Bug
Resolution: Cannot Reproduce
rhel-8.4.0
rhel-security-special-projects
ssg_security
Description of problem:
fapolicyd prevents PKI CA from installing on a FIPS + STIG + HSM environment
Version-Release number of selected component (if applicable):
fapolicyd-1.0.2-6.el8.x86_64
redhat-pki-ca-10.11.4-1.module+el8pki+14819+092aa4b5.noarch
How reproducible:
Always
Steps to Reproduce:
1. Set up a FIPS + STIG + HSM environment
2. Install CA
Actual results:
It fails on the HSM environment but succeeds on a non-HSM environment.
Workaround: stop fapolicyd, then install the CA; the installation then succeeds on the HSM environment.
Expected results:
Should succeed
Additional info:
/etc/fapolicyd/fapolicyd.rules contains:
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-CA/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-KRA/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-OCSP/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-TKS/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-TPS/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/usr/share/tomcat/bin/ ftype=application/java-archive
CA pkispawn logs:
DEBUG: Command: modutil -dbdir /etc/pki/topology-02-CA/alias -rawlist
INFO: Output: library= name="NSS Internal PKCS #11 Module" NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1=
)" parameters="configdir=/etc/pki/topology-02-CA/alias certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "
INFO: Adding module nfast: /opt/nfast/toolkits/pkcs11/libcknfast.so
DEBUG: Command: modutil -dbdir /etc/pki/topology-02-CA/alias -nocertdb -add nfast -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so -force
ERROR: Failed to add module "nfast". Probable cause : "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed. Trying the same operation again might succeed.".
CalledProcessError: Command '['modutil', '-dbdir', '/etc/pki/topology-02-CA/alias', '-nocertdb', '-add', 'nfast', '-libfile', '/opt/nfast/toolkits/pkcs11/libcknfast.so', '-force']' returned non-zero exit status 22.
File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
scriptlet.spawn(deployer)
File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 106, in spawn
deployer.mdict['pki_hsm_libfile'])
File "/usr/lib/python3.6/site-packages/pki/nssdb.py", line 451, in add_module
check=True)
File "/usr/lib64/python3.6/subprocess.py", line 438, in run
output=stdout, stderr=stderr)
Installation failed: Command failed: modutil -dbdir /etc/pki/topology-02-CA/alias -nocertdb -add nfast -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so -force
Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20220519154244.log
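To see whether any of the quoted rules could bear on the failing step, here is a small first-match evaluator for the subset of fapolicyd rule syntax used in this report (an added example, not fapolicyd's own matching code; the real daemon also consults its trust database and the rest of the system policy, which the report does not show). It assumes modutil runs from /usr/bin/modutil, that fapolicyd would classify the HSM library as application/x-sharedlib, and that the policy ends in a catch-all deny_audit rule; none of those are stated in the report.

```python
def parse_side(text):
    # "perm=open dir=/a/,/b/" -> {"perm": ["open"], "dir": ["/a/", "/b/"]}; "all" -> {}
    return {k: v.split(",") for k, sep, v in (t.partition("=") for t in text.split()) if sep}

def parse_rules(text):
    # Returns [(decision, subject_attrs, object_attrs)] in file order; fapolicyd stops at the first match.
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            decision, rest = line.split(None, 1)
            subject, obj = rest.split(":", 1)
            rules.append((decision, parse_side(subject), parse_side(obj)))
    return rules

def side_matches(attrs, path, ftype=None, perm=None):
    # Every attribute on one side of a rule must hold; keys this subset does not model never match.
    checks = {
        "perm": lambda v: perm in v or "any" in v,
        "dir": lambda v: any(path.startswith(d) for d in v),
        "exe": lambda v: path in v,
        "path": lambda v: path in v,
        "ftype": lambda v: ftype in v,
    }
    return all(key in checks and checks[key](vals) for key, vals in attrs.items())

def evaluate(rules, exe, path, ftype, perm="open"):
    # exe = subject program, path/ftype = object file. Returns (rule index, decision) or (None, None).
    for i, (decision, subj, obj) in enumerate(rules):
        if side_matches(subj, exe, perm=perm) and side_matches(obj, path, ftype):
            return i, decision
    return None, None

# Constructed input: the six rules quoted in this report, followed by a catch-all deny that
# stands in for the rest of the system policy (assumed; the report does not show it).
RULES = parse_rules("""
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-CA/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-KRA/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-OCSP/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-TKS/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-TPS/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/usr/share/tomcat/bin/ ftype=application/java-archive
deny_audit perm=any all : all
""")

# The failing step: modutil (not a JVM binary) opening the nfast PKCS#11 library from the log above.
# None of the quoted allow rules apply, so the decision falls through to the catch-all (index 6).
MODUTIL_NFAST = evaluate(RULES, "/usr/bin/modutil",
                         "/opt/nfast/toolkits/pkcs11/libcknfast.so", "application/x-sharedlib")
```

The quoted rules only ever match a subject under /usr/lib/jvm/, so whatever blocked modutil here is decided by rules the report does not include; running fapolicyd with --debug-deny while repeating the modutil command is the way to see which rule that was.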