[Pki-devel] [PATCH] - Added FIPS class to pkispawn

Matthew Harmsen mharmsen at redhat.com
Tue May 16 02:47:45 UTC 2017


Please review the attached patches for:

  * Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
    <https://bugzilla.redhat.com/show_bug.cgi?id=1450143>

Thanks,
-- Matt

P. S. - The patches were tested on a FIPS-enabled box, and the output 
looks similar to the following:

    pkispawn    : INFO     ... finalizing 'pki.server.deployment.scriptlets.finalization'
    pkispawn    : INFO     ....... executing 'systemctl enable pki-tomcatd.target'
    Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.
    pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
    pkispawn    : INFO     ....... executing 'systemctl restart pki-tomcatd@pki-tomcat.service'
    pkispawn    : INFO     ........... FIPS mode is enabled on this operating system.
    pkispawn    : DEBUG    ........... No connection - server may still be down
    pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
    pkispawn    : DEBUG    ........... No connection - server may still be down
    pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
    pkispawn    : DEBUG    ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.4.1-4.el7</Version></XMLResponse>
    pkispawn    : INFO     ....... rm -rf /opt/RootCA/ca
    pkispawn    : INFO     END spawning subsystem 'CA' of instance 'pki-tomcat'
    pkispawn    : INFO     ... archiving configuration into '/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006'
    pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
    pkispawn    : DEBUG    ........... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
    pkispawn    : DEBUG    ........... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
    pkispawn    : INFO     ... archiving manifest into '/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006'
    pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
    pkispawn    : DEBUG    ........... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
    pkispawn    : DEBUG    ........... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006

    ==========================================================================
                                     INSTALLATION SUMMARY
    ==========================================================================

           Administrator's username:             caadmin
           Administrator's PKCS #12 file:
                 /opt/RootCA/caadmincert.p12

           This CA subsystem of the 'pki-tomcat' instance
           has FIPS mode enabled on this operating system.

           REMINDER:  Don't forget to update the appropriate FIPS
                      algorithms in server.xml in the 'pki-tomcat' instance.

           To check the status of the subsystem:
                 systemctl status pki-tomcatd@pki-tomcat.service

           To restart the subsystem:
                 systemctl restart pki-tomcatd@pki-tomcat.service

           The URL for the subsystem is:
                 https://pki.example.com:8443/ca

           PKI instances will be enabled upon system boot

    ==========================================================================

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-core-Added-FIPS-class-to-pkispawn.patch
Type: text/x-patch
Size: 6735 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20170515/6f27869c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-core-Added-runtime-requirement-on-sysctl-to-pki-core-spec.patch
Type: text/x-patch
Size: 692 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20170515/6f27869c/attachment-0001.bin>

