Ticket was cloned from Red Hat Bugzilla (product Red Hat Directory Server): Bug 951708
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
Customer has an issue where he is not able to connect to the Admin server over HTTPS with SSL enabled on the server when FIPS mode is turned on on the admin server's certificate DB using modutil:

=== modutil -dbdir /location/of/dirsrv/instance -fips true ===

But when he uses modutil on the admin server's certificate DB and disables FIPS mode, but keeps the directory server's certificate DB in FIPS mode, the configuration tab works without issue.

This is a new deployment; there were no changes other than now trying to enable full SSL throughout the console. The admin server is local to the directory server and is not remote. The admin and directory server are both running; we can query against them but cannot open the configuration tab when FIPS mode is enabled on the admin server's certificate database.

Customer would like to enable FIPS mode on his admin server's certificate database and still have the ability to use the admin server's configuration tab; the purpose of doing this is to use SSL/TLS in the console and require the use of user certificates for login. The OS is not in FIPS mode.

Version-Release number of selected component (if applicable):
RHDS 8.2 running on RHEL 5.7

How reproducible:
100%

Steps to Reproduce:
1. I received a server certificate from a third party.
2. I installed the Administration server and a directory server instance on the same machine.
3. I shut down the server and update the certificate DB using modutil to enable FIPS mode for both the admin server and the directory server.
4. I add the server certificate to both DBs as well as the CAs and CRLs.
5. I open the IDM console, select Directory Server > Configuration > Encryption.
6. I enable SSL, select Use this cipher Family: RSA, select the NSS FIPS 140-2 Certificate DB, select the server certificate, select Allow client authentication, select Check hostname...
7. I restart dirsrv and dirsrv-admin.
8. I open the IDM console, select Directory Server > Configuration > Encryption, then enable Use SSL in Console.
9. I open Administration Server > Configuration > Encryption.
10. I enable SSL for this server, select Use this cipher Family: RSA, select the NSS FIPS 140-2 Certificate DB, select the server certificate.
11. Select Configuration DS and check Secure Connection.
12. Select User DS and set it to use a secure connection.
13. Stop dirsrv, restart dirsrv-admin, start dirsrv.
14. I open the IDM console, select Directory Server; all tabs and actions work (except for Manage Certificates: Token error).
15. I open the Administration Server, select Configuration and I get a 500 error.
16. I disable FIPS mode on the admin server's certificate DB, update the DB name and restart the service.
17. I open the Administration Server and everything works.
18. I update the Administration Server's cipher settings to not check any SSL 2.0 ciphers, uncheck all SSL 3.0 ciphers, and select all under TLS.
19. I restart dirsrv and dirsrv-admin.
20. I open the IDM console, select Directory Server; all tabs and actions work (except for Manage Certificates: Token error).
21. I open the Administration Server, select Configuration and I get a 500 error and the error message from my initial post.
22. I update the Administration Server's cipher settings to not check any SSL 2.0 ciphers, check only 3DES FIPS in SSL 3.0 ciphers, and select all under TLS.
23. I restart dirsrv and dirsrv-admin.
24. I open the IDM console, select Directory Server; all tabs and actions work (except for Manage Certificates: Token error).
25. I open the Administration Server; all tabs and actions work (except for Manage Certificates: Token error).

Actual results:
Opening the Administration Server and selecting Configuration gives a 500 error.

Expected results:
Use of the configuration tab with FIPS mode on.

Additional info:
*This customer is in a secure environment*
Could reproduce the problem with the latest admin server / Console.
Fix suggestions from Rich:
1) I see cipher suites are hardcoded and set in this class: idm-console-framework/src/com/netscape/management/client/security/CipherPreferenceDialog.java
I don't see any FIPS mode checking and excluding non-FIPS ciphers effort there as we do in ssl.c in the server code. Can we do the same on Console? For instance, Console could be located on any host, even on Windows, and connect to the server remotely. Can we still get the information? Or should the knowledge about FIPS being enabled or not on the server side be manually handled by the Console user? For instance, should we prepare a button on Console to set FIPS enabled? Then, we drop non-FIPS approved ciphers?
Yes. You could use the security CGI or perhaps the sec-activate CGI. You may have to add another command to these to return both the currently configured cipher list from nss.conf, and the allowed cipher list from NSS itself.
2) Do we have a Java API that tells us if a cipher suite is FIPS approved or not? Something equivalent to this API...

```c
SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[idx].num, &info, sizeof info)) {
    if (info.isFIPS) {
        ...
    }
```
I don't think so, and at any rate, it is server dependent, not console dependent, so this information would have to be returned in the same manner as in 1) above and probably by the same CGI.
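The two answers above describe the intended split: the server-side CGI returns both the cipher list configured in nss.conf and the list NSS itself reports as FIPS-approved, and the Console filters one against the other instead of deciding on its own. The following Python sketch is an added illustration of that filtering step and is not code from 389-admin or the Console; the NSSCipherSuite directive text and the FIPS-approved set are constructed samples (on a real server the approved set would be whatever NSS reports through the isFIPS flag that ssl.c consults, fetched via the security CGI), and the directive syntax assumed is the `+name,-name` form mod_nss uses.

```python
"""Filter an nss.conf NSSCipherSuite directive against a FIPS-approved set.

Added example, not 389-admin or Console code. SAMPLE_DIRECTIVE and
SAMPLE_FIPS_ALLOWED are constructed; the real approved set comes from NSS.
"""
import re

# Constructed sample of a mod_nss directive in its usual '+name,-name' form.
SAMPLE_DIRECTIVE = (
    "NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,"
    "-rsa_des_sha,-rsa_null_md5,+fips_3des_sha,-fips_des_sha,"
    "+rsa_aes_128_sha,+rsa_aes_256_sha"
)

# Constructed stand-in for what the server would return: the suites NSS
# flags as FIPS-approved. Only 3DES and AES suites are listed here.
SAMPLE_FIPS_ALLOWED = frozenset({
    "rsa_3des_sha", "fips_3des_sha", "rsa_aes_128_sha", "rsa_aes_256_sha",
})


def parse_cipher_suite(directive):
    """Map cipher name -> enabled flag, preserving the directive's order.

    Raises ValueError on anything that is not a well-formed directive, so a
    truncated or hand-edited nss.conf is reported instead of being read as
    'no ciphers enabled'.
    """
    match = re.match(r"\s*NSSCipherSuite\s+(\S+)\s*$", directive)
    if not match:
        raise ValueError("not an NSSCipherSuite directive")
    configured = {}
    for token in match.group(1).split(","):
        if len(token) < 2 or token[0] not in "+-":
            raise ValueError(f"malformed cipher token: {token!r}")
        configured[token[1:]] = token[0] == "+"
    return configured


def split_for_fips(configured, fips_allowed):
    """Return (kept, dropped): enabled suites that are FIPS-approved vs. not."""
    enabled = [name for name, on in configured.items() if on]
    kept = [name for name in enabled if name in fips_allowed]
    dropped = [name for name in enabled if name not in fips_allowed]
    return kept, dropped


def has_fips_cipher(configured, fips_allowed):
    """True if at least one enabled suite survives FIPS filtering.

    In the ticket the Configuration tab answered with a 500 until a FIPS
    3DES suite was checked; this guard flags a selection that would leave
    no approved suite enabled before it is written to the server.
    """
    kept, _ = split_for_fips(configured, fips_allowed)
    return bool(kept)


def render_directive(configured, fips_allowed):
    """Rebuild the directive with every non-FIPS suite switched to '-'."""
    tokens = []
    for name, on in configured.items():
        keep = on and name in fips_allowed
        tokens.append(("+" if keep else "-") + name)
    return "NSSCipherSuite " + ",".join(tokens)


if __name__ == "__main__":
    conf = parse_cipher_suite(SAMPLE_DIRECTIVE)
    kept, dropped = split_for_fips(conf, SAMPLE_FIPS_ALLOWED)
    print("kept:   ", kept)
    print("dropped:", dropped)
    print(render_directive(conf, SAMPLE_FIPS_ALLOWED))
```

The order of the directive is preserved so the rewritten line diffs cleanly against the original nss.conf, and the guard in has_fips_cipher is the check a Console-side dialog would run before saving, since a selection with no approved suite left is the state the reproduction steps above ended in.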
git patch file (master) 0001-Ticket-47493-Configuration-Tab-does-not-work-with-FI.patch
Reviewed by Mark (Thank you!!)
Pushed to master: d077f9a..c9b6de5 master -> master commit c9b6de5743e2fd7c965a1b8e99c3942b6734aed7
git patch file (adminserver master) -- FIPS support (security.c) 0001-Ticket-47493-Configuration-Tab-does-not-work-with-FI.2.patch
Pushed to master: 6b0e745..8fc8d1d master -> master commit 8fc8d1dca1546a285dd7505a8ecb6602c748ac8b
Metadata Update from @nhosoi: - Issue assigned to nhosoi - Issue set to the milestone: 389-admin,console 1.1.36
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: https://github.com/389ds/389-ds-base/issues/830
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)