Fix CA installation with HSM in FIPS mode

Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
author: Matthew Harmsen <mharmsen@redhat.com> 2017-05-12 13:00:54 -0600
committer: Matthew Harmsen <mharmsen@redhat.com> 2017-05-12 17:38:08 -0600
commit: ee5af05036e87a9dad821c9dd8bc0198dac9bd65 (patch)
tree: d4890832a606dc17aeb73220d32fe9f675a6d445 /base/server/python
parent: 4f9978f7c6641590dec6bbbc4ce9987f798974d4 (diff)
download: pki-ee5af05036e87a9dad821c9dd8bc0198dac9bd65.tar.gz
pki-ee5af05036e87a9dad821c9dd8bc0198dac9bd65.tar.xz
pki-ee5af05036e87a9dad821c9dd8bc0198dac9bd65.zip
2 files changed, 16 insertions, 6 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 051778d09..a1345de2c 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -1017,11 +1017,20 @@ class Instance:
                                  extra=config.PKI_INDENTATION_LEVEL_2)
             raise
 
-    def get_instance_status(self):
+    def get_instance_status(self, secure_connection=True):
+        pki_protocol = None
+        pki_port = None
+        if secure_connection:
+            pki_protocol = "https"
+            pki_port = self.mdict['pki_https_port']
+        else:
+            pki_protocol = "http"
+            pki_port = self.mdict['pki_http_port']
+
         connection = pki.client.PKIConnection(
-            protocol='https',
+            protocol=pki_protocol,
             hostname=self.mdict['pki_hostname'],
-            port=self.mdict['pki_https_port'],
+            port=pki_port,
             subsystem=self.mdict['pki_subsystem_type'],
             accept='application/xml',
             trust_env=False)
@@ -1049,11 +1058,11 @@ class Instance:
                 extra=config.PKI_INDENTATION_LEVEL_3)
             return None
 
-    def wait_for_startup(self, timeout):
+    def wait_for_startup(self, timeout, secure_connection=True):
         start_time = datetime.today()
         status = None
         while status != "running":
-            status = self.get_instance_status()
+            status = self.get_instance_status(secure_connection)
             time.sleep(1)
             stop_time = datetime.today()
             if (stop_time - start_time).total_seconds() >= timeout:
diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py
index 941691c42..75bb80e2b 100644
--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py
@@ -58,7 +58,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         if config.str2bool(deployer.mdict['pki_restart_configured_instance']):
             deployer.systemd.restart()
             # wait for startup
-            status = deployer.instance.wait_for_startup(60)
+            # (must use 'http' protocol due to potential FIPS configuration)
+            status = deployer.instance.wait_for_startup(60, False)
             if status is None:
                 config.pki_log.error(
                     "server failed to restart",
author	Matthew Harmsen <mharmsen@redhat.com>	2017-05-12 13:00:54 -0600
committer	Matthew Harmsen <mharmsen@redhat.com>	2017-05-12 17:38:08 -0600
commit	ee5af05036e87a9dad821c9dd8bc0198dac9bd65 (patch)
tree	d4890832a606dc17aeb73220d32fe9f675a6d445 /base/server/python
parent	4f9978f7c6641590dec6bbbc4ce9987f798974d4 (diff)
download	pki-ee5af05036e87a9dad821c9dd8bc0198dac9bd65.tar.gz pki-ee5af05036e87a9dad821c9dd8bc0198dac9bd65.tar.xz pki-ee5af05036e87a9dad821c9dd8bc0198dac9bd65.zip