Bug 1400149 - pkispawn fails to create CA subsystem on FIPS enabled system
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core (Show other bugs)
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Docs Contact: Petr Bokoc
Keywords: Reopened
Depends On:
Blocks: 1125174
Reported: 2016-11-30 09:41 EST by Stanislav Laznicka
Modified: 2017-08-01 18:48 EDT (History)

See Also:
Fixed In Version: pki-core-10.4.1-8.el7
Doc Type: Bug Fix
Doc Text:
"pkispawn" no longer generates passwords consisting only of digits. Previously, "pkispawn" could generate a random password for the NSS database consisting only of digits. Such passwords are not FIPS-compliant. With this update, the installer has been modified to generate FIPS-compliant random passwords which consist of a mix of digits, lowercase letters, uppercase letters, and certain punctuation marks.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 18:48:25 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Failing pkispawn configuration (1.58 KB, text/plain)
2016-11-30 09:41 EST, Stanislav Laznicka


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2110 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2017-08-01 15:36:59 EDT

Description Stanislav Laznicka 2016-11-30 09:41:02 EST
Created attachment 1226356 [details]
Failing pkispawn configuration

Description of problem:
Running pkispawn -s CA with the config file from the attachment ends up in pkispawn error.

Version-Release number of selected component (if applicable):
pki-base-10.3.3-14.el7_3


How reproducible:
Always


Steps to Reproduce:
1. Setup your system for FIPS
2. run pkispawn with the given config (you can run ipa-server-install to make it easier for you)

Actual results:
CA subsystem installation fails.

Expected results:
CA subsystem installation succeeds.

Additional info:
From what I've gathered, the trouble is with generating 'pki_pin', which is then stored to 'pki_shared_pfile' which is used to access the /etc/pki/pki-tomcat/alias NSS database. However, 'pki_pin' is just a number and NSS databases in FIPS mode require at least one non-alphanumeric character.
Comment 2 Matthew Harmsen 2016-12-05 12:54:16 EST
Upstream ticket:
https://fedorahosted.org/pki/ticket/2556
Comment 5 Endi Sukma Dewata 2017-04-11 14:35:57 EDT
Fixed in master:
* 9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32
Comment 7 Geetika Kapoor 2017-06-01 09:08:03 EDT
Tested on: pki-ca-10.4.1-6.el7.noarch

kra-clone-prepare fails if the password has "=" in password.conf

    password.conf:

    #internal=YoYEw1lgY6'4
    internal=Z?t9:f/0B%+=
    internaldb=Secret123
    replicationdb=1156996686
Comment 8 Endi Sukma Dewata 2017-06-01 13:27:20 EDT
The kra-clone-prepare calls the pki CLI, which reads the password.conf to export KRA certificates and keys from the NSS database into a PKCS #12 file. The problem is that the pki CLI treats the "=" in the file as the delimiter between token name and password, so the password is parsed incorrectly.

One possible solution is to provide separate pki CLI parameters for a password file containing just a single password (without token name), and for a password.conf which may contain multiple token names and passwords.
Comment 9 Endi Sukma Dewata 2017-06-01 16:50:08 EDT
Another possibility is not to use equal sign in random passwords.
Comment 10 Red Hat Bugzilla Rules Engine 2017-06-02 13:11:27 EDT
Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.
Comment 11 Endi Sukma Dewata 2017-06-02 13:19:26 EDT
Excluded equal sign from random password:

* https://github.com/dogtagpki/pki/commit/03235ab51d102ba722e71adf00d2f721c77cd222
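As an added illustration (not pkispawn's own code and not taken from the linked commits), the two constraints this bug converged on, a mix of digits, lowercase, uppercase and punctuation for a FIPS-mode NSS database password and no "=" so that password.conf stays parseable, expressed as a checker and a generator; the exact punctuation set and the default length are assumptions:

```python
import secrets
import string

# Character classes the Doc Text above says a generated password must mix.
DIGITS = string.digits
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
# "=" is dropped because password.conf uses it as the token-name/password
# delimiter (comments 8 and 11). The remaining set is an assumption.
PUNCT = string.punctuation.replace("=", "")

ALPHABET = DIGITS + LOWER + UPPER + PUNCT


def is_fips_compliant(password: str) -> bool:
    """True if the password has at least one character of each of the four
    classes and contains no "=". A digit-only or punctuation-free password
    (the two failure modes seen in this bug) is rejected."""
    if "=" in password:
        return False
    classes = (DIGITS, LOWER, UPPER, string.punctuation)
    return all(any(c in cls for c in password) for cls in classes)


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies is_fips_compliant().

    Draws one character from each class first so the mix is guaranteed,
    fills the rest from the full alphabet, then shuffles so the class
    positions are not predictable. Uses the 'secrets' CSPRNG, never
    'random', since this password guards the NSS key database."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold one of each class")
    chars = [secrets.choice(cls) for cls in (DIGITS, LOWER, UPPER, PUNCT)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed Fisher-Yates
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, is_fips_compliant(pw))
```

The password.conf values quoted in comment 7 are a useful smoke test: the commented-out one passes, the one ending in "=" and the digit-only one fail.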
Comment 13 Asha Akkiangady 2017-06-19 13:59:13 EDT
Tested in version: pki-server-10.4.1-9.el7.noarch

RHCS subsystems CA, KRA, OCSP, TKS and TPS installed successfully on FIPS and non-FIPS RHEL 7.4 systems with the auto-generated FIPS-compliant passwords. Sanity tests look good for each subsystem.


Marking the bug verified.
Comment 14 errata-xmlrpc 2017-08-01 18:48:25 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110
