Bug 1567910 - IPA install with external-CA is failing when FIPS mode enabled.
Summary: IPA install with external-CA is failing when FIPS mode enabled.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Endi Sukma Dewata
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1572548
Reported: 2018-04-16 12:20 UTC by Mohammad Rizwan
Modified: 2020-10-04 21:43 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1572548
Environment:
Last Closed: 2018-10-30 11:07:04 UTC
Target Upstream Version:

Links
System ID Priority Status Summary Last Updated
Github dogtagpki pki issues 3115 None None None 2020-10-04 21:43:09 UTC
Red Hat Product Errata RHBA-2018:3195 None None None 2018-10-30 11:08:05 UTC

Description Mohammad Rizwan 2018-04-16 12:20:12 UTC
Description of problem:
IPA server install failing with external-ca when FIPS mode enabled in 7.5.1. It was passing in 7.5.

Version-Release number of selected component (if applicable):
ipa-server-4.5.4-10.el7_5.1.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install ipa with --external-ca option
2. sign the csr using external-ca
3. Proceed to install ipa-server with external-cert signed in step2

Actual results:
ipa install fail due to:
exception: RuntimeError: CA configuration failed.

Expected results:
ipa install success

Additional info:

Comment 6 Standa Laznicka 2018-04-17 12:05:53 UTC
Endi, Fraser,

In the pkispawn log I am seeing the following:

"""
2018-04-16 06:41:38 pkispawn    : INFO     ....... validating signing certificate
2018-04-16 06:41:39 pkispawn    : DEBUG    ....... Error Type: CalledProcessError
2018-04-16 06:41:39 pkispawn    : DEBUG    ....... Error Message: Command '['pki-server', 'subsystem-cert-validate', '-i', 'pki-tomcat', 'ca', 'signing']' returned non-zero exit status 1
2018-04-16 06:41:39 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 533, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1060, in spawn
    self.validate_system_certs(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 798, in validate_system_certs
    self.validate_system_cert(deployer, nssdb, subsystem, 'signing')
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 793, in validate_system_cert
    subsystem.validate_system_cert(tag)
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 211, in validate_system_cert
    stderr=subprocess.STDOUT)
  File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
"""

It seems that the validation of the signing cert failed for some reason pkispawn keeps for himself. Did PKI in FIPS RHEL 7.5.1 add some harder requirements for these use cases?

Comment 7 Endi Sukma Dewata 2018-04-17 16:21:10 UTC
Mohammad, could you run this command and provide the output? Thanks.

 $ pki-server subsystem-cert-validate -i pki-tomcat -v ca signing

Comment 8 Mohammad Rizwan 2018-04-18 06:23:23 UTC
[root@master ~]# pki-server subsystem-cert-validate -i pki-tomcat -v ca signing
{'certusage': 'SSLCA', 'nickname': 'caSigningCert cert-pki-ca', 'request': '...', 'not_before': 1523875293000.0, 'token': 'Internal Key Storage Token', 'not_after': 1531737693000.0, 'serial_number': 2906561457, 'issuer': u'CN=Test_CA', 'data': '...', 'id': 'signing', 'subject': u'CN=Certificate Authority,O=TESTRELM.TEST'}
  Cert ID: signing
  Nickname: caSigningCert cert-pki-ca
  Usage: SSLCA
  Token: Internal Key Storage Token
Command: pki -d /var/lib/pki/pki-tomcat/alias --token Internal Key Storage Token -C /tmp/tmpfvldwj client-cert-validate Internal Key Storage Token:caSigningCert cert-pki-ca --certusage SSLCA
  Status: ERROR: ObjectNotFoundException: Certificate not found: Internal Key Storage Token:caSigningCert cert-pki-ca

-----------------
Validation failed
-----------------

Comment 11 Endi Sukma Dewata 2018-04-23 19:09:03 UTC
I'm not aware of specific FIPS requirements imposed by PKI, but I'm not the expert in that area. Usually such requirements are imposed by NSS.

Comment 13 Endi Sukma Dewata 2018-04-24 01:59:50 UTC
Apparently it's caused by a token name normalization problem in PKI.
I opened this upstream ticket: https://pagure.io/dogtagpki/issue/2997
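
The failure visible in comment 8 is that the token name reported for the CA signing certificate, "Internal Key Storage Token", is passed through verbatim and ends up as a "token:nickname" prefix on the lookup. NSS addresses certificates on its internal (software) token by bare nickname only; the prefixed form is for other tokens, so the prefixed reference is not found. The following is an added illustration of that normalization, written for this page; it is not pki-server's own code. The alias set, the constructed in-memory store, the "hsm-token-1" token name and the helper names are assumptions; the nickname, issuer, usage and NSS database path come from the comments above.

```python
"""Token-name normalization: why "Internal Key Storage Token:<nickname>" is not found.

Added example, not pki-server code. NSS refers to certificates on the
internal (software) token by bare nickname; only certificates on other
tokens carry a "token:nickname" prefix. The internal token is nevertheless
reported under several names, so a caller that passes the reported name
through verbatim builds a reference NSS cannot resolve.
"""

# Names under which the NSS internal (software) token is reported (assumed alias set).
INTERNAL_TOKEN_NAMES = {
    "internal",
    "Internal Key Storage Token",
    "NSS FIPS 140-2 Certificate DB",  # name of the internal token when NSS runs in FIPS mode
}


def normalize_token(token):
    """Return None for any alias of the internal token, else the token name stripped."""
    if token is None or token.strip() == "":
        return None
    name = token.strip()
    if name in INTERNAL_TOKEN_NAMES:
        return None
    return name


def cert_reference(token, nickname, normalize=True):
    """Build the name NSS expects: bare nickname on the internal token, 'token:nickname' elsewhere."""
    tok = normalize_token(token) if normalize else token
    if tok is None:
        return nickname
    return "%s:%s" % (tok, nickname)


# Constructed stand-in for an NSS database. Keys are the references NSS would
# actually resolve: the CA signing cert on the internal token sits under its
# bare nickname, a cert on a hypothetical hardware token under "token:nickname".
FAKE_NSSDB = {
    "caSigningCert cert-pki-ca": {"usage": "SSLCA", "issuer": "CN=Test_CA"},
    "hsm-token-1:caSigningCert cert-pki-ca": {"usage": "SSLCA", "issuer": "CN=HSM_CA"},
}


def lookup_cert(db, token, nickname, normalize=True):
    """Resolve (token, nickname) against the store; raise the way NSS reports a miss."""
    ref = cert_reference(token, nickname, normalize)
    if ref not in db:
        raise LookupError("ObjectNotFoundException: Certificate not found: %s" % ref)
    return ref, db[ref]


def validate_argv(nssdb_dir, password_file, token, nickname, certusage):
    """argv for a 'pki client-cert-validate' call, with the token normalized first.

    --token is only emitted for a non-internal token; the certificate argument
    is the normalized reference, so the internal-token case passes the bare nickname.
    """
    tok = normalize_token(token)
    argv = ["pki", "-d", nssdb_dir]
    if tok is not None:
        argv += ["--token", tok]
    argv += ["-C", password_file, "client-cert-validate",
             cert_reference(token, nickname), "--certusage", certusage]
    return argv


if __name__ == "__main__":
    nick = "caSigningCert cert-pki-ca"
    # Un-normalized: reproduces the "Certificate not found" from comment 8.
    try:
        lookup_cert(FAKE_NSSDB, "Internal Key Storage Token", nick, normalize=False)
    except LookupError as e:
        print("without normalization:", e)
    # Normalized: the bare nickname resolves on the internal token.
    print("with normalization:", lookup_cert(FAKE_NSSDB, "Internal Key Storage Token", nick))
    # A non-internal token keeps its prefix.
    print("hardware token:", lookup_cert(FAKE_NSSDB, "hsm-token-1", nick))
    print(" ".join(validate_argv("/var/lib/pki/pki-tomcat/alias", "/tmp/pwfile",
                                 "Internal Key Storage Token", nick, "SSLCA")))
```

Running the block prints the not-found error for the verbatim token name, then the successful lookups and a validate command line in which the certificate argument is the bare nickname. The same normalization also matters in FIPS mode, where the internal token reports a different name again, which is why a check against a single literal string is not enough.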

Comment 14 Matthew Harmsen 2018-04-25 00:17:38 UTC
Per RHEL 7.5.z/7.6/8.0 Triage: 10.5.z

Comment 19 Endi Sukma Dewata 2018-04-26 18:45:02 UTC
The fix can be verified with the procedure provided in the original bug description, either with IPA or without IPA.

Comment 22 Nikhil Dehadrai 2018-07-20 11:32:26 UTC
IPA-server Version: ipa-server-4.6.4-2.el7.x86_64

Verified the bug on the basis of the following points:
1. Verified that IPA-server installation for EXTERNAL-CA is successful in FIPS mode.
2. Verified that IPA-server installation is successful in FIPS mode.
3. Verified that IPA-Server installation for EXTERNAL-CA is successful in non-FIPS mode.

Thus on the basis of above observation, marking the status of bug to 'VERIFIED'.

Comment 25 errata-xmlrpc 2018-10-30 11:07:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195
