Bug 1638875
Summary: | [RFE] extract key/certs pem file into a private namespace | |
---|---|---|---
Product: | Red Hat Enterprise Linux 8 | Reporter: | Amy Farley <afarley>
Component: | 389-ds-base | Assignee: | thierry bordaz <tbordaz>
Status: | CLOSED ERRATA | QA Contact: | RHDS QE <ds-qe-bugs>
Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe>
Priority: | high | |
Version: | 8.1 | CC: | abokovoy, afarley, bsmejkal, czinda, dpal, mharmsen, mkosek, mreynolds, nkinder, pasik, spichugi, tbordaz, vashirov
Target Milestone: | pre-dev-freeze | Keywords: | FutureFeature
Target Release: | 8.3 | |
Hardware: | Unspecified | OS: | Unspecified
Fixed In Version: | 389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766 | Doc Type: | Enhancement
Last Closed: | 2020-11-04 03:07:13 UTC | Type: | Bug
Bug Depends On: | 1652269, 1683259, 1782896 | |
Bug Blocks: | 1679810, 1689138, 1701002, 1755139, 1825061 | |

Doc Text:

.Directory Server exports the private key and certificate to a private namespace when the service starts

Directory Server uses OpenLDAP libraries for outgoing connections, such as replication agreements. Because these libraries cannot access the network security services (NSS) database directly, Directory Server extracts the private key and certificates from the NSS database on instances with TLS encryption support so that the OpenLDAP libraries can establish encrypted connections. Previously, Directory Server extracted the private key and certificates to the directory set in the `nsslapd-certdir` parameter in the `cn=config` entry (default: `/etc/dirsrv/slapd-<instance_name>/`). As a consequence, Directory Server stored the `Server-Cert-Key.pem` and `Server-Cert.pem` files in this shared configuration directory. With this enhancement, Directory Server extracts the private key and certificate to a private namespace that `systemd` mounts on the service's `/tmp/` directory. As a result, the extracted private key is no longer written to the instance's configuration directory and is not visible under `/tmp/` to other processes on the host.
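The Doc Text above describes three observable properties of a fixed instance: the PEM files no longer sit in the shared `nsslapd-certdir`, the service runs inside a private `/tmp/` mount namespace, and the key extracted into that namespace should be readable by the server user only. The following audit script is an added example, not code from 389-ds-base, from this bug report, or from the QE test run quoted below. It assumes, as hypotheticals not stated on the page, that the instance runs as `dirsrv@<instance>.service`, that `nsslapd-certdir` has its default value `/etc/dirsrv/slapd-<instance>`, and that `systemd` backs the private `/tmp/` with a root-only host directory named `/tmp/systemd-private-*-<unit>-*/tmp`.

```shell
#!/bin/sh
# Added example, not code from 389-ds-base or from this bug report.
# Audits where a Directory Server instance keeps the PEM copies of its NSS
# key and certificate that it extracts for the OpenLDAP client libraries.
# Assumptions (hypothetical, not stated on the page): the instance runs as
# dirsrv@<instance>.service and nsslapd-certdir is the default
# /etc/dirsrv/slapd-<instance>.  The host-side checks need root.

# mode_is_private MODE: succeed if the octal MODE grants nothing to group or
# other (0600, 0400, ...), the only acceptable modes for a private key file.
mode_is_private() {
    mode=$1
    mode=${mode#"${mode%???}"}          # keep only the last three octal digits
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# key_mode_ok FILE: stat FILE and apply mode_is_private to its mode bits.
key_mode_ok() {
    m=$(stat -c '%a' "$1") || return 1
    mode_is_private "$m"
}

# pem_in_dir DIR: print the paths and succeed if the pre-fix PEM files are
# present in DIR (the key was extracted into the shared certdir); else fail.
pem_in_dir() {
    found=1
    for f in "$1/Server-Cert.pem" "$1/Server-Cert-Key.pem"; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return "$found"
}

# unit_private_tmp INSTANCE: succeed if systemd runs the unit with
# PrivateTmp=yes, which is what gives the server its own /tmp mount.
unit_private_tmp() {
    [ "$(systemctl show -p PrivateTmp --value "dirsrv@$1.service")" = yes ]
}

# pem_in_service_tmp INSTANCE: enter the server's mount namespace and print
# "MODE OWNER PATH" for every Server-Cert*.pem under its private /tmp.
pem_in_service_tmp() {
    pid=$(systemctl show -p MainPID --value "dirsrv@$1.service")
    [ "${pid:-0}" -gt 0 ] || return 1
    nsenter -t "$pid" -m -- find /tmp -type f -name 'Server-Cert*.pem' \
        -printf '%m %u %p\n'
}

# audit_instance INSTANCE: run the checks; non-zero exit on any finding.
audit_instance() {
    inst=$1
    rc=0
    if pem_in_dir "/etc/dirsrv/slapd-$inst"; then
        echo "FAIL: PEM key/cert still extracted into /etc/dirsrv/slapd-$inst"
        rc=1
    fi
    if unit_private_tmp "$inst"; then
        echo "OK: dirsrv@$inst.service has PrivateTmp=yes"
    else
        echo "FAIL: dirsrv@$inst.service has no private /tmp"
        rc=1
    fi
    pem_in_service_tmp "$inst" | while read -r mode owner path; do
        if mode_is_private "$mode"; then
            echo "OK: $path (owner $owner, mode $mode) inside the private /tmp"
        else
            echo "WARN: $path is mode $mode inside the private /tmp"
        fi
    done
    # Caveat: PrivateTmp hides the files from other users, not from root.  On
    # the host they live under /tmp/systemd-private-*-<unit>-*/tmp (assumed
    # systemd layout, root-only); print it so the reader knows where to look.
    ls -d /tmp/systemd-private-*-dirsrv@"$inst".service-*/tmp 2>/dev/null
    return "$rc"
}

if [ $# -eq 1 ]; then
    audit_instance "$1"
fi
```

Run it as root with the instance name, for example `sh audit_pem_namespace.sh localhost`. A clean result is a non-existent `Server-Cert-Key.pem` in the certdir, `PrivateTmp=yes` on the unit, and an owner-only PEM listed from inside the namespace; the final `ls` line is a reminder that the namespace protects against other users and services on the host, not against a root compromise.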
Comment 12
mreynolds
2019-03-11 16:24:01 UTC

depends on new selinux policy: https://bugzilla.redhat.com/show_bug.cgi?id=1782896

Upstream ticket related to pem files: https://pagure.io/389-ds-base/issue/50889

Fix pushed upstream (https://pagure.io/389-ds-base/issue/50889) -> POST

```
=============================== test session starts ===============================
platform linux -- Python 3.6.8, pytest-5.4.3, py-1.8.1, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-205.el8.x86_64-x86_64-with-redhat-8.3-Ootpa', 'Packages': {'pytest': '5.4.3', 'py': '1.8.1', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.9.0', 'html': '2.1.1'}}
389-ds-base: 1.4.3.8-2.module+el8.3.0+6591+ebfc9766
nss: 3.44.0-15.el8
nspr: 4.21.0-2.el8_0
openldap: 2.4.46-11.el8
cyrus-sasl: 2.1.27-5.el8
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests, inifile: pytest.ini
plugins: metadata-1.9.0, html-2.1.1
collected 1 item

dirsrvtests/tests/suites/tls/tls_cert_namespace_test.py::test_pem_cert_in_private_namespace PASSED [100%]

================================ 1 passed in 19.96s ================================
```

Marking as VERIFIED.

Thierry, can you please review the release note for this enhancement (see Doc Text field)? Thanks.

Thanks Marc, the text looks good to me.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4695

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.