...
Description of problem:
fapolicyd prevents PKI CA from installing on a FIPS + STIG + HSM environment

Version-Release number of selected component (if applicable):
fapolicyd-1.0.2-6.el8.x86_64
redhat-pki-ca-10.11.4-1.module+el8pki+14819+092aa4b5.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set up a FIPS + STIG + HSM environment
2. Install CA

Actual results:
It fails on HSM but succeeds on a non-HSM environment.
Workaround: stop fapolicyd and install CA. It succeeds on an HSM environment.

Expected results:
Should succeed

Additional info:
/etc/fapolicyd/fapolicyd.rules contains:

allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-CA/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-KRA/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-OCSP/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-TKS/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-TPS/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/usr/share/tomcat/bin/ ftype=application/java-archive

CA pkispawn logs:

DEBUG: Command: modutil -dbdir /etc/pki/topology-02-CA/alias -rawlist
INFO: Output:
library= name="NSS Internal PKCS #11 Module" NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1= {slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30} )" parameters="configdir=/etc/pki/topology-02-CA/alias certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "
INFO: Adding module nfast: /opt/nfast/toolkits/pkcs11/libcknfast.so
DEBUG: Command: modutil -dbdir /etc/pki/topology-02-CA/alias -nocertdb -add nfast -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so -force
ERROR: Failed to add module "nfast". Probable cause : "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed.
Trying the same operation again might succeed.".
CalledProcessError: Command '['modutil', '-dbdir', '/etc/pki/topology-02-CA/alias', '-nocertdb', '-add', 'nfast', '-libfile', '/opt/nfast/toolkits/pkcs11/libcknfast.so', '-force']' returned non-zero exit status 22.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 106, in spawn
    deployer.mdict['pki_hsm_libfile'])
  File "/usr/lib/python3.6/site-packages/pki/nssdb.py", line 451, in add_module
    check=True)
  File "/usr/lib64/python3.6/subprocess.py", line 438, in run
    output=stdout, stderr=stderr)
Installation failed: Command failed: modutil -dbdir /etc/pki/topology-02-CA/alias -nocertdb -add nfast -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so -force
Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20220519154244.log
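Added illustration, not part of the bug report and not code from the fapolicyd or Dogtag PKI projects: a small Python model of fapolicyd rule matching, applied to the six rules quoted above. It assumes a simplified semantics (subject and object dir= match on path prefix, ftype= compares a MIME type string, perm= must equal the requested access or be any, and a request that matches no rule falls through to deny); the executable paths and MIME strings used as inputs are constructed for the example. Run against the quoted rules it shows that they cover the Tomcat work directories and JAR files under /usr/share/tomcat/bin/, but nothing under /opt/nfast/, which is consistent with the install failing only when the HSM library is loaded and succeeding once fapolicyd is stopped.

```python
"""Simplified model of fapolicyd rule evaluation (assumption: real fapolicyd
also resolves trust databases, default rules and dir= keywords such as
execdirs/systemdirs, none of which are modelled here)."""
from dataclasses import dataclass

# Rules copied verbatim from the bug report's /etc/fapolicyd/fapolicyd.rules excerpt.
PAGE_RULES = """\
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-CA/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-KRA/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-OCSP/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-TKS/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-TPS/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/usr/share/tomcat/bin/ ftype=application/java-archive
"""


@dataclass
class Rule:
    decision: str      # "allow" or "deny"
    subject: dict      # attributes before the ':' (perm=, dir=, ...)
    obj: dict          # attributes after the ':' (dir=, ftype=, ...)
    text: str          # original rule line, kept for explanations


def _kv(tokens):
    """Turn ['dir=/a/', 'ftype=x'] into {'dir': '/a/', 'ftype': 'x'}."""
    out = {}
    for tok in tokens:
        key, _, value = tok.partition("=")
        out[key] = value
    return out


def parse_rule(line):
    tokens = line.split()
    sep = tokens.index(":")                 # ':' separates subject from object
    return Rule(tokens[0], _kv(tokens[1:sep]), _kv(tokens[sep + 1:]), line)


def load_rules(text):
    """Parse every non-empty, non-comment line of a rules file."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def _side_matches(attrs, path, perm=None, ftype=None):
    """Check one side (subject or object) of a rule against the request."""
    for key, want in attrs.items():
        if key == "perm":                   # perm= lives on the subject side
            if want != "any" and want != perm:
                return False
        elif key == "dir":                  # comma-separated list of path prefixes
            if not any(path.startswith(d) for d in want.split(",")):
                return False
        elif key == "ftype":                # MIME type as reported by libmagic
            if ftype != want:
                return False
        else:
            raise ValueError(f"attribute not modelled: {key}=")
    return True


def evaluate(rules, exe, path, perm="open", ftype=None):
    """Return (decision, rule_text) for the first matching rule.

    A request matching no rule returns ("deny", None): fapolicyd denies
    anything its rule set does not explicitly allow (assumption: no other
    rules are loaded besides the ones passed in)."""
    for rule in rules:
        if (_side_matches(rule.subject, exe, perm=perm)
                and _side_matches(rule.obj, path, ftype=ftype)):
            return rule.decision, rule.text
    return "deny", None


def uncovered_paths(rules, exe, requests):
    """List the (path, ftype) requests from `exe` that no rule allows."""
    return [(p, ft) for p, ft in requests
            if evaluate(rules, exe, p, ftype=ft)[0] != "allow"]


if __name__ == "__main__":
    rules = load_rules(PAGE_RULES)
    java = "/usr/lib/jvm/jre-11/bin/java"              # constructed example path
    requests = [
        ("/usr/share/tomcat/bin/bootstrap.jar", "application/java-archive"),
        ("/var/lib/pki/topology-02-CA/work/Catalina/localhost/ROOT/x.class", None),
        ("/opt/nfast/toolkits/pkcs11/libcknfast.so", "application/x-sharedlib"),
    ]
    for path, ftype in requests:
        print(path, "->", evaluate(rules, java, path, ftype=ftype)[0])
    print("not allowed by the quoted rules:", uncovered_paths(rules, java, requests))
```

The model deliberately raises on rule attributes it does not understand rather than silently ignoring them, so a rules file that uses trust=, uid= or the dir keyword macros cannot produce a misleading "allow" from this script; extend `_side_matches` before trusting it on a fuller rule set.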
Cannot Reproduce