Setting Up pgAdmin4 on Red Hat Enterprise Linux 7 with FIPS Mode Enabled


Deaderick, David

Configuration:

Red Hat Enterprise Linux 7.7 system with FIPS mode enabled

# openssl version

OpenSSL 1.0.2k-fips  26 Jan 2017

 

# cat /proc/sys/crypto/fips_enabled

1

 

PostgreSQL and pgAdmin4 installed from the latest yum repositories

rpm --import https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG-12

yum install https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm

yum install postgresql12-server postgresql12-docs postgresql12-contrib pgadmin4 mod_ssl

 

Issue:

When I run the setup command:

# /usr/pgadmin4/bin/pgadmin4-web-setup.sh

 

I receive the following output:

NOTE: Configuring authentication for SERVER mode.

 

Enter the email address and password to use for the initial pgAdmin user account:

 

Email address: [hidden email]

Password:

Retype password:

Traceback (most recent call last):

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/setup.py", line 413, in <module>

    setup_db()

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/setup.py", line 347, in setup_db

    app = create_app()

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/pgadmin/__init__.py", line 330, in create_app

    db_upgrade(app)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/pgadmin/setup/db_upgrade.py", line 25, in db_upgrade

    flask_migrate.upgrade(migration_folder)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/flask_migrate/__init__.py", line 95, in wrapped

    f(*args, **kwargs)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/flask_migrate/__init__.py", line 280, in upgrade

    command.upgrade(config, revision, sql=sql, tag=tag)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/alembic/command.py", line 254, in upgrade

    script.run_env()

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/alembic/script/base.py", line 425, in run_env

    util.load_python_file(self.dir, 'env.py')

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/alembic/util/pyfiles.py", line 81, in load_python_file

    module = load_module_py(module_id, path)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/alembic/util/compat.py", line 141, in load_module_py

    mod = imp.load_source(module_id, path, fp)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/pgadmin/setup/../../migrations/env.py", line 94, in <module>

    run_migrations_online()

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/pgadmin/setup/../../migrations/env.py", line 87, in run_migrations_online

    context.run_migrations()

  File "<string>", line 8, in run_migrations

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/alembic/runtime/environment.py", line 836, in run_migrations

    self.get_context().run_migrations(**kw)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/alembic/runtime/migration.py", line 330, in run_migrations

    step.migration_fn(**kw)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/migrations/versions/fdc58d9bd449_.py", line 122, in upgrade

    Security(current_app, user_datastore, register_blueprint=False)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/flask_security/core.py", line 469, in __init__

    self._state = self.init_app(app, datastore, **kwargs)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/flask_security/core.py", line 504, in init_app

    anonymous_user=anonymous_user)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/flask_security/core.py", line 332, in _get_state

    hashing_context=_get_hashing_context(app),

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/flask_security/core.py", line 313, in _get_hashing_context

    deprecated=deprecated)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/passlib/context.py", line 1401, in __init__

    self.load(kwds)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/passlib/context.py", line 1592, in load

    config = _CryptConfig(source)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/passlib/context.py", line 634, in __init__

    self._init_scheme_list(source.get((None,None,"schemes")))

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/passlib/context.py", line 652, in _init_scheme_list

    handler = get_crypt_handler(elem)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/passlib/registry.py", line 350, in get_crypt_handler

    mod = __import__(modname, fromlist=[modattr], level=0)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/passlib/handlers/digests.py", line 72, in <module>

    hex_md5     = create_hex_hash("md5")

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/passlib/handlers/digests.py", line 55, in create_hex_hash

    info = lookup_hash(digest)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/passlib/crypto/digest.py", line 298, in lookup_hash

    info = HashInfo(const, name_list)

  File "/usr/lib/python2.7/site-packages/pgadmin4-web/passlib/crypto/digest.py", line 403, in __init__

    hash = const()

ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Error setting up server mode. Please examine the output above.

 

Investigation:

Issue appears to be related to a default of the prohibited hash algorithm md5.

I have searched the web, read the FAQs and documentation without finding any definitive answers.

After stepping through the python code with pdb, it appears something is trying to create an md5 hash for the default password.

 

Questions:

  1. Is it possible to set up pgAdmin4 (4.18) on a RHEL7 system with FIPS mode enabled?
  2. Where can I find guidance on setting up pgAdmin4 on a FIPS enabled system?

 

Thank you,

David A. Deaderick III

Infrastructure Engineering IT Specialist

Capacity and Performance Engineering (005OP2D)

VA OI&T Enterprise Program Management Office

Office: (727) 502-1313 (Tue Wed Thu)

Office: (941) 359-2010 (Mon Fri)

Mobile: (727) 417-7593
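
The traceback in the post ends where a digest object is instantiated (`hash = const()`) and OpenSSL refuses it with "disabled for fips". The following diagnostic is an added example, not part of the original post and not pgAdmin or passlib code; it reports which digests the local Python/OpenSSL build will instantiate. The function names (`fips_enabled`, `probe_digest`, `probe_all`) are hypothetical, and the `usedforsecurity` keyword is assumed to be available only on Python builds that support it (3.9 and later).

```python
import hashlib

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # kernel flag shown in the post


def fips_enabled(path=FIPS_FLAG):
    """Return True/False from the kernel flag, or None if it is unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except (IOError, OSError):
        return None


def probe_digest(name, new=hashlib.new):
    """Instantiate one digest, as the last traceback frame does.

    Returns (status, detail) where status is 'ok', 'non-security-only'
    or 'blocked', and detail is the first error message, if any.
    """
    try:
        new(name)
        return ("ok", "")
    except ValueError as exc:
        first_error = str(exc)
    # Retry while declaring a non-security use. Builds without the
    # keyword raise TypeError, which is reported as 'blocked'.
    try:
        new(name, usedforsecurity=False)
        return ("non-security-only", first_error)
    except (TypeError, ValueError):
        return ("blocked", first_error)


def probe_all(names=("md5", "sha1", "sha256", "sha512"), new=hashlib.new):
    """Probe several digest names; 'new' is injectable for testing."""
    return {n: probe_digest(n, new) for n in names}


if __name__ == "__main__":
    print("fips_enabled: %s" % fips_enabled())
    for name, (status, detail) in sorted(probe_all().items()):
        print("%-8s %-18s %s" % (name, status, detail))
```

Any digest reported as `blocked` or `non-security-only` will fail at import time in code that instantiates it unconditionally, which is the failure shown in the traceback above.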