Hello people,
I wonder if there are configurations with the DISA STIG on RHEL 8 that are known to be incompatible with the IPA server. I have been testing a fresh installation on a hardened OS and ran into problems. The installer nicely informs about the too-tight umask and, after correcting that, everything completes without problems. Adding the first user is successful, but login to the IPA server with it fails; /var/log/secure reports errors about an unknown user. Since this might be just the first problem to solve with hardening, I was hoping there would be information available about using the STIG with IPA. My google-fu didn't bring good results, so any help is appreciated.
Br, Risto
On Fri, Mar 3, 2023, 15:16 Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Алексей Иванов via FreeIPA-users wrote:
Greetings,
During the installation process I used the following pki_override.cfg file:

[DEFAULT]
pki_admin_key_algorithm=SHA512withRSA
pki_admin_key_size=8192
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=8192
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=8192
pki_sslserver_signing_algorithm=SHA512withRSA
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_signing_algorithm=SHA512withRSA
pki_subsystem_key_size=8192

[CA]
pki_ca_signing_key_size=8192
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=8192
pki_ocsp_signing_signing_algorithm=SHA512withRSA

[KRA]
pki_storage_key_algorithm=SHA512withRSA
pki_storage_key_size=8192
pki_storage_signing_algorithm=SHA512withRSA
pki_transport_key_algorithm=SHA512withRSA
pki_transport_key_size=8192
pki_transport_signing_algorithm=SHA512withRSA

[OCSP]
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=8192
pki_ocsp_signing_signing_algorithm=SHA512hRSA
This led to the following error when I'm trying to add a subCA:
Request failed with status 400: Non-2xx response from CA REST API: 400. Failed to issue CA certificate. Final status: rejected. Additional info: Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
By default we have three certificate profiles, caIPAserviceCert, KDCs_PKINIT_Certs and IECUserRoles, but changing them does not fix this error. Could you please tell me where I can find the subCA certificate template?
Look in /var/log/pki/pki-tomcat/ca/debug-<date> and it should tell you the profile it used.
At one point subCA keys were hardcoded at 2048. I don't know if that is still the case.
8k keys everywhere are going to tank performance, particularly the 8k server-cert key.
rob
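As an added example (not FreeIPA's or Dogtag's own tooling, and not from either poster), here is a small pre-flight check for a pki_override.cfg like the one quoted above. It flags every *_key_size value outside the list the CA profile reported as acceptable in the error message ("1024,2048,3072,4096,nistp256,nistp384,nistp521") and every *_algorithm value that is not a recognised signature algorithm name. The set of algorithm names is an assumption about common Dogtag values, not something the thread states, and the embedded config is the one posted in the thread, reproduced here as sample input.

```python
import configparser

# Key parameters the CA profile accepted, copied from the rejection message
# quoted in the thread ("Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched").
ALLOWED_KEY_PARAMS = {"1024", "2048", "3072", "4096", "nistp256", "nistp384", "nistp521"}

# Assumed valid Dogtag signature-algorithm names; this list is an assumption,
# not taken from the thread, extend it for your deployment.
KNOWN_SIG_ALGS = {
    "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
    "SHA256withEC", "SHA384withEC", "SHA512withEC",
}

# Sample input: the pki_override.cfg posted in the thread, embedded verbatim.
SAMPLE_CFG = """
[DEFAULT]
pki_admin_key_algorithm=SHA512withRSA
pki_admin_key_size=8192
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=8192
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=8192
pki_sslserver_signing_algorithm=SHA512withRSA
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_signing_algorithm=SHA512withRSA
pki_subsystem_key_size=8192

[CA]
pki_ca_signing_key_size=8192
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=8192
pki_ocsp_signing_signing_algorithm=SHA512withRSA

[KRA]
pki_storage_key_algorithm=SHA512withRSA
pki_storage_key_size=8192
pki_storage_signing_algorithm=SHA512withRSA
pki_transport_key_algorithm=SHA512withRSA
pki_transport_key_size=8192
pki_transport_signing_algorithm=SHA512withRSA

[OCSP]
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=8192
pki_ocsp_signing_signing_algorithm=SHA512hRSA
"""


def _check_pair(section, key, value):
    """Return a finding string for one key/value pair, or None if it looks fine."""
    if key.endswith("_key_size") and value not in ALLOWED_KEY_PARAMS:
        return f"[{section}] {key}={value}: not in profile key parameters {sorted(ALLOWED_KEY_PARAMS)}"
    if key.endswith("_algorithm") and value not in KNOWN_SIG_ALGS:
        return f"[{section}] {key}={value}: unrecognised signature algorithm name"
    return None


def check_override(cfg_text: str) -> list[str]:
    """Parse a pki_override.cfg and return a list of findings (empty list means clean)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    defaults = parser.defaults()
    findings = []

    # [DEFAULT] is reported once, on its own.
    for key, value in defaults.items():
        finding = _check_pair("DEFAULT", key, value)
        if finding:
            findings.append(finding)

    # Named sections: skip values that are merely inherited from [DEFAULT]
    # so each problem is reported exactly once.
    for section in parser.sections():
        for key, value in parser.items(section):
            if key in defaults and defaults[key] == value:
                continue
            finding = _check_pair(section, key, value)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in check_override(SAMPLE_CFG):
        print(line)
```

Run it against the override file before ipa-server-install; on the sample above it reports the nine 8192-bit key sizes the profile will reject and the malformed "SHA512hRSA" value in [OCSP], which is easy to miss in a long flat file.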