Bug 1566617
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Key generation during token enrollment fails in FIPS/non-HSM environment | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | Roshni <rpattath> |
| Component | pki-core | Assignee | RHCS Maintainers <rhcs-maint> |
| Status | CLOSED WONTFIX | QA Contact | Asha Akkiangady <aakkiang> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 8.3 | CC | ascheel, cfu, jmagne, mharmsen, sveerank |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-01-08 07:28:44 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | KRA CS.cfg (attachment 1420916) | | |
Per RHEL 7.5.z/7.6/8.0 Triage: 7.6 jmagne: Important to get this working, because a customer might want this scenario.

Moved to RHEL 7.7.

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.
Created attachment 1420916 [details]
KRA CS.cfg

Description of problem:
Key generation during token enrollment fails in FIPS/non-HSM environment

Version-Release number of selected component (if applicable):
```
[root@auto-hv-01-guest06 ~]# rpm -q pki-ca
pki-ca-10.5.1-11.el7.noarch
[root@auto-hv-01-guest06 ~]# rpm -q pki-tps
pki-tps-10.5.1-11.el7pki.x86_64
```

How reproducible:
always

Steps to Reproduce:
1. Enable FIPS on the machine
2. Create a TMS environment, TPS configured with server-side key generation enabled.
3. Enroll a tpsclient or smartcard token

Actual results:
Enrollment fails. Signing cert is generated but key generation for encryption cert fails.

KRA debug log snippet:
```
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: authorization search base: cn=Data Recovery Manager Agents,ou=groups,o=topology-KRA-KRA
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: authorization search filter: (uniquemember=uid=TPS-auto-hv-01-guest06.idmqe.lab.eng.bos.redhat.com-25443,ou=people,o=topology-KRA-KRA)
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: authorization result: true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: returnConn: mNumConns now 3
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: evaluated expression: group="Data Recovery Manager Agents" to be true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: DirAclAuthz: authorization passed
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event AUTHZ
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event ROLE_ASSUME
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenerateKeyPairServlet: processServerSideKeyGen would be called
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: processServerSideKeyGen begins:
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: Repository: in getNextSerialNumber.
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: Repository: checkRange mLastSerialNo=6
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: Repository: getNextSerialNumber: returning retSerial 6
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply not ProfileRequest. op=netkeyKeygen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply not ProfileRequest. op=netkeyKeygen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event RANDOM_GENERATION
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: serviceRequest archival requested for serverSideKeyGen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event SERVER_SIDE_KEYGEN_REQUEST
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: wrapped_des_key specialDecoded
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: serviceRequest: key type = RSA
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: got keygenToken
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: about to generate key pair
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair is to be generated on slot: NSS FIPS 140-2 User Private Key
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: found config store: kra.keygen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: setting temporaryPairs to true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair generation begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: KRAService serviceRequest EBaseException:Token Error: org.mozilla.jss.crypto.TokenException: Keypair Generation failed on token with error: -8190 :
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: processServerSideKeygen finished
```

Expected results:
Token enrollment with server-side key generation should be successful

Additional info:
Attaching KRA CS.cfg
Using default TPS CS.cfg
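As an added example, not part of the bug report or of pki-core: a small parser for the KRA debug log format quoted above that correlates each server-side keygen request by its Tomcat thread name, records the NSS slot it targeted and, on failure, the NSS error code, so that failures confined to the FIPS token can be picked out of a busy log. The sample log embeds the bug's own failing lines plus a constructed successful request on the non-FIPS internal slot; the mapping of -8190 to SEC_ERROR_BAD_DATA follows NSS's secerr.h numbering.

```python
import re

# Sample KRA debug log: request exec-5 is the failing one quoted in the bug; request
# exec-7 (internal slot "NSS Certificate DB") is constructed to show a successful run.
SAMPLE_LOG = """\
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair is to be generated on slot: NSS FIPS 140-2 User Private Key
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair generation begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: KRAService serviceRequest EBaseException:Token Error: org.mozilla.jss.crypto.TokenException: Keypair Generation failed on token with error: -8190 :
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: processServerSideKeygen finished
[11/Apr/2018:15:02:03][http-bio-21443-exec-7]: NetkeyKeygenService: key pair is to be generated on slot: NSS Certificate DB
[11/Apr/2018:15:02:03][http-bio-21443-exec-7]: NetkeyKeygenService: key pair generation begins
[11/Apr/2018:15:02:03][http-bio-21443-exec-7]: processServerSideKeygen finished
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
SLOT_RE = re.compile(r"key pair is to be generated on slot: (.+)$")
FAIL_RE = re.compile(r"Keypair Generation failed on token with error: (-?\d+)")
# NSS numbers SEC_ERROR_* down from SEC_ERROR_BASE (-8192) in secerr.h; only the
# code seen in this bug is mapped here.
NSS_ERRORS = {-8190: "SEC_ERROR_BAD_DATA"}

def parse_keygen_attempts(log_text):
    """One dict per server-side keygen request, correlated by the Tomcat thread name."""
    in_flight, finished = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        req = in_flight.setdefault(thread, {
            "thread": thread, "timestamp": m.group("ts"), "slot": None,
            "fips_slot": False, "error_code": None, "error_name": None})
        if sl := SLOT_RE.search(msg):
            req["slot"] = sl.group(1).strip()
            req["fips_slot"] = "FIPS" in req["slot"]  # NSS FIPS 140-2 token
        elif fl := FAIL_RE.search(msg):
            req["error_code"] = int(fl.group(1))
            req["error_name"] = NSS_ERRORS.get(req["error_code"], "unmapped NSS error")
        elif msg.startswith("processServerSideKeygen finished"):
            finished.append(in_flight.pop(thread))  # request closed, success or not
    return finished

def failed_fips_keygens(log_text):
    """Requests that died on the FIPS token: the signature of this bug."""
    return [r for r in parse_keygen_attempts(log_text)
            if r["fips_slot"] and r["error_code"] is not None]

if __name__ == "__main__":
    for r in parse_keygen_attempts(SAMPLE_LOG):
        print(r["timestamp"], r["thread"], r["slot"], r["error_code"], r["error_name"])
```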