Bug 1411428 - Unable to create a CA clone in FIPS
Summary: Unable to create a CA clone in FIPS
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
Docs Contact: Petr Bokoc
Duplicates: 1412132
Depends On:
Blocks: 1125174 1427443
Reported: 2017-01-09 17:08 UTC by Standa Laznicka
Modified: 2020-10-04 21:20 UTC (History)

Fixed In Version: pki-core-10.4.0-1.el7
Doc Type: Bug Fix
Doc Text:
CA clone installation in FIPS mode no longer fails
Previously, installing a CA clone or a Key Recovery Authority (KRA) failed in FIPS mode due to an inconsistency in handling internal NSS token names. With this update, the code that handles the token name has been consolidated to ensure that all token names are handled consistently. This allows the KRA and CA clone installation to complete properly in FIPS mode.
Clone Of:
Last Closed: 2017-08-01 22:48:25 UTC
Target Upstream Version:

Attachments:
Install output, configuration, debug and log files (23.01 KB, application/zip), 2017-01-09 17:08 UTC, Standa Laznicka

System                      | ID             | Private | Priority | Status       | Summary                                 | Last Updated
Github dogtagpki pki issues | 2676           | 0       | None     | None         | None                                    | 2020-10-04 21:20:06 UTC
Red Hat Product Errata      | RHBA-2017:2110 | 0       | normal   | SHIPPED_LIVE | pki-core bug fix and enhancement update | 2017-08-01 19:36:59 UTC

Description Standa Laznicka 2017-01-09 17:08:39 UTC
Created attachment 1238830 [details]
Install output, configuration, debug and log files

Description of problem:
When trying to set up a clone using pkispawn with the attached configuration in FIPS, pkispawn fails with NoSuchTokenException.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up a master server and a future replica to use FIPS.
2. Set up a master CA on a server using pkispawn
3. Try to create a clone of the server from 1. using `pkispawn -s CA -f pkispawn_config_repl.txt`

Actual results:
The installation fails with "org.mozilla.jss.NoSuchTokenException".

Expected results:
The installation of the clone passes.

Additional info:
Might (but does not have to) be related to https://bugzilla.redhat.com/show_bug.cgi?id=1382066.

Comment 2 Endi Sukma Dewata 2017-01-16 16:36:13 UTC
Hi, in bug #1382066 the code was fixed to recognize the full name of the internal token (i.e. Internal Key Storage Token) which is used in FIPS mode in addition to the short name (i.e. internal):

Apparently there are additional places that need to be fixed which are only exposed under this test scenario.
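
The reproduction procedure in the description and the token-name point in the comment above, as an added example that is not code from the bug report or from pki-core. It is a pre-flight check for a pkispawn clone configuration that applies one rule everywhere: the short name "internal" and the full name "Internal Key Storage Token" designate the same NSS internal token. The function names, the sample configuration and the /proc path used to detect FIPS mode are assumptions made for this illustration; the pkispawn keys it reads (pki_token_name, pki_clone, pki_clone_pkcs12_path, pki_clone_uri, pki_hsm_enable) are real pkispawn parameters.

```python
#!/usr/bin/env python3
"""Pre-flight check for a pkispawn CA clone configuration in FIPS mode.

Added example, not code from the bug report or from pki-core.  It applies
the token-name rule from the bug discussion: "internal" and
"Internal Key Storage Token" are the same NSS token and must be treated
identically by every code path.  Function names, the sample configuration
and the FIPS-detection path are constructed for illustration.
"""
import configparser

# The two spellings of the NSS internal token named in the bug discussion.
INTERNAL_TOKEN_SHORT = "internal"
INTERNAL_TOKEN_FULL = "Internal Key Storage Token"

# Constructed sample clone configuration (hosts and passwords are placeholders).
SAMPLE_CLONE_CONFIG = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=Secret.123
pki_client_database_password=Secret.123
pki_ds_password=Secret.123
pki_security_domain_password=Secret.123
pki_token_password=Secret.123
pki_token_name=Internal Key Storage Token

[CA]
pki_clone=True
pki_clone_pkcs12_path=/root/ca-certs.p12
pki_clone_pkcs12_password=Secret.123
pki_clone_replication_security=TLS
pki_clone_uri=https://master.example.com:8443
pki_security_domain_hostname=master.example.com
pki_security_domain_user=caadmin
"""


def is_internal_token(name):
    """True if `name` designates the NSS internal (software) token.

    None, "", the short name and the full name are all accepted,
    case-insensitively.  A single predicate is the point: the bug came
    from different code paths answering this question differently.
    """
    if name is None:
        return True
    name = name.strip()
    return name == "" or name.lower() in (INTERNAL_TOKEN_SHORT,
                                          INTERNAL_TOKEN_FULL.lower())


def normalize_token(name):
    """Canonical form: None for the internal token, else the stripped name."""
    return None if is_internal_token(name) else name.strip()


def certutil_args(nssdb_dir, token):
    """Build certutil's -d/-h arguments; the internal token takes no -h at all."""
    args = ["-d", nssdb_dir]
    canonical = normalize_token(token)
    if canonical is not None:
        args += ["-h", canonical]
    return args


def fips_enabled(proc_path="/proc/sys/crypto/fips_enabled"):
    """True if the kernel reports FIPS mode (assumed detection method)."""
    try:
        with open(proc_path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def check_clone_config(text, fips):
    """Return a list of findings; empty when the configuration looks consistent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    sec = cfg["CA"] if cfg.has_section("CA") else cfg["DEFAULT"]
    findings = []

    if not fips:
        findings.append("host is not in FIPS mode; master and clone must both be")

    token = sec.get("pki_token_name", INTERNAL_TOKEN_SHORT)
    hsm = sec.getboolean("pki_hsm_enable", fallback=False)
    if is_internal_token(token) and hsm:
        findings.append("pki_hsm_enable=True but pki_token_name=%r is the internal token" % token)
    if not is_internal_token(token) and not hsm:
        findings.append("pki_token_name=%r is not the internal token but pki_hsm_enable is not set" % token)

    if sec.getboolean("pki_clone", fallback=False):
        if not sec.get("pki_clone_uri"):
            findings.append("pki_clone=True requires pki_clone_uri (the master CA)")
        # A clone on the software token imports the master's keys from a PKCS#12 file.
        if is_internal_token(token):
            for key in ("pki_clone_pkcs12_path", "pki_clone_pkcs12_password"):
                if not sec.get(key):
                    findings.append("clone on the internal token needs %s" % key)
    return findings


if __name__ == "__main__":
    for line in check_clone_config(SAMPLE_CLONE_CONFIG, fips_enabled()) or ["config looks consistent"]:
        print(line)
    print("certutil", " ".join(certutil_args("/etc/pki/pki-tomcat/alias", INTERNAL_TOKEN_FULL)))
```

Run it on the host that will become the clone before invoking `pkispawn -s CA -f pkispawn_config_repl.txt`; whichever spelling of the internal token the operator put in pki_token_name, the check resolves it the same way, which is the consistency the fix for this bug restores inside the server.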

Comment 3 Matthew Harmsen 2017-01-16 17:18:46 UTC
Upstream ticket:

Comment 4 Endi Sukma Dewata 2017-01-26 00:27:36 UTC
*** Bug 1412132 has been marked as a duplicate of this bug. ***

Comment 5 Endi Sukma Dewata 2017-01-27 16:58:32 UTC
Fixed in master:
* 2fa7bc707a558da1b0c4d748d0805bdd0b60168c

Comment 7 Amol K 2017-06-08 09:54:08 UTC
I tested this bug on pki 10.4.1-8.el7 version. It worked as expected. 

I followed these steps to verify the bug:

1. Installed the CA with the dual-step installation, with a modification of sslRangeCiphers in the server.xml file.

2. I followed the above installation procedure for the clone and was able to create the clone successfully.

Verifying this bug.

Comment 9 errata-xmlrpc 2017-08-01 22:48:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

