Bug 1412211 - Unable to set up KRA in FIPS
Summary: Unable to set up KRA in FIPS
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
Depends On:
Blocks: 1125174 1427443
Reported: 2017-01-11 14:28 UTC by Standa Laznicka
Modified: 2020-10-04 21:20 UTC (History)

Fixed In Version: pki-core-10.4.0-1.el7
Doc Type: No Doc Update
Doc Text:
See BZ#1411428 for doc text.
Clone Of:
Last Closed: 2017-08-01 22:48:25 UTC
Target Upstream Version:

Attachments
pkispawn, debug and config files (19.39 KB, application/zip), 2017-01-11 14:28 UTC, Standa Laznicka, no flags

External trackers:
Github dogtagpki pki issues 2676 (Private: 0, Priority: None, Status: None, Summary: None), last updated 2020-10-04 21:20:11 UTC
Red Hat Product Errata RHBA-2017:2110 (Private: 0, Priority: normal, Status: SHIPPED_LIVE, Summary: pki-core bug fix and enhancement update), last updated 2017-08-01 19:36:59 UTC

Description Standa Laznicka 2017-01-11 14:28:08 UTC
Created attachment 1239458 [details]
pkispawn, debug and config files

Description of problem:
After successfully setting up CA in FIPS, KRA fails to install using pkispawn.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up a CA under FIPS using FreeIPA settings (for the details of CA settings see https://github.com/freeipa/freeipa/blob/master/ipaserver/install/cainstance.py#L453)
2. Try to set up KRA on the same host with the config file from the attachment: `pkispawn -s KRA -f kra_config.txt`

Actual results:
pkispawn fails with "SystemConfigService:updateCloneConfiguration: tokenName=Internal Key Storage Token

Expected results:
KRA subsystem is successfully installed.

Additional info:
Seems like the same issue as in https://bugzilla.redhat.com/show_bug.cgi?id=1411428 and https://bugzilla.redhat.com/show_bug.cgi?id=1382066

Comment 2 Endi Sukma Dewata 2017-01-16 16:48:58 UTC
Hi, this is probably similar to bug #1411428, but the problem happens while retrieving a certificate from the internal token.

Comment 3 Matthew Harmsen 2017-01-16 17:15:05 UTC
Upstream ticket:

Comment 5 Endi Sukma Dewata 2017-01-26 00:21:14 UTC
Fixed in master:
* 97ac6024c813621856b3cbfc8207416a46855108
* 48cefdea31e62d49c8b728576d29e0f298141a04

Comment 7 Sumedh Sidhaye 2017-05-15 07:06:07 UTC
Build used for verification:

[root@cisco-c210-01 ~]# rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 4.el7
Architecture: noarch
Install Date: Monday 15 May 2017 02:07:34 AM EDT
Group       : System Environment/Base
Size        : 2086209
License     : GPLv2
Signature   : RSA/SHA256, Tuesday 09 May 2017 11:33:58 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-4.el7.src.rpm
Build Date  : Tuesday 09 May 2017 09:23:16 PM EDT
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework

[root@cisco-c210-01 ~]# !24
sysctl -a | grep fips_enabled
crypto.fips_enabled = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.enp17s0.stable_secret"
sysctl: reading key "net.ipv6.conf.enp18s0.stable_secret"
sysctl: reading key "net.ipv6.conf.ens1f0.stable_secret"
sysctl: reading key "net.ipv6.conf.ens1f1.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"

pkispawn for KRA succeeds when FIPS is enabled on the system.

Log file: /var/log/pki/pki-kra-spawn.20170515022638.log
Installing KRA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg.

                                INSTALLATION SUMMARY

      Administrator's username:             kraadmin

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:

      PKI instances will be enabled upon system boot


Comment 8 errata-xmlrpc 2017-08-01 22:48:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
