Bug 1404172 - Unable to install subordinate CA with HSM in FIPS mode
Summary: Unable to install subordinate CA with HSM in FIPS mode
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
Depends On: 1395817
Reported: 2016-12-13 09:25 UTC by Marcel Kolaja
Modified: 2017-01-17 18:26 UTC (History)

Fixed In Version: pki-core-10.3.3-15.el7_3
Doc Type: Bug Fix
Doc Text:
Previously, subordinate certificate authority (sub-CA) installation failed due to a bug in the Network Security Services (NSS) library, which generated the "SEC_ERROR_TOKEN_NOT_LOGGED_IN" error. This update adds a workaround for this problem to the installer which allows the installation to proceed. If the error is still displayed, it can now be ignored.
Clone Of: 1395817
Last Closed: 2017-01-17 18:26:31 UTC
Target Upstream Version:

Attachments (Terms of Use)
config_files (30.00 KB, application/x-tar)
2017-01-10 06:01 UTC, Geetika Kapoor

Related errata: Red Hat Product Errata RHBA-2017:0093 (status SHIPPED_LIVE, priority normal), "pki-core bug fix update", last updated 2017-01-17 22:56:43 UTC

Description Marcel Kolaja 2016-12-13 09:25:04 UTC
This bug has been copied from bug #1395817 and has been proposed
to be backported to 7.3 z-stream (EUS).

Comment 4 Asha Akkiangady 2017-01-04 20:38:52 UTC
Subordinate CA installation with HSM in FIPS mode is successful, but shows a failure message while changing the certificate trust, as reported in https://bugzilla.redhat.com/show_bug.cgi?id=1395817#c8

Comment 5 Endi Sukma Dewata 2017-01-05 07:13:16 UTC
The error message is fine since the actual NSS bug has not been fixed yet. The change in PKI is a workaround for that problem. See also:

Comment 9 Geetika Kapoor 2017-01-06 06:06:34 UTC
Hello Endi,

Here is my server.xml.




I have restarted the instance after I disabled these ciphers, which are enabled by default, but since they were not listed in the document (http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration) I have disabled them.

<default enabled ciphers disabled>
</default enabled ciphers disabled>

and again I try to install the subCA. It fails.

<debug logs>

[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: Resolving security domain URL https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31443
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: Getting security domain cert chain
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: ConfigurationUtils.importCertChain()
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: ConfigurationUtils: GET https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31443/ca/admin/ca/getCertChain
javax.ws.rs.ProcessingException: Unable to invoke request
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.get(ClientInvocationBuilder.java:165)

</debug logs>

Comment 10 Endi Sukma Dewata 2017-01-07 08:21:00 UTC

Could you verify that you can connect via SSL to the ExternalCA (e.g. by running the pki ca-user-find command)?

It's possible you also need to configure the same ciphers on the SubCA during installation. This can be done using the two-step installation:

So prepare 2 copies of the SubCA deployment configuration. Add pki_skip_configuration=True to the first one and pki_skip_installation=True to the second one. Run the first step, add the ciphers to server.xml, then run the second step.
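The two-step procedure from this comment as an added example helper (not pki-core's own code and not from the bug page): it derives the two deployment configs from one base config, sets the cipher list on the HTTPS Connector in server.xml between the two pkispawn runs, and refuses to edit server.xml if it cannot find exactly one Connector on the HTTPS port. Assumptions not on the page: the config is an INI file read by pkispawn -s CA -f, the Connector attribute is named sslRangeCiphers, and the sample config, server.xml and cipher list are constructed placeholders.

```python
import configparser
import io
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample inputs (not from the bug page); the cipher string is a
# placeholder for the FIPS list documented on the pki.fedoraproject.org SSL page.
SAMPLE_CFG = "[DEFAULT]\npki_instance_name=pki-subca\n[CA]\npki_https_port=32443\n"
SAMPLE_SERVER_XML = ('<Server><Service><Connector port="32080"/>'
                     '<Connector port="32443" sslEnabled="true"/></Service></Server>')
PLACEHOLDER_CIPHERS = "+placeholder_fips_cipher_list"
SKIP_KEYS = ("pki_skip_configuration", "pki_skip_installation")


def split_deployment_config(base_cfg: str) -> tuple[str, str]:
    """Return (step1, step2) configs: step 1 adds pki_skip_configuration=True,
    step 2 adds pki_skip_installation=True; stale skip keys are dropped first."""
    steps = []
    for key in SKIP_KEYS:
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep pki_* option names case-sensitive
        cp.read_string(base_cfg)
        for section in cp.sections() + ["DEFAULT"]:
            for stale in SKIP_KEYS:
                cp.remove_option(section, stale)
        cp["DEFAULT"][key] = "True"
        buf = io.StringIO()
        cp.write(buf)
        steps.append(buf.getvalue())
    return steps[0], steps[1]


def set_fips_ciphers(server_xml: str, https_port: str, ciphers: str) -> str:
    """Set the cipher list on the HTTPS Connector for https_port.
    The attribute name sslRangeCiphers is an assumption about Tomcat JSS."""
    root = ET.fromstring(server_xml)
    hits = [c for c in root.iter("Connector") if c.get("port") == https_port]
    if len(hits) != 1:  # never guess which connector to change
        raise ValueError(f"expected one Connector on port {https_port}, got {len(hits)}")
    hits[0].set("sslRangeCiphers", ciphers)
    return ET.tostring(root, encoding="unicode")


def two_step_install(base_cfg: Path, server_xml: Path, https_port: str, ciphers: str):
    """Install (step 1), add ciphers to server.xml, then configure (step 2)."""
    step1, step2 = split_deployment_config(base_cfg.read_text())
    p1, p2 = Path("subca-step1.cfg"), Path("subca-step2.cfg")
    p1.write_text(step1)
    p2.write_text(step2)
    subprocess.run(["pkispawn", "-s", "CA", "-f", str(p1)], check=True)
    server_xml.write_text(set_fips_ciphers(server_xml.read_text(), https_port, ciphers))
    subprocess.run(["pkispawn", "-s", "CA", "-f", str(p2)], check=True)
```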

Comment 11 Geetika Kapoor 2017-01-09 08:46:41 UTC
Hi Endi,

Yes, both the other subsystem installations and the subCA installation with fips=1 work with the two-step installation. For the RootCA we enable ciphers after installation; that way it didn't work with the subCA. The subCA with the 2-step installation works. Do you think we need to document it? For FIPS-enabled subCA installation, always work with the 2-step installation.
Also, with FIPS mode enabled, why are we disabling the below ciphers?


Comment 12 Christina Fu 2017-01-09 19:32:55 UTC
I think the instruction at http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration gives the ciphers supported by the Thales HSM in FIPS mode. An HSM in FIPS mode is compliant with FIPS 140-2 level 3 (vs. level 2 in the software token provided by NSS).

Comment 13 Asha Akkiangady 2017-01-09 20:40:56 UTC
Marking the bug verified as per comment 11: the subCA two-step install worked fine in FIPS mode with the Thales HSM when configured with the ciphers documented in http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration.

The requirement of the two-step installation procedure for the subCA as well as other subsystems in FIPS mode should be documented; see bug https://bugzilla.redhat.com/show_bug.cgi?id=1411495

Comment 14 Geetika Kapoor 2017-01-10 06:01:23 UTC
Created attachment 1238982 (config_files)

Comment 16 errata-xmlrpc 2017-01-17 18:26:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
