RHEL-4888

Generate AES SHA-2 HMAC keys on deployed IPA instances in FIPS mode

Details

    • sst_idm_ipa
    • ssg_idm
    • False
    • Unspecified
    • 2024-Q1-Bravo-S1, 2024-Q1-Bravo-S3, 2024-Q1-Bravo-S4
    • Known Issue
      .Adding a RHEL 9 replica in FIPS mode to an IdM deployment in FIPS mode that was initialized with RHEL 8.6 or earlier fails

      The default RHEL 9 FIPS cryptographic policy, which aims to comply with FIPS 140-3, does not allow the use of the key derivation function of the AES HMAC-SHA1 encryption types (aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96) as defined in RFC 3961, section 5.1.

      This constraint blocks adding a RHEL 9 Identity Management (IdM) replica in FIPS mode to a RHEL 8 IdM environment in FIPS mode in which the first server was installed on a RHEL 8.6 system or earlier. Such deployments commonly hold keys only in the AES HMAC-SHA1 encryption types and none in the AES HMAC-SHA2 encryption types (aes256-cts-hmac-sha384-192 and aes128-cts-hmac-sha256-128), so the RHEL 9 replica and the existing servers have no encryption type in common.

      You can view the encryption types of your IdM master key by entering the following command on the server:

      [subs="quotes"]
      ----
      # kadmin.local getprinc K/M | grep -E '^Key:'
      ----

      The output contains one `Key:` line per encryption type. If only `aes256-cts-hmac-sha1-96` and `aes128-cts-hmac-sha1-96` are listed, the deployment was initialized without AES HMAC-SHA2 keys and is affected.

      To work around the problem, enable the use of the AES HMAC-SHA1 encryption types on the RHEL 9 replica by switching it to the FIPS:AD-SUPPORT subpolicy:

      [subs="quotes"]
      ----
      # update-crypto-policies --set FIPS:AD-SUPPORT
      ----

      System-wide crypto policies are applied when applications start, so reboot the replica before running the replica installation.

      WARNING:: This workaround might violate FIPS compliance.

      As a result, adding the RHEL 9 replica to the IdM deployment proceeds correctly.

      Note that there is ongoing work to provide a procedure to generate the missing AES HMAC-SHA2 Kerberos keys on RHEL 7 and RHEL 8 servers, which would allow the RHEL 9 replica to remain FIPS 140-3 compliant. However, this process cannot be fully automated: the keys of password-based principals are derived from the password with an encryption-type-specific string-to-key function, so existing keys cannot be converted to a different encryption type. New keys can only be created from the password itself, which means users have to renew their passwords.
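The check described above, worked out as a script that compares the master key's encryption types with what a RHEL 9 host in FIPS mode will accept and reports whether a replica or client install will go through, needs FIPS:AD-SUPPORT, or is blocked either way. This is an added example, not part of the issue or of Red Hat's IdM tooling; the two permitted-enctype lists are an assumption taken from the RHEL 9 crypto-policies krb5 back end, and the `kadmin.local getprinc K/M` output it parses is constructed sample text.

```shell
#!/bin/bash
# Added example (not from RHEL-4888 or from the IdM project): decide whether a
# RHEL 9 host in FIPS mode shares an encryption type with this IdM realm's
# master key, using the Key: lines from `kadmin.local getprinc K/M`.

# Enctypes permitted by the RHEL 9 FIPS policy and by its AD-SUPPORT subpolicy.
# Assumption: mirrors /etc/crypto-policies/back-ends/krb5.config on RHEL 9.
RHEL9_FIPS_ENCTYPES="aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128"
RHEL9_FIPS_AD_SUPPORT_ENCTYPES="$RHEL9_FIPS_ENCTYPES aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

# km_enctypes: read getprinc output on stdin, print one enctype name per line.
# A Key: line looks like "Key: vno 1, aes256-cts-hmac-sha1-96" (older kadmin
# appends ", no salt"), so the enctype is the fourth field minus a trailing comma.
km_enctypes() {
    awk '/^Key:/ { e = $4; sub(/,$/, "", e); print e }'
}

# common_enctypes LIST: print those enctypes from stdin that also occur in LIST.
common_enctypes() {
    local allowed=" $1 " et
    while IFS= read -r et; do
        case "$allowed" in *" $et "*) printf '%s\n' "$et" ;; esac
    done
}

# fips_replica_verdict: read getprinc output on stdin and print
#   ok                the default RHEL 9 FIPS policy already has a common enctype
#   needs-ad-support  only the SHA-1 AES enctypes match; FIPS:AD-SUPPORT is required
#   blocked           no AES enctype at all; even AD-SUPPORT does not help
fips_replica_verdict() {
    local ets
    ets=$(km_enctypes)
    if [ -n "$(printf '%s\n' "$ets" | common_enctypes "$RHEL9_FIPS_ENCTYPES")" ]; then
        echo ok
    elif [ -n "$(printf '%s\n' "$ets" | common_enctypes "$RHEL9_FIPS_AD_SUPPORT_ENCTYPES")" ]; then
        echo needs-ad-support
    else
        echo blocked
    fi
}

# Constructed sample output in the shape of `kadmin.local getprinc K/M`
# on an IdM server first installed on RHEL 8.6 or earlier (SHA-1 keys only) ...
SAMPLE_OLD_KM='Principal: K/M@EXAMPLE.TEST
Expiration date: [never]
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
MKey: vno 1'

# ... and on a deployment that also holds the SHA-2 AES keys.
SAMPLE_NEW_KM='Principal: K/M@EXAMPLE.TEST
Number of keys: 3
Key: vno 1, aes256-cts-hmac-sha384-192
Key: vno 1, aes128-cts-hmac-sha256-128
Key: vno 1, aes256-cts-hmac-sha1-96
MKey: vno 1'

if [ "${1:-}" = --live ]; then
    # On the IdM server itself (as root): judge the real master key.
    kadmin.local getprinc K/M | fips_replica_verdict
else
    printf '%s\n' "$SAMPLE_OLD_KM" | fips_replica_verdict   # needs-ad-support
    printf '%s\n' "$SAMPLE_NEW_KM" | fips_replica_verdict   # ok
fi
```

Run it without arguments to see the two constructed cases; run it with `--live` as root on an IdM server to judge the real master key. A `needs-ad-support` verdict is exactly the situation the workaround above addresses; `blocked` would mean the realm carries no AES keys at all, which AD-SUPPORT cannot fix.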
    • Done

    Description

      Description of problem:

      The RHEL 9 client configured for FIPS fails to join an IPA realm if the IPA server was created in FIPS.

      The RHEL 9 client NOT configured for FIPS will successfully join an IPA realm if the IPA server was created in FIPS.

      The RHEL 9 client configured for FIPS will successfully join an IPA realm if the IPA server was not created in FIPS.

      Version-Release number of selected component (if applicable):

      ipa-client-4.9.8-7.el9_0.x86_64

      How reproducible:

      To replicate the problem, follow these instructions. I have replicated this issue many times. We have hundreds of nodes set with FIPS enabled. Only the RHEL 9.0 systems will not join the IPA realm.

      1. Create a RHEL 9.0 system
      2. Enable FIPS: fips-mode-setup --enable
      3. Reboot
      4. Login
      5. ipa-client-setup -N (enter username, password, etc.)
      6. The node fails to join the IPA realm
      7. Disable FIPS: fips-mode-setup --disable
      8. Reboot
      9. Login
      10. ipa-client-setup -N (enter username, password, etc.)
      11. Node joins the IPA realm with no error.


      People

        Julien Rische, Abhijit Roy, Michal Polovka, Filip Hanzelka