Please review the attached patch for:

 * Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
   <https://bugzilla.redhat.com/show_bug.cgi?id=1450143>

Thanks,
-- Matt

From 20ae6dad5c8bd30eb016d7680a1ad48defff629a Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharm...@redhat.com>
Date: Fri, 12 May 2017 13:00:54 -0600
Subject: [PATCH] Fix CA installation with HSM in FIPS mode

Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
---
 base/server/python/pki/server/deployment/pkihelper.py | 19 ++++++++++++++-----
 .../pki/server/deployment/scriptlets/finalization.py  |  3 ++-
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 051778d..e503bbc 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -1017,11 +1017,20 @@ class Instance:
                                  extra=config.PKI_INDENTATION_LEVEL_2)
             raise
 
-    def get_instance_status(self):
+    def get_instance_status(self, secure_connection=True):
+        pki_protocol = None
+        pki_port = None
+        if secure_connection:
+            pki_protocol = "https"
+            pki_port = self.mdict['pki_https_port']
+        else:
+            pki_protocol = "http"
+            pki_port = self.mdict['pki_http_port']
+
         connection = pki.client.PKIConnection(
-            protocol='https',
+            protocol=pki_protocol,
             hostname=self.mdict['pki_hostname'],
-            port=self.mdict['pki_https_port'],
+            port=pki_port,
             subsystem=self.mdict['pki_subsystem_type'],
             accept='application/xml',
             trust_env=False)
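Review bot: The new `secure_connection` parameter is undocumented, and `pki_protocol = None` / `pki_port = None` are dead assignments because both branches of the `if` set them. A docstring should say that the method probes the instance status over https (the `pki_https_port` entry of `mdict`) by default, and over plain http (`pki_http_port`) when `secure_connection` is False, and should make explicit that in the http case a "running" answer only shows the HTTP connector is serving and says nothing about the TLS listener. The two `= None` lines can simply be dropped; the `if`/`else` that follows is the whole initialization. The rest of get_instance_status continues outside the hunk.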
@@ -1049,11 +1058,11 @@ class Instance:
                 extra=config.PKI_INDENTATION_LEVEL_3)
             return None
 
-    def wait_for_startup(self, timeout):
+    def wait_for_startup(self, timeout, secure_connection=True):
         start_time = datetime.today()
         status = None
         while status != "running":
-            status = self.get_instance_status()
+            status = self.get_instance_status(secure_connection)
             time.sleep(1)
             stop_time = datetime.today()
             if (stop_time - start_time).total_seconds() >= timeout:
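Review bot: `secure_connection` is forwarded positionally in `self.get_instance_status(secure_connection)`, and the new caller in finalization.py passes `wait_for_startup(60, False)`, so a bare boolean travels through two call sites with nothing naming it; the same point applies to the finalization.py hunk. Passing it as a keyword, `status = self.get_instance_status(secure_connection=secure_connection)` here and `wait_for_startup(60, secure_connection=False)` in the caller, keeps the intent readable and guards against a later parameter being inserted before it. A short docstring on wait_for_startup stating that `timeout` is in seconds and that `secure_connection` selects https versus http for the status probe would complete the change. The body of wait_for_startup continues outside the hunk.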
diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py
index 941691c..75bb80e 100644
--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py
@@ -58,7 +58,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         if config.str2bool(deployer.mdict['pki_restart_configured_instance']):
             deployer.systemd.restart()
             # wait for startup
-            status = deployer.instance.wait_for_startup(60)
+            # (must use 'http' protocol due to potential FIPS configuration)
+            status = deployer.instance.wait_for_startup(60, False)
             if status is None:
                 config.pki_log.error(
                     "server failed to restart",
-- 
2.9.3
