|
 |
ad7e68 |
From 1a7e9b493fc3cfbbd74ab9009fa840c5dcb55c8c Mon Sep 17 00:00:00 2001
|
|
|
ad7e68 |
From: jmagne <jmagne@redhat.com>
|
|
|
ad7e68 |
Date: Thu, 16 Sep 2021 15:48:37 -0700
|
|
|
ad7e68 |
Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
|
|
|
ad7e68 |
in FIPS mode (RHEL-8.5) (#3742)
|
|
|
ad7e68 |
|
|
|
ad7e68 |
It looks like this is an issue in FIPS mode because when we restart the subsystem, there is a pki command
|
|
|
ad7e68 |
that runs before the server runs. In order for this command to succeed, we must alter the python script that
|
|
|
ad7e68 |
runs pki commands to add the following switch to turn off fips mode in java: "-Dcom.redhat.fips=false".
|
|
|
ad7e68 |
|
|
|
ad7e68 |
This allows the JSS proivder to be selected instead of a differnt one which doesn't work for us, when we are in
|
|
|
ad7e68 |
fips mode.
|
|
|
ad7e68 |
---
|
|
|
ad7e68 |
base/common/python/pki/cli/main.py | 11 ++++++++++-
|
|
|
ad7e68 |
base/common/share/etc/pki.conf | 10 ++++++++++
|
|
|
ad7e68 |
2 files changed, 20 insertions(+), 1 deletion(-)
|
|
|
ad7e68 |
|
|
|
ad7e68 |
diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py
|
|
|
ad7e68 |
index b0ae6c6fc..bc215aaa4 100644
|
|
|
ad7e68 |
--- a/base/common/python/pki/cli/main.py
|
|
|
ad7e68 |
+++ b/base/common/python/pki/cli/main.py
|
|
|
ad7e68 |
@@ -98,6 +98,7 @@ class PKICLI(pki.cli.CLI):
|
|
|
ad7e68 |
|
|
|
ad7e68 |
java_path = os.getenv('PKI_JAVA_PATH')
|
|
|
ad7e68 |
java_home = os.getenv('JAVA_HOME')
|
|
|
ad7e68 |
+ java_fips_cmd = os.getenv('JAVA_FIPS_ENABLED')
|
|
|
ad7e68 |
pki_lib = os.getenv('PKI_LIB')
|
|
|
ad7e68 |
logging_config = os.getenv('PKI_LOGGING_CONFIG')
|
|
|
ad7e68 |
|
|
|
ad7e68 |
@@ -113,7 +114,15 @@ class PKICLI(pki.cli.CLI):
|
|
|
ad7e68 |
cmd.extend(['/usr/bin/env', 'java'])
|
|
|
ad7e68 |
|
|
|
ad7e68 |
cmd.extend([
|
|
|
ad7e68 |
- '-cp', pki_lib + '/*',
|
|
|
ad7e68 |
+ '-cp', pki_lib + '/*'
|
|
|
ad7e68 |
+ ])
|
|
|
ad7e68 |
+
|
|
|
ad7e68 |
+ if java_fips_cmd is not None:
|
|
|
ad7e68 |
+ cmd.extend([
|
|
|
ad7e68 |
+ java_fips_cmd
|
|
|
ad7e68 |
+ ])
|
|
|
ad7e68 |
+
|
|
|
ad7e68 |
+ cmd.extend([
|
|
|
ad7e68 |
'-Djava.util.logging.config.file=' + logging_config,
|
|
|
ad7e68 |
'com.netscape.cmstools.cli.MainCLI'
|
|
|
ad7e68 |
])
|
|
|
ad7e68 |
diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
|
|
|
ad7e68 |
index 17615b042..fd40ece3b 100644
|
|
|
ad7e68 |
--- a/base/common/share/etc/pki.conf
|
|
|
ad7e68 |
+++ b/base/common/share/etc/pki.conf
|
|
|
ad7e68 |
@@ -14,6 +14,16 @@ export JAVA_HOME
|
|
|
ad7e68 |
PKI_JAVA_PATH=${PKI_JAVA_PATH}
|
|
|
ad7e68 |
export PKI_JAVA_PATH
|
|
|
ad7e68 |
|
|
|
ad7e68 |
+# JVM options
|
|
|
ad7e68 |
+#
|
|
|
ad7e68 |
+# Command switch we want to tell java to observer fips mode
|
|
|
ad7e68 |
+# For the moment we want this to be false even if we really are
|
|
|
ad7e68 |
+# in fips mode, because we want the jss prover instead of the sun
|
|
|
ad7e68 |
+# fips provider to be selected.
|
|
|
ad7e68 |
+JAVA_FIPS_ENABLED="-Dcom.redhat.fips=false" # Disable FIPS mode
|
|
|
ad7e68 |
+
|
|
|
ad7e68 |
+export JAVA_FIPS_ENABLED
|
|
|
ad7e68 |
+
|
|
|
ad7e68 |
# JNI jar file location
|
|
|
ad7e68 |
JNI_JAR_DIR=/usr/lib/java
|
|
|
ad7e68 |
export JNI_JAR_DIR
|
|
|
ad7e68 |
--
|
|
|
ad7e68 |
2.31.1
|
|
|
ad7e68 |
|