Bug 1412211
| Summary: | Unable to set up KRA in FIPS | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Standa Laznicka <slaznick> | ||||
| Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | urgent | ||||||
| Version: | 7.3 | CC: | edewata, mharmsen, pbokoc, ssidhaye | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | pki-core-10.4.0-1.el7 | Doc Type: | No Doc Update | ||||
| Doc Text: |
see BZ#1411428 for doc text.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-08-01 22:48:25 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1125174, 1427443 | ||||||
| Attachments: |
|
||||||
|
Description
Standa Laznicka
2017-01-11 14:28:08 UTC
Hi, this is probably similar to bug #1411428, but the problem happens while retrieving a certificate from the internal token. Upstream ticket: https://fedorahosted.org/pki/ticket/2556 Fixed in master: * 97ac6024c813621856b3cbfc8207416a46855108 * 48cefdea31e62d49c8b728576d29e0f298141a04 Build used for verification: [root@cisco-c210-01 ~]# rpm -qi pki-base Name : pki-base Version : 10.4.1 Release : 4.el7 Architecture: noarch Install Date: Monday 15 May 2017 02:07:34 AM EDT Group : System Environment/Base Size : 2086209 License : GPLv2 Signature : RSA/SHA256, Tuesday 09 May 2017 11:33:58 PM EDT, Key ID 199e2f91fd431d51 Source RPM : pki-core-10.4.1-4.el7.src.rpm Build Date : Tuesday 09 May 2017 09:23:16 PM EDT Build Host : ppc-021.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://pki.fedoraproject.org/ Summary : Certificate System - PKI Framework [root@cisco-c210-01 ~]# !24 sysctl -a | grep fips_enabled crypto.fips_enabled = 1 sysctl: reading key "net.ipv6.conf.all.stable_secret" sysctl: reading key "net.ipv6.conf.default.stable_secret" sysctl: reading key "net.ipv6.conf.enp17s0.stable_secret" sysctl: reading key "net.ipv6.conf.enp18s0.stable_secret" sysctl: reading key "net.ipv6.conf.ens1f0.stable_secret" sysctl: reading key "net.ipv6.conf.ens1f1.stable_secret" sysctl: reading key "net.ipv6.conf.lo.stable_secret" -----pkispawn---- pkispawn for KRA succeeds when FIPS is enabled on the system. Log file: /var/log/pki/pki-kra-spawn.20170515022638.log Installing KRA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg. ========================================================================== INSTALLATION SUMMARY ========================================================================== Administrator's username: kraadmin To check the status of the subsystem: systemctl status pki-tomcatd To restart the subsystem: systemctl restart pki-tomcatd The URL for the subsystem is: https://cisco-c210-01.rhts.eng.bos.redhat.com:8443/kra PKI instances will be enabled upon system boot ========================================================================== Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110 |