Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-5725

Make porta compatible with FIPS-enabled Openshift

XMLWordPrintable

    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Engineering
    • 0% To Do, 100% In Progress, 0% Done

      After installing 3scale via Operator on Openshift, system-master returns an empty response to "http://token@system-maste/master/api/proxy/configs/production.json"
      In the logs:

      [c3a40a01-96e5-4ae1-9dd1-dabd1db6f7f0] [system-master] [10.179.12.244] Started GET "/master/api/proxy/configs/production.json" for 10.179.12.244 at 2020-07-28 16:09:34 +0000
[c3a40a01-96e5-4ae1-9dd1-dabd1db6f7f0] [system-master] [10.179.12.244] Processing by Master::Api::Proxy::ConfigsController#index as JSON
[c3a40a01-96e5-4ae1-9dd1-dabd1db6f7f0] [system-master] [10.179.12.244]   Parameters: {"environment"=>"production"}
[c3a40a01-96e5-4ae1-9dd1-dabd1db6f7f0] [system-master] [10.179.12.244] PermissionEnforcer: level = ro
[c3a40a01-96e5-4ae1-9dd1-dabd1db6f7f0] [system-master] [10.179.12.244]   'master/api/proxy/configs/index' file doesn't exist, so no dependencies
[c3a40a01-96e5-4ae1-9dd1-dabd1db6f7f0] [system-master] [10.179.12.244]   Couldn't find template for digesting: master/api/proxy/configs/index
md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
E, [2020-07-28T16:09:35.838647 #1] ERROR -- : reaped #<Process::Status: pid 599 SIGABRT (signal 6) (core dumped)> worker=1
[e493e56b-b19d-4b19-96da-0a9f6a64c4fe] [system-master] [10.179.12.244] Started GET "/master/api/proxy/configs/admin/api/services.json" for 10.179.12.244 at 2020-07-28 16:09:35 +0000
I, [2020-07-28T16:09:35.852982 #616]  INFO -- : worker=1 ready
[e493e56b-b19d-4b19-96da-0a9f6a64c4fe] [system-master] [10.179.12.244]   
[e493e56b-b19d-4b19-96da-0a9f6a64c4fe] [system-master] [10.179.12.244] ActionController::RoutingError (No route matches [GET] "/master/api/proxy/configs/admin/api/services.json"):
[e493e56b-b19d-4b19-96da-0a9f6a64c4fe] [system-master] [10.179.12.244]

      The requirement is to be able to use 3scale with FIPS mode enabled.

      Notes

      In the past Java was an opt-in model, so they had to configure to run in FIPS. Now with RHEL 8, and OS is in FIPS mode, OpenJDK will swap the providers it is using. You have to specifically opt out. https://github.com/RedHatGov/fips-openjdk-rhel. FAQ for Engineering FAQs on FIPS

      For an explanation of why THREESCALE-6316 is a requirement for this issue, please see this comment. The following statement is part of that comment.

      It’s worth mentioning that nobody in the team is familiar with FIPS so there is a lot of uncertainty. It’s quite likely that other matters will arise.

      It's important to understand this uncertainty. In other words, we know that an upgrade to 5.2 is necessary to run 3scale on OCP with FIPS mode enabled. However, we cannot be sure of what else is necessary until we finish the upgrade.
      Other resource:
      https://github.com/rails/rails/issues/31203#issuecomment-381449887

      See also the description of this PR https://github.com/3scale/porta/pull/2601

            Unassigned Unassigned
            rhn-support-cpalmier Carlo Palmieri (Inactive)
            Aleksandar Kostadinov Aleksandar Kostadinov
            Votes:
            15 Vote for this issue
            Watchers:
            32 Start watching this issue

              Created:
              Updated:
              Resolved: