Bug 1673296

Summary: ipa-server-install fails in FIPS mode
Product: Red Hat Enterprise Linux 8
Reporter: Mohammad Rizwan <myusuf>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact: Abhimanyu Jamaiyar <ajamaiya>
Priority: high
Version: 8.0
CC: abokovoy, csutherl, edewata, gkapoor, jklech, ksiddiqu, mharmsen, pvoborni, rcritten, rharwood, skhandel, tscherf, twoerner
Target Milestone: rc
Keywords: Regression, TestBlocker
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: pki-core-10.6-8010020190613214740.8ba0ffbe
Doc Type: Bug Fix
Doc Text:
The IdM server now works correctly in the FIPS mode

Previously, the SSL connector for Tomcat server was incompletely implemented. As a consequence, the Identity Management (IdM) server with an installed certificate server did not work on machines with the FIPS mode enabled. This bug has been fixed by adding `JSSTrustManager` and `JSSKeyManager`. As a result, the IdM server works correctly in the described scenario. Note that there are several bugs that prevent the IdM server from running in the FIPS mode in RHEL 8. This update fixes just one of them.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-05 21:06:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1615765, 1679810

Description Mohammad Rizwan 2019-02-07 09:53:15 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-4.7.1-10.module+el8+2699+a 
ipa-server-common-4.7.1-10.module+el8
pki-ca-10.6.9-2.module+el8+2728+a4ad6
pki-base-10.6.9-2.module+el8+2728+a4a 

How reproducible:
always


Steps to Reproduce:
1. Enable fips mode and install ipa-server

Actual results:
[..]
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp62qcd027'] returned non-zero exit status 1: 'pkispawn      : ERROR    Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:877)\nconfiguration : ERROR    Server failed to restart\npkispawn      : ERROR    Exception: server failed to restart\n  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn\n    raise Exception("server failed to restart")\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
:: [ 04:18:22 ] :: [   FAIL   ] :: Command ' /usr/sbin/ipa-server-install --setup-dns  --auto-forwarders --reverse-zone=34.19.10.in-addr.arpa. --allow-zone-overlap --hostname=ipaqavmf.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 --ip-address=10.19.34.120 -U' (Expected 0, got 1)

Expected results:
ipa-server-install success


Additional info:
A similar bug [1] was opened, but that didn't resolve the IPA issue.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1663443

Comment 2 Endi Sukma Dewata 2019-02-07 15:15:28 UTC
Moving to pki-core since the failure happens during PKI installation.
See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1663443#c5

Comment 3 Kaleem 2019-02-07 15:22:35 UTC
Endi,

I have provided qa_ack for this. We need a blocker+ for this with justification; let's get that after all acks, so please provide dev_ack.

Comment 16 Alex Scheel 2019-05-13 18:25:01 UTC
*** Bug 1707009 has been marked as a duplicate of this bug. ***

Comment 19 Geetika Kapoor 2019-07-08 11:17:59 UTC
Test Environment :

# rpm -qa pki-* nss jss
pki-server-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
jss-4.6.0-2.module+el8.1.0+3370+6d076660.x86_64
nss-3.41.0-5.el8.x86_64
pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-symkey-10.7.1-2.module+el8.1.0+3386+52d02a00.x86_64
pki-base-java-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-kra-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
pki-tools-10.7.1-2.module+el8.1.0+3386+52d02a00.x86_64
pki-base-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
pki-ca-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch


Test Steps :

1. Make sure FIPS is enabled.

# cat /proc/sys/crypto/fips_enabled
1
# sysctl crypto.fips_enabled
crypto.fips_enabled = 1


Test Cases :

1. Install CA/KRA with internal.
-- Make sure CA/KRA install works.
-- try to sign certificates > Result: worked
2. Install CA/KRA with HSM.
-- Make sure CA/KRA install works with HSM
-- try to sign certificates > Result: worked
3. Installation without FIPS is taken care of in CI/CD pipelines.
-- Automated Jobs
-- https://gitlab.cee.redhat.com/idm/pki-pytest-ansible/-/jobs/779539
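
The reproduction in the description and the verification steps above both come down to two checks: is the kernel in FIPS mode, and does the pki-tomcat TLS connector complete a handshake. The script below is an added example (not part of the bug report or of the pki-core project) that wraps both as a pre-flight check you can run before `ipa-server-install` or after applying the fix. It assumes the certificate server listens on port 8443 and that `openssl` is on the PATH; the function and variable names are the example's own, and the sample error text is quoted from the pkispawn failure in the description.

```shell
#!/bin/sh
# Added example: pre-flight checks for the FIPS / pki-tomcat TLS failure
# described in this bug. Not part of the bug report or of pki-core.

# Constructed sample: the pkispawn error text quoted in the bug description,
# used so the classifier can be exercised without a live server.
SAMPLE_PKISPAWN_ERROR='pkispawn      : ERROR    Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:877)
configuration : ERROR    Server failed to restart
pkispawn      : ERROR    Exception: server failed to restart'

# Succeeds (exit 0) when the kernel reports FIPS mode enabled, fails otherwise.
# Takes an optional path so a copy of the sysctl file can be checked offline;
# defaults to the live /proc entry used in the verification steps.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Classify a TLS transcript (openssl s_client output or a pkispawn log) as:
#   handshake-failure  - the alert seen in this bug
#   ok                 - handshake completed and the chain verified
#   cert-error         - handshake completed but verification failed
#   unknown            - nothing recognisable in the file
# The handshake-failure check runs first because s_client still prints a
# "Verify return code: 0 (ok)" block when the handshake aborts before the
# certificate is sent.
classify_tls_transcript() {
    if grep -qi 'handshake failure' "$1"; then
        echo handshake-failure
    elif grep -q 'Verify return code: 0 (ok)' "$1"; then
        echo ok
    elif grep -q 'Verify return code:' "$1"; then
        echo cert-error
    else
        echo unknown
    fi
}

# Probe the certificate server connector (assumed: pki-tomcat on port 8443)
# and print the classification. openssl exits non-zero on a failed handshake,
# so its status is ignored and the transcript is classified instead.
probe_pki_tomcat() {
    host="${1:-localhost}"
    port="${2:-8443}"
    out=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null >"$out" 2>&1 || true
    classify_tls_transcript "$out"
    rm -f "$out"
}

# Usage: sh fips-preflight.sh --run [host] [port]
if [ "${1:-}" = "--run" ]; then
    if fips_enabled; then
        echo "fips: enabled"
    else
        echo "fips: disabled"
    fi
    echo "pki-tomcat tls: $(probe_pki_tomcat "${2:-localhost}" "${3:-8443}")"
fi
```

On a host showing this bug, `--run` reports `fips: enabled` and `pki-tomcat tls: handshake-failure`, which matches the pkispawn error in the description; after the fix the second line should read `ok` (or `cert-error` if only the chain, not the handshake, is at fault). The classifier accepts a saved `/var/log/pki/pki-tomcat` excerpt as well as live `s_client` output.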

Comment 22 Abhimanyu Jamaiyar 2019-10-17 07:50:25 UTC
Hi Endi,

I have updated the Doc Text. Please review and provide your feedback.

Regards,
Abhimanyu Jamaiyar

Comment 23 Endi Sukma Dewata 2019-10-17 13:03:22 UTC
Hi, the Doc Text looks fine, but I want to make a note that there are several bugs that prevent IdM from running in FIPS mode in RHEL 8.1, and this is just one of them. I hope the title of the Doc Text would not mislead people to think that this bug fixes all FIPS issues.

Comment 25 errata-xmlrpc 2019-11-05 21:06:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3416