RHEL-25729

Unable to decrypt when using RSA-OAEP padding in RHEL7.9

    • Bug
    • Resolution: Unresolved
    • rhel-7.9.z
    • pki-core
    • rhel-sst-idm-cs
    • ssg_idm

      As customers transition to RHEL9 and begin adopting FIPS-140-2/FIPS-140-3 Security Requirements, more issues will arise related to interoperability with older RHEL systems. Although FIPS-140-2/FIPS-140-3 directly impact RHEL9, this isn't true for topologies or deployments where RHEL9 coexists with RHEL8 and RHEL7 systems. Therefore, the security requirements also affect older RHEL systems that are part of the same deployment.

      Customers with existing RHEL7 deployments will start adding RHEL8/9 replicas/clients, causing some interoperability issues as the new RHEL systems are more restricted (enrolling clients, adding replicas, vault operations…).

      One example of an interoperability issue involves IdM Vault, which uses PKCS1v15 for key archival/retrieval operations. In RHEL9 in FIPS mode, PKCS1v15 is no longer allowed and must be replaced by RSA-OAEP. This affects both IPA and PKI components. While this issue was addressed for RHEL9 and RHEL8, PKI fixes were not propagated to RHEL7.9, resulting in the KRA not supporting RSA-OAEP operations.

      This ticket is a request for backporting the following commits to RHEL7.9-z:

      pki-core component:

      • a457f6036b Tue Jan 16 13:31:49 2024 +0700 Jack Magne Fix Bug 2122409 - pki-tomcat/kra unable to decrypt when using RSA-OAEP padding in RHEL9 with FIPS enabled

      jss component:

      • d3c91fd3 Mon Aug 29 16:22:05 2022 -0700 Jack Magne Fix Bug 2100807 - pki-tomcat/kra unable to decrypt when using RSA-OAEP padding in RHEL9 with FIPS enabled.

       

      If RSA-OAEP support is added in PKI/KRA, interoperability between RHEL7 and RHEL8/9 will be possible, thereby avoiding complex situations where customers are deploying a mix of RHEL7, 8, and 9 systems.

       

              Unassigned
              ftrivino@redhat.com Francisco Trivino Garcia
              John Magne
              RHCS Maintenance
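
The padding mismatch described in this ticket can be reproduced outside IdM with the openssl CLI: a key wrapped with RSA-OAEP cannot be recovered by a receiver that only applies PKCS#1 v1.5. This is an added example, not code from pki-core or jss; the throwaway RSA key pair, the 32-byte session key, the SHA-256 OAEP digest and all file and function names are constructed stand-ins.

```shell
#!/bin/sh
# Constructed demo: every key and file here is a throwaway value,
# not taken from the ticket or from any IdM/KRA deployment.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

setup_keys() {
    # Stand-in for the receiver's RSA key pair (assumption: RSA-2048)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/receiver.key" 2>/dev/null
    openssl pkey -in "$work/receiver.key" -pubout -out "$work/receiver.pub"
    # Stand-in for the symmetric key being archived
    openssl rand -out "$work/session.key" 32
}

# Map a padding name to the matching pkeyutl options
pad_opts() {
    case "$1" in
        oaep)  echo "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256" ;;
        pkcs1) echo "-pkeyopt rsa_padding_mode:pkcs1" ;;
    esac
}

# wrap <padding>: sender encrypts the session key to the receiver's public key
wrap() {
    openssl pkeyutl -encrypt -pubin -inkey "$work/receiver.pub" \
        -in "$work/session.key" -out "$work/wrapped.bin" $(pad_opts "$1")
}

# unwrap_ok <padding>: succeeds only if the receiver recovers the exact key.
# The content is compared instead of trusting the exit code, because newer
# OpenSSL releases may return unrelated bytes rather than an error when
# PKCS#1 v1.5 padding does not check out.
unwrap_ok() {
    rm -f "$work/out.bin"
    openssl pkeyutl -decrypt -inkey "$work/receiver.key" \
        -in "$work/wrapped.bin" -out "$work/out.bin" \
        $(pad_opts "$1") 2>/dev/null || return 1
    cmp -s "$work/session.key" "$work/out.bin"
}

setup_keys
wrap oaep    # sender restricted to RSA-OAEP, as in FIPS mode
for mode in pkcs1 oaep; do
    if unwrap_ok "$mode"; then
        echo "receiver=$mode: session key recovered"
    else
        echo "receiver=$mode: unwrap failed"
    fi
done
```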