Bug 1450143
Summary: | CA installation with HSM in FIPS mode fails | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Asha Akkiangady <aakkiang> |
Component: | pki-core | Assignee: | Jack Magne <jmagne> |
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
Priority: | unspecified | ||
Version: | 7.4 | CC: | arubin, jmagne, mharmsen |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | pki-core-10.4.1-5.el7 | Doc Type: | Enhancement |
Doc Text: |
Certificate System now supports installing a CA using HSM on FIPS-enabled Red Hat Enterprise Linux
During the installation of a Certificate System Certificate Authority (CA) instance, the installer needs to restart the instance. During this restart, instances that use a hardware security module (HSM) on an operating system with Federal Information Processing Standard (FIPS) mode enabled need to connect to the non-secure HTTP port instead of the HTTPS port. With this update, it is now possible to install a Certificate System instance on FIPS-enabled Red Hat Enterprise Linux using an HSM.
|
Last Closed: | 2017-08-01 22:50:57 UTC | Type: | Bug |
Description
Asha Akkiangady
2017-05-11 16:06:00 UTC
The following patch was tested and checked in:

    commit ee5af05036e87a9dad821c9dd8bc0198dac9bd65
    Author: Matthew Harmsen <mharmsen>
    Date:   Fri May 12 13:00:54 2017 -0600

        Fix CA installation with HSM in FIPS mode

        Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
        dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails

    commit 641180a465d7fdf12a978c9c458e39bf6829cac2
    Author: Matthew Harmsen <mharmsen>
    Date:   Tue May 16 12:58:17 2017 -0600

        Added FIPS class to pkispawn

        Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
        dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails

    commit 4f11d3b2aad075c965bbccb61112d443e36e4c45
    Author: Matthew Harmsen <mharmsen>
    Date:   Mon May 15 15:06:04 2017 -0600

        Added runtime requirement on sysctl to pki-core spec file

Tested in version: pki-server-10.4.1-9.el7.noarch

Installation of CA, KRA, OCSP, TKS and TPS in FIPS as well as in non-FIPS mode is successful on RHEL 7.4.

pkispawn provides information on whether the system is FIPS enabled or not. On a FIPS enabled system it shows the following:

    pkispawn : INFO ........... FIPS mode is enabled on this operating system.

The installation summary on the FIPS enabled operating system shows exclusively that FIPS is enabled.

CA:

    ==========================================================================
    INSTALLATION SUMMARY
    ==========================================================================
    Administrator's username: caadmin
    Administrator's PKCS #12 file: /opt/RootCA/caadmincert.p12
    This CA subsystem of the 'rhcs92-CA-aakkiang' instance has FIPS mode enabled on this operating system.
    REMINDER: Don't forget to update the appropriate FIPS algorithms in server.xml in the 'rhcs92-CA-aakkiang' instance.
    To check the status of the subsystem: systemctl status pki-tomcatd
    To restart the subsystem: systemctl restart pki-tomcatd
    The URL for the subsystem is: https://xxxxxxxx:8443/ca
    PKI instances will be enabled upon system boot
    ==========================================================================

KRA:

    ==========================================================================
    INSTALLATION SUMMARY
    ==========================================================================
    Administrator's username: kraadmin
    Administrator's PKCS #12 file: /opt/pki-rootKRA-aakkiang/kraadmincert.p12
    This KRA subsystem of the 'rhcs92-KRA-aakkiang' instance has FIPS mode enabled on this operating system.
    REMINDER: Don't forget to update the appropriate FIPS algorithms in server.xml in the 'rhcs92-KRA-aakkiang' instance.
    To check the status of the subsystem: systemctl status pki-tomcatd
    To restart the subsystem: systemctl restart pki-tomcatd
    The URL for the subsystem is: https://xxxxxxxx:31042/kra
    PKI instances will be enabled upon system boot
    ==========================================================================

OCSP:

    ==========================================================================
    INSTALLATION SUMMARY
    ==========================================================================
    Administrator's username: ocspadmin
    Administrator's PKCS #12 file: /opt/pki-rootOCSP-aakkiang/ocspadmincert.p12
    This OCSP subsystem of the 'rhcs92-OCSP-aakkiang' instance has FIPS mode enabled on this operating system.
    REMINDER: Don't forget to update the appropriate FIPS algorithms in server.xml in the 'rhcs92-OCSP-aakkiang' instance.
    To check the status of the subsystem: systemctl status pki-tomcatd
    To restart the subsystem: systemctl restart pki-tomcatd
    The URL for the subsystem is: https://xxxxxxxx:32042/ocsp
    PKI instances will be enabled upon system boot
    ==========================================================================

TKS:

    ==========================================================================
    INSTALLATION SUMMARY
    ==========================================================================
    Administrator's username: tksadmin
    Administrator's PKCS #12 file: /opt/pki-rootTKS-aakkiang/tksadmincert.p12
    This TKS subsystem of the 'rhcs92-TKS-aakkiang' instance has FIPS mode enabled on this operating system.
    REMINDER: Don't forget to update the appropriate FIPS algorithms in server.xml in the 'rhcs92-TKS-aakkiang' instance.
    To check the status of the subsystem: systemctl status pki-tomcatd
    To restart the subsystem: systemctl restart pki-tomcatd
    The URL for the subsystem is: https://xxxxxxxx:23443/tks
    PKI instances will be enabled upon system boot
    ==========================================================================

TPS:

    ==========================================================================
    INSTALLATION SUMMARY
    ==========================================================================
    Administrator's username: tpsadmin
    Administrator's PKCS #12 file: /opt/pki-rootTPS-aakkiang/tpsadmincert.p12
    This TPS subsystem of the 'rhcs92-TPS-aakkiang' instance has FIPS mode enabled on this operating system.
    REMINDER: Don't forget to update the appropriate FIPS algorithms in server.xml in the 'rhcs92-TPS-aakkiang' instance.
    To check the status of the subsystem: systemctl status pki-tomcatd
    To restart the subsystem: systemctl restart pki-tomcatd
    The URL for the subsystem is: https://xxxxxxxx:30964/tps
    PKI instances will be enabled upon system boot
    ==========================================================================

CA, KRA, OCSP, TKS and TPS installation on a non-FIPS enabled system shows the following information:

    pkispawn : INFO ........... FIPS mode is NOT enabled on this operating system.

Marking the bug verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110
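
A post-install consistency check built on the two pkispawn FIPS status lines quoted in the verification above. It is an added example, not part of the bug report or of pkispawn: it compares the kernel FIPS flag with the FIPS line found in a saved copy of the installer output. The function names, the file arguments and the sample data are assumptions made for illustration; `/proc/sys/crypto/fips_enabled` is the standard Linux kernel flag file.

```shell
#!/bin/sh
# Added example: cross-check the kernel FIPS flag against the FIPS status
# line pkispawn printed during installation (message text quoted in this bug).

# kernel_fips_state [FLAG_FILE] -> prints "enabled", "disabled" or "unknown".
# FLAG_FILE defaults to the kernel's /proc/sys/crypto/fips_enabled.
kernel_fips_state() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$flag_file" ]; then
        echo unknown
        return 0
    fi
    case "$(tr -d '[:space:]' < "$flag_file")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# logged_fips_state LOG_FILE -> state taken from the last pkispawn FIPS line.
logged_fips_state() {
    line=$(grep -E 'FIPS mode is (NOT )?enabled on this operating system' "$1" 2>/dev/null | tail -n 1)
    case "$line" in
        *"is NOT enabled"*) echo disabled ;;
        *"is enabled"*)     echo enabled ;;
        *)                  echo unknown ;;
    esac
}

# fips_consistent FLAG_FILE LOG_FILE -> exit 0 if both states are known and
# agree, 1 on mismatch (for example FIPS toggled after the instance was
# installed), 2 if either side cannot be determined.
fips_consistent() {
    k=$(kernel_fips_state "$1")
    l=$(logged_fips_state "$2")
    if [ "$k" = unknown ] || [ "$l" = unknown ]; then return 2; fi
    [ "$k" = "$l" ]
}

# Demo on constructed sample data (not real installer output files).
demo_dir=$(mktemp -d)
printf '1\n' > "$demo_dir/fips_enabled"
printf 'pkispawn : INFO ........... FIPS mode is enabled on this operating system.\n' > "$demo_dir/spawn.log"
if fips_consistent "$demo_dir/fips_enabled" "$demo_dir/spawn.log"; then
    echo "kernel and pkispawn log agree: $(logged_fips_state "$demo_dir/spawn.log")"
fi
rm -rf "$demo_dir"
```

A mismatch (exit status 1) is a prompt to revisit the server.xml FIPS algorithm reminder shown in the installation summary.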