Bug 1411428
| Field | Value |
|---|---|
| Summary | Unable to create a CA clone in FIPS |
| Product | Red Hat Enterprise Linux 7 |
| Component | pki-core |
| Reporter | Standa Laznicka <slaznick> |
| Assignee | RHCS Maintainers <rhcs-maint> |
| QA Contact | Asha Akkiangady <aakkiang> |
| Docs Contact | Petr Bokoc <pbokoc> |
| CC | akahat, edewata, gkapoor, mharmsen, pbokoc |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | urgent |
| Version | 7.3 |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | pki-core-10.4.0-1.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2017-08-01 22:48:25 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1125174, 1427443 |

Doc Text:
CA clone installation in FIPS mode no longer fails
Previously, installing a CA clone or a Key Recovery Authority (KRA) failed in FIPS mode due to an inconsistency in handling internal NSS token names. With this update, the code that handles the token name has been consolidated to ensure that all token names are handled consistently. This allows the KRA and CA clone installation to complete properly in FIPS mode.

Description
Standa Laznicka
2017-01-09 17:08:39 UTC
Hi, in bug #1382066 the code was fixed to recognize the full name of the internal token (i.e. Internal Key Storage Token) which is used in FIPS mode in addition to the short name (i.e. internal): https://bugzilla.redhat.com/show_bug.cgi?id=1382066#c7 Apparently there are additional places that need to be fixed which are only exposed under this test scenario.

Upstream ticket: https://fedorahosted.org/pki/ticket/2556

*** Bug 1412132 has been marked as a duplicate of this bug. ***

Fixed in master:
* 2fa7bc707a558da1b0c4d748d0805bdd0b60168c

I tested this bug on pki 10.4.1-8.el7 version. It worked as expected. I followed the following steps to verify the bug:
1. Installed CA with dual step installation with modification of sslRangeCiphers in server.xml file.
2. I followed the above installation procedure with the clone and I was able to create the clone successfully.

Verifying this bug.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110
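
An added illustration (not code from pki-core or from this report) of the kind of inconsistency the Doc Text describes: a check that knows only the short name `internal` beside a consolidated check that also accepts the full name `Internal Key Storage Token`. The function names, configuration keys, the `caSigningCert` nickname and the `HSM-Partition-1` token are constructed for the example; treating an empty value as the internal token is an assumption.

```python
# Added illustration; the names below are hypothetical, not pki-core's API.
INTERNAL_TOKEN_NAME = "internal"                         # short name (from the report)
INTERNAL_TOKEN_FULL_NAME = "Internal Key Storage Token"  # full name (from the report)


def is_internal_token_naive(token):
    """Inconsistent style of check: only knows the short name."""
    return token == INTERNAL_TOKEN_NAME


def is_internal_token(token):
    """Consolidated check: empty, short and full names all mean 'internal'."""
    if token is None or not token.strip():
        return True  # assumption: an unset token means the internal token
    name = token.strip().lower()
    return name in (INTERNAL_TOKEN_NAME.lower(), INTERNAL_TOKEN_FULL_NAME.lower())


def normalize_token(token):
    """Map every spelling of the internal token to one canonical value."""
    return INTERNAL_TOKEN_NAME if is_internal_token(token) else token.strip()


def qualified_nickname(token, nickname, check=is_internal_token):
    """NSS looks up certificates on a non-internal token as 'token:nickname'
    and certificates on the internal token by the bare nickname."""
    return nickname if check(token) else f"{token.strip()}:{nickname}"


def audit(config_tokens):
    """Return the config keys where the naive and consolidated checks disagree."""
    return sorted(k for k, v in config_tokens.items()
                  if v is not None and is_internal_token_naive(v) != is_internal_token(v))


# Constructed sample: token settings as different components might record them.
SAMPLE = {
    "master.signing.token": "internal",
    "clone.signing.token": "Internal Key Storage Token",
    "clone.sslserver.token": "",
    "clone.audit.token": "HSM-Partition-1",  # constructed external token name
}

if __name__ == "__main__":
    for key in audit(SAMPLE):
        print("inconsistent handling for", key, "=", repr(SAMPLE[key]))
```

Running `audit` over real configuration values before a clone installation shows which settings would be interpreted differently by code paths that have not been consolidated.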