Bug 1663443 - java FIPS and FUTURE policies incorrectly disable DHE_RSA and ECDHE_RSA ciphersuites
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: crypto-policies
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 8.0
Assignee: Tomas Mraz
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks: 1652753 1656418
Reported: 2019-01-04 11:14 UTC by Mohammad Rizwan
Modified: 2020-11-14 12:18 UTC

Fixed In Version: crypto-policies-20181217-4.git9a35207.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-13 22:48:47 UTC
Type: Bug
Target Upstream Version:



Description Mohammad Rizwan 2019-01-04 11:14:00 UTC
Description of problem:
ipa-server-install fails in FIPS mode for [1/28]: configuring certificate server instance

Version-Release number of selected component (if applicable):
  ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64
  ipa-server-dns-4.7.1-7.module+el8+2555+b334d87b.noarch

How reproducible:
always

Steps to Reproduce:
1. Enable fips mode and install ipa-server

Actual results:
[..]
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmppdbjeyia'] returned non-zero exit status 1: 'pkispawn      : ERROR    Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:872)\nconfiguration : ERROR    Server failed to restart\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
ipa-server-install success.

Additional info:
A similar bug is in ON_QA for a different issue: https://bugzilla.redhat.com/show_bug.cgi?id=1656418

Comment 5 Rob Crittenden 2019-01-04 13:23:07 UTC
It is failing during bootstrapping. Only the temporary server cert has been issued at the point of failure.

Comment 8 Deepak Punia 2019-01-08 05:15:26 UTC
DS/CA installation fails after enabling FIPS at the hardware level.
Below are the detailed logs.

Working fine before configuring FIPS:
# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv@master.service → /usr/lib/systemd/system/dirsrv@.service.
Completed installation for master

After configuring FIPS on RHEL 8, DS installation is not working:
# df /boot
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/sda1        1038336 171500    866836  17% /boot

# blkid /dev/sda1
/dev/sda1: UUID="88a7f134-6f62-445e-8c6b-0a9aae0f3478" TYPE="xfs" PARTUUID="6b4463b1-01"

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
done
# reboot

# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
# /usr/sbin/getenforce
Enforcing

# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv@master.service → /usr/lib/systemd/system/dirsrv@.service.
Error: {'desc': "Can't contact LDAP server"}

After disabling FIPS:
[root@dell-pr5820-01 hsm_setup]# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
[root@dell-pr5820-01 hsm_setup]#
[root@dell-pr5820-01 hsm_setup]# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv@master.service → /usr/lib/systemd/system/dirsrv@.service.
Completed installation for master

Attached are the config file and debug logs.

Comment 19 Ondrej Moriš 2019-01-23 09:14:48 UTC
Acceptance Criteria:

 * IPA server can be installed in FIPS mode.

Comment 20 Tomas Mraz 2019-01-23 09:33:31 UTC
(In reply to Ondrej Moriš from comment #19)
> Acceptance Criteria:
> 
>  * IPA server can be installed in FIPS mode.

I believe this is too broad an AC.

I'd suggest AC:

  * java -Djava.security.properties=../outputs/FIPS-java.txt CipherList lists the DHE_RSA and ECDHE_RSA ciphersuites (and the same for FUTURE policy)

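One way to implement the acceptance check proposed in comment 20, as an added example that is not the CipherList program referenced there (its source is not on this page): it prints the suites the JDK leaves enabled once the policy file's jdk.tls.disabledAlgorithms has been applied and exits non-zero if no DHE_RSA or ECDHE_RSA suite survives. It assumes the policy output (FIPS-java.txt or its FUTURE counterpart) is a java.security properties fragment loaded with -Djava.security.properties=<file>.

```java
// CipherList.java: added example, not the test program referenced in the bug.
// Run as:  java -Djava.security.properties=../outputs/FIPS-java.txt CipherList
// Exit status 0 when at least one DHE_RSA and one ECDHE_RSA suite is enabled, 1 otherwise.
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;

public class CipherList {
    // Key-exchange families the acceptance criterion expects to remain enabled.
    static final String[] EXPECTED = {"DHE_RSA", "ECDHE_RSA"};

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        // Suites enabled by default, i.e. after jdk.tls.disabledAlgorithms
        // (set by the crypto-policies Java back-end file) has been applied.
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("Enabled cipher suites (" + enabled.length + "):");
        for (String s : enabled) {
            System.out.println("  " + s);
        }

        boolean ok = true;
        for (String kx : EXPECTED) {
            // "_DHE_RSA_" does not match TLS_ECDHE_RSA_* names, so the two counts stay distinct.
            long n = Arrays.stream(enabled).filter(s -> s.contains("_" + kx + "_")).count();
            System.out.println(kx + " suites enabled: " + n);
            if (n == 0) {
                ok = false;
            }
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once per policy (FIPS and FUTURE); a zero exit for both is the pass condition of the suggested AC.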
