Description of problem:
Identity Management in RHEL-7.0 does not work well with FIPS mode; several issues were reported in RHEL-6.6 testing:
- ipa-client-install fails unless /etc/pki/nssdb/ is properly pre-configured. This should be fixed either by Bug 852023 or upstream ticket https://fedorahosted.org/freeipa/ticket/4140
- FIPS mode needs to be enabled manually for Apache mod_nss
- user-show SSH pubkey processing reports Internal Error in FIPS mode (user-show SSH pubkey processing crashes in FIPS mode)
- PKI does not return expected results on certificate requests
To support FIPS mode properly, IPA will need to be able to:
1) Detect when running in FIPS mode
2) Update appropriate configuration if needed
3) Fall back in functions that use unsupported crypto
Until we decide to support running in FIPS mode (when there is a value), we decided to at least give a clear error message before installation or starting IPA services that it does not run in FIPS mode.
RHEL-6.7: Bug 1131571
RHEL-7.1: Bug 1131570
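The three capabilities listed above (detect FIPS mode, refuse or adjust before install, fall back from unsupported crypto) and the later comment about SSH public key fingerprints moving from MD5 to SHA-256 can be illustrated in a small Python script. This is an added example and not FreeIPA's own code; the function names, the constructed ed25519 key blob and the use of the kernel flag file /proc/sys/crypto/fips_enabled as the detection source are assumptions made for the example.

```python
import base64
import hashlib

# Standard Linux kernel flag: "1" when the kernel is running in FIPS mode.
# Using this file for detection is an assumption of this example.
FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"


def parse_fips_flag(text):
    """Interpret the contents of the kernel FIPS flag file."""
    return text.strip() == "1"


def fips_enabled(path=FIPS_FLAG_PATH):
    """Step 1: detect FIPS mode. A missing or unreadable flag file means
    the kernel was not built with FIPS support, so treat it as disabled."""
    try:
        with open(path) as fh:
            return parse_fips_flag(fh.read())
    except OSError:
        return False


def preinstall_check(fips_supported, fips=None):
    """Step 2: give a clear error before installing or starting services
    when the host is in FIPS mode and this build does not support it.
    Returns True when installation may proceed."""
    if fips is None:
        fips = fips_enabled()
    if fips and not fips_supported:
        raise RuntimeError(
            "FIPS mode is enabled on this host but this IPA build does not "
            "support FIPS mode; refusing to install or start services"
        )
    return True


def ssh_pubkey_fingerprint(pubkey_line, legacy_md5=False, fips=None):
    """Step 3: fall back from unsupported crypto. MD5 is only honoured
    when explicitly requested AND the host is not in FIPS mode; otherwise
    the SHA-256 fingerprint (OpenSSH 'SHA256:<base64>' form) is returned,
    so the MD5 call that would fail under FIPS is never reached."""
    if fips is None:
        fips = fips_enabled()
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    if legacy_md5 and not fips:
        hexdigest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample key: a syntactically valid ssh-ed25519 blob whose
# 32-byte key material is all zeros. It is not a real key.
_KEY_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(_KEY_BLOB).decode() + " constructed@example"
)


if __name__ == "__main__":
    in_fips = fips_enabled()
    print("FIPS mode detected:", in_fips)
    try:
        preinstall_check(fips_supported=False, fips=in_fips)
        print("pre-install check passed")
    except RuntimeError as err:
        print("pre-install check failed:", err)
    print(ssh_pubkey_fingerprint(SAMPLE_PUBKEY_LINE, fips=in_fips))
```

The `fips` parameter exists so the behaviour can be exercised on a non-FIPS host; in production it would normally be left as `None` so the kernel flag decides.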
*** Bug 1308973 has been marked as a duplicate of this bug. ***
*** Bug 1364196 has been marked as a duplicate of this bug. ***
For composing future release notes:
The commit in comment 16 changes the way SSH public key fingerprints are generated: the fingerprint is now a SHA-256 hash instead of an MD5 hash.
Moving to modified state. This was practically implemented in 4.5.
Note there is a known bug which will be fixed in bug 1438679.
Verified using IPA version :: ipa-server-4.5.0-13.el7.x86_64
The test area covered the following:
1. Basic IPA Master, Replica and Client installation with FIPS enabled
2. Replica Promotion related scenarios
3. Sub CA related scenarios
4. Backup and restore scenarios
5. CA-less related scenarios
6. KRA related scenarios
7. Client with and without FIPS installation
8. Vault related scenarios
9. With Domain level 0
10. Help and man page verification
Test coverage will also cover:
2. Windows AD related scenarios
3. Smart Card
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.