Bug 1591766 - Ansible Tower support for FIPS mode
Summary: Ansible Tower support for FIPS mode
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Ansible Tower and Controller
Classification: Red Hat
Component: Security
Version: unspecified
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: James Laska
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-06-15 13:37 UTC by Bradley Scalio
Modified: 2019-10-24 19:33 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-18 17:10:20 UTC
Target Upstream Version:
Embargoed:


Attachments
Error during install of Ansible Tower (7.77 KB, text/plain)
2018-06-15 13:37 UTC, Bradley Scalio

Description Bradley Scalio 2018-06-15 13:37:51 UTC
Created attachment 1451927
Error during install of Ansible Tower

Description of problem:

    Ansible Tower is not supported on FIPS-mode enabled hosts.

Version-Release number of selected component (if applicable): 

    Current (3.2.5) 

How reproducible:  

    Repeatable and Reproducible

Steps to Reproduce:

    1. Install Ansible Tower

Actual results:

    -- Tower fails to install

Expected results:

   -- Tower installs and runs for all components and features

Comment 4 Shawn Wells 2018-06-15 13:58:21 UTC
Making BZ public. Unsure why it was marked internal.

Comment 5 Shawn Wells 2018-06-15 14:01:42 UTC
Note there are many sub elements in this:

- When making SAML assertions, Ansible must use FIPS validated random numbers in the generation of SessionIndex in the SAML element AuthnStatement

- Ansible must utilize FIPS-validated cryptographic modules when generating hashes

- When protecting information, such as through Ansible Vault, FIPS validated crypto must be used

- Ansible must utilize FIPS validated cryptographic modules when signing application components/files/objects


Open question to engineering... how would you like this to be broken down? Should this BZ become a parent/tracker bug, with subelements linked to it? Something else?

Comment 6 Bill Nottingham 2018-06-18 17:10:20 UTC
You've got the wrong links, this is tracked here: https://github.com/ansible/tower/issues/644. In any case, this has been discussed, and BZ is not what is used for tracking Tower issues.

If someone from the PubSec team wants access to the Tower issue repo, let us know.

Comment 7 Calvin Smith 2018-06-18 18:57:35 UTC
Link is dead, please fix for people who are interested in tracking this case.

Comment 8 Bill Nottingham 2018-06-18 19:16:46 UTC
Link is not dead, it's a private GitHub repo. Standard way for customers to track RFEs is through support.
