The Identity, Policy and Audit system
5 files modified, 7 files added, 554 lines changed across 12 files

Added:
SOURCES/0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch (59 lines)
SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch (93 lines)
SOURCES/0040-Increase-the-default-token-key-size.patch (34 lines)
SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch (86 lines)
SOURCES/0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch (59 lines)
SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch (111 lines)
SOURCES/0044-replica-install-pass-ip-address-to-client-install.patch (38 lines)

Modified:
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch (20 lines)
SOURCES/1002-Package-copy-schema-to-ca.py.patch (12 lines)
SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch (4 lines)
SOURCES/1004-Remove-csrgen.patch (14 lines)
SPECS/ipa.spec (24 lines)
SOURCES/0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch
New file
@@ -0,0 +1,59 @@
From accc490a5f1db734c94e739d9b9638d44d60d21c Mon Sep 17 00:00:00 2001
From: Aleksei Slaikovskii <aslaikov@redhat.com>
Date: Mon, 23 Oct 2017 11:17:32 +0200
Subject: [PATCH] Add a notice to restart ipa services after certs are
 installed
Adding notice for user to restart services after
ipa-server-certinstall.
https://pagure.io/freeipa/issue/7016
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 install/tools/man/ipa-server-certinstall.1  | 3 ++-
 ipaserver/install/ipa_server_certinstall.py | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1
index 35cd8c6c711119d7c782c6a89ac78b4894cec073..00fd03b6bc2184ec2bbc099fd9799551c07d2390 100644
--- a/install/tools/man/ipa-server-certinstall.1
+++ b/install/tools/man/ipa-server-certinstall.1
@@ -28,7 +28,8 @@ PKCS#12 is a file format used to safely transport SSL certificates and public/pr
 They may be generated and managed using the NSS pk12util command or the OpenSSL pkcs12 command.
-The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory and/or Apache servers.
+The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory, Apache and/or Krb5kdc servers.
+
 .SH "OPTIONS"
 .TP
 \fB\-d\fR, \fB\-\-dirsrv\fR
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index 9c8f6e81a802e1a87bab1fd15f729e10676fe3a3..ec283705a4038239ddf0c6bacaac200936ed04e8 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -17,6 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
+from __future__ import print_function
 import os
 import os.path
@@ -121,6 +122,10 @@ class ServerCertInstall(admintool.AdminTool):
         if self.options.kdc:
             self.install_kdc_cert()
+        print(
+            "Please restart ipa services after installing certificate "
+            "(ipactl restart)")
+
         api.Backend.ldap2.disconnect()
     def install_dirsrv_cert(self):
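Review bot: the notice and the man page change in the same patch give different instructions: the code tells the user to run `ipactl restart` (everything), while the man page tells them to restart the Directory, Apache and/or Krb5kdc servers individually; pick one and use it in both places, e.g. add `ipactl restart` to the man page text as the simple option. Also, the message is emitted with a bare print() regardless of which of --dirsrv/--http/--kdc was given and bypasses the admintool logging the rest of the tool uses; consider routing it through the tool's logger so it shows up in the log file too, and reword "after installing certificate" to "after installing the certificate(s)".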
--
2.14.3
SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch
New file
@@ -0,0 +1,93 @@
From 20ab0c731eea95327c8c2dc296461b612c6e98ae Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Wed, 21 Feb 2018 23:39:55 -0500
Subject: [PATCH] Fix OTP validation in FIPS mode
NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
this, we encrypt the input key using an ephemeral key and then unwrap the
encrypted key.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 daemons/ipa-slapi-plugins/libotp/hotp.c | 47 +++++++++++++++++++++++++++++++--
 1 file changed, 45 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
index 619bc63ab1bee99d71c2f0fb887809762107c94c..0c9de96d37183e597867b736d6324db60fa1b3bb 100644
--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
@@ -46,6 +46,7 @@
 #include <time.h>
 #include <nss.h>
+#include <blapit.h>
 #include <pk11pub.h>
 #include <hasht.h>
 #include <prnetdb.h>
@@ -66,6 +67,49 @@ static const struct {
     { }
 };
+static PK11SymKey *
+import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
+{
+    uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE];
+    uint8_t iv[AES_BLOCK_SIZE] = {};
+    SECItem ivitem = { .data = iv, .len = sizeof(iv), .type = siBuffer };
+    SECItem ctitem = { .data = ct, .len = sizeof(ct), .type = siBuffer };
+    PK11SymKey *ekey = NULL;
+    PK11SymKey *skey = NULL;
+
+    /* Try to import the key directly. */
+    skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
+                             CKA_SIGN, key, NULL);
+    if (skey)
+        return skey;
+
+    /* If we get here, we are probably in FIPS mode. Let's encrypt the key so
+     * that we can unseal it instead of loading it directly. */
+
+    /* Generate an ephemeral key. */
+    ekey = PK11_TokenKeyGenWithFlags(slot, CKM_AES_CBC_PAD, NULL,
+                                     AES_128_KEY_LENGTH, NULL,
+                                     CKF_ENCRYPT | CKF_UNWRAP,
+                                     PK11_ATTR_SESSION |
+                                     PK11_ATTR_PRIVATE |
+                                     PK11_ATTR_SENSITIVE, NULL);
+    if (!ekey)
+        goto egress;
+
+    /* Encrypt the input key. */
+    if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
+                     ctitem.len, key->data, key->len) != SECSuccess)
+        goto egress;
+
+    /* Unwrap the input key. */
+    skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
+                             &ctitem, mech, CKA_SIGN, key->len);
+
+egress:
+    PK11_FreeSymKey(ekey);
+    return skey;
+}
+
 /*
  * This code is mostly cargo-cult taken from here:
  *   http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html
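Review bot: the fallback is taken on any PK11_ImportSymKey failure, not only in FIPS mode; the comment says "we are probably in FIPS mode" but nothing checks PK11_IsFIPS() or records PR_GetError() before going on to the wrap/unwrap path, so a genuine import error is silently turned into a second attempt whose failure looks like a FIPS problem. Check PK11_IsFIPS() (or at least log the first error) before falling through. Two smaller points on the same hunk: `uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE];` is a VLA sized by the caller-supplied key length, so an oversized stored key grows the stack without bound; cap key->len (HMAC keys longer than the hash block size add nothing) or use a heap buffer. And the comment should say plainly that encrypting under a session key and unwrapping does not protect the key material, which is already in plaintext in key->data; it only satisfies the FIPS token's refusal to import raw secret keys. The all-zero IV is acceptable only because the wrapping key is generated fresh for this single encryption, and the comment should say that too. Finally, `goto egress` with ekey == NULL relies on PK11_FreeSymKey() tolerating NULL; returning early on that branch would avoid the question.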
@@ -90,8 +134,7 @@ static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in,
         }
     }
-    symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
-                               CKA_SIGN, key, NULL);
+    symkey = import_key(slot, mech, key);
     if (symkey == NULL)
         goto done;
--
2.14.3
SOURCES/0040-Increase-the-default-token-key-size.patch
New file
@@ -0,0 +1,34 @@
From ab2eaf607dd3746dd239595315dbaaebade06320 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 22 Feb 2018 14:04:10 -0500
Subject: [PATCH] Increase the default token key size
The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/plugins/otptoken.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
index c66f0980f0fc2ed49b4224be40a18ce528a6da7b..a6e423f949659d8157c8471d0fbc3ee8a299ac98 100644
--- a/ipaserver/plugins/otptoken.py
+++ b/ipaserver/plugins/otptoken.py
@@ -72,7 +72,7 @@ TOKEN_TYPES = {
 }
 # NOTE: For maximum compatibility, KEY_LENGTH % 5 == 0
-KEY_LENGTH = 20
+KEY_LENGTH = 35
 class OTPTokenKey(Bytes):
     """A binary password type specified in base32."""
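Review bot: this only changes the default for tokens created from now on; tokens that already exist with 20-byte keys will still fail in FIPS mode for sha384/sha512 exactly as the commit message describes, so a release note or an upgrade-time check for short keys on those algorithms would help operators. Also, the `KEY_LENGTH % 5 == 0` note explains base32 friendliness but not the lower bound; add a one-line comment naming the minimum key length the sha512 HMAC requires under FIPS so nobody lowers 35 back down for compatibility reasons.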
--
2.14.3
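As an added example (not FreeIPA or NSS code), the following shows what the token key changed in 0039 and 0040 actually feeds and why the default must stay a multiple of 5: an RFC 4226 HOTP with a selectable HMAC digest, checked against the RFC's published test secret, and the base32 padding produced for 20-, 32- and 35-byte keys. Function names are the example's own; because it uses Python's hmac module it does not reproduce NSS's FIPS-mode rejection of short keys or of raw key import.

```python
"""Added example (not FreeIPA code): RFC 4226 HOTP with a selectable HMAC
digest, plus the base32 rule behind FreeIPA's KEY_LENGTH % 5 == 0 comment."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation at the offset given by the low nibble of the last MAC byte,
    then modulo 10**digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, **kw) -> str:
    """RFC 6238 TOTP is HOTP over the time-step counter."""
    return hotp(key, unix_time // step, **kw)


def base32_secret(key: bytes) -> str:
    """The form in which a token key is handed to an authenticator app."""
    return base64.b32encode(key).decode("ascii")


def base32_padding(key_len: int) -> int:
    """Number of '=' characters base32 appends for a key of this length;
    zero exactly when key_len % 5 == 0, which is the compatibility point."""
    return base32_secret(b"\x00" * key_len).count("=")


def new_token_key(length: int = 35) -> bytes:
    """Random token key. 35 mirrors the new default in otptoken.py; the
    multiple-of-5 check keeps the base32 form free of padding."""
    if length % 5:
        raise ValueError("key length must be a multiple of 5")
    return secrets.token_bytes(length)


# RFC 4226 Appendix D test vector (taken from the RFC, constructed here).
RFC4226_SECRET = b"12345678901234567890"
RFC4226_CODES = ["755224", "287082", "359152", "969429", "338314",
                 "254676", "287922", "162583", "399871", "520489"]


def rfc4226_vectors_pass() -> bool:
    """True when hotp() reproduces all ten published counter values."""
    return all(hotp(RFC4226_SECRET, c) == RFC4226_CODES[c] for c in range(10))


if __name__ == "__main__":
    print("RFC 4226 vectors:", rfc4226_vectors_pass())
    for n in (20, 32, 35):
        print(f"{n}-byte key -> base32 length {len(base32_secret(bytes(n)))}, "
              f"padding {base32_padding(n)}")
    # Same 35-byte key, different digests: the key length is shared by all.
    k = new_token_key()
    for d in (hashlib.sha1, hashlib.sha256, hashlib.sha512):
        print(d().name, hotp(k, 1, digestmod=d))
```

Running it shows that 20 and 35 bytes encode without padding while 32 bytes picks up four `=` characters, which is the property the `KEY_LENGTH % 5 == 0` comment preserves when the default moves from 20 to 35.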
SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch
New file
@@ -0,0 +1,86 @@
From 6d813f6b03811a285c3c6dae85942c0086b619a6 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Mon, 26 Feb 2018 09:48:22 -0500
Subject: [PATCH] Revert "Don't allow OTP or RADIUS in FIPS mode"
This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622.
OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
traffic in a VPN.
https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/plugins/baseuser.py |  3 ---
 ipaserver/plugins/config.py   | 16 ----------------
 2 files changed, 19 deletions(-)
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index bb8a73ded0fed135d5829ec0b0829a936f2196fb..bf24dbf542d3b481671dfe4e8cee14a2edcc26e0 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -32,7 +32,6 @@ from .baseldap import (
     add_missing_object_class)
 from ipaserver.plugins.service import (
    validate_certificate, validate_realm, normalize_principal)
-from ipaserver.plugins.config import check_fips_auth_opts
 from ipalib.request import context
 from ipalib import _
 from ipalib.constants import PATTERN_GROUPUSER_NAME
@@ -478,7 +477,6 @@ class baseuser_add(LDAPCreate):
                             **options):
         assert isinstance(dn, DN)
         set_krbcanonicalname(entry_attrs)
-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
         self.obj.convert_usercertificate_pre(entry_attrs)
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -602,7 +600,6 @@ class baseuser_mod(LDAPUpdate):
         assert isinstance(dn, DN)
         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
         self.check_namelength(ldap, **options)
         self.check_mail(entry_attrs)
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index c9033fa8e7a2a0bfe77464fa4f9c62278bd814f6..ce15e6096f5b84dc45ee21d5aecc73ecf86eba07 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -85,20 +85,6 @@ EXAMPLES:
 register = Registry()
-
-def check_fips_auth_opts(fips_mode, **options):
-    """
-    OTP and RADIUS are not allowed in FIPS mode since they use MD5
-    checksums (OTP uses our RADIUS responder daemon ipa-otpd).
-    """
-    if 'ipauserauthtype' in options and fips_mode:
-        if ('otp' in options['ipauserauthtype'] or
-                'radius' in options['ipauserauthtype']):
-            raise errors.InvocationError(
-                'OTP and RADIUS authentication in FIPS is '
-                'not yet supported')
-
-
 @register()
 class config(LDAPObject):
     """
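Review bot: removing check_fips_auth_opts also removes the only place that recorded why RADIUS was blocked (its docstring: MD5 checksums, with OTP going through the RADIUS responder ipa-otpd), and the commit message's replacement control, "wrapping traffic in a VPN", is something the server cannot verify. Keep at least a warning in config_mod (and the user auth-type help) when a FIPS-mode server is asked to enable 'radius', so the compliance condition is not silently dropped with the check. Also confirm that `errors` is still referenced elsewhere in config.py after this hunk, or remove the import.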
@@ -412,8 +398,6 @@ class config_mod(LDAPUpdate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
-        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
-
         if 'ipadefaultprimarygroup' in entry_attrs:
             group=entry_attrs['ipadefaultprimarygroup']
             try:
--
2.14.3
SOURCES/0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch
New file
@@ -0,0 +1,59 @@
From b9194a0292ce57418b3c9f5faf2ee5509f0fb749 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 1 Mar 2018 14:25:55 -0500
Subject: [PATCH] Log errors from NSS during FIPS OTP key import
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 daemons/ipa-slapi-plugins/libotp/hotp.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
index 0c9de96d37183e597867b736d6324db60fa1b3bb..1b9110ebf89a705c9c670d4d33fc7ed615ad25f3 100644
--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
@@ -49,7 +49,9 @@
 #include <blapit.h>
 #include <pk11pub.h>
 #include <hasht.h>
+#include <prerror.h>
 #include <prnetdb.h>
+#include <syslog.h>
 struct digest_buffer {
     uint8_t buf[SHA512_LENGTH];
@@ -93,17 +95,27 @@ import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
                                      PK11_ATTR_SESSION |
                                      PK11_ATTR_PRIVATE |
                                      PK11_ATTR_SENSITIVE, NULL);
-    if (!ekey)
+    if (!ekey) {
+        syslog(LOG_ERR, "libotp: in FIPS, PK11_TokenKeyGenWithFlags failed: %d",
+               PR_GetError());
         goto egress;
+    }
     /* Encrypt the input key. */
     if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
-                     ctitem.len, key->data, key->len) != SECSuccess)
+                     ctitem.len, key->data, key->len) != SECSuccess) {
+        syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d",
+               PR_GetError());
         goto egress;
+    }
     /* Unwrap the input key. */
     skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
                              &ctitem, mech, CKA_SIGN, key->len);
+    if (!skey) {
+        syslog(LOG_ERR, "libotp: in FIPS, PK11_UnwrapSymKey failed: %d",
+               PR_GetError());
+    }
 egress:
     PK11_FreeSymKey(ekey);
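Review bot: all three messages say "in FIPS", but import_key enters this path on any PK11_ImportSymKey failure and that first failure is still not logged, so the log can blame FIPS for an unrelated import error; log the initial PR_GetError() as well and drop or qualify "in FIPS". PR_ErrorToName() or PR_ErrorToString() from the prerror.h already being included would make the bare %d codes readable. Separately, this is a slapi plugin calling syslog() directly; if the rest of the plugin logs through the Directory Server logging API, use the same channel so these lines land next to the plugin's other output.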
--
2.14.3
SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch
New file
@@ -0,0 +1,111 @@
From 13d111faedfd5cbd0a7382e566edda7bd9ffc7ad Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 14 Mar 2018 16:13:17 +0100
Subject: [PATCH] ipa-replica-install: make sure that certmonger picks the
 right master
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for an ldap service. This step can pick a different master, where the
principal entry has not always been replicated yet.
As the certificate request adds the principal if it does not exist, we can
end up re-creating the principal and have a replication conflict.
The replication conflict later causes kerberos issues, preventing
a new replica from being installed.
The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.
https://pagure.io/freeipa/issue/7041
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/server/replicainstall.py | 42 +++++++++++++++++++++++++++---
 1 file changed, 39 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6aa1157133423e854514de61a69810433e436d2f..5a37aea0ac913d5c9cb88346345ba5760a9e923d 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -194,7 +194,16 @@ def install_dns_records(config, options, remote_api):
                          'on master: %s', str(e))
-def create_ipa_conf(fstore, config, ca_enabled):
+def create_ipa_conf(fstore, config, ca_enabled, master=None):
+    """
+    Create /etc/ipa/default.conf master configuration
+    :param fstore: sysrestore file store used for backup and restore of
+                   the server configuration
+    :param config: replica config
+    :param ca_enabled: True if the topology includes a CA
+    :param master: if set, the xmlrpc_uri parameter will use the provided
+                   master instead of this host
+    """
     # Save client file on Domain Level 1
     target_fname = paths.IPA_DEFAULT_CONF
     fstore.backup_file(target_fname)
@@ -203,8 +212,12 @@ def create_ipa_conf(fstore, config, ca_enabled):
     ipaconf.setOptionAssignment(" = ")
     ipaconf.setSectionNameDelimiters(("[", "]"))
-    xmlrpc_uri = 'https://{0}/ipa/xml'.format(
-                    ipautil.format_netloc(config.host_name))
+    if master:
+        xmlrpc_uri = 'https://{0}/ipa/xml'.format(
+            ipautil.format_netloc(master))
+    else:
+        xmlrpc_uri = 'https://{0}/ipa/xml'.format(
+                        ipautil.format_netloc(config.host_name))
     ldapi_uri = 'ldapi://%2fvar%2frun%2fslapd-{0}.socket\n'.format(
                     installutils.realm_to_serverid(config.realm_name))
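Review bot: the two branches differ only in the host name, so `xmlrpc_uri = 'https://{0}/ipa/xml'.format(ipautil.format_netloc(master or config.host_name))` says the same thing once and keeps the URL template in a single place.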
@@ -1431,6 +1444,25 @@ def install(installer):
     # we now need to enable ssl on the ds
     ds.enable_ssl()
+    if promote:
+        # We need to point to the master when certmonger asks for
+        # HTTP certificate.
+        # During http installation, the HTTP/hostname principal is created
+        # locally then the installer waits for the entry to appear on the
+        # master selected for the installation.
+        # In a later step, the installer requests a SSL certificate through
+        # Certmonger (and the op adds the principal if it does not exist yet).
+        # If xmlrpc_uri points to the soon-to-be replica,
+        # the httpd service is not ready yet to handle certmonger requests
+        # and certmonger tries to find another master. The master can be
+        # different from the one selected for the installation, and it is
+        # possible that the principal has not been replicated yet. This
+        # may lead to a replication conflict.
+        # This is why we need to force the use of the same master by
+        # setting xmlrpc_uri
+        create_ipa_conf(fstore, config, ca_enabled,
+                        master=config.master_host_name)
+
     install_http(
         config,
         auto_redirect=not options.no_ui_redirect,
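Review bot: create_ipa_conf calls fstore.backup_file(target_fname) on every invocation (see the first hunk), and the promote path now calls it twice more; confirm that sysrestore keeps the backup of the pre-install default.conf rather than the interim master-pointed copy, otherwise an uninstall could restore a default.conf whose xmlrpc_uri points at the master. Also, if install_http raises, default.conf is left pointing at the master; wrapping install_http in try/finally (with the reset below in the finally) would leave a cleaner state for a retry.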
@@ -1439,6 +1471,10 @@ def install(installer):
         ca_is_configured=ca_enabled,
         ca_file=cafile)
+    if promote:
+        # Need to point back to ourself after the cert for HTTP is obtained
+        create_ipa_conf(fstore, config, ca_enabled)
+
     otpd = otpdinstance.OtpdInstance()
     otpd.create_instance('OTPD', config.host_name,
                          ipautil.realm_to_suffix(config.realm_name))
--
2.14.3
SOURCES/0044-replica-install-pass-ip-address-to-client-install.patch
New file
@@ -0,0 +1,38 @@
From d1506d6a44b4c4b85772cd0764113f2b20a147fe Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Fri, 6 Apr 2018 09:10:20 +0200
Subject: [PATCH] replica-install: pass --ip-address to client install
In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP addresses instead of just those specified.
This patch passes all the --ip-address options down to the client
installation script.
https://pagure.io/freeipa/issue/7405
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/install/server/replicainstall.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 5a37aea0ac913d5c9cb88346345ba5760a9e923d..42e4615ad2dc1f604f5d8d14f8e57e3e4674bcb9 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -942,6 +942,10 @@ def ensure_enrolled(installer):
         args.append("--mkhomedir")
     if installer.force_join:
         args.append("--force-join")
+    if installer.ip_addresses:
+        for ip in installer.ip_addresses:
+            # installer.ip_addresses is of type [CheckedIPAddress]
+            args.extend(("--ip-address", str(ip)))
     try:
         # Call client install script
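Review bot: the `if installer.ip_addresses:` guard is only needed if the attribute can be None; iterating an empty list already does nothing, so either drop the guard or have the comment say None is possible. Verify that str(ip) on a CheckedIPAddress renders the bare address and not address/prefix, since that string is what ipa-client-install receives as --ip-address. The Reviewed-By trailer names the patch author; a second reviewer should be recorded.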
--
2.14.3
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
From 70850c65eaefffc73d4f39cd9cc5490a6a5bb785 Mon Sep 17 00:00:00 2001
From 0efc9d0a7e4c04d44eee4c408d426f91dc76be9c Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 15:48:07 +0000
Subject: [PATCH] Change branding to IPA and Identity Management
@@ -113,7 +113,7 @@
 ipa\-client\-install \- Configure an IPA client
 .SH "SYNOPSIS"
diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
index 08f6ec40d362b88a974e6ec735ed37c271e01882..3db48cc9204908dc63fdee6b3917331da43cd424 100644
index 39ff0d5da85b5a641328a512feeb06bc9c1ab9d7..bf1e72a3672a72554f9563a41d4eeed88bfd272b 100644
--- a/client/man/ipa-getkeytab.1
+++ b/client/man/ipa-getkeytab.1
@@ -17,7 +17,7 @@
@@ -125,7 +125,7 @@
 .SH "NAME"
 ipa\-getkeytab \- Get a keytab for a Kerberos principal
 .SH "SYNOPSIS"
@@ -112,7 +112,7 @@ GSSAPI or EXTERNAL.
@@ -117,7 +117,7 @@ GSSAPI or EXTERNAL.
 \fB\-r\fR
 Retrieve mode. Retrieve an existing key from the server instead of generating a
 new one. This is incompatibile with the \-\-password option, and will work only
@@ -545,7 +545,7 @@
 ipa\-replica\-conncheck \- Check a replica\-master network connection before installation
 .SH "SYNOPSIS"
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 7d241324818dd3a5294da5e84b67a19d0d9a31b6..f1ed8860d7ecebd7a23d60a621adea0947eca9da 100644
index a1284135ac67de2b67b322aec3f6bbfb05f1a8ec..4301128afc65780ab73654d8c213a4f8ce4763a2 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -1,7 +1,7 @@
@@ -566,7 +566,7 @@
 
 If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica.
 
@@ -229,7 +229,7 @@ ldapmodify command info the directory server.
@@ -232,7 +232,7 @@ ldapmodify command info the directory server.
 .TP
 \fB\-\-add\-agents\fR
 Add IPA masters to the list that allows to serve information about
@@ -615,7 +615,7 @@
 ipa\-restore \- Restore an IPA master
 .SH "SYNOPSIS"
diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1
index 35cd8c6c711119d7c782c6a89ac78b4894cec073..7ba159b29d005337d806b38b7c35de07a2d5d71e 100644
index 00fd03b6bc2184ec2bbc099fd9799551c07d2390..aa9bb7b8567beadcd068e03f7de21043373af281 100644
--- a/install/tools/man/ipa-server-certinstall.1
+++ b/install/tools/man/ipa-server-certinstall.1
@@ -16,7 +16,7 @@
@@ -998,7 +998,7 @@
     '''
 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 97cbc6d8c84ee8fc21b6f8983c7897dc5d30c42d..eb42d1aa905a30ddc83de5a145d4e8d1348fbab9 100644
index 422474fa915b4876530f304ef9424f6b31cf26cc..8f2cca4f6096fc4093f180c84da7888e8710765a 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -373,7 +373,7 @@ def install_check(installer):
@@ -1011,10 +1011,10 @@
     print("This includes:")
     if setup_ca:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6aa1157133423e854514de61a69810433e436d2f..1b3fdb238db46e6cd15dccb7d8d88b08f70d3066 100644
index 42e4615ad2dc1f604f5d8d14f8e57e3e4674bcb9..7726b782f36f884e098ca4a5f5a136f7742e5e97 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -601,7 +601,7 @@ def check_domain_level_is_supported(current):
@@ -614,7 +614,7 @@ def check_domain_level_is_supported(current):
     above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
 
     if under_lower_bound or above_upper_bound:
@@ -1046,5 +1046,5 @@
 """) + _("""
 To enable the binddn run the following command to set the password:
-- 
2.9.5
2.14.3
SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
From 0cb701b1b4492b8e7234991eef30b5ac77dbd328 Mon Sep 17 00:00:00 2001
From 154c041a95be7e6cdbcc8e116ff0fc2a785d730f Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 14 Mar 2017 16:07:15 +0000
Subject: [PATCH] Package copy-schema-to-ca.py
@@ -10,10 +10,10 @@
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index a8b5ce81fcf9bdb61cd3707e6b68b6f2196e0776..5fc0982188da4f7a3a1438bd5c67aac7bed195a8 100644
index 80ae98c5515f64a8df8d981ad5e91b05c84e31c1..86189d56ded05dac695d3a7a19f726e197979dc5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1293,6 +1293,7 @@ fi
@@ -1292,6 +1292,7 @@ fi
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
@@ -22,10 +22,10 @@
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 62f79b28000b015edb66f4c39a270097ab3ed666..d876c5b385a250f3bd9c2689f9794ef7f89720a6 100644
index 20635eae22268ff72de73b8b9c430050114bb45b..190f8d851b3567638f8a41e2a4ce10e40e2ec1af 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1311,9 +1311,11 @@ def replica_ca_install_check(config, promote):
@@ -1321,9 +1321,11 @@ def replica_ca_install_check(config, promote):
     else:
         root_logger.critical(
             'The master CA directory server does not have necessary schema. '
@@ -40,5 +40,5 @@
 
 
-- 
2.9.5
2.14.3
SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
From cf83189d36e1615444b83dc2bf3b27fad215b322 Mon Sep 17 00:00:00 2001
From c96e727aff6be11c1d90c7b693b77f36d6deeaac Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 22 Jun 2016 13:53:46 +0200
Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
@@ -24,5 +24,5 @@
 WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
 WSGIScriptReloading Off
-- 
2.9.5
2.14.3
SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
From f6463c332aebb40be39bcfdf458f20f1dc3d2bbe Mon Sep 17 00:00:00 2001
From 4f3522e47d1a1c26dc8283c6aa4fc72a33d7133e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 16 Mar 2017 09:44:21 +0000
Subject: [PATCH] Remove csrgen
@@ -75,7 +75,7 @@
 delete mode 100644 ipatests/test_ipaclient/test_csrgen.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b7654671bcb9 100644
index 86189d56ded05dac695d3a7a19f726e197979dc5..3cefeeced78de60ced36759acce5ab5c1a0ddd0d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -198,7 +198,6 @@ BuildRequires:  python-sssdconfig
@@ -94,7 +94,7 @@
 BuildRequires:  python3-augeas
 %endif # with_python3
 %endif # with_lint
@@ -545,7 +543,6 @@ Requires: %{name}-client-common = %{version}-%{release}
@@ -544,7 +542,6 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
 Requires: python-dns >= 1.15
@@ -102,7 +102,7 @@
 
 %description -n python2-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -568,7 +565,6 @@ Requires: %{name}-client-common = %{version}-%{release}
@@ -567,7 +564,6 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
 Requires: python3-dns >= 1.15
@@ -110,7 +110,7 @@
 
 %description -n python3-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -1434,13 +1430,6 @@ fi
@@ -1433,13 +1429,6 @@ fi
 %{python_sitelib}/ipaclient/remote_plugins/*.py*
 %dir %{python_sitelib}/ipaclient/remote_plugins/2_*
 %{python_sitelib}/ipaclient/remote_plugins/2_*/*.py*
@@ -124,7 +124,7 @@
 %{python_sitelib}/ipaclient-*.egg-info
 
 
@@ -1465,13 +1454,6 @@ fi
@@ -1464,13 +1453,6 @@ fi
 %dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
@@ -1649,5 +1649,5 @@
-            _script = generator.csr_script(
-                principal, {}, 'example', 'identity')
-- 
2.9.5
2.14.3
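Review bot: 1001 through 1004 were regenerated rather than changed: only the From: hash, the `index` lines, hunk offsets and the git trailer (2.9.5 to 2.14.3) differ, which is the expected churn after inserting 0038-0044 ahead of them. One ordering dependency is now baked in: 1001's new index line for install/tools/man/ipa-server-certinstall.1 starts at 00fd03b6..., the post-image of 0038's hunk on the same file, so the Patch numbering in ipa.spec must keep 0038 applied before 1001.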
SPECS/ipa.spec
@@ -72,7 +72,7 @@
Name:           ipa
Version:        %{IPA_VERSION}
Release:        10%{?dist}
Release:        10%{?dist}.1
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -125,6 +125,13 @@
Patch0035:    0035-WebUI-change-validator-of-page-size-settings.patch
Patch0036:    0036-WebUI-fix-jslint-error.patch
Patch0037:    0037-ipa-advise-for-smartcards-updated.patch 
Patch0038:    0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch
Patch0039:    0039-Fix-OTP-validation-in-FIPS-mode.patch
Patch0040:    0040-Increase-the-default-token-key-size.patch
Patch0041:    0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch
Patch0042:    0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch
Patch0043:    0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch
Patch0044:    0044-replica-install-pass-ip-address-to-client-install.patch
Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002:      1002-Package-copy-schema-to-ca.py.patch
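Review bot: the Patch0037 line keeps a trailing space after `smartcards-updated.patch`, and the new Patch0038-0044 entries use four spaces after the colon while Patch1001/Patch1002 use six; trim the whitespace and align the new block with the existing one.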
@@ -1689,9 +1696,22 @@
%changelog
* Tue Apr 10 2018 CentOS Sources <bugs@centos.org> - 4.5.4-10.el7.centos
* Mon May 14 2018 CentOS Sources <bugs@centos.org> - 4.5.4-10.el7.centos.1
- Roll in CentOS Branding
* Tue Apr 10 2018 Florence Blanc-Renaud <frenaud@redhat.com> - 4.5.4-11.el7
- Resolves: #1565519 Clarify the need to restart services in ipa-server-certinstall(1)
  - Add a notice to restart ipa services after certs are installed
- Resolves: #1564390 OTP and Radius Authentication does not work in FIPS mode
  - Fix OTP validation in FIPS mode
  - Increase the default token key size
  - Revert "Don't allow OTP or RADIUS in FIPS mode"
  - Log errors from NSS during FIPS OTP key import
- Resolves: #1565520 ipa client pointing to replica shows KDC has no support for encryption type
  - ipa-replica-install: make sure that certmonger picks the right master
- Resolves: #1565605 DNS records updated with all IPAddresses of an interface when IPA server/replica try to install with Specific IP address of that interface
  - replica-install: pass --ip-address to client install
* Wed Feb 07 2018 Florence Blanc-Renaud <frenaud@redhat.com> - 4.5.4-10.el7
- Resolves: #1540361 ipa-advise for smartcards is out-of-date
  - ipa-advise for smartcards updated
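Review bot: Release moves to 10%{?dist}.1 while the imported changelog entry is for 4.5.4-11.el7, so the build ships the 4.5.4-11 fixes under an NVR that RPM sorts below 4.5.4-11.el7, and the CentOS entry's own text ("Roll in CentOS Branding") does not mention them; either bump Release to 11%{?dist} or state in the CentOS changelog entry that the 11.el7 patch set is included.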