Bug 1630361 - PKINIT fails in FIPS mode

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.4 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.6.4-10.el7 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2018-10-30 11:00:22 UTC |
| Reporter | Florence Blanc-Renaud <frenaud> |
| Assignee | IPA Maintainers <ipa-maint> |
| QA Contact | ipa-qe <ipa-qe> |
| CC | cpelland, mkosek, ndehadra, nsoman, pvoborni, rcritten, tscherf |
Description
Florence Blanc-Renaud
2018-09-18 13:02:16 UTC
Fixed upstream

master:
ba8cbb8 Ensure that public cert and CA bundle are readable
1434f2a Always make ipa.p11-kit world-readable
89b2137 Make /etc/httpd/alias world readable & executable
c2eb0f1 Fix permission of public files in upgrader

ipa-4-6:
fc63ad8 Ensure that public cert and CA bundle are readable
9576e3c Always make ipa.p11-kit world-readable
b76b50d Make /etc/httpd/alias world readable & executable
8164fba Fix permission of public files in upgrader

I fixed the title to match the issue being solved here. As for the umask errors, I assume those were rather resolved in Bug 1485217.

Version:
pki-server-10.5.9-6.el7.noarch
ipa-server-4.6.4-10.el7.x86_64

Verified the bug on the basis of the following steps:
1. Set up a RHEL 7.6 system in FIPS mode.
2. Run the command 'umask 077' on this system.
3. Install the IPA server in FIPS mode.
4. Check file permissions related to ipa.
5. Check IPA UI login.
6. Run the command 'kinit -n'.

Result:
---------
1. After step 3, ipa-server installation is successful.
2. File permissions are set up correctly.
3. Login to the ipa-server UI is successful.
4. The 'kinit -n' command is successful.

Console:
=====================
Before install:
---------------
```
[root@vm-idm-022 ~]# rpm -q ipa-server
ipa-server-4.6.4-10.el7.x86_64
[root@vm-idm-022 ~]# umask 077
[root@vm-idm-022 ~]# ipa-server-install
```

After install:
-------------
```
[root@vm-idm-022 ~]# tail -1 /var/log/ipaserver-install.log
2018-09-20T12:12:11Z INFO The ipa-server-install command was successful
[root@vm-idm-022 ~]# ls -l /var/lib/ipa-client/pki/ca-bundle.pem
-rw-r--r--. 1 root root 1298 Sep 20 17:41 /var/lib/ipa-client/pki/ca-bundle.pem
[root@vm-idm-022 ~]# ls -l /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 2505 Sep 20 17:41 /etc/pki/ca-trust/source/ipa.p11-kit
[root@vm-idm-022 ~]# ls -ld /etc/httpd/alias/
drwxr-x---. 2 root apache 198 Sep 20 17:39 /etc/httpd/alias/
[root@vm-idm-022 ~]# ls -l /etc/ipa/ca.crt
-rw-r--r--. 1 root root 1298 Sep 20 17:37 /etc/ipa/ca.crt
[root@vm-idm-022 ~]# rpm -q ipa-server
ipa-server-4.6.4-10.el7.x86_64
[root@vm-idm-022 ~]# cat /proc/sys/crypto/fips_enabled
1
[root@vm-idm-022 ~]#
```

Login UI successful

```
[root@vm-idm-022 ~]# kinit -n
[root@vm-idm-022 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_nRruePb
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
09/20/2018 17:48:25  09/21/2018 17:48:24  krbtgt/TESTRELM.TEST
[root@vm-idm-022 ~]#
```

Also verified the same on a replica system with similar results.
Thus, on the basis of the above observations, marking the status of the bug as 'VERIFIED'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187
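Added example, not part of the bug report: a scripted form of verification step 4. It reads the "other" permission bits from `ls -ld` and flags any of the public IPA files listed in the console output above that an installer running under umask 077 would have left unreadable to apache, browsers and the anonymous PKINIT client (`kinit -n`); the umask demonstration uses constructed temporary files.

```shell
# Added example for bug 1630361 (not the QA's or the project's code): checks
# that IPA's public files are world-readable whatever umask the installer had.

# others_can_read PATH: 0 if others may read (directories: read and traverse),
# 1 if not, 2 if PATH does not exist.
others_can_read() {
  perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  [ -n "$perm" ] || return 2
  o_r=$(printf '%s' "$perm" | cut -c8)    # "other" read bit
  o_x=$(printf '%s' "$perm" | cut -c10)   # "other" execute bit
  case "$perm" in
    d*) [ "$o_r" = r ] && [ "$o_x" = x ] ;;
    *)  [ "$o_r" = r ] ;;
  esac
}

# check_ipa_public_files: the paths from the console output above; prints one
# line per path and returns the number of paths that are not world-readable.
check_ipa_public_files() {
  bad=0
  for f in /var/lib/ipa-client/pki/ca-bundle.pem \
           /etc/pki/ca-trust/source/ipa.p11-kit \
           /etc/ipa/ca.crt \
           /etc/httpd/alias; do
    if others_can_read "$f"; then
      echo "ok      $f"
    else
      echo "NOT OK  $f"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# demo_umask_effect: constructed files only. Creates one file under umask 022
# and one under umask 077 and prints both others_can_read results ("0 1"),
# the exact difference the fixed installer stopped depending on.
demo_umask_effect() {
  dir=$(mktemp -d) || return 2
  ( umask 022; touch "$dir/ca-022.crt" )
  ( umask 077; touch "$dir/ca-077.crt" )
  others_can_read "$dir/ca-022.crt" && a=0 || a=$?
  others_can_read "$dir/ca-077.crt" && b=0 || b=$?
  rm -rf "$dir"
  echo "$a $b"
}
```

`check_ipa_public_files` only means something on the IPA server itself; the other two functions run anywhere.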