Known Issues

Permissions on /etc/sicura

On Sicura systems prior to Sicura 6.4, permissions on /etc/sicura were too restrictive for the sicura-console user to read license keys and configuration.

If it is not possible to upgrade Sicura to 6.4 or later (or to upgrade the sicura-sicura Puppet module to at least version 4.8.1), work around the issue by setting an ACL on the /etc/sicura directory with the following command:

setfacl -m u:sicura-console:rx /etc/sicura

Running in FIPS mode

PostgreSQL 10 and later support SCRAM-SHA-256 in lieu of md5. PostgreSQL 10 ships with the recommended installation platform, RHEL 8.

Manual configuration

Follow the Install instructions as normal except:

  1. Change the 'sed' command s|ident|md5 to s|ident|scram-sha-256
  2. Run echo password_encryption=scram-sha-256 >> /var/lib/pgsql/data/postgresql.conf before starting postgres

Puppet configuration

  1. In hiera, set postgresql::server::password_encryption: 'scram-sha-256'
  2. Update sicura_console/manifests/db.pp to include:

    class { 'postgresql::globals':
      pg_hba_conf_defaults => false,
    }

    postgresql::server::pg_hba_rule {
      # Here, duplicate the out-of-the-box pg_hba.conf settings,
      # passing a variable for the auth_method where applicable
      # so that either md5 or scram-sha-256 can be used.
    }

Note: Even after making these changes to your environment, you may still see some non-idempotent behavior with PostgreSQL.
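To confirm the result of either the manual or the Puppet procedure above, the following added example (not part of the Sicura documentation) checks a PostgreSQL data directory for leftover md5 rules in pg_hba.conf and for the effective password_encryption value. The function names are hypothetical and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit the two settings changed in the FIPS procedure.

# Print each pg_hba.conf rule whose auth method is md5. The method is field 4
# for "local" rules and field 5 for host* rules, or field 6 when a host rule
# gives the IP address and netmask as two separate fields.
md5_hba_rules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }    # skip comments and blank lines
        {
            if ($1 == "local")     m = $4
            else if ($1 ~ /^host/) m = ($5 ~ /[.:]/) ? $6 : $5
            else next
            if (m == "md5") print FNR ": " $0
        }' "$1"
}

# Print the effective password_encryption value. Because the manual step
# appends with ">>", the last uncommented assignment in the file wins.
effective_password_encryption() {
    sed -n "s/^[[:space:]]*password_encryption[[:space:]]*[[:space:]=][[:space:]]*'\{0,1\}\([A-Za-z0-9-]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 only if both files match the FIPS configuration described above.
# An unset value fails: PostgreSQL 10 defaults password_encryption to md5.
check_fips_auth() {   # usage: check_fips_auth DATA_DIR
    rc=0
    enc=$(effective_password_encryption "$1/postgresql.conf")
    if [ "$enc" != "scram-sha-256" ]; then
        echo "postgresql.conf: password_encryption is '${enc:-unset}', expected scram-sha-256"
        rc=1
    fi
    bad=$(md5_hba_rules "$1/pg_hba.conf")
    if [ -n "$bad" ]; then
        echo "pg_hba.conf rules still using md5:"
        echo "$bad"
        rc=1
    fi
    return $rc
}

# Constructed sample: postgresql.conf was updated but the sed step was missed.
demo=$(mktemp -d)
printf '%s\n' '#password_encryption = md5' 'password_encryption=scram-sha-256' > "$demo/postgresql.conf"
printf '%s\n' 'local all all peer' 'host all all 127.0.0.1/32 md5' 'host all all ::1/128 scram-sha-256' > "$demo/pg_hba.conf"
check_fips_auth "$demo" || echo "result: configuration is not FIPS-ready"
rm -rf "$demo"
```

On a real host, call `check_fips_auth /var/lib/pgsql/data` (the data directory used in the manual steps) as a user that can read both files.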