Pulp

This is for FIPS.

This is not exclusive to FIPS testing. We should have these settings enabled when we run all our tests. This work can start now.

Sounds good.

My understanding is that this issue is required for FIPS, though. Is this correct?

It's not required but it would be helpful. We need to make sure that ssl connections work when we start testing in FIPS-enabled environments.

Hi,

I followed the instructions given here: https://docs.pulpproject.org/user-guide/qpid.html and I tried the script pulp-qpid-ssl-cfg and it runs and generates the proposed files but after editing the configuration files the system does not work.

Details:

Fedora 26
Pulp 2.16.1

Attempt 1:

1. Run the script pulp-qpid-ssl-cfg and generated the files
2. Verified that the permissions for certificate files generated are right (644 for public 600 for private)
3. Changes the configuration files as mentioned in the docs
4. Restarted all the services

Results:

When trying to run Pulp Admin it raises ApacheServerError with no further details.

Attempt 2:

Following Brian suggestion I debugged qpid isolated with

$ qpid-tool --sasl-service-name=broker --ssl-certificate=/etc/pki/pulp/qpid/ca.crt --ssl-key=/etc/pki/pulp/qpid/client.crt --broker=FQDN:5671
Management Tool for QPID
qpid: Failed to connect:  Exception during connection setup: error - [Errno 111] Connection refused

Then examining the qpid system logs:

$ journalctl -t qpidd -l --no-pager -f
[Security] error Failed to initialise SSL plugin: Failed: NSS error [-8015] (/builddir/build/BUILD/qpid-cpp-1.37.0/src/qpid/sys/ssl/util.cpp:100)

Attempt 3:

1. Then I tried to generated the certificates manually

2. Then I followed the instructions here: http://qpid.apache.org/releases/qpid-cpp-1.38.0/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Security-Encryption_using_SSL

Results:

The same as before

Note Documentation looks like to be outdated:

Item 7 says Make sure the qpid-cpp-server-ssl RPM is installed but this package doesn't exists anymore and looks like it is now replaced by https://fedora.pkgs.org/26/fedora-x86_64/qpid-cpp-server-1.36.0-1.fc26.x86_64.rpm.html

Questions:

Is that script still supposed to be working?

Update:

One more time following bmbouter suggestion (thanks) we found the root cause.

The script pulp-qpid-ssl-cfg is generating the legacy format for NSS database, we should use the new format[1]

$ sudo -H -u qpidd certutil -L -d /etc/pki/pulp/qpid/nss/cert8.db 
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

[1] http://wiki.mozilla.org/NSS:Roadmap#SQLite-Based_Shareable_Certificate_and_Key_Databases

I have solved this issue and got qpidd running qith SSL on fedora 26

The problems I've found in the pulp-qpid-ssl-cfg script provided in https://github.com/pulp/pulp/blob/2-master/server/bin/pulp-qpid-ssl-cfg

• Using wrong ca certificate path. (generating a new certificate in /etc/pki/pulp/qpid when it is already existing in /etc/pki/pulp)
• Setting wrong permissions to nss database and certs folder
• Creating the nss database inside existing /etc/pki/pulp directory ending in a conflict of permission for users apache and qpidd
• Passing wrong/outdated arguments to certutil and pk2util ending with a corrupted/wrong format certs database
• Showing wrong post run notes o how to set the pulp/server.conf file

I applied the solutions in a new script in pulp-qe-tools repository: https://github.com/PulpQE/pulp-qe-tools/blob/master/pulp2/scripts/pulp-qpid-ssl-cfg

The next step will be including this in our automation job and converting that script to ansible playbook