Bug 1991840 - IPA: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: opencryptoki
Version: 8.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: beta
Target Release: 8.6
Assignee: Than Ngo
QA Contact: Karel Srot
Docs Contact: Šárka Jana
Blocks: 2009328
Reported: 2021-08-10 07:21 UTC by Deepak Das
Modified: 2022-05-10 16:35 UTC
Fixed In Version: opencryptoki-3.17.0-1.el8
Doc Type: No Doc Update
Clones: 2009328
Last Closed: 2022-05-10 15:21:16 UTC
Type: Bug

Links
System ID / Private / Priority / Status / Summary / Last Updated
Red Hat Issue Tracker RHELPLAN-92992 / 0 / None / None / None / 2021-08-10 07:25:32 UTC
Red Hat Product Errata RHBA-2022:2030 / 0 / None / None / None / 2022-05-10 15:21:27 UTC

Description Deepak Das 2021-08-10 07:21:03 UTC
Description of problem:

The below error is observed in RHEL 8.4 in a customer IPA environment where FIPS is enabled. The error is observed for IPA services.

But this error can be observed in both FIPS and non-FIPS environments.

- /var/log/messages

  ----------------------------------------------------------------------------
  Jul  6 12:35:21 ipaserver java[4621]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
  Jul  6 12:37:40 ipaserver sslget[4663]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
  Jul  6 12:37:42 ipaserver dogtag-ipa-renew-agent-submit[4783]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
  Jul  6 12:37:52 ipaserver certutil[5026]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
  Jul  6 12:39:55 ipaserver ns-slapd[5205]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
  ----------------------------------------------------------------------------

- The customer environment is as below.

  * /etc/redhat-release 
    Red Hat Enterprise Linux release 8.4 (Ootpa)

  * sos_commands/crypto/fips-mode-setup_--check
    FIPS mode is enabled.


1) The affected IPA server contains the following files.
   
     - crypto-policies-20210209-1.gitbfb6bed.el8_3.noarch: /etc/crypto-policies/back-ends/nss.config

        ----------------------------------------------------------------------
        library=
        name=Policy
        NSS=flags=policyOnly,moduleDB
        config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"

        name=p11-kit-proxy
        library=p11-kit-proxy.so
        ----------------------------------------------------------------------

     - nss-3.53.1-17.el8_3.x86_64: /etc/crypto-policies/local.d/nss-p11-kit.config

       ---------------------------------
       name=p11-kit-proxy
       library=p11-kit-proxy.so
       ---------------------------------

     $ ls -l etc/crypto-policies/back-ends/nss.config
        -rw-rwxrw-+ 1 yank yank 391 Jun 23 18:05 etc/crypto-policies/back-ends/nss.config  

2) Removing the parameters "name=p11-kit-proxy" and "library=p11-kit-proxy.so" stops the error from being generated in the "/var/log/messages" file.

3) If the file "/etc/crypto-policies/local.d/nss-p11-kit.config" is not present, then a soft link file is created when the below command is run.

     # fips-mode-setup --enable

     After the above command is run, the file "/etc/crypto-policies/back-ends/nss.config" is created as a soft link to "/usr/share/crypto-policies/FIPS/nss.txt",
     which does not have the 2 parameters, and no error is observed.

   
     - # cat /usr/share/crypto-policies/FIPS/nss.txt
       ----------------------------------------------------------------------
       library=
       name=Policy
       NSS=flags=policyOnly,moduleDB
       config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
       ----------------------------------------------------------------------

      $ ls -l /etc/crypto-policies/back-ends/nss.config
         lrwxrwxrwx. 1 root root 39 Jul 28 16:33 /etc/crypto-policies/back-ends/nss.config -> /usr/share/crypto-policies/FIPS/nss.txt

4) As per link [1], it was mentioned that the issue was fixed in IPA 4.8.0 for SoftHSM, but on further review it was only for testing.
   Please refer to PR links [2] and [3].

5) As mentioned in point 2, the error is not observed if the 2 parameters are removed from the file.

    But instead of a workaround, is there any other method through which we can avoid the error?


[1]: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/XFYVC6MUAKYLRIR6H6WM6SD4USLMIG2E/
[2]: https://github.com/freeipa/freeipa/pull/2680
[3]: https://github.com/freeipa/freeipa/pull/2679



Version-Release number of selected component (if applicable):

ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64

How reproducible:

Always

Steps to Reproduce:

1. Make sure file "/etc/crypto-policies/local.d/nss-p11-kit.config" is present.

2. Enable FIPS as below.

   # fips-mode-setup --enable
 
3. Reboot the server.

4. Make sure the below is a normal file and contains the parameters
   "name=p11-kit-proxy" and "library=p11-kit-proxy.so".

   # ls -l /etc/crypto-policies/back-ends/nss.config

   # cat /etc/crypto-policies/back-ends/nss.config

5. Restart IPA service

   # ipactl restart
   # ipactl status

6. Check for the error in "/var/log/messages" file.

   # grep LCK..APIlock /var/log/messages


Actual results:

Error "usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock" is observed for IPA services in "/var/log/messages".

Expected results:

The error should not be observed.

Additional info:

There does not seem to be any impact on IPA performance / operations.

Comment 1 Florence Blanc-Renaud 2021-08-18 18:01:18 UTC
A few notes on this error message:
- it has no relationship with FIPS mode; it can also happen in non-FIPS mode
- it happens as soon as opencryptoki is installed
- it also happens in SELinux permissive mode

Simple reproducer:
1. p11-kit list-modules
   does not produce the log in the journal
2. dnf install -y opencryptoki; p11-kit list-modules
   produces the log in the journal: p11-kit[5645]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

Hence I am moving this issue to opencryptoki component.
Reproduced with opencryptoki-3.15.1-5.el8.x86_64 (rhel 8.4)
Not reproduced with opencryptoki-3.14.0-5.el8.x86_64 (rhel 8.3)

Note: an selinux-policy BZ also mentions this issue (https://bugzilla.redhat.com/show_bug.cgi?id=1894132) but it seems unrelated as there is no AVC in this case

Comment 2 Than Ngo 2021-08-19 18:25:49 UTC
It looks like the same issue reported at https://bugzilla.redhat.com/show_bug.cgi?id=1894132

*** This bug has been marked as a duplicate of bug 1894132 ***

Comment 5 Florence Blanc-Renaud 2021-08-20 07:03:12 UTC
Note that manually enabling + starting pkcsslotd fixes the issue:

# systemctl enable --now pkcsslotd
>> creates the /run/lock/opencryptoki/LCK..APIlock file
# p11-kit list-modules
>> does not produce the issue anymore
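As an added triage helper (not code from the bug report or from opencryptoki), the script below pulls together the two observations above: which programs are logging the message in the description's /var/log/messages excerpt, whether nss.config loads p11-kit-proxy, and the verdict comment 5 arrives at when the lock file that pkcsslotd creates is missing. The log lines and config are constructed samples, and the lock file path passed at the end is a placeholder.

```shell
#!/bin/sh
# Triage helper for the "Could not open /run/lock/opencryptoki/LCK..APIlock"
# message. Added example, not from the bug report or opencryptoki itself.
# Pure text analysis of a syslog excerpt and an nss.config; touches nothing.

# Print the distinct programs that logged the message, one per line.
# Assumes the classic syslog layout "Mon DD HH:MM:SS host prog[pid]: text".
apilock_reporters() {
  grep 'Could not open /run/lock/opencryptoki/LCK\.\.APIlock' "$1" |
    awk '{ sub(/\[[0-9]+\]:$/, "", $5); print $5 }' | sort -u
}

# Succeed if nss.config loads p11-kit-proxy, which is what pulls every
# p11-kit module, opencryptoki included, into each NSS user on the host.
nss_loads_p11kit_proxy() {
  grep -q '^[[:space:]]*library=p11-kit-proxy\.so' "$1"
}

# One-line verdict. $1 = nss.config path, $2 = lock file path.
diagnose() {
  if [ -e "$2" ]; then
    echo "lock file $2 exists: pkcsslotd has run, messages should have stopped"
  elif nss_loads_p11kit_proxy "$1"; then
    echo "NSS loads p11-kit-proxy but $2 is missing: pkcsslotd not running (systemctl enable --now pkcsslotd)"
  else
    echo "NSS does not load p11-kit-proxy: check the reporting programs for another libopencryptoki.so user"
  fi
}

# Constructed sample input modelled on the report (not real log data).
log=$(mktemp) && conf=$(mktemp)
cat >"$log" <<'EOF'
Jul  6 12:35:21 ipaserver java[4621]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Jul  6 12:37:40 ipaserver sslget[4663]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Jul  6 12:37:41 ipaserver systemd[1]: Started IPA server.
Jul  6 12:39:55 ipaserver ns-slapd[5205]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
EOF
cat >"$conf" <<'EOF'
library=
name=Policy
NSS=flags=policyOnly,moduleDB

name=p11-kit-proxy
library=p11-kit-proxy.so
EOF
reporters=$(apilock_reporters "$log" | tr '\n' ' ')
verdict=$(diagnose "$conf" /nonexistent/LCK..APIlock)   # placeholder lock path
echo "reporters: $reporters"
echo "$verdict"
```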

Comment 6 Than Ngo 2021-08-20 16:05:50 UTC
I can reproduce this issue with your reproducer. Thanks.

Comment 14 Karel Srot 2021-09-10 09:40:51 UTC
Hi Than,
I have tried the provided test package and noticed a regression.
Previously (opencryptoki-3.15.1-6.el8_4.x86_64), with pkcsslotd started, I can see opencryptoki tokens listed in the p11-kit list-modules output:

# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opencryptoki: libopencryptoki.so
    library-description: openCryptoki
    library-manufacturer: IBM
    library-version: 3.15

and with opencryptoki-swtok installed I can see:

...
opencryptoki: libopencryptoki.so
    library-description: openCryptoki
    library-manufacturer: IBM
    library-version: 3.15
    token: softtok
        manufacturer: IBM
        model: Soft
        serial-number: 
        flags:
               rng
               login-required
               clock-on-token
               user-pin-to-be-changed
               so-pin-to-be-changed

However, with opencryptoki-3.15.1-7.1.el8_4.x86_64 installed the output is only:

# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized

# ls -l /run/lock/opencryptoki/LCK..APIlock
-r--r-----. 1 root pkcs11 0 Sep 10 05:30 /run/lock/opencryptoki/LCK..APIlock
# ls -Z /run/lock/opencryptoki/LCK..APIlock
system_u:object_r:pkcs_slotd_lock_t:s0 /run/lock/opencryptoki/LCK..APIlock


There are no AVCs and it doesn't work with SELinux in permissive mode either.

Comment 33 errata-xmlrpc 2022-05-10 15:21:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (opencryptoki bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2030
