Bug 1404172

Summary: Unable to install subordinate CA with HSM in FIPS mode
Product: Red Hat Enterprise Linux 7
Reporter: Marcel Kolaja <mkolaja>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: urgent
Version: 7.3
CC: arubin, cfu, edewata, gkapoor, mharmsen, nkinder, pbokoc
Target Milestone: rc
Keywords: ZStream
Fixed In Version: pki-core-10.3.3-15.el7_3
Doc Type: Bug Fix
Doc Text:
Previously, subordinate certificate authority (sub-CA) installation failed due to a bug in the Network Security Services (NSS) library, which generated the "SEC_ERROR_TOKEN_NOT_LOGGED_IN" error. This update adds a workaround for this problem to the installer which allows the installation to proceed. If the error is still displayed, it can now be ignored.
Clone Of: 1395817
Last Closed: 2017-01-17 18:26:31 UTC
Bug Depends On: 1395817
Attachments: config_files (flags: none)

Description Marcel Kolaja 2016-12-13 09:25:04 UTC
This bug has been copied from bug #1395817 and has been proposed
to be backported to 7.3 z-stream (EUS).

Comment 4 Asha Akkiangady 2017-01-04 20:38:52 UTC
Subordinate CA installation with HSM in FIPS mode is successful, but shows a failure message while changing the certificate trust, as reported in https://bugzilla.redhat.com/show_bug.cgi?id=1395817#c8

Comment 5 Endi Sukma Dewata 2017-01-05 07:13:16 UTC
The error message is fine since the actual NSS bug has not been fixed yet. The change in PKI is a workaround for that problem. See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1395817#c9

Comment 9 Geetika Kapoor 2017-01-06 06:06:34 UTC
Hello Endi,

Here is my server.xml.

<server.xml>

sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA"

</server.xml>

I restarted the instance after disabling these ciphers, which are enabled by default; since they were not listed in the document (http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration), I disabled them.

<default enabled ciphers disabled>
+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA
</default enabled ciphers disabled>

Then I tried to install the subCA again. It fails.

<debug logs>

[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: Resolving security domain URL https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31443
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: Getting security domain cert chain
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: ConfigurationUtils.importCertChain()
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: ConfigurationUtils: GET https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31443/ca/admin/ca/getCertChain
javax.ws.rs.ProcessingException: Unable to invoke request
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.get(ClientInvocationBuilder.java:165)

</debug logs>

Comment 10 Endi Sukma Dewata 2017-01-07 08:21:00 UTC
Geetika,

Could you verify that you can connect via SSL to the ExternalCA (e.g. by running pki ca-user-find command)?

It's possible you also need to configure the same ciphers on the SubCA during installation. This can be done using the two-step installation:
http://pki.fedoraproject.org/wiki/Two-Step_Installation

So prepare 2 copies of SubCA deployment configuration. Add pki_skip_configuration=True to the first one and pki_skip_installation=True to the second one. Run the first step, add the ciphers into server.xml, then run the second step.

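Added example, not code from this bug or from the pki project: a POSIX shell script for the two-step SubCA install described in comment 10. It writes the two copies of the deployment config (pki_skip_configuration=True and pki_skip_installation=True, placed directly under [DEFAULT]), runs pkispawn for step 1, replaces the sslRangeCiphers attribute in server.xml, and runs step 2. The cipher value is the seven '+' entries from comment 9; the server.xml path /etc/pki/<instance>/server.xml, the work directory, the function names and the 'demo' dry run on constructed files are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the pki project).
# Assumptions: the base deployment config is an INI file with a [DEFAULT]
# section (as pkispawn expects), the instance's server.xml is at
# /etc/pki/<instance>/server.xml, and pkispawn is on PATH.
set -eu

# Step 1 of comment 10: two copies of the base config. step1.cfg skips
# configuration, step2.cfg skips installation. The key goes right under
# [DEFAULT] so pkispawn's INI parser picks it up for every section.
make_step_configs() {
    base="$1"; outdir="$2"
    mkdir -p "$outdir"
    grep -q '^\[DEFAULT\]' "$base" || { echo "no [DEFAULT] section in $base" >&2; return 1; }
    awk '{ print } /^\[DEFAULT\]/ { print "pki_skip_configuration=True" }' "$base" > "$outdir/step1.cfg"
    awk '{ print } /^\[DEFAULT\]/ { print "pki_skip_installation=True" }'  "$base" > "$outdir/step2.cfg"
}

# Between the steps: replace the sslRangeCiphers attribute on the Connector.
# '#' is the sed delimiter because NSS cipher names never contain it.
set_ssl_range_ciphers() {
    xml="$1"; ciphers="$2"
    grep -q 'sslRangeCiphers="' "$xml" || { echo "no sslRangeCiphers attribute in $xml" >&2; return 1; }
    sed "s#sslRangeCiphers=\"[^\"]*\"#sslRangeCiphers=\"$ciphers\"#" "$xml" > "$xml.tmp"
    mv "$xml.tmp" "$xml"
}

# Read the attribute back so the edit can be checked before step 2 runs.
get_ssl_range_ciphers() {
    sed -n 's#.*sslRangeCiphers="\([^"]*\)".*#\1#p' "$1" | head -n 1
}

# The seven ciphers comment 9 marks '+'. Listing only '+' entries leaves the
# NSS defaults enabled; to also switch the defaults off, use the full
# '+'/'-' string from comment 9 or the FIPS section of the SSL wiki page.
FIPS_CIPHERS='+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256'

# The whole procedure: pkispawn step 1, patch server.xml, pkispawn step 2.
two_step_subca_install() {
    base="$1"; instance="$2"; workdir="${3:-/root/subca-two-step}"
    make_step_configs "$base" "$workdir"
    pkispawn -s CA -f "$workdir/step1.cfg"
    set_ssl_range_ciphers "/etc/pki/$instance/server.xml" "$FIPS_CIPHERS"
    echo "server.xml now has: $(get_ssl_range_ciphers "/etc/pki/$instance/server.xml")"
    pkispawn -s CA -f "$workdir/step2.cfg"
}

# Offline dry run on constructed inputs (no pkispawn): prints the generated
# configs and the patched cipher value.
demo() {
    d=$(mktemp -d)
    printf '[DEFAULT]\npki_instance_name=pki-subca\n[CA]\npki_subordinate=True\n' > "$d/subca.cfg"
    printf '<Connector port="8443"\n    sslRangeCiphers="+TLS_RSA_WITH_3DES_EDE_CBC_SHA"\n    SSLEnabled="true"/>\n' > "$d/server.xml"
    make_step_configs "$d/subca.cfg" "$d/out"
    set_ssl_range_ciphers "$d/server.xml" "$FIPS_CIPHERS"
    cat "$d/out/step1.cfg"; echo ---; cat "$d/out/step2.cfg"; echo ---
    get_ssl_range_ciphers "$d/server.xml"
    rm -rf "$d"
}

case "${1:-}" in
    demo)    demo ;;
    install) two_step_subca_install "$2" "$3" ;;
esac
```

Usage: `sh two_step.sh demo` for the offline dry run, or `sh two_step.sh install /root/subca.cfg pki-subca` on the host, as root, to run the real two steps; check the echoed sslRangeCiphers line before step 2 is allowed to contact the external CA.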
Comment 11 Geetika Kapoor 2017-01-09 08:46:41 UTC
Hi Endi,

Yes, both the other subsystem installations and the subCA installation with fips=1 work with the two-step installation. For the RootCA we enable the ciphers after installation; that way it didn't work with the subCA. SubCA with the 2-step installation works. Do you think we need to document it? FIPS-enabled subCA installation always works with the 2-step installation.
Also, with FIPS mode enabled, why are we disabling the ciphers below?
+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA

Thanks
Geetika

Comment 12 Christina Fu 2017-01-09 19:32:55 UTC
I think the instruction at http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration gives the ciphers supported by the Thales HSM in FIPS mode. An HSM in FIPS mode is compliant with FIPS 140-2 level 3 (vs. level 2 for the software token provided by NSS).

Comment 13 Asha Akkiangady 2017-01-09 20:40:56 UTC
Marking the bug verified as per comment 11, subca two step install worked fine in FIPS mode with Thales HSM when configured with ciphers documented in http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration.

The requirement of the two-step installation procedure for the subCA as well as other subsystems in FIPS mode should be documented; see bug https://bugzilla.redhat.com/show_bug.cgi?id=1411495

Comment 14 Geetika Kapoor 2017-01-10 06:01:23 UTC
Created attachment 1238982 [details]
config_files

Comment 16 errata-xmlrpc 2017-01-17 18:26:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0093.html