Bug 1303175
Summary: | Installation: allow customization of cipher list before actual installation | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> | |
Component: | pki-core | Assignee: | Endi Sukma Dewata <edewata> | |
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | |
Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> | |
Priority: | unspecified | |||
Version: | 7.3 | CC: | arubin, edewata, pbokoc, rpattath | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | pki-core-10.3.2-3.el7 | Doc Type: | Enhancement | |
Doc Text: |
Certificate System now supports setting SSL ciphers for individual installation
Previously, if an existing Certificate Server had customized cipher set that did not overlap with the default ciphers used during the installation, a new instance could not be installed to work with existing instances. With this update, Certificate System enables you to customize the SSL cipher using a two-step installation, which avoids this problem. To set the ciphers during a Certificate System instance installation:
1. Prepare a deployment configuration file that includes the "pki_skip_configuration=True" option.
2. Pass the deployment configuration file to the "pkispawn" command to start the initial part of the installation.
3. Set the ciphers in the "sslRangeCiphers" option in the `/var/lib/pki/<instance>/conf/server.xml` file.
4. Replace the "pki_skip_configuration=True" option with "pki_skip_installation=True" in the deployment configuration file.
5. Run the same "pkispawn" command to complete the installation.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1373962 (view as bug list) | Environment: | ||
Last Closed: | 2016-11-04 05:22:48 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1373962 |
Description
Matthew Harmsen
2016-01-29 18:44:10 UTC
fixed by edewata: This can be done without adding new parameters: http://pki.fedoraproject.org/wiki/Custom_Installation#Customizing_TLS_cipher_list [root@auto-hv-02-guest05 ~]# rpm -qi pki-ca Name : pki-ca Version : 10.3.3 Release : 8.el7 Architecture: noarch Install Date: Sun 04 Sep 2016 05:27:32 PM EDT Group : System Environment/Daemons Size : 2430595 License : GPLv2 Signature : (none) Source RPM : pki-core-10.3.3-8.el7.src.rpm Build Date : Tue 30 Aug 2016 03:23:27 PM EDT Build Host : ppc-015.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://pki.fedoraproject.org/ Summary : Certificate System - Certificate Authority Followed http://pki.fedoraproject.org/wiki/Custom_Installation#Customizing_TLS_cipher_list to customize cipher list before CA configuration. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2396.html |