Bug 1536938
| Summary: | KRA ECC installation fails with HSM and FIPS enabled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sumedh Sidhaye <ssidhaye> |
| Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.5 | CC: | cfu, gkapoor, mharmsen, ssidhaye |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-02-02 17:08:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
No promise that I can look at it this week, but when reporting bugs, please always include:

* environment: HSM? FIPS? (this you supplied, that's good)
* configuration: e.g.
  - for installation: What was the pkispawn config file you used when configuring?
  - for regular operation: What's the relevant configuration (CS.cfg, etc.)
  - call out attention to things you changed for the configuration
* logs: all relevant logs (which you probably have supplied. I did not look, because there is no point of looking unless I know how the system was installed)
* Anything you think might help

Finally, the procedure to reproduce.

I can't speak for others, but normally, if I take a quick look and don't find all the things I need, then I skip on to other matters. Since this bug appears to have affected CA for you, please provide the above listed for the CA case, as that should be easiest to look at and reproduce.

Thanks.

Here is the procedure I am following:

I am using a FIPS enabled environment with HSM.

1. run pkispawn CA with --skip-configuration
2. Change sslRangeCiphers
3. run pkispawn CA with --skip-installation

I am using the attached config file for CA. Earlier I followed the same procedure (with build 10.5.1-5) and I was able to set up the instance, but it is now failing.

Matt, I tried your suggestion for a 1 step install, and I was able to set up CA and KRA. Thanks. It seems that for ECC installation with HSM+FIPS we do not need the 2 step installation. What I am curious about is how the 2 step install for build # 10.5.1-5 worked for CA installation.

Matt, should we close this bug since we have an updated procedure to install instances with ECC using HSM+FIPS?

(In reply to Sumedh Sidhaye from comment #10)
> Matt, should we close this bug since we have an updated procedure to install
> instances with ECC using HSM+FIPS?

Sumedh and Geetika,

Great news!

Sumedh, hold off on closing this bug, as Geetika was encountering an RSA FIPS issue that she has attached to this bug. I have made a suggestion to her, and if it works, this bug can be closed.

Geetika, if my suggestion does not fix the issue, please move this information to another new bug, as your instance uses RSA rather than ECC. Once this is done, then this bug can be closed as it refers to ECC and works according to the new procedure (which I will update on the Wiki).

Thanks,
-- Matt

I'm guessing that CMC installation is tested separately? Please coordinate with Geetika so that installation with both CMC (for CC eval) and non-CMC (for the general public) are tested. Thanks!

Yes, it's being tested with both CMC and non-CMC scenarios.
Created attachment 1384202
pkispawn log

Description of problem:
KRA ECC installation is failing with HSM and FIPS enabled. This is a 2 step installation.

Version-Release number of selected component (if applicable):
root@csqa4-guest01 ~ # pki --version
PKI Command-Line Interface 10.5.1-5.1.el7

How reproducible:
Always

Steps to Reproduce:
1. Run KRA pkispawn using --skip-configuration param
2. Change ssl range ciphers
3. Run KRA pkispawn using --skip-installation param

Actual results:
Step 2 of KRA installation fails with the following error:
ERROR: Unable to access security domain: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:579)

Expected results:
Step 2 of KRA installation should succeed.

Additional info:
CA ECC 2 step setup is working fine. I am attaching the entire pkispawn log for reference. The above error is only shown on the command line after which pkispawn fails.