | Blocks | 2209174 | |
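The Doc Text entries above describe the workaround only as a one-line substitution (`padding.PKCS1v15()` replaced by `padding.OAEP(...)` with SHA-256 and MGF1-SHA-256) plus the matching `keyWrap.useOAEP=true` switch on the KRA. The following is an added example, not code from the bug report or from FreeIPA: it uses the `cryptography` package (which the `vault.py` plugin also uses) to wrap a symmetric session key with a transport public key under exactly that OAEP parameter set, unwrap it, and use it to seal and open vault data. It also shows why the client padding and the KRA setting have to change together: a key wrapped with the legacy PKCS#1 v1.5 padding cannot be unwrapped under OAEP. The key pair and session key are generated locally as constructed sample data; the real transport certificate belongs to the KRA, and the AES-GCM step is the example's own choice for the data encryption, not a statement about IPA's wire format.

```python
"""Added example: RSA-OAEP (SHA-256 / MGF1-SHA-256) session-key wrapping,
the padding the bug's workaround substitutes for PKCS#1 v1.5.
Assumes the `cryptography` package is installed. The transport key pair and
the session key below are constructed sample data, not real KRA material."""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# The parameter set the Doc Text workaround puts in place of padding.PKCS1v15().
OAEP_SHA256 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)
# The legacy padding the workaround removes (kept only to demonstrate the mismatch).
LEGACY_PKCS1V15 = padding.PKCS1v15()

NONCE_LEN = 12  # AES-GCM nonce length in bytes


def is_fips_acceptable_padding(pad):
    """Return True only for RSA-OAEP; PKCS#1 v1.5 encryption is the padding
    the bug says is blocked in FIPS mode."""
    return isinstance(pad, padding.OAEP)


def make_transport_keypair(bits=2048):
    """Constructed stand-in for the KRA transport certificate's key pair."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return priv, priv.public_key()


def wrap_session_key(transport_pub, session_key, pad=OAEP_SHA256):
    """Client side: wrap the symmetric session key for the KRA."""
    return transport_pub.encrypt(session_key, pad)


def unwrap_session_key(transport_priv, wrapped, pad=OAEP_SHA256):
    """KRA side: unwrap. Raises ValueError when the padding does not match."""
    return transport_priv.decrypt(wrapped, pad)


def seal_vault_data(session_key, data):
    """Encrypt vault data with the session key (example's own AES-GCM choice)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(session_key).encrypt(nonce, data, None)


def open_vault_data(session_key, blob):
    """Decrypt data sealed by seal_vault_data; raises on tampering."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(session_key).decrypt(nonce, ciphertext, None)


def round_trip(data=b"vault secret"):
    """Full flow with OAEP on both sides: wrap, seal, unwrap, open."""
    priv, pub = make_transport_keypair()
    session_key = AESGCM.generate_key(bit_length=256)
    wrapped = wrap_session_key(pub, session_key)
    blob = seal_vault_data(session_key, data)
    recovered_key = unwrap_session_key(priv, wrapped)
    return open_vault_data(recovered_key, blob)


def legacy_wrap_rejected_by_oaep():
    """A key wrapped with PKCS#1 v1.5 fails OAEP unwrapping: the client
    plugin padding and the KRA keyWrap.useOAEP setting must change together."""
    priv, pub = make_transport_keypair()
    wrapped = wrap_session_key(pub, os.urandom(32), pad=LEGACY_PKCS1V15)
    try:
        unwrap_session_key(priv, wrapped, pad=OAEP_SHA256)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("OAEP round trip:", round_trip())
    print("legacy wrap rejected under OAEP:", legacy_wrap_rejected_by_oaep())
```

With a 2048-bit transport key and SHA-256, OAEP leaves 190 bytes of capacity, which is ample for a 32-byte session key; the hash chosen for `algorithm` and for `MGF1` must be identical on the client and the KRA, since an OAEP mismatch fails the same way a PKCS#1 v1.5/OAEP mismatch does.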