Please review the attached patches for:

Thanks,
-- Matt

P.S. The patches were tested on a FIPS-enabled box, and the output looks similar to the following:

pkispawn    : INFO     ... finalizing 'pki.server.deployment.scriptlets.finalization'
pkispawn    : INFO     ....... executing 'systemctl enable pki-tomcatd.target'
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl restart pki-tomcatd@pki-tomcat.service'
pkispawn    : INFO     ........... FIPS mode is enabled on this operating system.
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
pkispawn    : DEBUG    ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.4.1-4.el7</Version></XMLResponse>
pkispawn    : INFO     ....... rm -rf /opt/RootCA/ca
pkispawn    : INFO     END spawning subsystem 'CA' of instance 'pki-tomcat'
pkispawn    : INFO     ... archiving configuration into '/var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn    : DEBUG    ........... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn    : DEBUG    ........... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_deployment.cfg.20170515223006
pkispawn    : INFO     ... archiving manifest into '/var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006'
pkispawn    : INFO     ....... cp -p /etc/sysconfig/pki/tomcat/pki-tomcat/ca/manifest /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
pkispawn    : DEBUG    ........... chmod 660 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006
pkispawn    : DEBUG    ........... chown 17:17 /var/log/pki/pki-tomcat/ca/archive/spawn_manifest.20170515223006

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /opt/RootCA/caadmincert.p12

      This CA subsystem of the 'pki-tomcat' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                         algorithms in server.xml in the 'pki-tomcat' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service

      The URL for the subsystem is:
            https://pki.example.com:8443/ca

      PKI instances will be enabled upon system boot

    ==========================================================================