RHEL-58067

ipa replica installation fails in FIPS mode on rhel10

    • ipa-4.12.2-2.el10
    • No
    • None
    • 1
    • sst_idm_ipa
    • ssg_idm
    • 6
    • None
    • QE ack, Dev ack
    • False
    • Yes
    • 2024-Q3-Alpha-S6
    • Pass
    • Automated
    • Known Issue
    • Cause (the user action or circumstances that trigger the bug): In FIPS mode, IPA replica installation fails in RHEL 10.0.beta.
      Consequence (what the user experience is when the bug occurs): Unable to add a RHEL 10.0.beta replica to the topology.
      Workaround (if available): None
      Result (mandatory if the workaround does not solve the problem completely):
    • Proposed
    • None

      What were you trying to do that didn't work?

      Installation of a replica in FIPS mode is failing in RHEL10.

      What is the impact of this issue to you?

      Replica deployment allows load-balancing of IPA services and provides high availability. Without a replica, the topology has a single point of failure.

      Please provide the package NVR for which the bug is seen:

      ipa-server-4.12.0-1.el10.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install an IPA server in FIPS mode: fips-mode-setup --enable; reboot; ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
      2. Install an IPA replica in FIPS mode: fips-mode-setup --enable; reboot; ipa-replica-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U

      Expected results

      Replica installation should succeed

      Actual results

      Even with the python-cryptography fix for RHEL-40210, the replica installation fails in the step exchanging the RA key between server and replica through Custodia. See details in https://pagure.io/freeipa/issue/9577

            frenaud@redhat.com Florence Renaud
            Sudhir Menon Sudhir Menon