<html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> </head> <body bgcolor="#FFFFFF" text="#000000"> Please review the attached patches for: <ul> <li><a moz-do-not-send="true" href="https://bugzilla.redhat.com/show_bug.cgi?id=1450143">Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails</a></li> </ul> Thanks, -- Matt P. S. - The patches were tested on a FIPS-enabled box, and the output looks similar to the following: <blockquote> pkispawn : INFO ... finalizing 'pki.server.deployment.scriptlets.finalization' pkispawn : INFO ....... executing 'systemctl enable pki-tomcatd.target' Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target. pkispawn : INFO ....... executing 'systemctl daemon-reload' pkispawn : INFO ....... executing 'systemctl restart <a class="moz-txt-link-abbreviated" href="mailto:pki-tomcatd@pki-tomcat.service">pki-tomcatd@pki-tomcat.service</a>' pkispawn : INFO ........... FIPS mode is enabled on this operating system. pkispawn : DEBUG ........... No connection - server may still be down pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused')) pkispawn : DEBUG ........... No connection - server may still be down pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused')) pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.4.1-4.el7</Version></XMLResponse> pkispawn : INFO ....... rm -rf /opt/RootCA/ca pkispawn : INFO END spawning subsystem 'CA' of instance 'pki-tomcat' pkispawn : INFO ... archiving configuration into '/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006' pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006 pkispawn : DEBUG ........... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006 pkispawn : DEBUG ........... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006 pkispawn : INFO ... archiving manifest into '/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006' pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006 pkispawn : DEBUG ........... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006 pkispawn : DEBUG ........... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006 ========================================================================== INSTALLATION SUMMARY ========================================================================== Administrator's username: caadmin Administrator's PKCS #12 file: /opt/RootCA/caadmincert.p12 This CA subsystem of the 'pki-tomcat' instance has FIPS mode enabled on this operating system. REMINDER: Don't forget to update the appropriate FIPS algorithms in server.xml in the 'pki-tomcat' instance. To check the status of the subsystem: systemctl status <a class="moz-txt-link-abbreviated" href="mailto:pki-tomcatd@pki-tomcat.service">pki-tomcatd@pki-tomcat.service</a> To restart the subsystem: systemctl restart <a class="moz-txt-link-abbreviated" href="mailto:pki-tomcatd@pki-tomcat.service">pki-tomcatd@pki-tomcat.service</a> The URL for the subsystem is: <a class="moz-txt-link-freetext" href="https://pki.example.com:8443/ca">https://pki.example.com:8443/ca</a> PKI instances will be enabled upon system boot ========================================================================== </blockquote> </body> </html>