Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: None
Affects Version/s: CentOS Stream 10, rhel-10.0.beta
Component/s: bind-dyndb-ldap
Labels:
- rhel-10-pkg-refactoring
- rhel-10-prodact

Regression:
None
Severity:
Important
Epic Link:
FREEIPA-11139

Pool Team:

sst_idm_ipa
Sub-System Group:

ssg_idm

Dev Target Milestone:
30
Internal Target Milestone:
31
Story Points:
13
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None
Release Blocker:
Approved Exception

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
Known Issue
Release Note Text:

Hide
.The IdM server functions only partially or not at all

In this release, changes introduced by OpenSSL have impacted the integrated DNS functionality within Identity Management (IdM). Most notably, the OpenSSL PKCS#11 engine is replaced by a new `pkcs11-provider`. This shift affects multiple components in IdM, including `ipa`, `bind`, `bind-dyndb-ldap`, `softhsm`, and `python-cryptography`.

The transition from the `openssl-pkcs11` engine to the `pkcs11-provider` changes the way these components interact with security modules. As a result, all IdM components relying on the previous OpenSSL engine require updates to remain compatible with the new `pkcs11-provider`.

To support the new `pkcs11-provider`, a migration to Bind 9.20 is necessary. Bind 9.20 is the first version that provides compatibility with the `pkcs11-provider`, but it also introduces substantial architectural changes. These changes require a major rewrite of the `bind-dyndb-ldap` plugin to ensure that it continues functioning properly with the updated Bind and OpenSSL configurations.

Consequently, the IdM server functions only partially or not at all in RHEL 10-Beta. Specifically, you cannot install the `ipa-server-dns` package, and the embedded DNS server cannot be configured using the `--setup-dns` option. Until the necessary updates to `bind-dyndb-ldap` and other impacted components are completed, the integrated DNS feature remains unavailable.

Show
.The IdM server functions only partially or not at all In this release, changes introduced by OpenSSL have impacted the integrated DNS functionality within Identity Management (IdM). Most notably, the OpenSSL PKCS#11 engine is replaced by a new `pkcs11-provider`. This shift affects multiple components in IdM, including `ipa`, `bind`, `bind-dyndb-ldap`, `softhsm`, and `python-cryptography`. The transition from the `openssl-pkcs11` engine to the `pkcs11-provider` changes the way these components interact with security modules. As a result, all IdM components relying on the previous OpenSSL engine require updates to remain compatible with the new `pkcs11-provider`. To support the new `pkcs11-provider`, a migration to Bind 9.20 is necessary. Bind 9.20 is the first version that provides compatibility with the `pkcs11-provider`, but it also introduces substantial architectural changes. These changes require a major rewrite of the `bind-dyndb-ldap` plugin to ensure that it continues functioning properly with the updated Bind and OpenSSL configurations. Consequently, the IdM server functions only partially or not at all in RHEL 10-Beta. Specifically, you cannot install the `ipa-server-dns` package, and the embedded DNS server cannot be configured using the `--setup-dns` option. Until the necessary updates to `bind-dyndb-ldap` and other impacted components are completed, the integrated DNS feature remains unavailable.
Release Note Status:
Done

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Dear colleagues,

Your component is dependent on the package openssl-pkcs11 which is going to be removed in RHEL-10 beta. The replacing package is pkcs11-provider

Engines are not FIPS compatible and corresponding API is deprecated since OpenSSL 3.0.

We kindly ask you to implement patches or apply compiling options to eliminate the dependency on the openssl-pkcs11 package. We kindly ask you to add this work to the nearest sprint.

Feel free to reach the Crypto team if you have any problems with the necessary changes.

blocks

RHEL-33729 Please stop using OpenSSL ENGINE API in bind

In Progress

is blocked by

RHEL-55767 bind: Rebase to next major 9.20

Planning

Assignee:: Thomas Woerner

Reporter:: Dmitry Belyavskiy

Developer:: Rafael Jeffman

QA Contact:: Anuja More

Doc Contact:: Filip Hanzelka

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2024/03/27 9:04 AM

Updated:: 2024/10/17 9:08 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates