Bug 1673296 - ipa-server-install fails in FIPS mode [NEEDINFO]
Summary: ipa-server-install fails in FIPS mode
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Lucie Maňásková
URL:
Whiteboard:
Duplicates: 1707009
Depends On:
Blocks: 1615765 1679810
Reported: 2019-02-07 09:53 UTC by Mohammad Rizwan
Modified: 2019-07-09 07:50 UTC (History)

Fixed In Version: pki-core-10.6-8010020190613214740.8ba0ffbe
Doc Type: Bug Fix
Doc Text:
IdM server does not work in FIPS
Due to an incomplete implementation of the SSL connector for Tomcat, an Identity Management (IdM) server with a certificate server installed does not work on machines with the FIPS mode enabled.
Clone Of:
Environment:
Last Closed:
Type: Bug
lmanasko: needinfo? (edewata)


Links:
Red Hat Bugzilla 1663443 (priority None, status CLOSED): java FIPS and FUTURE policies incorrectly disable DHE_RSA and ECDHE_RSA ciphersuites (last updated 2019-08-26 15:50:54 UTC)

Description Mohammad Rizwan 2019-02-07 09:53:15 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-4.7.1-10.module+el8+2699+a 
ipa-server-common-4.7.1-10.module+el8
pki-ca-10.6.9-2.module+el8+2728+a4ad6
pki-base-10.6.9-2.module+el8+2728+a4a 

How reproducible:
always


Steps to Reproduce:
1. Enable fips mode and install ipa-server

Actual results:
[..]
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp62qcd027'] returned non-zero exit status 1: 'pkispawn      : ERROR    Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:877)\nconfiguration : ERROR    Server failed to restart\npkispawn      : ERROR    Exception: server failed to restart\n  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn\n    raise Exception("server failed to restart")\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
:: [ 04:18:22 ] :: [   FAIL   ] :: Command ' /usr/sbin/ipa-server-install --setup-dns  --auto-forwarders --reverse-zone=34.19.10.in-addr.arpa. --allow-zone-overlap --hostname=ipaqavmf.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 --ip-address=10.19.34.120 -U' (Expected 0, got 1)

Expected results:
ipa-server-install success


Additional info:
A similar bug [1] was opened, but that didn't resolve the IPA issue.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1663443

Comment 2 Endi Sukma Dewata 2019-02-07 15:15:28 UTC
Moving to pki-core since the failure happens during PKI installation.
See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1663443#c5

Comment 3 Kaleem 2019-02-07 15:22:35 UTC
Endi,

I have provided qa_ack for this. We need a blocker+ for this with justification; let's get that after all acks, so provide dev_ack.

Comment 16 Alex Scheel 2019-05-13 18:25:01 UTC
*** Bug 1707009 has been marked as a duplicate of this bug. ***

Comment 19 Geetika Kapoor 2019-07-08 11:17:59 UTC
Test Environment :

# rpm -qa pki-* nss jss
pki-server-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
jss-4.6.0-2.module+el8.1.0+3370+6d076660.x86_64
nss-3.41.0-5.el8.x86_64
pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-symkey-10.7.1-2.module+el8.1.0+3386+52d02a00.x86_64
pki-base-java-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch
pki-kra-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
pki-tools-10.7.1-2.module+el8.1.0+3386+52d02a00.x86_64
pki-base-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch
pki-ca-10.7.1-2.module+el8.1.0+3386+52d02a00.noarch


Test Steps :

1. Make sure FIPS is enabled.

# cat /proc/sys/crypto/fips_enabled
1
# sysctl crypto.fips_enabled
crypto.fips_enabled = 1


Test Cases :

1. Install CA/KRA with internal.
-- Make sure CA/KRA install works.
-- try to sign certificates > Result: worked
2. Install CA/KRA with HSM.
-- Make sure CA/KRA install works with HSM
-- try to sign certificates > Result: worked
3. Installation without FIPS is taken care of in CI/CD pipelines.
-- Automated Jobs
-- https://gitlab.cee.redhat.com/idm/pki-pytest-ansible/-/jobs/779539
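The verification steps above start from the same two questions a practitioner would ask before filing or re-testing this bug: is the kernel actually in FIPS mode, and does the pki-tomcat TLS endpoint complete a handshake or answer with the handshake_failure alert seen in the pkispawn output? The following POSIX sh script is an added example, not part of the bug report or of the pki-core project; the flag-file path, host and port are assumptions (the defaults match a stock RHEL 8 kernel and a pki-tomcat instance on its usual HTTPS port), and the classification labels are this script's own.

```shell
# Added example, not from the bug report: verify the FIPS precondition used in
# the test steps and probe a TLS endpoint for the handshake alert that
# pkispawn reported. Flag-file path, host and port are assumptions.

# fips_enabled [flagfile]
# Returns 0 when the kernel flag file contains "1"; returns 1 when it
# contains anything else or cannot be read (missing file, no permission).
fips_enabled() {
    _file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$_file" ] || return 1
    _flag=$(tr -d '[:space:]' < "$_file")
    [ "$_flag" = "1" ]
}

# classify_tls_output "<openssl s_client output>"
# Maps s_client output to one label so callers do not pattern-match themselves:
#   handshake-failure  the peer sent a handshake_failure alert (this bug's symptom)
#   no-cipher          no session was negotiated for some other reason
#   ok                 a cipher suite was negotiated
classify_tls_output() {
    if printf '%s\n' "$1" | grep -qi 'alert handshake failure'; then
        echo handshake-failure
    elif printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo no-cipher
    else
        echo ok
    fi
}

# tls_handshake_check [host] [port]
# Runs openssl s_client against host:port, prints "host:port <label>" and
# returns 0 only when a cipher suite was negotiated.
tls_handshake_check() {
    _host="${1:-localhost}"
    _port="${2:-8443}"
    # "Q" on stdin closes the session as soon as the handshake result is known.
    _out=$(printf 'Q\n' | openssl s_client -connect "$_host:$_port" -servername "$_host" 2>&1) || :
    _label=$(classify_tls_output "$_out")
    echo "$_host:$_port $_label"
    [ "$_label" = "ok" ]
}

# Only run the checks when explicitly asked, so the file can also be sourced.
if [ "${FIPS_CHECK_RUN:-0}" = "1" ]; then
    if fips_enabled; then
        echo "fips: enabled"
    else
        echo "fips: disabled (test precondition not met)"
    fi
    tls_handshake_check "${1:-localhost}" "${2:-8443}"
fi
```

Run it on the IdM host as `FIPS_CHECK_RUN=1 sh fips_check.sh ipa.example.test 8443` (hostname is a placeholder); a `handshake-failure` label on the CA port while `fips: enabled` is printed reproduces the condition described in the report without going through a full ipa-server-install.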

