Bug 1663443

Summary: java FIPS and FUTURE policies incorrectly disable DHE_RSA and ECDHE_RSA ciphersuites
Product: Red Hat Enterprise Linux 8
Reporter: Mohammad Rizwan <myusuf>
Component: crypto-policies
Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondrej Moriš <omoris>
Severity: urgent
Priority: urgent
Version: 8.0
CC: ahughes, ascheel, cheimes, dpunia, edewata, ksiddiqu, mbalao, mthacker, myusuf, nmavrogi, omoris, pvoborni, rcritten, rhcs-maint, tscherf, wchadwic, xdong
Target Milestone: rc
Keywords: Regression, TestBlocker
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: crypto-policies-20181217-4.git9a35207.el8
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-06-13 22:48:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1652753, 1656418

Description Mohammad Rizwan 2019-01-04 11:14:00 UTC
Description of problem:
ipa-server-install fails in FIPS mode for [1/28]: configuring certificate server instance

Version-Release number of selected component (if applicable):
  ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64                            
  ipa-server-dns-4.7.1-7.module+el8+2555+b334d87b.noarch

How reproducible:
always

Steps to Reproduce:
1. Enable fips mode and install ipa-server

Actual results:
[..]
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmppdbjeyia'] returned non-zero exit status 1: 'pkispawn      : ERROR    Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:872)\nconfiguration : ERROR    Server failed to restart\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
ipa-server-install success.

Additional info:
A similar bug is ON_QA for a different issue: https://bugzilla.redhat.com/show_bug.cgi?id=1656418

Comment 5 Rob Crittenden 2019-01-04 13:23:07 UTC
It is failing during bootstrapping. Only the temporary server cert has been issued at the point of failure.

Comment 8 Deepak Punia 2019-01-08 05:15:26 UTC
DS/CA installation fails after enabling FIPS at the hardware level.
Below are the detailed logs.

Working fine before configuring FIPS:
# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.
Completed installation for master

After configuring FIPS on RHEL 8, DS installation is not working:
# df /boot
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/sda1        1038336 171500    866836  17% /boot

# blkid /dev/sda1
/dev/sda1: UUID="88a7f134-6f62-445e-8c6b-0a9aae0f3478" TYPE="xfs" PARTUUID="6b4463b1-01"

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
done
# reboot

# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
# /usr/sbin/getenforce
Enforcing

# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.
Error: {'desc': "Can't contact LDAP server"}

After disabling FIPS:
[root@dell-pr5820-01 hsm_setup]# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
[root@dell-pr5820-01 hsm_setup]#
[root@dell-pr5820-01 hsm_setup]# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.
Completed installation for master

Attached are the config file and debug logs.

Comment 19 Ondrej Moriš 2019-01-23 09:14:48 UTC
Acceptance Criteria:

 * IPA server can be installed in FIPS mode.

Comment 20 Tomas Mraz 2019-01-23 09:33:31 UTC
(In reply to Ondrej Moriš from comment #19)
> Acceptance Criteria:
> 
>  * IPA server can be installed in FIPS mode.

I believe this is too broad an AC.

I'd suggest this AC:

  * java -Djava.security.properties=../outputs/FIPS-java.txt CipherList lists the DHE_RSA and ECDHE_RSA ciphersuites (and the same for FUTURE policy)
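As an added illustration of the acceptance check proposed above (this is not the crypto-policies project's own CipherList program, and the class name, the policy file path and the exit-code convention are assumptions), the following Java program prints the cipher suites that JSSE enables under the active java.security properties and exits non-zero if no DHE_RSA or ECDHE_RSA suite is enabled. Run it as `java -Djava.security.properties=/path/to/FIPS-java.txt CipherList` (and again with the FUTURE policy file) to reproduce the check described in the comment:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical CipherList check (not the crypto-policies project's own test).
 * Lists the cipher suites enabled by the current JSSE configuration and verifies
 * that the DHE_RSA and ECDHE_RSA key-exchange families are still present.
 */
public class CipherList {

    /** Cipher suites enabled by default, i.e. after jdk.tls.disabledAlgorithms is applied. */
    public static List<String> enabledSuites() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        return Arrays.asList(params.getCipherSuites());
    }

    /** Suites whose name carries the given key-exchange token, e.g. "DHE_RSA" or "ECDHE_RSA". */
    public static List<String> suitesWithKeyExchange(List<String> suites, String kex) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            // Match the token between underscores so that "DHE_RSA" does not also
            // match the "ECDHE_RSA" suites (the character before "DHE" there is "C").
            if (s.contains("_" + kex + "_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> suites = enabledSuites();
        for (String s : suites) {
            System.out.println(s);
        }

        boolean ok = true;
        for (String kex : new String[] {"DHE_RSA", "ECDHE_RSA"}) {
            List<String> hits = suitesWithKeyExchange(suites, kex);
            System.out.println(kex + ": " + hits.size() + " suite(s) enabled");
            if (hits.isEmpty()) {
                ok = false;
            }
        }

        // Assumed convention: non-zero exit so a test harness can flag a policy
        // that disables either key-exchange family, as the broken FIPS/FUTURE policies did.
        System.exit(ok ? 0 : 1);
    }
}
```

The check reads the default SSL parameters rather than the supported ones on purpose: `getSupportedSSLParameters()` lists every suite the provider implements, while `getDefaultSSLParameters()` reflects what the policy file's `jdk.tls.disabledAlgorithms` setting actually leaves enabled, which is what a TLS handshake will use.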