freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#5695 [RFE] FreeIPA on FIPS enabled systems

Created 2 years ago by pvoborni
Modified a year ago

FreeIPA doesn't work in FIPS mode.

Currently ipactl start prints: "Cannot start IPA server in FIPS mode".

This ticket should track progress in enabling it.

Applies only to RHEL-based OSes.

master:

  • 8db5b27 Unify password generation across FreeIPA
  • fb7c111 ipa_generate_password algorithm change

master:

  • 721105c Generate sha256 ssh pubkey fingerprints for hosts

master:

  • 08c7170 Remove is_fips_enabled checks in installers and ipactl

master:

  • 0b9b6b5 Add FIPS-token password of HTTPD NSS database

master:

  • ca457eb Add password to certutil calls in NSSDatabase
  • b20b048 custodiainstance: don't use IPA-specific CertDB

master:

  • 3372ad2 Add fips_mode variable to env
  • 7292890 test_config: fix tests for env.fips_mode
  • 62e884f check_remote_version: update exception and docstring
  • 397ca71 replicainstall: add context manager for rpc client
  • cf25ea7 FIPS: perform replica installation check

master:

  • 728a6bd Remove ra_db argument from CAInstance init
  • a39effe Remove DM password files after successfull pkispawn run

master:

  • e2d1b21 Remove md5_fingerprints from IPA

Please write all changes (like removal of MD5 fingerprints, etc.) that affect the UI or users into the release notes filed in the ticket.

And also the design page.

a year ago

Metadata Update from @pvoborni:
- Issue assigned to tkrizek
- Issue set to the milestone: FreeIPA 4.5

master:

  • dfd560a Remove NSSConnection from the Python RPC module
  • 2a1494c Move RA agent certificate file export to a different location
  • 1e89d28 Don't run kra.configure_instance if not necessary
  • 6b074ad Move publishing of CA cert to cainstance creation on master
  • 0a54fac Remove NSSConnection from Dogtag
  • afea026 Remove pkcs12 handling functions from CertDB
  • 2a9d1fb Remove NSSConnection from otptoken plugin
  • 76e8d7b Remove ipapython.nsslib as it is not used anymore
  • 595f9b6 Workaround for certmonger's "Subject" representations
  • 51a2b13 Refactor certmonger for OpenSSL certificates
  • 24b134c Added a PEMFileHandler for Custodia store
  • 5ab85b3 Moving ipaCert from HTTPD_ALIAS_DIR

a year ago

Metadata Update from @jcholast:
- Custom field affects_doc reset
- Custom field component reset
- Custom field design reset
- Custom field on_review reset
- Custom field rhbz reset
- Custom field type reset
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5)

master:

  • 770d4cd Env setitem: replace assert with exception
  • 5055b34 test_config: fix fips_mode key in Env

a year ago

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted

master:

  • 052de43 Fix replica with --setup-ca issues

a year ago

Metadata Update from @jcholast:
- Custom field affects_doc reset

master:

  • 88fd936 Remove NSPRError exception from platform tasks

a year ago

Metadata Update from @mbasti:
- Custom field affects_doc reset

a year ago

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1125174

a year ago

Metadata Update from @mbasti:
- Custom field affects_doc reset

a year ago

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Custom field keywords adjusted to test

master:

a year ago

Metadata Update from @jcholast:
- Custom field affects_doc reset

a year ago

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Issue set to the milestone: FreeIPA 4.5

a year ago

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Custom field keywords reset

a year ago

Metadata Update from @tkrizek:
- Custom field changelog adjusted to FreeIPA can be installed on FIPS enabled systems, Replaced MD5 fingerprints with SHA256, Added fips_mode variable to env that indicates whether FIPS is turned on the server
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
