Bug 1591766

Summary: Ansible Tower support for FIPS mode
Product: Red Hat Ansible Tower and Controller
Reporter: Bradley Scalio <bscalio>
Component: Security
Assignee: James Laska <jlaska>
Status: CLOSED DEFERRED
Severity: urgent
Priority: unspecified
Version: unspecified
CC: awestbro, casmith, degts, jlaska, jreznik, lwojcik, notting, swells
Hardware: All
OS: Linux
Last Closed: 2018-06-18 17:10:20 UTC
Type: Bug
Attachments: Error during install of Ansible Tower (flags: none)

Description Bradley Scalio 2018-06-15 13:37:51 UTC
Created attachment 1451927: Error during install of Ansible Tower

Description of problem:

    Ansible Tower is not supported on FIPS-mode enabled hosts.

Version-Release number of selected component (if applicable): 

    Current (3.2.5) 

How reproducible:  

    Repeatable and Reproducible

Steps to Reproduce:

    1. Install Ansible Tower

Actual results:

    -- Tower fails to install

Expected results:

   -- Tower installs and runs for all components and features

Comment 4 Shawn Wells 2018-06-15 13:58:21 UTC
Making BZ public. Unsure why it was marked internal.

Comment 5 Shawn Wells 2018-06-15 14:01:42 UTC
Note there are many sub elements in this:

- When making SAML assertions, Ansible must use FIPS-validated random numbers in the generation of SessionIndex in the SAML element AuthnStatement

- Ansible must utilize FIPS-validated cryptographic modules when generating hashes

- When protecting information, such as through Ansible Vault, FIPS-validated crypto must be used

- Ansible must utilize FIPS-validated cryptographic modules when signing application components/files/objects


Open question to engineering.... how would you like this to be broken down? Should this BZ become a parent/tracker bug, with subelements linked to it? Something else?

Comment 6 Bill Nottingham 2018-06-18 17:10:20 UTC
You've got the wrong links, this is tracked here: https://github.com/ansible/tower/issues/644. In any case, this has been discussed, and BZ is not what is used for tracking Tower issues.

If someone from the PubSec team wants access to the Tower issue repo, let us know.

Comment 7 Calvin Smith 2018-06-18 18:57:35 UTC
Link is dead, please fix for people who are interested in tracking this case.

Comment 8 Bill Nottingham 2018-06-18 19:16:46 UTC
Link is not dead, it's a private GitHub repo. Standard way for customers to track RFEs is through support.