1400149 – pkispawn fails to create CA subsystem on FIPS enabled system

Bug 1400149 - pkispawn fails to create CA subsystem on FIPS enabled system

Summary: pkispawn fails to create CA subsystem on FIPS enabled system

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Endi Sukma Dewata
QA Contact:	Asha Akkiangady
Docs Contact:	Petr Bokoc
URL:
Whiteboard:
Depends On:
Blocks:	1125174
TreeView+	depends on / blocked

Reported:	2016-11-30 14:41 UTC by Standa Laznicka
Modified:	2020-10-04 21:20 UTC (History)
CC List:	14 users (show)
Fixed In Version:	pki-core-10.4.1-8.el7
Doc Type:	Bug Fix
Doc Text:	"pkispawn" no longer generates passwords consisting only of digits Previously, "pkispawn" could generate a random password for NSS database consisting only digits. Such passwords are not FIPS-compliant. With this update, the installer has been modified to generate FIPS-compliant random passwords which consist of a mix of digits, lowercase letters, uppercase letters, and certain punctuation marks.
Clone Of:
Environment:
Last Closed:	2017-08-01 22:48:25 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Failing pkispawn configuration (1.58 KB, text/plain) 2016-11-30 14:41 UTC, Standa Laznicka	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2676	0	None	closed	pkispawn fails to create PKI subsystem on FIPS enabled system	2021-01-06 18:29:21 UTC
Red Hat Product Errata	RHBA-2017:2110	0	normal	SHIPPED_LIVE	pki-core bug fix and enhancement update	2017-08-01 19:36:59 UTC

Description Standa Laznicka 2016-11-30 14:41:02 UTC

Created attachment 1226356 [details]
Failing pkispawn configuration

Description of problem:
Running pkispawn -s CA with the config file from the attachment ends up in pkispawn error.

Version-Release number of selected component (if applicable):
pki-base-10.3.3-14.el7_3


How reproducible:
Always


Steps to Reproduce:
1. Setup your system for FIPS
2. run pkispawn with the given config (you can run ipa-server-install to make it easier for you)

Actual results:
CA subsystem installation fails.

Expected results:
CA subsystem installation succeeds.

Additional info:
From what I've gathered, the trouble is with generating 'pki_pin', which is then stored to 'pki_shared_pfile' which is used to access the /etc/pki/pki-tomcat/alias NSS database. However, 'pki_pin' is just a number and NSS databases in FIPS mode require at least one non-alphanumeric character.

Comment 2 Matthew Harmsen 2016-12-05 17:54:16 UTC

Upstream ticket:
https://fedorahosted.org/pki/ticket/2556

Comment 5 Endi Sukma Dewata 2017-04-11 18:35:57 UTC

Fixed in master:
* 9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32

Comment 7 Geetika Kapoor 2017-06-01 13:08:03 UTC

Tested on: pki-ca-10.4.1-6.el7.noarch

kra-clone-prepare fails if the password have "=" in password.conf

    password.conf:

    #internal=YoYEw1lgY6'4

    internal=Z?t9:f/0B%+=

    internaldb=Secret123

    replicationdb=1156996686

Comment 8 Endi Sukma Dewata 2017-06-01 17:27:20 UTC

The kra-clone-prepare calls pki CLI which reads the password.conf to export KRA certificates and keys from the NSS database into a PKCS #12 file. The problem is the pki CLI treats the "=" in the file as delimiter for token name and password, so the password is parsed incorrectly.

One possible solution is to provide separate pki CLI parameters for a password file containing just a single password (without token name), and for a password.conf which may contain multiple token names and passwords.

Comment 9 Endi Sukma Dewata 2017-06-01 20:50:08 UTC

Another possibility is not to use equal sign in random passwords.

Comment 10 Red Hat Bugzilla Rules Engine 2017-06-02 17:11:27 UTC

Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Comment 11 Endi Sukma Dewata 2017-06-02 17:19:26 UTC

Excluded equal sign from random password:

* https://github.com/dogtagpki/pki/commit/03235ab51d102ba722e71adf00d2f721c77cd222

Comment 13 Asha Akkiangady 2017-06-19 17:59:13 UTC

Tested in version: pki-server-10.4.1-9.el7.noarch

RHCS subsystems CA, KRA, OCSP, TKS and TPS installed successfully on a FIPS and non-FIPS RHEL 7.4 systems with the auto generated FIPS compliant passwords. Sanity tests looks good for each subsystem.


Marking the bug verified.

Comment 14 errata-xmlrpc 2017-08-01 22:48:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

Note You need to log in before you can comment on or make changes to this bug.