Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0
Component/s: ipa
Labels:
- commit
- fixed_upstream

Fixed in Build:
ipa-4.12.2-2.el10
Regression:
No
Severity:
Important
Epic Link:
FREEIPA-11520
sprint_count:
2

Pool Team:

rhel-sst-idm-ipa
Sub-System Group:

ssg_idm

Dev Target Milestone:
6
Internal Target Milestone:
8
Story Points:
1
ACKs Check:

QE ack, Dev ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
2024-Q3-Alpha-S6, 2024-Q4-Alpha-S1

Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/139322
Test Coverage:

Automated

Release Note Type:
Known Issue
Release Note Text:

Hide
.Installing an IdM replica fails in FIPS mode

In RHEL 10-beta, the installation of an Identity Management (IdM) replica fails in FIPS mode. The installation fails when the import of the Registration Authority (RA) key is attempted.

Show
.Installing an IdM replica fails in FIPS mode In RHEL 10-beta, the installation of an Identity Management (IdM) replica fails in FIPS mode. The installation fails when the import of the Registration Authority (RA) key is attempted.
Release Note Status:
Done

Experience:

PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Installation of a replica in FIPS mode is failing in RHEL10.

What is the impact of this issue to you?

Replica deployment allows to load-balance IPA services and provide high availability. Without a replica the topology has a single point of failure.

Please provide the package NVR for which the bug is seen:

ipa-server-4.12.0-1.el10.x86_64

How reproducible is this bug?:

Always

Steps to reproduce

Install an IPA server in FIPS mode: fips-mode-setup --enable;reboot;ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
Install an IPA replica in FIPS mode: fips-mode-setup --enable; reboot; ipa-replica-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U

Expected results

Replica installation should succeed

Actual results

Even with python-cryptography fix for RHEL-40210, the replica installation fails in the step exchanging the RA key between server and replica through custodia. See details in https://pagure.io/freeipa/issue/9577

relates to

RHEL-40210 ipa replication installation fails in FIPS mode on rhel10

Release Pending

links to

freeipa pagure 9577

RHBA-2024:139322 ipa bug fix and enhancement update

Assignee:: Florence Renaud

Reporter:: Florence Renaud

Developer:: Florence Renaud

QA Contact:: Sudhir Menon

Doc Contact:: Filip Hanzelka

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/09/09 2:17 PM

Updated:: 2025/01/09 6:33 PM

Dev Target end:: 2024/09/30

Target end:: 2024/10/14

Next Planned Release Date:: 2025/05/13

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates