Bug 1849914

Summary: FreeIPA - Utilize 256-bit AJP connector passwords
Product: Red Hat Enterprise Linux 8 Reporter: Christian Heimes <cheimes>
Component: ipa    Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: urgent    
Version: 8.3    CC: ascheel, frenaud, ksiddiqu, rcritten, tscherf
Target Milestone: rc    Keywords: Regression, TestBlocker, WorkAround
Target Release: 8.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.8.7-3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:51:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1845447    
Bug Blocks: 1793411, 1842946    

Description Christian Heimes 2020-06-23 07:17:11 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8372

### Request for enhancement

As an admin, I wish all passwords utilized in an IPA environment to be at least 128 or 256 bits. Importantly, this should include the AJP connector secret shared by Tomcat and httpd.

### Issue

Currently, when Dogtag PKI 10.9 generates an AJP secret (during the initial `pkispawn`), we generate a [~75 bit](https://github.com/dogtagpki/pki/blob/737fc097afb42c0b48fe362e970591099dfed2c7/base/common/python/pki/__init__.py#L217-L218) password. Because this is static and not rotated, it probably makes sense to use a more secure AJP connector password. PKI has exposed the `pki_ajp_secret` configuration value that allows IPA to generate and specify their preferred password.

#### Steps to Reproduce

1. Grab Dogtag 10.9.
2. Install a fresh IPA server.
3. Realize that the password is 12 alpha-numeric-with-punctuation characters.

#### Actual behavior

75 bit password.

#### Expected behavior

256-bit password.

#### Version/Release/Distribution

All branches prior to https://github.com/freeipa/freeipa/pull/4819 

#### Additional info:
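
The following is an added example illustrating the sizing question in the description above; it is not FreeIPA or Dogtag code. It computes the entropy of a short password drawn from a fixed alphabet (the 76-symbol alphabet is an assumption chosen so that 12 symbols give roughly the ~75 bits quoted; Dogtag's real alphabet may differ), generates a secret that carries a full 256 bits from the OS CSPRNG, and renders the two places that must share it. The Tomcat `<Connector>` attributes `secretRequired`/`secret` and the `mod_proxy_ajp` `secret=` parameter are real, but the port and the `/ca` path are illustrative.

```python
"""Sizing and generating an AJP connector secret.

Added example; this is not FreeIPA or Dogtag code. The 76-symbol alphabet
below is an assumption chosen so that 12 symbols give roughly the ~75 bits
quoted in the ticket; Dogtag's real alphabet may differ.
"""
import base64
import math
import secrets
import string

# Assumed alphabet: 62 alphanumerics plus 14 punctuation marks (illustrative).
ASSUMED_PUNCTUATION = "!$%&()*+,-./:;"
ASSUMED_CHARSET = string.ascii_letters + string.digits + ASSUMED_PUNCTUATION


def password_entropy_bits(length, charset_size):
    """Entropy in bits of `length` symbols drawn uniformly from `charset_size`."""
    if length <= 0 or charset_size <= 1:
        raise ValueError("length must be > 0 and charset_size > 1")
    return length * math.log2(charset_size)


def legacy_style_secret(length=12, charset=ASSUMED_CHARSET):
    """Short secret of the kind the ticket complains about (uniform over charset)."""
    return "".join(secrets.choice(charset) for _ in range(length))


def generate_ajp_secret(bits=256):
    """URL-safe text secret carrying at least `bits` bits of CSPRNG entropy.

    token_urlsafe() base64-encodes ceil(bits/8) random bytes, so every bit of
    the underlying randomness survives in the string, and the result contains
    no characters that need quoting in server.xml or httpd.conf.
    """
    return secrets.token_urlsafe(math.ceil(bits / 8))


def token_entropy_bits(token):
    """Bits carried by a token from generate_ajp_secret() (decoded length * 8)."""
    padded = token + "=" * (-len(token) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8


def check_secret_bits(bits, minimum=128):
    """True when a secret has at least `minimum` bits of entropy."""
    return bits >= minimum


def render_shared_config(secret, port=8009):
    """Both ends of the AJP channel must carry the same secret.

    Returns (tomcat_connector, httpd_proxypass): a Tomcat AJP <Connector>
    element with secretRequired/secret, and a mod_proxy_ajp ProxyPass line
    with its secret= parameter. The port and the "/ca" path are illustrative.
    """
    tomcat = (
        f'<Connector port="{port}" protocol="AJP/1.3" address="localhost" '
        f'secretRequired="true" secret="{secret}" />'
    )
    httpd = f'ProxyPass "/ca" "ajp://localhost:{port}/ca" secret={secret}'
    return tomcat, httpd


if __name__ == "__main__":
    legacy_bits = password_entropy_bits(12, len(ASSUMED_CHARSET))
    print(f"12 symbols from {len(ASSUMED_CHARSET)}: {legacy_bits:.1f} bits, "
          f"meets 128-bit minimum: {check_secret_bits(legacy_bits)}")
    new_secret = generate_ajp_secret()
    print(f"new secret carries {token_entropy_bits(new_secret)} bits")
    for line in render_shared_config(new_secret):
        print(line)
```

The point of `token_entropy_bits` is that a base64 token's strength is the number of random bytes behind it, not its character count; 43 URL-safe characters here encode exactly 32 bytes, whereas 12 characters from a 76-symbol alphabet encode under 80 bits no matter how "random" they look.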

Comment 2 Christian Heimes 2020-06-23 07:26:42 UTC
*** Bug 1849146 has been marked as a duplicate of this bug. ***

Comment 8 Kaleem 2020-07-10 10:45:23 UTC
Verified based on the attached pytest run (pytest-run.log). runner.log has also been attached to show that the machine is in FIPS mode and to show the IPA version.

Snippet from attached files.

IPA Version:
------------
2020-07-08T23:24:56+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2020-07-08T23:24:56+0000   msg:
2020-07-08T23:24:56+0000   - arch: x86_64
2020-07-08T23:24:56+0000     epoch: null
2020-07-08T23:24:56+0000     name: ipa-server
2020-07-08T23:24:56+0000     release: 4.module+el8.3.0+7221+eedbd403
2020-07-08T23:24:56+0000     source: rpm
2020-07-08T23:24:56+0000     version: 4.8.7

--------------------------------
2020-07-08T23:23:16+0000 TASK [Check FIPS crypto-policies is enabled] ***********************************
2020-07-08T23:23:17+0000 changed: [master.testrelm.test]
2020-07-08T23:23:18+0000 changed: [runner.testrelm.test]


============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.4.2, py-1.5.3, pluggy-0.6.0 -- /usr/libexec/platform-python
cachedir: ../../../../../home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-222.el8.x86_64-x86_64-with-redhat-8.3-Ootpa', 'Packages': {'pytest': '3.4.2', 'py': '1.5.3', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.10.0', 'html': '1.22.1', 'sourceorder': '0.5', 'multihost': '3.0'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.10.0, html-1.22.1, sourceorder-0.5, multihost-3.0
collecting ... collected 4 items

test_integration/test_automember.py::TestAutounmembership::test_modify_user_entry_unmembership PASSED [ 25%]
test_integration/test_automember.py::TestAutounmembership::test_modify_host_entry_unmembership PASSED [ 50%]
test_integration/test_automember.py::TestAutounmembership::test_modify_user_entry_unmembership_disabled PASSED [ 75%]
test_integration/test_automember.py::TestAutounmembership::test_modify_host_entry_unmembership_disabled PASSED [100%]

--------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
========================== 4 passed in 567.71 seconds ==========================

Comment 11 errata-xmlrpc 2020-11-04 02:51:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670