[Pki-devel] [PATCH] - Added FIPS class to pkispawn
Matthew Harmsen
mharmsen at redhat.com
Tue May 16 02:47:45 UTC 2017
Please review the attached patches for:
* Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
<https://bugzilla.redhat.com/show_bug.cgi?id=1450143>
Thanks,
-- Matt
P. S. - The patches were tested on a FIPS-enabled box, and the output
looks similar to the following:
pkispawn : INFO ... finalizing 'pki.server.deployment.scriptlets.finalization'
pkispawn : INFO ....... executing 'systemctl enable pki-tomcatd.target'
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl restart pki-tomcatd@pki-tomcat.service'
*pkispawn : INFO ........... FIPS mode is enabled on this operating system.*
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.4.1-4.el7</Version></XMLResponse>
pkispawn : INFO ....... rm -rf /opt/RootCA/ca
pkispawn : INFO END spawning subsystem 'CA' of instance 'pki-tomcat'
pkispawn : INFO ... archiving configuration into '/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006'
pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn : DEBUG ........... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn : DEBUG ........... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn : INFO ... archiving manifest into '/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006'
pkispawn : INFO ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
pkispawn : DEBUG ........... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
pkispawn : DEBUG ........... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
==========================================================================
INSTALLATION SUMMARY
==========================================================================
Administrator's username: caadmin
Administrator's PKCS #12 file: /opt/RootCA/caadmincert.p12

*This CA subsystem of the 'pki-tomcat' instance*
*has FIPS mode enabled on this operating system.*

*REMINDER: Don't forget to update the appropriate FIPS*
*algorithms in server.xml in the 'pki-tomcat' instance.*

To check the status of the subsystem:
systemctl status pki-tomcatd@pki-tomcat.service
To restart the subsystem:
systemctl restart pki-tomcatd@pki-tomcat.service
The URL for the subsystem is:
https://pki.example.com:8443/ca
PKI instances will be enabled upon system boot
==========================================================================
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-core-Added-FIPS-class-to-pkispawn.patch
Type: text/x-patch
Size: 6735 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20170515/6f27869c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-core-Added-runtime-requirement-on-sysctl-to-pki-core-spec.patch
Type: text/x-patch
Size: 692 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20170515/6f27869c/attachment-0001.bin>