Bug 1454603

Summary: Unable to install IPA server due to pkispawn error
Product: Red Hat Enterprise Linux 7
Component: pki-core
Version: 7.4
Status: CLOSED ERRATA
Severity: unspecified
Priority: urgent
Reporter: Abhijeet Kasurde <akasurde>
Assignee: Matthew Harmsen <mharmsen>
QA Contact: Abhijeet Kasurde <akasurde>
CC: arubin, ksiddiqu, mbasti, mharmsen, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Keywords: TestBlocker
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.4.1-6.el7
Doc Type: No Doc Update
Last Closed: 2017-08-01 22:52:53 UTC
Type: Bug

Description Abhijeet Kasurde 2017-05-23 07:18:04 UTC
Description of problem:
IPA server installation fails due to pkispawn with the following error:


    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             admin
      Administrator's PKCS #12 file:
            /root/ca-agent.p12

      Administrator's certificate nickname:
            ipa-ca-agent
      Administrator's certificate database:
            /var/lib/ipa/tmp-lQulqs

2017-05-23T06:59:07Z DEBUG stderr=Notice: Trust flag u is set automatically if the private key is present.
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.
Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 838, in <module>
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 579, in main
    print_final_install_information(parser.mdict)
  File "/usr/sbin/pkispawn", line 798, in print_final_install_information
    if mdict['pki_fips_mode_enabled']:
KeyError: 'pki_fips_mode_enabled'

2017-05-23T06:59:07Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmplJR0qR' returned non-zero exit status 1
2017-05-23T06:59:07Z CRITICAL See the installation logs and the following files/directories for more information:
2017-05-23T06:59:07Z CRITICAL   /var/log/pki/pki-tomcat


[root@ipaserver01 ~]# rpm -qa ipa-server pki-server 
pki-server-10.4.1-5.el7.noarch
ipa-server-4.5.0-13.el7.x86_64
[root@ipaserver01 ~]# cat /proc/sys/crypto/fips_enabled 
0
[root@ipaserver01 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28


Version-Release number of selected component (if applicable):
pki-server-10.4.1-5.el7.noarch
ipa-server-4.5.0-13.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Install IPA server without FIPS mode enabled, with pki-server version 10.4.1.5

Actual results:
IPA server installation fails due to pkispawn's KeyError

Expected results:
Installation should succeed

Comment 2 Abhijeet Kasurde 2017-05-23 07:23:24 UTC
IPA server installation works with pki-server-10.4.1-4.el7.noarch.

Comment 3 Martin Bašti 2017-05-23 08:20:51 UTC
Moving to pki-core because the traceback is in pkispawn, not in IPA.

Comment 6 Matthew Harmsen 2017-05-23 19:07:59 UTC
To fix this, we will simply always check for FIPS in the initialization scriptlet:


diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
index 0e31543..4dc4e9a 100644
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
@@ -42,6 +42,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         # ALWAYS establish 'uid' and 'gid'
         deployer.identity.set_uid(deployer.mdict['pki_user'])
         deployer.identity.set_gid(deployer.mdict['pki_group'])
+        # ALWAYS check FIPS mode
+        deployer.fips.is_fips_enabled()
         # ALWAYS initialize HSMs (when and if present)
         deployer.hsm.initialize()
         if config.str2bool(deployer.mdict['pki_skip_installation']):
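
Review bot: The added call deployer.fips.is_fips_enabled() discards its return value, so the line only makes sense as a side effect, and the comment "ALWAYS check FIPS mode" does not say what that effect is. Given the traceback (KeyError: 'pki_fips_mode_enabled' at pkispawn line 798), the intent appears to be populating that mdict key on every run; say so in the comment, or assign the result to the key explicitly at this point so the dependency is visible. The reader in print_final_install_information still does an unguarded mdict['pki_fips_mode_enabled'] lookup, so any code path that skips this scriptlet would fail the same way at the very end of an otherwise completed install; consider setting a default for the key or guarding the lookup there as well.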

Comment 8 Abhijeet Kasurde 2017-05-24 08:33:47 UTC
Verified using PKI server :: pki-server-10.4.1-6.el7.noarch in both FIPS and non-FIPS enabled environments.

Marking BZ as verified.

Comment 9 errata-xmlrpc 2017-08-01 22:52:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110