#5695 [RFE] FreeIPA on FIPS enabled systems
Closed: fixed 5 years ago Opened 6 years ago by pvoborni.

FreeIPA doesn't work in FIPS mode.

Currently ipactl start prints: "Cannot start IPA server in FIPS mode".

This ticket should track the progress in enabling it.

Applies only to RHEL-based OSes.

master:

  • 8db5b27 Unify password generation across FreeIPA
  • fb7c111 ipa_generate_password algorithm change

master:

  • 721105c Generate sha256 ssh pubkey fingerprints for hosts

master:

  • 08c7170 Remove is_fips_enabled checks in installers and ipactl

master:

  • 0b9b6b5 Add FIPS-token password of HTTPD NSS database

master:

  • ca457eb Add password to certutil calls in NSSDatabase
  • b20b048 custodiainstance: don't use IPA-specific CertDB

master:

  • 3372ad2 Add fips_mode variable to env
  • 7292890 test_config: fix tests for env.fips_mode
  • 62e884f check_remote_version: update exception and docstring
  • 397ca71 replicainstall: add context manager for rpc client
  • cf25ea7 FIPS: perform replica installation check

master:

  • 728a6bd Remove ra_db argument from CAInstance init
  • a39effe Remove DM password files after successfull pkispawn run

master:

  • e2d1b21 Remove md5_fingerprints from IPA

Please write all changes (like removal of MD5 fingerprints, etc.) that affect UI or users into release notes filed in the ticket.

Metadata Update from @pvoborni:
- Issue assigned to tkrizek
- Issue set to the milestone: FreeIPA 4.5

5 years ago

master:

  • dfd560a Remove NSSConnection from the Python RPC module
  • 2a1494c Move RA agent certificate file export to a different location
  • 1e89d28 Don't run kra.configure_instance if not necessary
  • 6b074ad Move publishing of CA cert to cainstance creation on master
  • 0a54fac Remove NSSConnection from Dogtag
  • afea026 Remove pkcs12 handling functions from CertDB
  • 2a9d1fb Remove NSSConnection from otptoken plugin
  • 76e8d7b Remove ipapython.nsslib as it is not used anymore
  • 595f9b6 Workaround for certmonger's "Subject" representations
  • 51a2b13 Refactor certmonger for OpenSSL certificates
  • 24b134c Added a PEMFileHandler for Custodia store
  • 5ab85b3 Moving ipaCert from HTTPD_ALIAS_DIR

Metadata Update from @jcholast:
- Custom field affects_doc reset
- Custom field component reset
- Custom field design reset
- Custom field on_review reset
- Custom field rhbz reset
- Custom field type reset
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5)

5 years ago

master:

  • 770d4cd Env setitem: replace assert with exception
  • 5055b34 test_config: fix fips_mode key in Env

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted

5 years ago

master:

  • 052de43 Fix replica with --setup-ca issues

Metadata Update from @jcholast:
- Custom field affects_doc reset

5 years ago

master:

  • 88fd936 Remove NSPRError exception from platform tasks

Metadata Update from @mbasti:
- Custom field affects_doc reset

5 years ago

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1125174

5 years ago

Metadata Update from @mbasti:
- Custom field affects_doc reset

5 years ago

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Custom field keywords adjusted to test

5 years ago

master:

Metadata Update from @jcholast:
- Custom field affects_doc reset

5 years ago

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Issue set to the milestone: FreeIPA 4.5

5 years ago

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Custom field keywords reset

5 years ago

Metadata Update from @tkrizek:
- Custom field changelog adjusted to FreeIPA can be installed on FIPS enabled systems, Replaced MD5 fingerprints with SHA256, Added fips_mode variable to env that indicates whether FIPS is turned on the server
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
