Bug 1400149

Summary: pkispawn fails to create CA subsystem on FIPS enabled system
Product: Red Hat Enterprise Linux 7 Reporter: Standa Laznicka <slaznick>
Component: pki-core    Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact: Petr Bokoc <pbokoc>
Priority: unspecified    
Version: 7.3    CC: aakkiang, alee, arubin, cfu, cheimes, edewata, ftweedal, gkapoor, jmagne, mharmsen, nkinder, pbokoc, pvoborni, rrelyea
Target Milestone: rc    Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: pki-core-10.4.1-8.el7 Doc Type: Bug Fix
Doc Text:
"pkispawn" no longer generates passwords consisting only of digits. Previously, "pkispawn" could generate a random password for the NSS database consisting only of digits. Such passwords are not FIPS-compliant. With this update, the installer has been modified to generate FIPS-compliant random passwords which consist of a mix of digits, lowercase letters, uppercase letters, and certain punctuation marks.
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 22:48:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1125174    
Attachments: Failing pkispawn configuration (flags: none)

Description Standa Laznicka 2016-11-30 14:41:02 UTC
Created attachment 1226356 [details]
Failing pkispawn configuration

Description of problem:
Running pkispawn -s CA with the config file from the attachment ends up in pkispawn error.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup your system for FIPS
2. run pkispawn with the given config (you can run ipa-server-install to make it easier for you)

Actual results:
CA subsystem installation fails.

Expected results:
CA subsystem installation succeeds.

Additional info:
From what I've gathered, the trouble is with generating 'pki_pin', which is then stored to 'pki_shared_pfile' which is used to access the /etc/pki/pki-tomcat/alias NSS database. However, 'pki_pin' is just a number and NSS databases in FIPS mode require at least one non-alphanumeric character.

Comment 2 Matthew Harmsen 2016-12-05 17:54:16 UTC
Upstream ticket:

Comment 5 Endi Sukma Dewata 2017-04-11 18:35:57 UTC
Fixed in master:
* 9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32

Comment 7 Geetika Kapoor 2017-06-01 13:08:03 UTC
Tested on: pki-ca-10.4.1-6.el7.noarch

kra-clone-prepare fails if the password has "=" in password.conf

Comment 8 Endi Sukma Dewata 2017-06-01 17:27:20 UTC
The kra-clone-prepare calls pki CLI which reads the password.conf to export KRA certificates and keys from the NSS database into a PKCS #12 file. The problem is the pki CLI treats the "=" in the file as delimiter for token name and password, so the password is parsed incorrectly.

One possible solution is to provide separate pki CLI parameters for a password file containing just a single password (without token name), and for a password.conf which may contain multiple token names and passwords.

Comment 9 Endi Sukma Dewata 2017-06-01 20:50:08 UTC
Another possibility is not to use equal sign in random passwords.

Comment 10 Red Hat Bugzilla Rules Engine 2017-06-02 17:11:27 UTC
Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Comment 11 Endi Sukma Dewata 2017-06-02 17:19:26 UTC
Excluded equal sign from random password:

* https://github.com/dogtagpki/pki/commit/03235ab51d102ba722e71adf00d2f721c77cd222
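The Doc Text and comments 8 and 11 together describe the two constraints a generated NSS password has to satisfy: mix digits, lowercase, uppercase and punctuation for FIPS mode, and avoid "=" so that a "token=password" line in password.conf is split correctly. The following is an added illustration, not pkispawn's or the pki CLI's own code; the punctuation set, the 20-character default and the `parse_password_conf`/`write_password_conf` helpers are assumptions made for the example.

```python
import secrets
import string

# Classes a FIPS-mode NSS password must mix (digits only was the original
# pkispawn failure). PUNCT is a constructed set that deliberately omits "=".
DIGITS = string.digits
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
PUNCT = "!#$%&*+-./:;<>?@^_~"
CLASSES = (DIGITS, LOWER, UPPER, PUNCT)

def is_fips_compliant(password: str) -> bool:
    """True if all four classes are present and the password is safe for password.conf."""
    has_all = all(any(c in cls for c in password) for cls in CLASSES)
    return has_all and "=" not in password

def generate_fips_password(length: int = 20) -> str:
    """Random password with at least one character from every class, no "="."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    rng = secrets.SystemRandom()
    # One guaranteed character per class, then fill from the union of classes.
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # CSPRNG-backed shuffle so class positions are not fixed
    return "".join(chars)

def parse_password_conf(text: str) -> dict:
    """Parse "token=password" lines, splitting on the first "=" only.

    A reader that splits on every "=" truncates a password containing one
    (comment 8); generating passwords without "=" avoids the problem entirely.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        token, sep, password = line.partition("=")
        if not sep:
            raise ValueError("malformed password.conf line: %r" % line)
        entries[token] = password
    return entries

def write_password_conf(entries: dict) -> str:
    """Serialise entries, refusing any password that would break the format."""
    for token, password in entries.items():
        if "=" in password or "\n" in password:
            raise ValueError("password for %r contains a delimiter" % token)
    return "".join("%s=%s\n" % (t, p) for t, p in entries.items())
```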

Comment 13 Asha Akkiangady 2017-06-19 17:59:13 UTC
Tested in version: pki-server-10.4.1-9.el7.noarch

RHCS subsystems CA, KRA, OCSP, TKS and TPS installed successfully on FIPS and non-FIPS RHEL 7.4 systems with the auto-generated FIPS-compliant passwords. Sanity tests look good for each subsystem.

Marking the bug verified.

Comment 14 errata-xmlrpc 2017-08-01 22:48:25 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.