
Package bind-dyndb-ldap: remove dependency on package openssl-pkcs11

    • bind-dyndb-ldap-11.10-28.el10
    • None
    • Important
    • 1
    • rhel-sst-idm-ipa
    • ssg_idm
    • 30
    • 31
    • 3
    • False
    • Yes
    • 2024-Q4-Alpha-S4
    • Approved Exception
    • Known Issue
    • The IdM server functions only partially or not at all

      In this release, changes introduced by OpenSSL have impacted the integrated DNS functionality within Identity Management (IdM). Most notably, the OpenSSL PKCS #11 engine is replaced by a new `pkcs11-provider`. This shift affects multiple components in IdM, including `ipa`, `bind`, `bind-dyndb-ldap`, `softhsm`, and `python-cryptography`.

      The transition from the `openssl-pkcs11` engine to the `pkcs11-provider` changes the way these components interact with security modules. As a result, all IdM components relying on the previous OpenSSL engine require updates to remain compatible with the new `pkcs11-provider`.

      To support the new `pkcs11-provider`, a migration to Bind 9.20 is necessary. Bind 9.20 is the first version that provides compatibility with the `pkcs11-provider`, but it also introduces substantial architectural changes. These changes require a major rewrite of the `bind-dyndb-ldap` plugin to ensure that it continues functioning properly with the updated Bind and OpenSSL configurations.

      Consequently, the IdM server functions only partially or not at all in RHEL 10-Beta. Specifically, you cannot install the `ipa-server-dns` package, and the embedded DNS server cannot be configured using the `--setup-dns` option. Until the necessary updates to `bind-dyndb-ldap` and other impacted components are completed, the integrated DNS feature remains unavailable.
    • Done
    • All
    • None

      Dear colleagues,

      Your component is dependent on the package openssl-pkcs11, which is going to be removed in RHEL-10 beta. The replacement package is pkcs11-provider.

      Engines are not FIPS compatible, and the corresponding API has been deprecated since OpenSSL 3.0.

      We kindly ask you to implement patches or apply compile options to eliminate the dependency on the openssl-pkcs11 package. We kindly ask you to add this work to the nearest sprint.

      Feel free to reach out to the Crypto team if you have any problems with the necessary changes.

    • Thomas Woerner (twoerner)
    • Dmitry Belyavskiy (dbelyavs@redhat.com)
    • Rafael Jeffman
    • Sudhir Menon
    • Filip Hanzelka