Bug 1450143 - CA installation with HSM in FIPS mode fails
Summary: CA installation with HSM in FIPS mode fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jack Magne
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-05-11 16:06 UTC by Asha Akkiangady
Modified: 2017-08-01 22:50 UTC (History)

Fixed In Version: pki-core-10.4.1-5.el7
Doc Type: Enhancement
Doc Text:
Certificate System now supports installing a CA using an HSM on FIPS-enabled Red Hat Enterprise Linux

During the installation of a Certificate System Certificate Authority (CA) instance, the installer needs to restart the instance. During this restart, instances on an operating system with Federal Information Processing Standard (FIPS) mode enabled and using a hardware security module (HSM) need to connect to the non-secure HTTP port instead of the HTTPS port. With this update, it is now possible to install a Certificate System instance on FIPS-enabled Red Hat Enterprise Linux using an HSM.
Clone Of:
Environment:
Last Closed: 2017-08-01 22:50:57 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2110 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2017-08-01 19:36:59 UTC

Description Asha Akkiangady 2017-05-11 16:06:00 UTC
Description of problem:
pkispawn CA with HSM and RHEL 7.4 in FIPS mode fails.

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-4.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. RHEL 7.4 server system is in FIPS mode and has the latest available selinux-policy-3.13.1-148.el7.noarch 
2. SELinux is set to permissive due to https://bugzilla.redhat.com/show_bug.cgi?id=1447436#c5
3. pkispawn CA with HSM. 

Actual results:
pkispawn    : INFO     ... finalizing 'pki.server.deployment.scriptlets.finalization'
pkispawn    : INFO     ....... executing 'systemctl enable pki-tomcatd.target'
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart pki-tomcatd@rhcs92-CA-aakkiang.service'
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
...
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: [SSL: SSLV3_ALERT_BAD_RECORD_MAC] sslv3 alert bad record mac (_ssl.c:579)
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: [SSL: SSLV3_ALERT_BAD_RECORD_MAC] sslv3 alert bad record mac (_ssl.c:579)
pkispawn    : ERROR    ... server failed to restart
pkispawn    : DEBUG    ....... Error Type: RuntimeError
pkispawn    : DEBUG    ....... Error Message: server failed to restart
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 500, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/finalization.py", line 66, in spawn
    raise RuntimeError("server failed to restart")

Installation failed: server failed to restart


Debug log has this:
[11/May/2017:11:51:21][localhost-startStop-1]: CMSEngine: checking request serial number ranges for the CA
[11/May/2017:11:51:21][localhost-startStop-1]: Serial Management not enabled. Returning ..
[11/May/2017:11:51:21][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
[11/May/2017:11:51:21][localhost-startStop-1]: Serial Management not enabled. Returning ..
[11/May/2017:11:51:22][http-bio-8443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[11/May/2017:11:51:23][http-bio-8443-exec-2]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
.....

[11/May/2017:11:52:03][http-bio-8443-exec-17]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[11/May/2017:11:52:04][http-bio-8443-exec-18]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

[11/May/2017:11:56:21][Timer-0]: SessionTimer: run()



Shows following SELinux denials:
----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.103:131): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.103:131): arch=c000003e syscall=2 success=yes exit=74 a0=7f6c907265e0 a1=80000 a2=7f6c90714b60 a3=6b6362696c2f3131 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.103:131): avc:  denied  { open } for  pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517785.103:131): avc:  denied  { read } for  pid=14057 comm="java" name="libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.103:132): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.103:132): arch=c000003e syscall=5 success=yes exit=0 a0=4a a1=7f6c99f889c0 a2=7f6c99f889c0 a3=6b6362696c2f3131 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.103:132): avc:  denied  { getattr } for  pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.104:133): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.104:133): arch=c000003e syscall=9 success=yes exit=140103743201280 a0=0 a1=49c8c0 a2=5 a3=802 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.104:133): avc:  denied  { execute } for  pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.105:134): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.105:134): arch=c000003e syscall=42 success=yes exit=0 a0=4a a1=7f6c99f88890 a2=6e a3=7f6c99f88570 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.105:134): avc:  denied  { connectto } for  pid=14057 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Thu May 11 11:49:51 2017
type=PROCTITLE msg=audit(1494517791.745:135): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517791.745:135): arch=c000003e syscall=257 success=yes exit=75 a0=ffffffffffffff9c a1=7f6c901343b0 a2=90800 a3=0 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517791.745:135): avc:  denied  { read } for  pid=14057 comm="java" name="local" dev="dm-0" ino=69042662 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.608:136): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.608:136): arch=c000003e syscall=2 success=yes exit=127 a0=7f6c5c361660 a1=241 a2=1b6 a3=24 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.608:136): avc:  denied  { write open } for  pid=14057 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.608:136): avc:  denied  { create } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.608:136): avc:  denied  { add_name } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
type=AVC msg=audit(1494517846.608:136): avc:  denied  { write } for  pid=14057 comm="java" name="local" dev="dm-0" ino=69042662 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.608:137): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.608:137): arch=c000003e syscall=5 success=yes exit=0 a0=7f a1=7f6c4fef6ef0 a2=7f6c4fef6ef0 a3=1 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.608:137): avc:  denied  { getattr } for  pid=14057 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.609:138): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.609:138): arch=c000003e syscall=82 success=yes exit=0 a0=7f6c5c361660 a1=7f6c5c358b50 a2=fffffffffffffef0 a3=7f6c4fef6d60 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.609:138): avc:  denied  { rename } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.609:138): avc:  denied  { remove_name } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.650:139): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.650:139): arch=c000003e syscall=2 success=yes exit=127 a0=7f6c5c35cbe0 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.650:139): avc:  denied  { read } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.650:140): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.650:140): arch=c000003e syscall=82 success=yes exit=0 a0=7f6c5c35df30 a1=7f6c5c35cbe0 a2=7f6c5c000078 a3=7a items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.650:140): avc:  denied  { unlink } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:51:06 2017
type=PROCTITLE msg=audit(1494517866.457:144): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517866.457:144): arch=c000003e syscall=42 success=yes exit=0 a0=4a a1=7fbe6c118890 a2=6e a3=7fbe6c118570 items=0 ppid=1 pid=14476 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517866.457:144): avc:  denied  { connectto } for  pid=14476 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Thu May 11 11:51:13 2017
type=PROCTITLE msg=audit(1494517873.406:146): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517873.406:146): arch=c000003e syscall=5 success=yes exit=0 a0=4c a1=7fbe6c118ab0 a2=7fbe6c118ab0 a3=0 items=0 ppid=1 pid=14476 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517873.406:146): avc:  denied  { getattr } for  pid=14476 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=69219270 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:51:13 2017
type=PROCTITLE msg=audit(1494517873.406:145): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517873.406:145): arch=c000003e syscall=2 success=yes exit=76 a0=7fbe64160c20 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=14476 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517873.406:145): avc:  denied  { open } for  pid=14476 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=69219270 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517873.406:145): avc:  denied  { read } for  pid=14476 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=69219270 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file


Expected results:
pkispawn should be successful.

Additional info:

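Added example (not part of the report or of pki-core): a small Python parser that reduces the AVC records above to the set of permissions denied per source type, target type and object class, which is the grouping audit2allow uses when it proposes rules. The six sample records are copied from the report; the SYSCALL and PROCTITLE lines are not needed for this and are left out. The allow rules it prints are a reading aid for the denials, not the selinux-policy fix referenced in step 2 of the reproducer.

```python
import re
from collections import defaultdict

# Six AVC records copied from the bug report: the nCipher PKCS#11 library,
# the hardserver socket, and an nfast key file under /opt/nfast/kmdata.
SAMPLE_AVC = """\
type=AVC msg=audit(1494517785.103:131): avc:  denied  { open } for  pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517785.103:131): avc:  denied  { read } for  pid=14057 comm="java" name="libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517785.104:133): avc:  denied  { execute } for  pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517785.105:134): avc:  denied  { connectto } for  pid=14057 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1494517846.608:136): avc:  denied  { write open } for  pid=14057 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.608:136): avc:  denied  { write } for  pid=14057 comm="java" name="local" dev="dm-0" ino=69042662 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
"""

# "type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perm perm } for  k=v k=v ..."
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        # the kernel logs a full path for some records and only a name for others
        'target': fields.get('path') or fields.get('name'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def type_of(context):
    """system_u:system_r:tomcat_t:s0 -> tomcat_t"""
    return context.split(':')[2]


def summarize(text):
    """Collapse denials into {(source type, target type, class): permissions}."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
            summary[key] |= rec['perms']
    return dict(summary)


def denied_targets(text):
    """Map each denied file or socket to the permissions refused on it."""
    out = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['target']:
            out[rec['target']] |= rec['perms']
    return dict(out)


def allow_rules(summary):
    """Render the summary as allow rules in the form audit2allow prints."""
    return [
        f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (s, t, cls), perms in sorted(summary.items())
    ]


if __name__ == '__main__':
    for rule in allow_rules(summarize(SAMPLE_AVC)):
        print(rule)
```

Reading the output: the java process runs as tomcat_t, the nCipher library and key files under /opt/nfast carry pki_common_t, and the hardserver socket belongs to an initrc_t process. Because the reporter had SELinux in permissive mode, the matching SYSCALL records in the report show success=yes: the accesses went through and were only logged, so these denials are not what made the restart fail. Treat the generated rules as a description of what the HSM client needs, to be compared against the selinux-policy bug referenced in step 2, rather than as a module to load as-is.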
Comment 2 Matthew Harmsen 2017-05-12 23:48:16 UTC
The following patch was tested and checked-in:

commit ee5af05036e87a9dad821c9dd8bc0198dac9bd65
Author: Matthew Harmsen <mharmsen@redhat.com>
Date:   Fri May 12 13:00:54 2017 -0600

    Fix CA installation with HSM in FIPS mode
    
    Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
    dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails

Comment 3 Matthew Harmsen 2017-05-16 19:02:20 UTC
commit 641180a465d7fdf12a978c9c458e39bf6829cac2
Author: Matthew Harmsen mharmsen@redhat.com
Date: Tue May 16 12:58:17 2017 -0600

Added FIPS class to pkispawn

Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails

commit 4f11d3b2aad075c965bbccb61112d443e36e4c45
Author: Matthew Harmsen mharmsen@redhat.com
Date: Mon May 15 15:06:04 2017 -0600

Added runtime requirement on sysctl to pki-core spec file

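Added example (not pkispawn's own code, which the page does not reproduce): the behaviour the Doc Text and these commits describe, in Python. fips_enabled() reads the kernel flag behind `sysctl crypto.fips_enabled`, which is why the spec file gained a runtime requirement on sysctl; status_url() sends the post-restart probe to the plain HTTP port only when FIPS mode and an HSM are both in use; wait_for_restart() stops early on repeated TLS handshake failures instead of retrying a BAD_RECORD_MAC for the whole timeout as the log above shows. The getStatus path, the port numbers and the three-failure cutoff are assumptions made for this example.

```python
import ssl
import time
import urllib.error
import urllib.request

# Kernel flag behind `sysctl crypto.fips_enabled`; reads 1 when FIPS mode is on.
FIPS_FLAG = '/proc/sys/crypto/fips_enabled'


def fips_enabled(flag_path=FIPS_FLAG):
    """Report the kernel's FIPS state; a missing flag file counts as disabled."""
    try:
        with open(flag_path) as fh:
            return fh.read().strip() == '1'
    except OSError:
        return False


def status_url(hostname, http_port, https_port, subsystem, fips, hsm):
    """Choose the port to poll while the instance restarts.

    The report shows the HTTPS probe failing with SSLV3_ALERT_BAD_RECORD_MAC
    for as long as the installer retried, so with FIPS mode and an HSM the
    probe goes to the plain HTTP port; every other combination keeps HTTPS.
    The getStatus path is an assumption for this example, not from the page.
    """
    scheme, port = ('http', http_port) if (fips and hsm) else ('https', https_port)
    return f'{scheme}://{hostname}:{port}/{subsystem}/admin/{subsystem}/getStatus'


def default_probe(url, timeout=5):
    """One connection attempt: 'up', 'down' (refused, reset, timed out, or
    listener up but webapp not yet deployed), or 'tls' (handshake failure)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 'up' if resp.status == 200 else 'down'
    except urllib.error.HTTPError:
        return 'down'
    except ssl.SSLError:
        return 'tls'
    except urllib.error.URLError as exc:
        return 'tls' if isinstance(exc.reason, ssl.SSLError) else 'down'
    except OSError:
        return 'down'


def scripted_probe(outcomes):
    """Probe stand-in for dry runs: replay the given outcomes, then stay 'down'."""
    it = iter(outcomes)
    return lambda url: next(it, 'down')


def wait_for_restart(url, timeout=300, interval=1.0, max_tls_failures=3,
                     probe=default_probe, sleep=time.sleep, clock=time.monotonic):
    """Poll until the instance answers.

    Returns 'up', 'timeout' or 'tls-failure'. A handshake error is not a
    "server still down" condition, so after max_tls_failures the loop gives
    up instead of retrying until the deadline as the original log shows.
    """
    start = clock()
    tls_failures = 0
    while True:
        outcome = probe(url)
        if outcome == 'up':
            return 'up'
        if outcome == 'tls':
            tls_failures += 1
            if tls_failures >= max_tls_failures:
                return 'tls-failure'
        if clock() - start >= timeout:
            return 'timeout'
        sleep(interval)


if __name__ == '__main__':
    fips = fips_enabled()
    print('FIPS mode is %s on this operating system.' % ('enabled' if fips else 'NOT enabled'))
    url = status_url('localhost', 8080, 8443, 'ca', fips=fips, hsm=True)
    print('probing', url)
    print(wait_for_restart(url, timeout=5))
```

The probe deliberately distinguishes a refused connection, which only means Tomcat has not bound the port yet, from a TLS alert, which will not clear up by waiting; in the original log both were reported as "server may still be down" and the installer only failed after its full timeout.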
Comment 5 Asha Akkiangady 2017-06-16 15:01:22 UTC
Tested in version: pki-server-10.4.1-9.el7.noarch
Installation of CA, KRA, OCSP, TKS and TPS in FIPS as well as in non-FIPS mode is successful on RHEL 7.4.
pkispawn provides information on whether the system is FIPS enabled or not.

On a FIPS enabled system it shows as follows,
pkispawn    : INFO     ........... FIPS mode is enabled on this operating system.

The installation summary on the FIPS enabled operating system shows explicitly that FIPS is enabled.

CA:
    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /opt/RootCA/caadmincert.p12

      This CA subsystem of the 'rhcs92-CA-aakkiang' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                 algorithms in server.xml in the 'rhcs92-CA-aakkiang' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd@rhcs92-CA-aakkiang.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@rhcs92-CA-aakkiang.service

      The URL for the subsystem is:
            https://xxxxxxxx:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================

KRA:

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             kraadmin
      Administrator's PKCS #12 file:
            /opt/pki-rootKRA-aakkiang/kraadmincert.p12

      This KRA subsystem of the 'rhcs92-KRA-aakkiang' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                 algorithms in server.xml in the 'rhcs92-KRA-aakkiang' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd@rhcs92-KRA-aakkiang.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@rhcs92-KRA-aakkiang.service

      The URL for the subsystem is:
            https://xxxxxxxx:31042/kra

      PKI instances will be enabled upon system boot

    ==========================================================================

OCSP:

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             ocspadmin
      Administrator's PKCS #12 file:
            /opt/pki-rootOCSP-aakkiang/ocspadmincert.p12

      This OCSP subsystem of the 'rhcs92-OCSP-aakkiang' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                 algorithms in server.xml in the 'rhcs92-OCSP-aakkiang' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd@rhcs92-OCSP-aakkiang.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@rhcs92-OCSP-aakkiang.service

      The URL for the subsystem is:
            https://xxxxxxxx:32042/ocsp

      PKI instances will be enabled upon system boot

    ==========================================================================

TKS:
    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             tksadmin
      Administrator's PKCS #12 file:
            /opt/pki-rootTKS-aakkiang/tksadmincert.p12

      This TKS subsystem of the 'rhcs92-TKS-aakkiang' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                 algorithms in server.xml in the 'rhcs92-TKS-aakkiang' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd@rhcs92-TKS-aakkiang.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@rhcs92-TKS-aakkiang.service

      The URL for the subsystem is:
            https://xxxxxxxx:23443/tks

      PKI instances will be enabled upon system boot

    ==========================================================================

TPS:

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             tpsadmin
      Administrator's PKCS #12 file:
            /opt/pki-rootTPS-aakkiang/tpsadmincert.p12

      This TPS subsystem of the 'rhcs92-TPS-aakkiang' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                 algorithms in server.xml in the 'rhcs92-TPS-aakkiang' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd@rhcs92-TPS-aakkiang.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@rhcs92-TPS-aakkiang.service

      The URL for the subsystem is:
            https://xxxxxxxx:30964/tps

      PKI instances will be enabled upon system boot

    ==========================================================================

CA, KRA, OCSP, TKS and TPS installation on a non-FIPS enabled system shows the following information:
pkispawn    : INFO     ........... FIPS mode is NOT enabled on this operating system.


Marking the bug verified.

Comment 8 errata-xmlrpc 2017-08-01 22:50:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

