1404172 – Unable to install subordinate CA with HSM in FIPS mode

Bug 1404172 - Unable to install subordinate CA with HSM in FIPS mode

Summary: Unable to install subordinate CA with HSM in FIPS mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	RHCS Maintainers
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:	1395817
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-13 09:25 UTC by Marcel Kolaja
Modified:	2017-01-17 18:26 UTC (History)
CC List:	7 users (show)
Fixed In Version:	pki-core-10.3.3-15.el7_3
Doc Type:	Bug Fix
Doc Text:	Previously, subordinate certificate authority (sub-CA) installation failed due to a bug in the Network Security Services (NSS) library, which generated the "SEC_ERROR_TOKEN_NOT_LOGGED_IN" error. This update adds a workaround for this problem to the installer which allows the installation to proceed. If the error is still displayed, it can now be ignored.
Clone Of:	1395817
Environment:
Last Closed:	2017-01-17 18:26:31 UTC
Target Upstream Version:

Attachments	(Terms of Use)
config_files (30.00 KB, application/x-tar) 2017-01-10 06:01 UTC, Geetika Kapoor	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:0093	0	normal	SHIPPED_LIVE	pki-core bug fix update	2017-01-17 22:56:43 UTC

Description Marcel Kolaja 2016-12-13 09:25:04 UTC

This bug has been copied from bug #1395817 and has been proposed
to be backported to 7.3 z-stream (EUS).

Comment 4 Asha Akkiangady 2017-01-04 20:38:52 UTC

Subordinate CA installation with hsm in FIPS mode is successful, but shows failure message while changing the certificate trust as reported in https://bugzilla.redhat.com/show_bug.cgi?id=1395817#c8

Comment 5 Endi Sukma Dewata 2017-01-05 07:13:16 UTC

The error message is fine since the actual NSS bug has not been fixed yet. The change in PKI is a workaround for that problem. See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1395817#c9

Comment 9 Geetika Kapoor 2017-01-06 06:06:34 UTC

Hello Endi,

Here is my server.xml.

<server.xml>

sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA"

</server.xml>

I have restarted instance after i disable these ciphers which are bydefault enabled but since it was not listed in document(http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration) so i have disabled them.

<default enabled ciphers disabled>
+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA
</default enabled ciphers disabled>

and again i try to install subCA.It fails.

<debug logs>

[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: Resolving security domain URL https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31443
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: Getting security domain cert chain
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: ConfigurationUtils.importCertChain()
[06/Jan/2017:00:54:07][http-bio-32443-exec-3]: ConfigurationUtils: GET https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31443/ca/admin/ca/getCertChain
javax.ws.rs.ProcessingException: Unable to invoke request
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.get(ClientInvocationBuilder.java:165)

</debug logs>

Comment 10 Endi Sukma Dewata 2017-01-07 08:21:00 UTC

Geetika,

Could you verify that you can connect via SSL to the ExternalCA (e.g. by running pki ca-user-find command)?

It's possible you also need to configure the same ciphers on the SubCA during installation. This can be done using the two-step installation:
http://pki.fedoraproject.org/wiki/Two-Step_Installation

So prepare 2 copies of SubCA deployment configuration. Add pki_skip_configuration=True to the first one and pki_skip_installation=True to the second one. Run the first step, add the ciphers into server.xml, then run the second step.

Comment 11 Geetika Kapoor 2017-01-09 08:46:41 UTC

Hi Endi,

Yes both the other subsystem installation and subca installation with fips=1 works with two step installation.Like for RootCA, we enable ciphers after installation that way it didn't work with subCA.SubCA with 2 step installation works.Do you think we need to document it? For FIPS enabled subca installation always work with 2 step installation.
Also, with FIPS mode enabled,  why we disabling below ciphers 
+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA.

Thanks
Geetika

Comment 12 Christina Fu 2017-01-09 19:32:55 UTC

I think the instruction at http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration gives out ciphers supported by the Tales HSM in FIPS mode.  An HSM in FIPS mode is compliant to FIPS 140-2 level 3 (v.s. level 2 in software token provided by NSS).

Comment 13 Asha Akkiangady 2017-01-09 20:40:56 UTC

Marking the bug verified as per comment 11, subca two step install worked fine in FIPS mode with Thales HSM when configured with ciphers documented in http://pki.fedoraproject.org/wiki/SSL#FIPS_SSL_Configuration.

The requirement of two step installation procedure for subca as well as other subsystems in FIPS mode should be documented, bug https://bugzilla.redhat.com/show_bug.cgi?id=1411495

Comment 14 Geetika Kapoor 2017-01-10 06:01:23 UTC

Created attachment 1238982 [details]
config_files

Comment 16 errata-xmlrpc 2017-01-17 18:26:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0093.html

Note You need to log in before you can comment on or make changes to this bug.