Bug 1404172

| Field | Value |
|---|---|
| Summary | Unable to install subordinate CA with HSM in FIPS mode |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Marcel Kolaja <mkolaja> |
| Component | pki-core |
| Assignee | RHCS Maintainers <rhcs-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | unspecified |
| Priority | urgent |
| Version | 7.3 |
| CC | arubin, cfu, edewata, gkapoor, mharmsen, nkinder, pbokoc |
| Target Milestone | rc |
| Keywords | ZStream |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | pki-core-10.3.3-15.el7_3 |
| Doc Type | Bug Fix |
| Doc Text | Previously, subordinate certificate authority (sub-CA) installation failed due to a bug in the Network Security Services (NSS) library, which generated the "SEC_ERROR_TOKEN_NOT_LOGGED_IN" error. This update adds a workaround for this problem to the installer which allows the installation to proceed. If the error is still displayed, it can now be ignored. |
| Clone Of | 1395817 |
| Bug Depends On | 1395817 |
| Last Closed | 2017-01-17 18:26:31 UTC |
| Attachments | config_files (attachment 1238982) |
Description

Marcel Kolaja, 2016-12-13 09:25:04 UTC

Subordinate CA installation with HSM in FIPS mode is successful, but shows a failure message while changing the certificate trust, as reported in https://bugzilla.redhat.com/show_bug.cgi?id=1395817#c8. The error message is fine since the actual NSS bug has not been fixed yet. The change in PKI is a workaround for that problem. See also: https://bugzilla.redhat.com/show_bug.cgi?id=1395817#c9

Hello Endi,

Here is my server.xml:

```
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA"
```

I restarted the instance after disabling these ciphers, which are enabled by default, but since they were not listed in the document (http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration), I disabled them.

Default-enabled ciphers that I disabled:

```
+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA
```

Then I tried again to install the subCA. It fails.

Debug logs:

```
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: Resolving security domain URL https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31443
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: Getting security domain cert chain
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: ConfigurationUtils.importCertChain()
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: ConfigurationUtils: GET https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31443/ca/admin/ca/getCertChain
javax.ws.rs.ProcessingException: Unable to invoke request
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.get(ClientInvocationBuilder.java:165)
```

Geetika,

Could you verify that you can connect via SSL to the ExternalCA (e.g. by running the pki ca-user-find command)? It's possible you also need to configure the same ciphers on the SubCA during installation. This can be done using the two-step installation: http://pki.fedoraproject.org/wiki/Two-Step_Installation

So prepare 2 copies of the SubCA deployment configuration. Add pki_skip_configuration=True to the first one and pki_skip_installation=True to the second one. Run the first step, add the ciphers into server.xml, then run the second step.

Hi Endi,

Yes, both the other subsystem installations and the subCA installation with fips=1 work with the two-step installation. Like for the RootCA, we enabled ciphers after installation; that way it didn't work with the subCA. SubCA with the 2-step installation works. Do you think we need to document it? For FIPS-enabled subCA installation, always work with the 2-step installation. Also, with FIPS mode enabled, why are we disabling the ciphers below?

```
+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA
```

Thanks,
Geetika

I think the instruction at http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration gives the ciphers supported by the Thales HSM in FIPS mode. An HSM in FIPS mode is compliant with FIPS 140-2 level 3 (vs. level 2 for the software token provided by NSS).

Marking the bug verified as per comment 11: the subCA two-step install worked fine in FIPS mode with the Thales HSM when configured with the ciphers documented in http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration. The requirement of the two-step installation procedure for the subCA as well as other subsystems in FIPS mode should be documented: bug https://bugzilla.redhat.com/show_bug.cgi?id=1411495

Created attachment 1238982: config_files

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0093.html
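The two-step procedure Endi describes in the thread, as an added Python example that is not code from the bug report or from pki-core: it derives the two pkispawn deployment files (pki_skip_configuration in the first, pki_skip_installation in the second) from one base configuration and rewrites sslRangeCiphers on the SSL connector of server.xml in between. The sample deployment file and server.xml fragment are constructed, the cipher list is a subset of the one quoted above, and pkispawn itself is not invoked.

```python
import configparser
import io
import xml.etree.ElementTree as ET

# Constructed subset of the sslRangeCiphers value quoted in the thread:
# '+' enables a suite, '-' disables it (only some of the entries reproduced).
FIPS_HSM_CIPHERS = ",".join([
    "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "+TLS_RSA_WITH_AES_128_CBC_SHA256",
    "+TLS_RSA_WITH_AES_256_CBC_SHA256", "-TLS_RSA_WITH_3DES_EDE_CBC_SHA",
])
# Constructed sample inputs (not from the page): a minimal pkispawn deployment
# file and the connectors of a PKI instance's server.xml.
SAMPLE_CFG = "[DEFAULT]\npki_instance_name = pki-subca\n[CA]\npki_subordinate = True\n"
SAMPLE_SERVER_XML = (
    '<Server port="32005" shutdown="SHUTDOWN"><Service name="Catalina">'
    '<Connector port="32080" protocol="HTTP/1.1"/>'
    '<Connector port="32443" protocol="HTTP/1.1" SSLEnabled="true"'
    ' sslRangeCiphers="+TLS_RSA_WITH_3DES_EDE_CBC_SHA"/></Service></Server>'
)

def _with_key(cfg_text, key, value):
    """Copy of a deployment file with one [DEFAULT] key added or replaced."""
    # pkispawn files use %(name)s references, so interpolation must stay off.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    cfg["DEFAULT"][key] = value
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()

def make_two_step_configs(base_cfg_text):
    """(step1, step2): step 1 installs but skips configuration, step 2
    configures but skips installation, as Endi describes in the thread."""
    return (_with_key(base_cfg_text, "pki_skip_configuration", "True"),
            _with_key(base_cfg_text, "pki_skip_installation", "True"))

def set_ssl_range_ciphers(server_xml_text, ciphers):
    """Between the two steps: set sslRangeCiphers on every SSL-enabled Connector."""
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled") == "true":
            conn.set("sslRangeCiphers", ciphers)
    return ET.tostring(root, encoding="unicode")

def ssl_range_ciphers(server_xml_text):
    """sslRangeCiphers of each SSL-enabled Connector, to verify the edit."""
    return [c.get("sslRangeCiphers") for c in ET.fromstring(server_xml_text).iter("Connector")
            if c.get("SSLEnabled") == "true"]
```

Write the two returned strings to separate files, run pkispawn with the first, apply set_ssl_range_ciphers to the instance's server.xml, then run pkispawn with the second.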