Bug 1419179
| Summary: | nssdb not created correctly in a fips environment when password is not set | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Eugene Keck <ekeck> |
| Component: | nss | Assignee: | Daiki Ueno <dueno> |
| Status: | CLOSED ERRATA | QA Contact: | Alicja Kario <hkario> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | cww, dueno, ekeck, hkario, kengert, omoris, rrelyea, szidek |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nss-3.34.0-0.1.beta1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-10 09:25:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1420851 | ||
|
Description
Eugene Keck
2017-02-03 20:02:09 UTC
Hm, I do not see the difference between FIPS and non-FIPS environment. Steps from the description give the same result in non-FIPS mode. Kai, is a user expected to set a password (even an empty one) after creating an NSS DB via modutil? That is:

1. modutil -dbdir /tmp -create
2. modutil -dbdir /tmp -changepw

It looks like authentication is required by default after DB creation (regardless of FIPS mode).

------------------------------------------------------

BTW: Setting an empty password works for me in FIPS mode:

```
# modutil -dbdir /tmp/ -create
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

# modutil -dbdir /tmp/ -chkfips true
FIPS mode enabled.

# modutil -dbdir /tmp/ -changepw "NSS FIPS 140-2 Certificate DB"
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Enter new password:
Re-enter new password:
Token "NSS FIPS 140-2 Certificate DB" password changed successfully.

# certutil -d /tmp/ -K
certutil: Checking token "NSS FIPS 140-2 Certificate DB" in slot "NSS FIPS 140-2 User Private Key Services"
certutil: no keys found
```

So NSS has 2 modes: FIPS Level 1 and FIPS Level 2. In FIPS Level 2 you must authenticate to the token before you can do almost anything. In FIPS Level 1 you don't need to authenticate to the token. NSS determines whether or not you are in FIPS Level 1 mode by whether or not the database has a password. In FIPS mode you can move from Level 1 to Level 2 (by setting the password), but you can't move from Level 2 to Level 1. It looks like everything Eugene has mentioned is consistent with that behavior.

The only issue is modutil -create doesn't produce a database without a password. My guess is modutil is creating an uninitialized database which requires SSO PIN login. I'm guessing this implies to softoken that the database is in FIPS Level 2 mode. We can deal with this in 2 ways:

1) document that you can't use modutil to create a FIPS Level 1 database, or
2) modify modutil -create to initialize the database at creation time the same way certutil works today.

We need a bug filed upstream that requests and implements the enhancement for modutil.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679
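The following script is an added example and is not part of the bug report or of the nss project's own code. It reproduces the comparison the thread is about: a database initialised by certutil -N with an empty password versus one left uninitialised by modutil -create, followed by the empty -changepw workaround shown above. It assumes nss-tools (certutil and modutil) is installed; the work directory, the password-file name and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: create two NSS databases, one with
# certutil -N (initialised with an empty password at creation time) and one
# with modutil -create (left uninitialised), then check whether each token
# can be used without logging in.  Assumes nss-tools (certutil, modutil) is
# installed; WORK and the password-file name are arbitrary choices.
set -u

WORK=${WORK:-$(mktemp -d)}
EMPTY_PW="$WORK/empty.pw"
: > "$EMPTY_PW"                      # zero-length password file

# Report whether softoken runs in FIPS mode for this database directory.
# The thread's "FIPS level 1" / "level 2" distinction applies only when this
# prints "enabled"; -chkfips true exits 0 exactly when FIPS mode is on.
fips_state() {
    dir="$1"
    if modutil -dbdir "sql:$dir" -chkfips true >/dev/null 2>&1; then
        echo enabled
    else
        echo disabled
    fi
}

# Create a database the way certutil does: the key DB gets an empty password
# at creation, so no login is needed to use it afterwards.
create_with_certutil() {
    dir="$1"
    mkdir -p "$dir"
    certutil -N -d "sql:$dir" --empty-password
}

# Create a database the way modutil does.  -force suppresses the
# "Type 'q <enter>' to abort" prompt.  Per the thread this leaves the DB
# uninitialised, so softoken still wants a login before most operations.
create_with_modutil() {
    dir="$1"
    mkdir -p "$dir"
    modutil -dbdir "sql:$dir" -create -force >/dev/null
}

# Try to list private keys non-interactively.  Prints "usable" when certutil
# reaches the token and reports "no keys found", otherwise "login-required"
# with whatever certutil printed.  stdin is /dev/null and -f points at the
# empty password file so the command can never block on a prompt.
token_state() {
    dir="$1"
    out=$(certutil -d "sql:$dir" -K -f "$EMPTY_PW" </dev/null 2>&1 || true)
    case $out in
        *"no keys found"*) echo usable ;;
        *)                 echo "login-required: $out" ;;
    esac
}

# The workaround shown in the thread: give the modutil-created DB an explicit
# empty password.  The token name differs between FIPS and non-FIPS mode.
set_empty_password() {
    dir="$1"
    if [ "$(fips_state "$dir")" = enabled ]; then
        token="NSS FIPS 140-2 Certificate DB"
    else
        token="NSS Certificate DB"
    fi
    modutil -dbdir "sql:$dir" -changepw "$token" -newpwfile "$EMPTY_PW" -force >/dev/null
}

main() {
    create_with_certutil "$WORK/certutil-db"
    create_with_modutil  "$WORK/modutil-db"
    echo "FIPS mode: $(fips_state "$WORK/certutil-db")"
    echo "certutil -N DB:       $(token_state "$WORK/certutil-db")"
    echo "modutil -create DB:   $(token_state "$WORK/modutil-db")"
    set_empty_password "$WORK/modutil-db"
    echo "after empty changepw: $(token_state "$WORK/modutil-db")"
}

if command -v certutil >/dev/null 2>&1 && command -v modutil >/dev/null 2>&1; then
    main
else
    echo "nss-tools (certutil/modutil) not installed; nothing to run" >&2
fi
```

Run it on a host with nss-tools, once with FIPS mode off and once with it on, and compare the three state lines; the certutil -N database answers "usable" in both modes because it was initialised with an empty password, which is exactly what the thread asks modutil -create to do.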