Bug 1388581
| Summary: | Replication stops working only when fips mode is set to true | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Marcel Kolaja <mkolaja> |
| Component: | 389-ds-base | Assignee: | Noriko Hosoi <nhosoi> |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.3 | CC: | enewland, hkario, mmuehlfe, mreynolds, msauton, nhosoi, nkinder, rmeggins, spichugi |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.3.5.10-12.el7_3 | Doc Type: | Bug Fix |
| Doc Text: |
When FIPS mode is enabled in the network security services (NSS) database, the token name changes. This prevents the server from reverse decoding the replication manager's password. Consequently, replication sessions using SSL or TLS to a replica server fail. This patch prepares Directory Manager to fix the problem. However, the bug in the nss package will be fixed in a future update of NSS.
|
Story Points: | --- |
| Clone Of: | 1378209 | Environment: | |
| Last Closed: | 2016-12-06 17:04:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1378209 | ||
| Bug Blocks: | |||
|
Description
Marcel Kolaja
2016-10-25 17:32:03 UTC
Build tested: 389-ds-base-1.3.5.10-12.el7_3.x86_64 Verification steps: 1. Install Directory Server and setup SSL MMR 2. Enable FIPS mode from the directory with DB [root@qeos-230 slapd-M1]# modutil -dbdir . -fips true WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: FIPS mode enabled. 3. Restart the server: [root@qeos-230 slapd-M1]# restart-dirsrv Restarting instance "M1" Restarting instance "M2" 4. Check that replication is working: [root@qeos-230 slapd-M1]# ldapmodify -H ldaps://localhost:1616 -D "cn=directory manager" -w Secret123.com dn: uid=new_user,ou=People,dc=passsync,dc=com changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson uid: new_user sn: new_user cn: new_user [root@qeos-230 slapd-M1]# ldapsearch -H ldaps://localhost:1626 -D "cn=directory manager" -w Secret123 -b "uid=new_user,ou=People,dc=passsync,dc=com" # new_user, People, passsync.com dn: uid=new_user,ou=People,dc=passsync,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson uid: new_user sn: new_user cn: new_user [root@qeos-230 slapd-M1]# ldapmodify -H ldaps://localhost:1626 -D "cn=directory manager" -w Secret123.com dn: uid=new_user2,ou=People,dc=passsync,dc=com changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson uid: new_user2 sn: new_user2 cn: new_user2 [root@qeos-230 slapd-M1]# ldapsearch -H ldaps://localhost:1616 -D "cn=directory manager" -w Secret123 -b "uid=new_user,ou=People,dc=passsync,dc=com" # new_user, People, passsync.com dn: uid=new_user2,ou=People,dc=passsync,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson uid: new_user2 sn: new_user2 cn: new_user2 5. Check logs for the error: [root@qeos-230 slapd-M1]# grep -i "Decoding of the credentials failed" /var/log/dirsrv/slapd-M1/errors [root@qeos-230 slapd-M1]# echo $? 1 [root@qeos-230 slapd-M1]# grep -i "Decoding of the credentials failed" /var/log/dirsrv/slapd-M2/errors [root@qeos-230 slapd-M1]# echo $? 1 No error was logged. Replication is working. Marking as VERIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2879.html |