Bug 1509553 - RHV-M 4.0 .p12 keys go missing after reboot following enabling fips=1 in grub
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.1.2
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Target Milestone: ovirt-4.3.0
Target Release: ---
Assignee: Yedidyah Bar David
QA Contact: Pavel Stehlik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-04 15:09 UTC by Robert McSwain
Modified: 2018-05-02 07:35 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-03 09:06:23 UTC
oVirt Team: Integration




Links: Red Hat Bugzilla 1466047 (internal link)

Description Robert McSwain 2017-11-04 15:09:43 UTC
Environment:
rhevm-4.1.2.3-0.1.el7.noarch                                Fri Jun 23 08:44:18 2017

Presumed cause:
Enabling FIPS compliance on the manager by adding "fips=1" to grub and rebuilding.

Current Troubleshooting:
Attempting to enable auditd to monitor these files: https://access.redhat.com/solutions/10107

Current Workaround:
This is fixed by running the following commands (see private comment #1 for exact details):

[root@mgr keys]# ./pki-enroll-pkcs12.sh --name=$NAME --password=mypass --subject={Appropriate Country, Organization, and Common Name in the format of --subject=/C=$Country/O=$Organization/CN=$CommonName}

[root@mgr keys]# ./pki-enroll-request.sh --name=$NAME --password=mypass --subject={Appropriate Country, Organization, and Common Name in the format of --subject=/C=$Country/O=$Organization/CN=$CommonName} --days=1800

Note: For both pki-enroll-pkcs12.sh and pki-enroll-request.sh, run the command once per $NAME, with --name= set to engine, jboss, apache and websocket-proxy.
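As an added example (not part of the bug report and not oVirt's own tooling), here is a POSIX shell check for the symptom described above: it reports which of the four expected .p12 keys are missing or empty, and emits the auditd watch rules for the kind of file monitoring the reporter was setting up. It assumes the default ovirt-engine layout /etc/pki/ovirt-engine/keys/$NAME.p12; the audit key name ovirt-pki-keys is my own choice.

```shell
#!/bin/sh
# Assumed default layout: /etc/pki/ovirt-engine/keys/<name>.p12 (override with KEY_DIR).
KEY_DIR="${KEY_DIR:-/etc/pki/ovirt-engine/keys}"
# The four key names from the workaround in comment 0.
PKI_NAMES="engine jboss apache websocket-proxy"

# Print each expected name whose .p12 file is absent or empty in DIR.
# Returns 1 if anything is missing, 0 if all four are present.
missing_p12_keys() {
    dir="$1"
    rc=0
    for name in $PKI_NAMES; do
        if [ ! -s "$dir/$name.p12" ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Emit auditd rules (auditctl syntax, also valid in /etc/audit/rules.d/*.rules)
# that log every write, attribute change or deletion under the key directory and
# on ca.pem, tagged with one search key so `ausearch -k ovirt-pki-keys -i`
# shows the process and user behind the next disappearance.
# BASE is the ovirt-engine PKI directory, e.g. /etc/pki/ovirt-engine.
ovirt_pki_audit_rules() {
    base="$1"
    echo "-w $base/keys -p wa -k ovirt-pki-keys"
    echo "-w $base/ca.pem -p wa -k ovirt-pki-keys"
}

# Command-line use: `sh check-pki.sh --check` or `sh check-pki.sh --rules`.
case "${1:-}" in
    --check)
        if missing_p12_keys "$KEY_DIR"; then
            echo "all expected .p12 keys present in $KEY_DIR"
        else
            echo "keys missing in $KEY_DIR (see names above)" >&2
            exit 1
        fi ;;
    --rules)
        ovirt_pki_audit_rules "$(dirname "$KEY_DIR")" ;;
esac
```

Load the rules with `auditctl -R` or via augenrules so they survive the next reboot, then re-run the check after a FIPS-enabled boot to see whether the loss happens during boot or later.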

Comment 6 Yedidyah Bar David 2017-11-15 07:23:43 UTC
Did we manage to reproduce this? I played a bit with FIPS on an engine machine a few months ago and didn't encounter the current bug or any similar issue.

To re-create the PKI, you can remove '/etc/pki/ovirt-engine/ca.pem' and run 'engine-setup'. This will break the connection to your hosts. I didn't review the comment 0 workaround; it might cause other issues.

Comment 7 Robert McSwain 2017-12-01 17:31:32 UTC
I have not been able to reproduce this in my tests and have not been able to find any other record of what was done other than adding fips=1 to the kernel line. Given that the issue recurs so frequently, I expect a rebuild is the only permanent fix to this issue.

Comment 8 Yedidyah Bar David 2017-12-03 09:06:23 UTC
OK, closing for now. Please reopen with more details if reproducible.

Please note that this does not mean that FIPS mode is supported, see bug 1466047.