Bug 1400149 - pkispawn fails to create CA subsystem on FIPS enabled system
Summary: pkispawn fails to create CA subsystem on FIPS enabled system
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Docs Contact: Petr Bokoc
Depends On:
Blocks: 1125174
Reported: 2016-11-30 14:41 UTC by Standa Laznicka
Modified: 2020-10-04 21:20 UTC (History)

Fixed In Version: pki-core-10.4.1-8.el7
Doc Type: Bug Fix
Doc Text:
"pkispawn" no longer generates passwords consisting only of digits. Previously, "pkispawn" could generate a random password for the NSS database consisting only of digits. Such passwords are not FIPS-compliant. With this update, the installer has been modified to generate FIPS-compliant random passwords which consist of a mix of digits, lowercase letters, uppercase letters, and certain punctuation marks.
Clone Of:
Last Closed: 2017-08-01 22:48:25 UTC
Target Upstream Version:

Attachments
Failing pkispawn configuration (1.58 KB, text/plain), 2016-11-30 14:41 UTC, Standa Laznicka

Links:
* Github dogtagpki pki issues #2676 (Status: closed): pkispawn fails to create PKI subsystem on FIPS enabled system (last updated 2021-01-06 18:29:21 UTC)
* Red Hat Product Errata RHBA-2017:2110 (Priority: normal, Status: SHIPPED_LIVE): pki-core bug fix and enhancement update (last updated 2017-08-01 19:36:59 UTC)

Description Standa Laznicka 2016-11-30 14:41:02 UTC
Created attachment 1226356
Failing pkispawn configuration

Description of problem:
Running pkispawn -s CA with the config file from the attachment ends up in a pkispawn error.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup your system for FIPS
2. run pkispawn with the given config (you can run ipa-server-install to make it easier for you)

Actual results:
CA subsystem installation fails.

Expected results:
CA subsystem installation succeeds.

Additional info:
From what I've gathered, the trouble is with generating 'pki_pin', which is then stored in 'pki_shared_pfile', which is used to access the /etc/pki/pki-tomcat/alias NSS database. However, 'pki_pin' is just a number, and NSS databases in FIPS mode require at least one non-alphanumeric character.

Comment 2 Matthew Harmsen 2016-12-05 17:54:16 UTC
Upstream ticket:

Comment 5 Endi Sukma Dewata 2017-04-11 18:35:57 UTC
Fixed in master:
* 9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32

Comment 7 Geetika Kapoor 2017-06-01 13:08:03 UTC
Tested on: pki-ca-10.4.1-6.el7.noarch

kra-clone-prepare fails if the password has "=" in password.conf.

Comment 8 Endi Sukma Dewata 2017-06-01 17:27:20 UTC
The kra-clone-prepare calls pki CLI which reads the password.conf to export KRA certificates and keys from the NSS database into a PKCS #12 file. The problem is the pki CLI treats the "=" in the file as delimiter for token name and password, so the password is parsed incorrectly.

One possible solution is to provide separate pki CLI parameters for a password file containing just a single password (without token name), and for a password.conf which may contain multiple token names and passwords.

Comment 9 Endi Sukma Dewata 2017-06-01 20:50:08 UTC
Another possibility is not to use equal sign in random passwords.

Comment 10 Red Hat Bugzilla Rules Engine 2017-06-02 17:11:27 UTC
Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Comment 11 Endi Sukma Dewata 2017-06-02 17:19:26 UTC
Excluded equal sign from random password:

* https://github.com/dogtagpki/pki/commit/03235ab51d102ba722e71adf00d2f721c77cd222
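
To show the password policy this bug settled on (the Doc Text and Comments 8, 9 and 11 above), here is an added Python example that is not code from pkispawn or the pki CLI; the punctuation subset, the default length and the simplified password.conf line reader are assumptions made for illustration:

```python
import secrets
import string

# Character classes a generated NSS database password must draw from (per the
# fix's doc text). The punctuation subset is an assumption: '=' is left out
# because password.conf uses it as the token-name/password delimiter.
DIGITS = string.digits
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
PUNCT = "!#$%&*+-./:;?@^_~"
ALPHABET = DIGITS + LOWER + UPPER + PUNCT


def is_fips_compliant(password):
    """Check the policy described in this bug: at least one character from
    each class (so never all-digit or all-alphanumeric) and no '=' so the
    value survives a token=password line in password.conf."""
    classes = (DIGITS, LOWER, UPPER, PUNCT)
    has_each_class = all(any(c in cls for c in password) for cls in classes)
    return has_each_class and "=" not in password


def generate_password(length=20):
    """Generate a random password that satisfies is_fips_compliant()."""
    if length < 4:
        raise ValueError("need at least one character per class")
    # Pick one character from every class, then fill up from the whole
    # alphabet and shuffle so the class positions are not predictable.
    chars = [secrets.choice(cls) for cls in (DIGITS, LOWER, UPPER, PUNCT)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def split_password_conf_line(line):
    """Illustrative delimiter-based reader (assumed, not the pki CLI's own
    code): splitting on every '=' becomes ambiguous as soon as the password
    itself contains '=', which is the failure Comment 8 describes."""
    fields = line.rstrip("\n").split("=")
    if len(fields) != 2:
        raise ValueError("ambiguous password.conf line: %r" % line)
    return fields[0], fields[1]


if __name__ == "__main__":
    pw = generate_password()
    print(pw, is_fips_compliant(pw))
    print(split_password_conf_line("internal=" + pw))
```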

Comment 13 Asha Akkiangady 2017-06-19 17:59:13 UTC
Tested in version: pki-server-10.4.1-9.el7.noarch

RHCS subsystems CA, KRA, OCSP, TKS and TPS installed successfully on FIPS and non-FIPS RHEL 7.4 systems with the auto-generated FIPS-compliant passwords. Sanity tests look good for each subsystem.

Marking the bug verified.

Comment 14 errata-xmlrpc 2017-08-01 22:48:25 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
