Bug 2016164 - IdM Install fails on RHEL 8.5 Beta when DISA STIG is applied
Summary: IdM Install fails on RHEL 8.5 Beta when DISA STIG is applied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.5
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Assignee: Marco Fargetta
QA Contact: idm-cs-qe-bugs
Docs Contact: Florian Delehaye
URL:
Whiteboard:
Duplicates: 2168264
Depends On:
Blocks:
Reported: 2021-10-20 19:59 UTC by Mike Ralph
Modified: 2023-09-18 04:27 UTC (History)
CC List: 17 users

Fixed In Version: pki-core-10.6-8080020230203154518.c5b4fe3c
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 08:36:02 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
ipaserver-install log (387.65 KB, text/plain), 2021-10-20 19:59 UTC, Mike Ralph


Links
Red Hat Issue Tracker RHCS-3434 (last updated 2022-11-18 09:53:59 UTC)
Red Hat Issue Tracker RHCS-3435 (last updated 2022-11-18 09:55:49 UTC)
Red Hat Issue Tracker RHELPLAN-100405 (last updated 2021-10-20 20:01:41 UTC)
Red Hat Product Errata RHBA-2023:2826 (last updated 2023-05-16 08:36:38 UTC)

Description Mike Ralph 2021-10-20 19:59:06 UTC
Created attachment 1835336 [details]
ipaserver-install log

Description of problem:
  - IdM fails to install on RHEL 8.5 BETA when DISA STIG is applied.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.


Version-Release number of selected component (if applicable):
  - RHEL 8.5 BETA


How reproducible:
  - Always

Steps to Reproduce:
1. Install RHEL 8.5 BETA
2. Run "ipa-server-install --mkhomedir --setup-dns --no-forwarders --reverse-zone=110.168.192.in-addr.arpa --no-dnssec-validation --allow-zone-overlap --setup-adtrust --netbios-name=BETA --setup-kra"


Actual results:
  - Install fails during "Configuring certificate server (pki-tomcatd)" phase.

Expected results:
  - Install succeeds.

Additional info:
  - attached ipaserver-install.log

Comment 1 Rob Crittenden 2021-10-20 20:11:02 UTC
Can you also attach /var/log/pki/pki-tomcat/ca/debug?

And the output of journalctl -u pki-tomcatd@pki-tomcat

Comment 2 Mike Ralph 2021-10-21 12:49:23 UTC
(In reply to Rob Crittenden from comment #1)
> Can you also attach /var/log/pki/pki-tomcat/ca/debug?
> 
> And the output of journalctl -u pki-tomcatd@pki-tomcat

# journalctl -u pki-tomcatd@pki-tomcat
-- Logs begin at Thu 2021-10-21 08:37:46 EDT, end at Thu 2021-10-21 08:46:34 EDT. --
Oct 21 08:43:43 idms.beta.example.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 21 08:43:45 idms.beta.example.com java[2471]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Oct 21 08:43:47 idms.beta.example.com pki-server[2465]: ProviderException: Initialization failed
Oct 21 08:43:47 idms.beta.example.com systemd[1]: pki-tomcatd: Control process exited, code=exited status=255
Oct 21 08:43:47 idms.beta.example.com systemd[1]: pki-tomcatd: Failed with result 'exit-code'.
Oct 21 08:43:47 idms.beta.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.

The only things that are in /var/log/pki/pki-tomcat/ca/ are the archive and signedAudit directories.

Comment 3 Mike Ralph 2021-10-21 13:50:49 UTC
I have tried this with just FIPS enabled, no STIG, and it still fails.
# journalctl -u pki-tomcatd@pki-tomcat
-- Logs begin at Thu 2021-10-21 09:39:05 EDT, end at Thu 2021-10-21 09:49:14 EDT. --
Oct 21 09:47:06 idm.beta.example.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 21 09:47:08 idm.beta.example.com java[2371]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Oct 21 09:47:09 idm.beta.example.com pki-server[2367]: ProviderException: Initialization failed
Oct 21 09:47:09 idm.beta.example.com systemd[1]: pki-tomcatd: Control process exited, code=exited status=255
Oct 21 09:47:09 idm.beta.example.com systemd[1]: pki-tomcatd: Failed with result 'exit-code'.
Oct 21 09:47:09 idm.beta.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.

There is still no debug file in /var/log/pki/pki-tomcat/ca/ and only the same two directories as above.

Comment 4 Rob Crittenden 2021-10-21 13:54:57 UTC
Re-assigning product since it is the CA that is failing to start.

Comment 5 Mike Ralph 2021-10-21 16:05:58 UTC
Here is where it fails when I have the -d option with ipa-server-install
-----------------------------------------
INFO: Creating /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
INFO: Starting PKI server
DEBUG: Command: systemctl start pki-tomcatd
Job for pki-tomcatd failed because the control process exited with error code.
See "systemctl status pki-tomcatd" and "journalctl -xe" for details.
CalledProcessError: Command '['systemctl', 'start', 'pki-tomcatd']' returned non-zero exit status 1.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 702, in spawn
    timeout=deployer.request_timeout)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 335, in start
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)


Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 629, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 213, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 567, in handle_setup_error
    ) from None
RuntimeError: CA configuration failed.

  [error] RuntimeError: CA configuration failed.
  [error] RuntimeError: CA configuration failed.
Removing /root/.dogtag/pki-tomcat/ca
  File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 575, in main
    master_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 275, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 909, in install
    ca.install_step_0(False, None, options, custodia=custodia)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ca.py", line 355, in install_step_0
    pki_config_override=options.pki_config_override,
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 503, in configure_instance
    self.start_creation(runtime=runtime)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 629, in __spawn_instance
    nolog_list=nolog_list
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 213, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 567, in handle_setup_error
    ) from None

The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
CA configuration failed.

Comment 7 Zachary Thompson 2021-11-18 22:44:32 UTC
CC: zthompso

Comment 8 richard.wiggins.ctr 2021-11-26 04:31:52 UTC
Hello,

11/24/2021 -
We are having the same issue with running either ipa-server-install or ipa-replica-install on RHEL 8.5 ipa-server 4.9.6 when selecting the DISA STIG security profile.

11/25/2021 -
Today I ran a lab running either ipa-server-install or ipa-replica-install on multiple VMs with different configurations:

The ipa-server-install or ipa-replica-install fails at -

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.

when FIPS mode is not enabled, but DISA STIG is selected under Security Profile.
when FIPS mode is enabled and DISA STIG is selected under Security Profile.
-----------------------------------------------------------------------------------------------------

The installation succeeds if:

FIPS mode is not enabled and DISA STIG is not selected under Security Profile.
FIPS mode is enabled and DISA STIG is not selected under Security Profile.

A review of /var/log/pki/pki-tomcat/ca/debug.2021-11-24.log has repeated instances of

"java.security.AccessControlException: access denied: ("java.io.FilePermission" "/var/run/pki/tomcat/pki-tomcat.pid" "read")"

Hope this helps some. We are in an "air-gapped" network so I cannot export the logs; the ipaserver-install.log and ipareplica-install.log do not contain failures,
so I reviewed the debug log to find it full of the errors listed above.

Thank you,
Rick
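
Two distinct failure signatures appear in this bug: the journal shows pki-tomcatd dying with "ProviderException: Initialization failed" (comments 2 and 3), while the CA debug log in the STIG case is full of Java "FilePermission" denials on the pki-tomcat.pid file (comment 8). The script below is an added triage example, not code from this bug report or from the IdM/pki projects: it scans journalctl output and the CA debug log for those two signatures and names which one is present so the right log gets examined first. The sample lines are constructed to mirror the shapes quoted on this page, the CS.cfg denial line is invented to show a second path, and the verdict labels are my own.

```python
"""Triage helper for pki-tomcatd start-up failures during ipa-server-install.

Added example (not from this bug report or the pki/IdM projects). Sample
inputs are constructed to match the log shapes quoted in comments 2 and 8.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample journal output in the shape of comment 2 (not verbatim).
SAMPLE_JOURNAL = """\
Oct 21 08:43:43 idms.beta.example.com systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Oct 21 08:43:45 idms.beta.example.com java[2471]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Oct 21 08:43:47 idms.beta.example.com pki-server[2465]: ProviderException: Initialization failed
Oct 21 08:43:47 idms.beta.example.com systemd[1]: pki-tomcatd: Control process exited, code=exited status=255
Oct 21 08:43:47 idms.beta.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
"""

# Constructed sample CA debug-log lines in the shape quoted in comment 8;
# the CS.cfg line is invented to show a second (path, action) pair.
SAMPLE_DEBUG = """\
java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/run/pki/tomcat/pki-tomcat.pid" "read")
java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/run/pki/tomcat/pki-tomcat.pid" "read")
java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/pki/pki-tomcat/ca/CS.cfg" "write")
"""

# Tolerates the JDK wording 'access denied (...)' and the colon variant
# 'access denied: (...)' exactly as it was pasted in comment 8.
FILE_PERMISSION_RE = re.compile(
    r'AccessControlException: access denied:?\s*'
    r'\("java\.io\.FilePermission"\s+"([^"]+)"\s+"([^"]+)"\)'
)
EXIT_STATUS_RE = re.compile(r'pki-tomcatd.*code=exited status=(\d+)')


@dataclass
class Triage:
    provider_init_failed: bool = False
    opencryptoki_lock_missing: bool = False
    service_exit_status: Optional[int] = None
    # (path, action) -> number of denials seen in the debug log
    denied: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def verdict(self) -> str:
        """Name the dominant signature (labels are this example's own)."""
        if self.denied:
            return "java-filepermission-denied"
        if self.provider_init_failed:
            return "crypto-provider-init-failed"
        if self.service_exit_status is not None:
            return "pki-tomcatd-exit-without-signature"
        return "no-known-signature"


def triage(journal_text: str, debug_log_text: str) -> Triage:
    """Scan journalctl output and the CA debug log for the known signatures."""
    result = Triage()
    for line in journal_text.splitlines():
        if "ProviderException: Initialization failed" in line:
            result.provider_init_failed = True
        if "Could not open /run/lock/opencryptoki" in line:
            # Recorded separately so it can be correlated with the failure
            # rather than assumed to be its cause.
            result.opencryptoki_lock_missing = True
        m = EXIT_STATUS_RE.search(line)
        if m:
            result.service_exit_status = int(m.group(1))
    for m in FILE_PERMISSION_RE.finditer(debug_log_text):
        key = (m.group(1), m.group(2))
        result.denied[key] = result.denied.get(key, 0) + 1
    return result


def report(t: Triage) -> str:
    """Human-readable summary, one line per finding."""
    lines = [f"verdict: {t.verdict()}"]
    if t.service_exit_status is not None:
        lines.append(f"pki-tomcatd control process exit status: {t.service_exit_status}")
    if t.provider_init_failed:
        lines.append("Java security provider failed to initialise (see journal)")
    if t.opencryptoki_lock_missing:
        lines.append("opencryptoki lock file could not be opened (correlate, do not assume)")
    for (path, action), n in sorted(t.denied.items()):
        lines.append(f"FilePermission {action} denied on {path} ({n}x)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage on a real host: feed it `journalctl -u pki-tomcatd@pki-tomcat`
    # and the contents of /var/log/pki/pki-tomcat/ca/debug.<date>.log.
    print(report(triage(SAMPLE_JOURNAL, SAMPLE_DEBUG)))
```

The denial counter keys on the (path, action) pair rather than the raw line, so a log that repeats the same denial hundreds of times collapses to one entry per file, which is what you need when deciding whether a STIG-applied Java policy or file mode is blocking the CA from reading its own pid file.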

Comment 11 Mike Ralph 2022-02-21 15:23:08 UTC
To get this installed I had to downgrade the three openjdk packages. They are currently at:
  java-1.8.0-openjdk.x86_64               1:1.8.0.302.b08-0.el8_4
  java-1.8.0-openjdk-devel.x86_64         1:1.8.0.302.b08-0.el8_4
  java-1.8.0-openjdk-headless.x86_64      1:1.8.0.302.b08-0.el8_4

The same three packages were originally at 1:1.8.0.312.b07-1.el8_4 when IdM failed to install.

Comment 12 Zachary Thompson 2022-02-21 15:35:38 UTC
I had attempted this previously, rolling it back several versions; this did not work in any of the instances I tested it in with the above conditions, either applying the DISA STIG profile at install or applying it after installation with openscap --remediate.

Comment 13 Mike Ralph 2022-02-21 16:07:45 UTC
(In reply to Zachary Thompson from comment #12)
> I had attempted this previously rolling it back several versions, this did
> not work in any of the instances I tested it in with the above conditions,
> either applying DISA STIG profile at install OR applying it after
> installation with openscap --remediate.

My testing was done with DISA STIG applied at install and downgrading openjdk once from the current release.

Comment 55 Florence Blanc-Renaud 2023-03-22 12:34:38 UTC
*** Bug 2168264 has been marked as a duplicate of this bug. ***

Comment 57 errata-xmlrpc 2023-05-16 08:36:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pki-core:10.6 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2826

Comment 58 Red Hat Bugzilla 2023-09-18 04:27:21 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

