#2500 Problems with FIPS mode
Closed: Fixed None Opened 7 years ago by mharmsen.

The NSS token is hard-coded in the SigningUnit.java class, causing the Dogtag install to fail
when the system is in FIPS mode.

Steps to Reproduce:

1. Configure system for FIPS
2. Attempt to install Dogtag

Actual results:

Install fails

Expected results:

Install succeeds

Fixed in master:

  • 5be68e38fd77f171331d27ca52a291f06f7c686c

Additional changes in master:

  • 613d8e8281cc336d7e1c8291abedb4b2321f93ec
  • 650b00dc57bb0c51c1e327ec3064531c26f80c43

Cherry-picked to DOGTAG_10_3_BRANCH:

commit 8bef45df5e3d287111df8e0a33519a065e3e7b70
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Nov 1 22:49:22 2016 +0100

    Fixed KRA key recovery via CLI in FIPS mode.

    Based on investigation and solution provided by cfu and jmagne,
    the SecurityDataRecoveryService.serviceRequest() has been modified
    to use EncryptionUnit.unwrap_temp() for key recovery via CLI in
    FIPS mode.

    https://fedorahosted.org/pki/ticket/2500
    (cherry picked from commit 650b00dc57bb0c51c1e327ec3064531c26f80c43)

commit ec165a0d6cd805d1b5d4fbd4fff44ff00bfcaee0
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Sat Oct 29 07:52:36 2016 +0200

    Reformatted SecurityDataRecoveryService.serviceRequest().

    The code in SecurityDataRecoveryService.serviceRequest() has been
    reformatted for clarity.

    https://fedorahosted.org/pki/ticket/2500
    (cherry picked from commit 613d8e8281cc336d7e1c8291abedb4b2321f93ec)

Metadata Update from @mharmsen:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.8

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2620

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
