#47493 Configuration Tab does not work with FIPS mode enabled
Closed: wontfix None Opened 10 years ago by rmeggins.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Directory Server): Bug 951708

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem: Customer has an issue where he is not able to connect
to the Admin server over HTTPS with SSL enabled on the server when the FIPS
mode is turned on, on the admin servers certificate DB using modutil.
===
modutil -dbdir /location/of/dirsrv/instance -fips true
===

But when he uses modutil on the admin servers certificate DB and disable fips
mode but keeps the directory servers certificate DB in fips mode, the
configuration tab works without issue.

This is a new deployment, there were no changes other than now trying to enable
full SSL throughout the console.  The admin server is local to the directory
server and is not remote.

The admin and directory server are both running, can query against them but
cannot open the configuration tab when FIPS mode is enabled on the admin
servers certificate database.

Customer would like to enable FIPS mode on his admin servers certificate
database, and still have the ability to use the admin servers configuration
tab, and the purpose in doing this to use SSL/TLS in the console and require
the use of users certificates for login.

The OS is not in FIPS mode.


Version-Release number of selected component (if applicable):
RHDS 8.2 running on RHEL 5.7

How reproducible:100%


Steps to Reproduce:
1. I received a server certificate from a Third-party.
2. I installed the Adminisitration server and a directory server instance on
the same machine.
3. I shut down the server and update the certificate DB using modutil to enable
fips mode for both the admin server and the directory server.
4. I add the server certificate to both DBs as well as the CAs and CRLs
5. I open the IDM console select Directory Server > Configuraton > Encryption
6. I enable SSL, Select Use this cipher Family: RSA, select the NSS FIPS 140-2
Certificate DB, select the server certificate, select Allow client
authentication, select Check hostname...
7. I restart dirsrv and dirsrv-admin
8. I open the IDM console, select Directory Server, Configuration, Encryption
then enable Use SSL in Console
9. I open the Administration Server > Configuration > Encryption
10. I enable SSL for this server, select Use this cipher Family: RSA, select
the NSS FIPS 140-2 Certificate DB, select the server certificate
11. Select Configuration DS and check Secure Connection
12. Select User DS and set to use secure connection
13. Stop dirsrv, restart dirsrv-admin, start dirsrv
14. I open the IDM console, select Directory Server, all tabs and actions work
(except for manage Certificates, Token error)
15. I open the Administration Server, select Configuration and I get a 500
error.
16. I disable FIPS mode on the admin servers certificate DB, update the DB name
and restart the service
17. I open the Administration Server and everything works
18. I update the Administration Server's cipher settings to not check any SSL
2.0 ciphers, uncheck all SSL 3.0 ciphers, and select all under TLS
19. I restart dirsrv and dirsrv-admin
20. I open the IDM console, select Directory Server, all tabs and actions work
(except for manage Certificates, Token error)
21. I open the Administration Server, select Configuration and I get a 500
error and the error message from my initial post.
22. I update the Administration Server's cipher settings to not check any SSL
2.0 ciphers, check only 3DES FIPS in SSL 3.0 ciphers, and select all under TLS
23. I restart dirsrv and dirsrv-admin
24. I open the IDM console, select Directory Server, all tabs and actions work
(except for manage Certificates, Token error)
25. I open the Administration Server, all tabs and actions work (except for
manage Certificates, Token error)

Actual results:
Opening the Administration Server, select Configuration and I get a 500 error

Expected results:
Use of the configuration tab with FIPS mode on.

Additional info:
*This customer is in a secure environment*

Could reproduce the problem with the latest admin server / Console.

Fix suggestions from Rich:

1) I see cipher suites are hardcoded and set in this class.
idm-console-framework/src/com/netscape/management/client/security/CipherPreferenceDialog.java

I don't see any FIPS mode checking and excluding non-FIPS ciphers effort there as we do in ssl.c in the server code. Can we do the same on Console? For instance, Console could be located any host even on Windows and connect to the server remotely. Can we still get the information? Or the knowledge about FIPS enabled or not on the server side should be manually handled by the Console user? For instance, we should prepare a button on Console to set FIPS enabled? Then, we drop non-FIPS approved ciphers?

Yes. You could use the security CGI or perhaps the sec-activate CGI. You may have to add another command to these to return both the currently configured cipher list from nss.conf, and the allowed cipher list from NSS itself.

2) Do we have an Java API that tells us if a cipher suite is FIPS approved or not? Something equivalent to this API...
SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[idx].num, &info, sizeof info)) {
if (info.isFIPS) { ... }

I don't think so, and at any rate, it is server dependent, not console dependent, so this information would have to be returned in the same manner as in 1) above and probably by the same CGI.

Reviewed by Mark (Thank you!!)

Pushed to master:
d077f9a..c9b6de5 master -> master
commit c9b6de5743e2fd7c965a1b8e99c3942b6734aed7

git patch file (adminserver master) -- FIPS support (security.c)
0001-Ticket-47493-Configuration-Tab-does-not-work-with-FI.2.patch

Reviewed by Mark (Thank you!!)

Pushed to master:
6b0e745..8fc8d1d master -> master
commit 8fc8d1dca1546a285dd7505a8ecb6602c748ac8b

Metadata Update from @nhosoi:
- Issue assigned to nhosoi
- Issue set to the milestone: 389-admin,console 1.1.36

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/830

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago

Login to comment on this ticket.

Metadata