Running pkispawn -s CA with the config file from the attachment in the associated bug ends up in a pkispawn error.
This appears to be the case for CA, KRA, CA clone, etc.
Steps to Reproduce:
1. Set up your system for FIPS
2. Run pkispawn with the given config (you can run ipa-server-install to make it easier for you)
Actual results:
PKI subsystem installation fails.
Expected results:
PKI subsystem installation succeeds.
Additional info:
From what I've gathered, the trouble is with generating 'pki_pin', which is then stored to 'pki_shared_pfile' which is used to access the /etc/pki/pki-tomcat/alias NSS database. However, 'pki_pin' is just a number and NSS databases in FIPS mode require at least one non-alphanumeric character.
It should be possible to fix this issue, but we need to investigate the official requirement for FIPS password.
The workaround is to manually specify a FIPS-compliant password in pki_pin in the deployment configuration, for example:
[DEFAULT]
pki_pin=Secret.123
Fixing this issue will improve user experience since people installing in FIPS mode probably will encounter this issue before realizing that they need to use a workaround.
Replying to [comment:2 edewata]:
It should be possible to fix this issue, but we need to investigate the official requirement for FIPS password.
The workaround is to manually specify a FIPS-compliant password in pki_pin in the deployment configuration, for example:
[DEFAULT]
pki_pin=Secret.123
Fixing this issue will improve user experience since people installing in FIPS mode probably will encounter this issue before realizing that they need to use a workaround.
See sftk_newPinCheck() in the following file: https://dxr.mozilla.org/nss/source/nss/lib/softoken/fipstokn.c
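Added example, not code from Dogtag PKI or NSS, of the two pieces this thread turns on: a checker that mirrors my reading of sftk_newPinCheck() in fipstokn.c (minimum length 7, at least three of five character classes, with an uppercase letter in the first position and a digit in the last position not counted), and a CSPRNG-based pki_pin generator that leaves out '=' as the later fix on this thread does. The constant names, the default length and the exact class rules are my assumptions; verify them against the linked NSS source.

```python
import secrets
import string

# Assumed constant: NSS softoken's FIPS_MIN_PIN (minimum PIN length in characters).
FIPS_MIN_PIN = 7

DIGITS = string.digits
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
# '=' is left out of the punctuation class, as the later fix on this thread does.
PUNCT = "".join(c for c in string.punctuation if c != "=")


def is_fips_pin(pin: str) -> bool:
    """Mirror sftk_newPinCheck() as I read fipstokn.c: at least FIPS_MIN_PIN
    characters and at least three of five classes (digit, ASCII lower, ASCII
    upper, ASCII non-alphanumeric, non-ASCII); a digit in the last position and
    an uppercase letter in the first position do not count towards their class."""
    if len(pin) < FIPS_MIN_PIN:
        return False
    last = len(pin) - 1
    ndigit = sum(1 for i, c in enumerate(pin) if c in DIGITS and i != last)
    nupper = sum(1 for i, c in enumerate(pin) if c in UPPER and i != 0)
    nlower = sum(1 for c in pin if c in LOWER)
    nnonalnum = sum(1 for c in pin if c.isascii() and not c.isalnum())
    nnonascii = sum(1 for c in pin if not c.isascii())
    nclass = sum(1 for n in (ndigit, nlower, nupper, nnonalnum, nnonascii) if n)
    return nclass >= 3


def generate_fips_pin(length: int = 20) -> str:
    """Draw a random pki_pin from a CSPRNG with at least one digit, lowercase,
    uppercase and punctuation character, then reshuffle until the positional
    exceptions in is_fips_pin() are not triggered (they rarely are)."""
    if length < FIPS_MIN_PIN:
        raise ValueError(f"length must be at least {FIPS_MIN_PIN}")
    alphabet = DIGITS + LOWER + UPPER + PUNCT
    chars = [secrets.choice(DIGITS), secrets.choice(LOWER),
             secrets.choice(UPPER), secrets.choice(PUNCT)]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng = secrets.SystemRandom()
    while True:
        rng.shuffle(chars)
        pin = "".join(chars)
        if is_fips_pin(pin):
            return pin
```

An all-digit pin like the one pkispawn generated fails is_fips_pin(), while the Secret.123 workaround from this thread passes.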
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1412211 (Red Hat Enterprise Linux 7)
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1411428 (Red Hat Enterprise Linux 7)
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1412132 (Red Hat Enterprise Linux 7)
RHEL bug #1411428 and #1412211 are blockers.
Replying to [comment:10 edewata]:
RHEL bug #1411428 and #1412211 are blockers.
ACK
attachment pki-edewata-0916-Updated-CryptoUtil.patch
attachment pki-edewata-0917-Fixed-inconsistent-internal-token-detection.patch
attachment pki-edewata-0918-Replaced-CryptoManager.getTokenByName.patch
The following changes fixed the KRA installation issue in FIPS mode (bug #1412211):
The following changes fixed the cloning issue in FIPS mode (bug #1411428):
Bug #1412132 is a duplicate of bug #1411428.
The remaining work is to fix the PIN generation.
Metadata Update from @slaznick@redhat.com:
- Issue set to the milestone: 10.4
Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue assigned to edewata
- Issue close_status updated to: None
Metadata Update from @mharmsen:
- Issue priority set to: critical (was: blocker)
Added FIPS-compliant password generator: https://review.gerrithub.io/#/c/356183/
Fixed in master:
* 9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32
Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.4.2 (was: 10.4)
- Issue status updated to: Closed (was: Open)
Re-opened
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4 (was: 10.4.2)
- Issue status updated to: Open (was: Closed)
Patch for excluding equal sign from random password:
Excluded equal sign from random password:
Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.4.7 (was: 10.4)
- Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.4.7-1.fc27
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2676
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.