From zach.casper at envieta.com Mon Dec 1 20:33:52 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Mon, 1 Dec 2008 15:33:52 -0500
Subject: [Pki-users] ESC Smart Card Management
Message-ID: <007601c953f4$25327840$6f9768c0$@casper@envieta.com>

I've been attempting to Format a smart card on Fedora 8 with all Dogtag PKI subsystems installed and running.

I insert a smart card and press the Format button in ESC which launches the LDAP Authentication dialog. I assume these credentials are the UID and password pair I created for the pki-tps instance and the URL to use would be the http:// :7888 (7889 for secure)

Does this sound correct? It does not authenticate and I cannot Format my cards.

--
Zach Casper

From jmagne at redhat.com Mon Dec 1 22:09:03 2008
From: jmagne at redhat.com (Jack Magne)
Date: Mon, 01 Dec 2008 14:09:03 -0800
Subject: [Pki-users] ESC Smart Card Management
In-Reply-To: <007601c953f4$25327840$6f9768c0$@casper@envieta.com>
References: <007601c953f4$25327840$6f9768c0$@casper@envieta.com>
Message-ID: <4934607F.8000206@redhat.com>

Actually, you have to populate one of your directory servers with some authentication information and configure TPS to access it. Check below for information on how this is done:

http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Token_Processing_System-Configuring_LDAP_Authentication.html

Zach Casper wrote:
>
> I've been attempting to Format a smart card on Fedora 8 with all
> Dogtag PKI subsystems installed and running.
>
> I insert a smart card and press the Format button in ESC which
> launches the LDAP Authentication dialog.
> I assume these credentials are the UID and password pair I created for
> the pki-tps instance and the URL to use would be the http://:7888
> (7889 for secure)
>
> Does this sound correct? It does not authenticate and I cannot Format
> my cards.
>
> --
>
> Zach Casper
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From lanjelot at gmail.com Thu Dec 4 10:26:00 2008
From: lanjelot at gmail.com (lanjelot)
Date: Thu, 4 Dec 2008 11:26:00 +0100
Subject: [Pki-users] Install DCS on RHEL4
Message-ID:

Hi list.

I am currently struggling to install DCS on RHEL4 AS update3. And I am actually wondering if I have any chance to succeed.

I followed the PKI_Install_Guide, and so far I have passed the Prerequisites section successfully. But now that I am at the DCS install stage using Yum, trouble is onto me.

I have only two repos enabled in my /etc/yum.repos.d directory:
- pki.yum (which I downloaded as instructed by the install guide)
- fedora.yum (which I have created as follows:)

$ cat fedora.yum
[fedora]
name=Fedora
baseurl=http://ftp.lip6.fr/ftp/pub/linux/distributions/fedora/releases/8/Everything/i386/os/
enabled=0
gpgcheck=0

As you see, I am addressing a Fedora8 repository.

So I just go like fine let's run yum install pki-ca, but then it fails awfully complaining about "missing dependency" errors, and some "pkg_foo conflicts with pkg_bar", and there are at least 50 of them.

So.... I guess I am doing it wrong. Maybe there is a better way to install DCS on RHEL4, but I fail to see one. Can you help me with that?

Thanks heaps!

PS.
I am actually required to stick with RHEL4, I cannot go for a fresh Fedora8+ install. I know it's stupid since I am actually attempting to upgrade to Fedora8 but this is not an option for our customer.

From msauton at redhat.com Fri Dec 5 00:13:09 2008
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 04 Dec 2008 16:13:09 -0800
Subject: [Pki-users] Install DCS on RHEL4
In-Reply-To:
References:
Message-ID: <49387215.4050302@redhat.com>

As per http://pki.fedoraproject.org/wiki/PKI_Prerequisites
We suggest the usage of F8 and F9 for the current code and bits of DogTag.
You cannot use the F8 or F9 rpm's on RHEL4; RHEL4 is more likely based on F6, and you would have to build from source to get the newest recommended bits of DogTag and all the dependencies, which will be time consuming (not recommended to use older binaries from F6).
There is a RHCS product that had been available for RHEL4.
M.

lanjelot wrote:
> Hi list.
>
> I am currently struggling to install DCS on RHEL4 AS update3. And I am
> actually wondering if I have any chance to succeed.
>
> I followed the PKI_Install_Guide, and so far I have passed the
> Prerequisites section successfully. But now that I am at the DCS
> install stage using Yum, trouble is onto me.
>
> I have only two repos enabled in my /etc/yum.repos.d directory:
> - pki.yum (which I downloaded as instructed by the install guide)
> - fedora.yum (which I have created as follows:)
>
> $ cat fedora.yum
> [fedora]
> name=Fedora
> baseurl=http://ftp.lip6.fr/ftp/pub/linux/distributions/fedora/releases/8/Everything/i386/os/
> enabled=0
> gpgcheck=0
>
> As you see, I am addressing a Fedora8 repository.
>
> So I just go like fine let's run yum install pki-ca, but then it fails
> awfully complaining about "missing dependency" errors, and some
> "pkg_foo conflicts with pkg_bar", and there are at least 50 of them.
>
> So.... I guess I am doing it wrong. Maybe there is a better way to
> install DCS on RHEL4, but I fail to see one.
> Can you help me with that?
>
> Thanks heaps!
>
> PS. I am actually required to stick with RHEL4, I cannot go for a
> fresh Fedora8+ install. I know it's stupid since I am actually
> attempting to upgrade to Fedora8 but this is not an option for our
> customer.
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From zach.casper at envieta.com Mon Dec 15 15:48:26 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Mon, 15 Dec 2008 10:48:26 -0500
Subject: [Pki-users] ESC Configuration
Message-ID: <002001c95ecc$93396000$b9ac2000$@casper@envieta.com>

I've been receiving an error from ESC (Smart Card Manager) that states...

Smart Card Manager is misconfigured. It then does not allow me to config or enroll. Any advice?

I know I need to adjust my URL for the TPS. Is this info stored on the card or in ESC settings?

Also, what is the best way to remove the coolkey applet from a card and start over w/ a fresh configuration?

--
Zach Casper

From Julius.Adewumi at gdc4s.com Mon Dec 15 16:34:11 2008
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Mon, 15 Dec 2008 09:34:11 -0700
Subject: [Pki-users] ESC Configuration
In-Reply-To: <002001c95ecc$93396000$b9ac2000$@casper@envieta.com>
References: <002001c95ecc$93396000$b9ac2000$@casper@envieta.com>
Message-ID: <150446754087724BA4B8F287083846B2036F8B94@AZ25EXM04.gddsi.com>

I saw the same error recently and I know it is due to a Phone-home URL that is outdated compared to my current TPS URL.
From the manual I believe the smartcard can be re-configured if the Security Officer mode is entered in the ESC.
From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

________________________________
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper
Sent: Monday, December 15, 2008 8:48 AM
To: pki-users at redhat.com
Subject: [Pki-users] ESC Configuration

I've been receiving an error from ESC (Smart Card Manager) that states...

Smart Card Manager is misconfigured. It then does not allow me to config or enroll. Any advice?

I know I need to adjust my URL for the TPS. Is this info stored on the card or in ESC settings?

Also, what is the best way to remove the coolkey applet from a card and start over w/ a fresh configuration?

--
Zach Casper

From jmagne at redhat.com Mon Dec 15 19:27:03 2008
From: jmagne at redhat.com (Jack Magne)
Date: Mon, 15 Dec 2008 11:27:03 -0800
Subject: [Pki-users] ESC Configuration
In-Reply-To: <002001c95ecc$93396000$b9ac2000$@casper@envieta.com>
References: <002001c95ecc$93396000$b9ac2000$@casper@envieta.com>
Message-ID: <4946AF87.7040707@redhat.com>

It sounds like perhaps your ESC user profile has been corrupted somehow. Try this (on Fedora, I assume):

rm -r ~/.redhat/esc

re-insert your token

The system should pop up the window asking for the phone home URL for your TPS.

Zach Casper wrote:
>
> I've been receiving an error from ESC (Smart Card Manager) that states...
>
> Smart Card Manager is misconfigured. It then does not allow me to
> config or enroll. Any advice?
>
> I know I need to adjust my URL for the TPS. Is this info stored on the
> card or in ESC settings?
>
> Also, what is the best way to remove the coolkey applet from a card
> and start over w/ a fresh configuration?
>
> --
>
> Zach Casper
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
From Julius.Adewumi at gdc4s.com Mon Dec 15 23:21:40 2008
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Mon, 15 Dec 2008 16:21:40 -0700
Subject: [Pki-users] ESC Configuration
In-Reply-To: <4946AF87.7040707@redhat.com>
References: <002001c95ecc$93396000$b9ac2000$@casper@envieta.com> <4946AF87.7040707@redhat.com>
Message-ID: <150446754087724BA4B8F287083846B2036F9332@AZ25EXM04.gddsi.com>

This assumes ESC is installed on Linux. What is the equivalent if on Windows XP?

From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Jack Magne
Sent: Monday, December 15, 2008 12:27 PM
To: Zach Casper
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] ESC Configuration

It sounds like perhaps your ESC user profile has been corrupted somehow. Try this (on Fedora, I assume):

rm -r ~/.redhat/esc

re-insert your token

The system should pop up the window asking for the phone home URL for your TPS.

Zach Casper wrote:
>
> I've been receiving an error from ESC (Smart Card Manager) that
> states...
>
> Smart Card Manager is misconfigured. It then does not allow me to
> config or enroll. Any advice?
>
> I know I need to adjust my URL for the TPS. Is this info stored on the
> card or in ESC settings?
>
> Also, what is the best way to remove the coolkey applet from a card
> and start over w/ a fresh configuration?
>
> --
>
> Zach Casper
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From zach.casper at envieta.com Tue Dec 16 15:59:40 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Tue, 16 Dec 2008 10:59:40 -0500
Subject: [Pki-users] LDAP Authentication
Message-ID: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com>

We have followed all steps to install/run Fedora Dogtag/FDS using default settings.

We have also added users/certificates from within the CA/RA subsystems.

We are now to the point we need to format and enroll some smart cards, however, the LDAP Authentication dialog appears and no combination of LDAP User ID/Password work.

We've tried cn=Directory Manager, Admin, pkiuser...all without luck.

I know we must have users already in FDS but this documentation seems not to exist.

How do we either add users in FDS so that we can continue to format and enroll smart cards? Are we missing something?

--
Zach Casper
Envieta LLC

From Julius.Adewumi at gdc4s.com Tue Dec 16 16:47:01 2008
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Tue, 16 Dec 2008 09:47:01 -0700
Subject: [Pki-users] LDAP Authentication
In-Reply-To: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com>
References: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com>
Message-ID: <150446754087724BA4B8F287083846B203746E7B@AZ25EXM04.gddsi.com>

I ran into something like this when I also first began to configure CA etc. Not enough documentation for beginners.
I had to get Wireshark and trace what network packets are sent across from client to server and see the LDAP credentials searched for, and then I acted accordingly, i.e. when I saw that the search was for uid=abc, o=TokenUser, I set that up in the Directory Server.
Only because I had access to both client and server. Wireshark helped me a lot!

From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

________________________________
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper
Sent: Tuesday, December 16, 2008 9:00 AM
To: pki-users at redhat.com; 'General discussion list for the Fedora Directory server project.'
Subject: [Pki-users] LDAP Authentication

We have followed all steps to install/run Fedora Dogtag/FDS using default settings.

We have also added users/certificates from within the CA/RA subsystems.

We are now to the point we need to format and enroll some smart cards, however, the LDAP Authentication dialog appears and no combination of LDAP User ID/Password work.

We've tried cn=Directory Manager, Admin, pkiuser...all without luck.

I know we must have users already in FDS but this documentation seems not to exist.

How do we either add users in FDS so that we can continue to format and enroll smart cards? Are we missing something?

--
Zach Casper
Envieta LLC

From cfu at redhat.com Tue Dec 16 17:20:55 2008
From: cfu at redhat.com (Christina Fu)
Date: Tue, 16 Dec 2008 09:20:55 -0800
Subject: [Pki-users] LDAP Authentication
In-Reply-To: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com>
References: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com>
Message-ID: <4947E377.1090808@redhat.com>

One of the panels during post-installation configuration for TPS asks you to set up your authentication ldap system. I usually just point it to an existing ldap system I have. The end result of the panel, when I take the defaults, is usually like the following in my CS.cfg file (I'm only listing the ones that matter most to me):

...
auth.instance.0.authId=ldap1
auth.instance.0.baseDN=dc=sjc,dc=redhat,dc=com
auth.instance.0.hostport=localhost:389
...
op.enroll.userKey.auth.id=ldap1

I then need to add a user to the specified ldap system. I use the following ldap modify file, ldapModAddUser.txt:

dn: uid=cfu,ou=People,dc=sjc,dc=redhat,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: cfu
cn: Christina Fu
sn: Fu
givenName: Christina
userPassword: xxxusrpwdxxx

then I run ldapmodify:

ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w xxxDMpwdxxx -x -f ldapModAddUser.txt

then I'm ready to use uid "cfu" and password "xxxusrpwdxxx" to enroll.

Christina

Zach Casper wrote:
>
> We have followed all steps to install/run Fedora Dogtag/FDS using
> default settings.
>
> We have also added users/certificates from within the CA/RA subsystems.
>
> We are now to the point we need to format and enroll some smart cards,
> however, the LDAP Authentication dialog appears and no combination of
> LDAP User ID/Password work.
>
> We've tried cn=Directory Manager, Admin, pkiuser...all without luck.
>
> I know we must have users already in FDS but this documentation seems
> not to exist.
>
> How do we either add users in FDS so that we can continue to format
> and enroll smart cards? Are we missing something?
>
> --
>
> Zach Casper
>
> Envieta LLC
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From Julius.Adewumi at gdc4s.com Wed Dec 17 17:43:20 2008
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Wed, 17 Dec 2008 10:43:20 -0700
Subject: [Pki-users] User-supplied public-key into cert
Message-ID: <150446754087724BA4B8F287083846B20376F813@AZ25EXM04.gddsi.com>

Is there a way to make CA sign a "user-supplied public-key" certificate, so that the Cert is more or less like an ID card?
i.e. The CA is not to generate key pairs but to just accept the data and put it in a certificate as public-key for userid.

From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

From msauton at redhat.com Wed Dec 17 18:07:08 2008
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 17 Dec 2008 10:07:08 -0800
Subject: [Pki-users] User-supplied public-key into cert
In-Reply-To: <150446754087724BA4B8F287083846B20376F813@AZ25EXM04.gddsi.com>
References: <150446754087724BA4B8F287083846B20376F813@AZ25EXM04.gddsi.com>
Message-ID: <49493FCC.3020601@redhat.com>

Adewumi, Julius-p99373 wrote:
>
> Is there a way to make CA sign a "user-supplied public-key"
> certificate, so that the
>
Unless I misunderstand this request, this is exactly how a RHCS CA instance works upon receiving a client-signed csr containing the public key that is going to be a certificate once processed and signed by a CA.
>
>
> Cert is more or less like an ID card?
> i.e The CA is not to generate key pairs but to just accept the data
> and put it in a certificate as public-key for userid.
>
The RHCS CA only generates key pairs for its own sub systems during configuration.
>
> /From: Julius Adewumi/
> /@GDC4S.com/
> /Ph:480-441-6768/
> /Contract Corp:MTSI/
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From cfu at redhat.com Wed Dec 17 20:52:22 2008
From: cfu at redhat.com (Christina Fu)
Date: Wed, 17 Dec 2008 12:52:22 -0800
Subject: [Pki-users] User-supplied public-key into cert
In-Reply-To: <49493FCC.3020601@redhat.com>
References: <150446754087724BA4B8F287083846B20376F813@AZ25EXM04.gddsi.com> <49493FCC.3020601@redhat.com>
Message-ID: <49496686.2070305@redhat.com>

Marc Sauton wrote:
> Adewumi, Julius-p99373 wrote:
>>
>> Is there a way to make CA sign a "user-supplied public-key"
>> certificate, so that the
>>
> Unless I misunderstand this request, this is exactly how a RHCS CA
> instance works upon receiving a client signed csr containing the
> public key that is going to be a certificate once processed and signed
> by a CA.
>>
>>
>> Cert is more or less like an ID card?
>> i.e The CA is not to generate key pairs but to just accept the data
>> and put it in a certificate as public-key for userid.
>>
> The RHCS CA only generate key pairs for its own sub systems during
> configuration.
unless you set up server-side key generation with TPS, in which case the DRM will generate the keys for the users.
Christina
>>
>> /From: Julius Adewumi/
>> /@GDC4S.com/
>> /Ph:480-441-6768/
>> /Contract Corp:MTSI/
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From sean.veale at gdc4s.com Tue Dec 23 17:38:43 2008
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Tue, 23 Dec 2008 12:38:43 -0500
Subject: [Pki-users] Support a new Hardware token (smart card)
In-Reply-To: <4947E377.1090808@redhat.com>
References: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com> <4947E377.1090808@redhat.com>
Message-ID:

I have a CS system setup on Red Hat Enterprise 4.5 running CS 7.3 (I'm also going to try this on fedora/dogtag but that is for another day).

Using the gemalto smart cards I've successfully been able to set up the enterprise security client (ESC) to talk to a token processing system (TPS) which in turn talks to a Certificate Authority (CA), data recovery module (DRM) and Token key system (TKS) to format and enroll cards.

Now I want to see if another hardware token can be used and am a little confused on how to go about doing that.

Are sections 8.5 and 9.3 of the CS admin manual the best information available on this subject?

I do have the Encryption Key (master key I believe in the docs), MAC key and KEK key for the token but I'm not sure how to go about generating the necessary key pairs.

Anyone been able to do this and/or know of more information online?
Thanks
Sean Veale
Gdc4s

From zach.casper at envieta.com Tue Dec 23 17:51:38 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Tue, 23 Dec 2008 12:51:38 -0500
Subject: [Pki-users] ESC Format / Enroll Error
Message-ID: <001201c96527$1c706e30$55514a90$@casper@envieta.com>

We have an Infineon Smart Card and currently we are unable to Format/Enroll due to the following ESC Error

"Formatting of smart card failed. Error: The Smart Card Server cannot upgrade the software on your smart card."

And Diagnostics show this error:

"Attempting to Format Key, ID: ####### - Key Format failure, Error: 19."

This card comes up as "Formatted" because we've manually installed a version of the Dogtag applet prior to using ESC & Dogtag.

Any advice on how we can troubleshoot?

--
Zach Casper
Envieta LLC

From sean.veale at gdc4s.com Tue Dec 23 18:29:09 2008
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Tue, 23 Dec 2008 13:29:09 -0500
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <001201c96527$1c706e30$55514a90$@casper@envieta.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com>
Message-ID:

Do you know what version of the JavaCard the card supports? I think the card needs to work with JC 2.2.2 to work correctly (at least in CS 7.3 and probably in Dogtag CS) but confirmation on that would be good.

Sean

________________________________
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper
Sent: Tuesday, December 23, 2008 12:52 PM
To: pki-users at redhat.com
Subject: [Pki-users] ESC Format / Enroll Error

We have an Infineon Smart Card and currently we are unable to Format/Enroll due to the following ESC Error

"Formatting of smart card failed. Error: The Smart Card Server cannot upgrade the software on your smart card."
And Diagnostics show this error:

"Attempting to Format Key, ID: ####### - Key Format failure, Error: 19."

This card comes up as "Formatted" because we've manually installed a version of the Dogtag applet prior to using ESC & Dogtag.

Any advice on how we can troubleshoot?

--
Zach Casper
Envieta LLC

From Julius.Adewumi at gdc4s.com Tue Dec 23 18:31:48 2008
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Tue, 23 Dec 2008 11:31:48 -0700
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <001201c96527$1c706e30$55514a90$@casper@envieta.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com>
Message-ID: <150446754087724BA4B8F287083846B2037E2F3E@AZ25EXM04.gddsi.com>

You may find a further clue in the TPS log, perhaps in "/var/lib/rhpki-tps/logs/tps-debug.log".

From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

________________________________
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper
Sent: Tuesday, December 23, 2008 10:52 AM
To: pki-users at redhat.com
Subject: [Pki-users] ESC Format / Enroll Error

We have an Infineon Smart Card and currently we are unable to Format/Enroll due to the following ESC Error

"Formatting of smart card failed. Error: The Smart Card Server cannot upgrade the software on your smart card."

And Diagnostics show this error:

"Attempting to Format Key, ID: ####### - Key Format failure, Error: 19."

This card comes up as "Formatted" because we've manually installed a version of the Dogtag applet prior to using ESC & Dogtag.

Any advice on how we can troubleshoot?

--
Zach Casper
Envieta LLC
From zach.casper at envieta.com Tue Dec 23 18:42:11 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Tue, 23 Dec 2008 13:42:11 -0500
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To:
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com>
Message-ID: <002901c9652e$2d40eb20$87c2c160$@casper@envieta.com>

Yes - Our cards are JavaCard 2.2.1 and Global Platform 2.1.1

Could that be the problem?

From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Veale, Sean
Sent: Tuesday, December 23, 2008 1:29 PM
To: pki-users at redhat.com
Subject: RE: [Pki-users] ESC Format / Enroll Error

Do you know what version of the JavaCard the card supports? I think the card needs to work with JC 2.2.2 to work correctly (at least in CS 7.3 and probably in Dogtag CS) but confirmation on that would be good.

Sean

_____
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper
Sent: Tuesday, December 23, 2008 12:52 PM
To: pki-users at redhat.com
Subject: [Pki-users] ESC Format / Enroll Error

We have an Infineon Smart Card and currently we are unable to Format/Enroll due to the following ESC Error

"Formatting of smart card failed. Error: The Smart Card Server cannot upgrade the software on your smart card."

And Diagnostics show this error:

"Attempting to Format Key, ID: ####### - Key Format failure, Error: 19."

This card comes up as "Formatted" because we've manually installed a version of the Dogtag applet prior to using ESC & Dogtag.

Any advice on how we can troubleshoot?

--
Zach Casper
Envieta LLC
From Julius.Adewumi at gdc4s.com Tue Dec 23 18:56:55 2008
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Tue, 23 Dec 2008 11:56:55 -0700
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <002901c9652e$2d40eb20$87c2c160$@casper@envieta.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com> <002901c9652e$2d40eb20$87c2c160$@casper@envieta.com>
Message-ID: <150446754087724BA4B8F287083846B2037E2F7E@AZ25EXM04.gddsi.com>

Where do you find the info about your javacard? I have a set of blank Gemalto smartcards and I don't see javacard or model number info on them.

From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

________________________________
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper
Sent: Tuesday, December 23, 2008 11:42 AM
To: pki-users at redhat.com
Subject: RE: [Pki-users] ESC Format / Enroll Error

Yes - Our cards are JavaCard 2.2.1 and Global Platform 2.1.1

Could that be the problem?

From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Veale, Sean
Sent: Tuesday, December 23, 2008 1:29 PM
To: pki-users at redhat.com
Subject: RE: [Pki-users] ESC Format / Enroll Error

Do you know what version of the JavaCard the card supports? I think the card needs to work with JC 2.2.2 to work correctly (at least in CS 7.3 and probably in Dogtag CS) but confirmation on that would be good.

Sean

________________________________
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper
Sent: Tuesday, December 23, 2008 12:52 PM
To: pki-users at redhat.com
Subject: [Pki-users] ESC Format / Enroll Error

We have an Infineon Smart Card and currently we are unable to Format/Enroll due to the following ESC Error

"Formatting of smart card failed. Error: The Smart Card Server cannot upgrade the software on your smart card."
And Diagnostics show this error:

"Attempting to Format Key, ID: ####### - Key Format failure, Error: 19."

This card comes up as "Formatted" because we've manually installed a version of the Dogtag applet prior to using ESC & Dogtag.

Any advice on how we can troubleshoot?

--
Zach Casper
Envieta LLC

From zach.casper at envieta.com Tue Dec 23 18:59:40 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Tue, 23 Dec 2008 13:59:40 -0500
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <49512983.2080702@redhat.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com> <49512983.2080702@redhat.com>
Message-ID: <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com>

Tps-debug log shows the following:

RA_Format_Processor::Process - applet upgrade failed

Tps-error log shows the following:

RA_Processor::SetupSecureChannel - Failed to create a secure channel 0- potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
RA_Processor::UpgradeApplet -0 channel create failure

And a series of Bad Response when trying to SelectApplet or GetStatus

zach

_____________________________________________
From: Jack Magne [mailto:jmagne at redhat.com]
Sent: Tuesday, December 23, 2008 1:10 PM
To: Zach Casper
Subject: Re: [Pki-users] ESC Format / Enroll Error

The first step would be to take a look at the tps log or smart card server. These can be found at:

/var/lib/pki-tps/logs/tps-debug.log

Search the bottom of the log for error 19 and it should give you an idea of what TPS was trying to do at the time.

Zach Casper wrote:
>
> We have an Infineon Smart Card and currently we are unable to
> Format/Enroll due to the following ESC Error
>
> "Formatting of smart card failed. Error: The Smart Card Server cannot
> upgrade the software on your smart card."
> > And Diagnostics show this error: > > "Attempting to Format Key, ID: ####### - Key Format failure, Error: 19." > > This card comes up as "Formatted" because we've manually installed a > version of the Dogtag applet prior to using ESC & Dogtag. > > Any advice on how we can troubleshoot? > > -- > > Zach Casper > > Envieta LLC > > ---------------------------------------- > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Julius.Adewumi at gdc4s.com Tue Dec 23 19:09:00 2008 From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373) Date: Tue, 23 Dec 2008 12:09:00 -0700 Subject: [Pki-users] ESC Format / Enroll Error In-Reply-To: <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> References: <001201c96527$1c706e30$55514a90$@casper@envieta.com><49512983.2080702@redhat.com> <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> Message-ID: <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> You might want to play with changing "false" to "true" in the CS.cfg for op.enroll.userKey.update.applet.emptyToken.enable=false or the op.format... equivalent , etc. From: Julius Adewumi @GDC4S.com Ph:480-441-6768 Contract Corp:MTSI ________________________________ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper Sent: Tuesday, December 23, 2008 12:00 PM To: pki-users at redhat.com Subject: RE: [Pki-users] ESC Format / Enroll Error Tps-debug log shows the following: RA_Format_Processor::Process - applet upgrade failed Tps-error log shows the following: RA_Processor::SetupSecureChannel - Failed to create a secure channel 0- potentially due to an RA/TKS key mismatch or differing RA/TKS key versions. 
RA_Processor::UpgradeApplet -0 channel create failure And a series of Bad Response when trying to SelectApplet or GetStatus zach _____________________________________________ From: Jack Magne [mailto:jmagne at redhat.com] Sent: Tuesday, December 23, 2008 1:10 PM To: Zach Casper Subject: Re: [Pki-users] ESC Format / Enroll Error The first step would be to take a look at the tps log or smart card server. These can be found at: /var/lib/pki-tps/logs/tps-debug.log Search the bottom of the log for error 19 and it should give you an idea of what TPS was trying to do at the time. Zach Casper wrote: > > We have an Infineon Smart Card and currently we are unable to > Format/Enroll due to the following ESC Error > > "Formatting of smart card failed. Error: The Smart Card Server cannot > upgrade the software on your smart card." > > And Diagnostics show this error: > > "Attempting to Format Key, ID: ####### - Key Format failure, Error: 19." > > This card comes up as "Formatted" because we've manually installed a > version of the Dogtag applet prior to using ESC & Dogtag. > > Any advice on how we can troubleshoot? > > -- > > Zach Casper > > Envieta LLC > > ---------------------------------------- > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From jmagne at redhat.com Tue Dec 23 19:37:49 2008 From: jmagne at redhat.com (Jack Magne) Date: Tue, 23 Dec 2008 11:37:49 -0800 Subject: [Pki-users] ESC Format / Enroll Error In-Reply-To: <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> References: <001201c96527$1c706e30$55514a90$@casper@envieta.com><49512983.2080702@redhat.com> <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> Message-ID: <49513E0D.9080901@redhat.com> You are having a problem creating a secure channel. Perhaps posting a snippet of the log might help. Adewumi, Julius-p99373 wrote: > You might want to play with changing "false" to "true" in the CS.cfg for > op.enroll.userKey.update.applet.emptyToken.enable=false or the > op.format... equivalent , etc. > > /From: Julius Adewumi/ > /@GDC4S.com/ > /Ph:480-441-6768/ > /Contract Corp:MTSI/ > > > ------------------------------------------------------------------------ > *From:* pki-users-bounces at redhat.com > [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper > *Sent:* Tuesday, December 23, 2008 12:00 PM > *To:* pki-users at redhat.com > *Subject:* RE: [Pki-users] ESC Format / Enroll Error > > Tps-debug log shows the following: > > RA_Format_Processor::Process - applet upgrade failed > > Tps-error log shows the following: > > RA_Processor::SetupSecureChannel - Failed to create a secure channel > 0- potentially due to an RA/TKS key mismatch or differing RA/TKS key > versions. > > RA_Processor::UpgradeApplet -0 channel create failure > > And a series of Bad Response when trying to SelectApplet or GetStatus > > zach > > _____________________________________________ > *From:* Jack Magne [mailto:jmagne at redhat.com] > *Sent:* Tuesday, December 23, 2008 1:10 PM > *To:* Zach Casper > *Subject:* Re: [Pki-users] ESC Format / Enroll Error > > The first step would be to take a look at the tps log or smart card > server. 
> > These can be found at: > > /var/lib/pki-tps/logs/tps-debug.log > > Search the bottom of the log for error 19 and it should give you an idea > > of what TPS was trying to do at the time. > > Zach Casper wrote: > > > > > > We have an Infineon Smart Card and currently we are unable to > > > Format/Enroll due to the following ESC Error > > > > > > "Formatting of smart card failed. Error: The Smart Card Server cannot > > > upgrade the software on your smart card." > > > > > > And Diagnostics show this error: > > > > > > "Attempting to Format Key, ID: ####### - Key Format failure, Error: 19." > > > > > > This card comes up as "Formatted" because we've manually installed a > > > version of the Dogtag applet prior to using ESC & Dogtag. > > > > > > Any advice on how we can troubleshoot? > > > > > > -- > > > > > > Zach Casper > > > > > > Envieta LLC > > > > > > ---------------------------------------- > > > > > > ------------------------------------------------------------------------ > > > > > > _______________________________________________ > > > Pki-users mailing list > > > Pki-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3237 bytes Desc: S/MIME Cryptographic Signature URL: From zach.casper at envieta.com Tue Dec 23 19:47:44 2008 From: zach.casper at envieta.com (Zach Casper) Date: Tue, 23 Dec 2008 14:47:44 -0500 Subject: [Pki-users] ESC Format / Enroll Error In-Reply-To: <49513E0D.9080901@redhat.com> References: <001201c96527$1c706e30$55514a90$@casper@envieta.com><49512983.2080702@redhat.com> <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> <49513E0D.9080901@redhat.com> Message-ID: <004d01c96537$55373d60$ffa5b820$@casper@envieta.com> tps-error.log ... [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions. [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel creation failure [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions. [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel creation failure [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions. [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel creation failure [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions. [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel creation failure [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions. 
[2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel creation failure [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions. [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel creation failure tps-debug.log ... [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - Authenticate returns: 0 [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE' [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12' [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00' [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='20') [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00 [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00 [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13' [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7' [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2') [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86 [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet upgrade failed [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12' [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00' [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2') [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00 [2008-12-23 12:45:54] ba5f2590 
AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19' zach _____________________________________________ From: Jack Magne [mailto:jmagne at redhat.com] Sent: Tuesday, December 23, 2008 2:38 PM To: Adewumi, Julius-p99373 Cc: Zach Casper; pki-users at redhat.com Subject: Re: [Pki-users] ESC Format / Enroll Error You are having a problem creating a secure channel. Perhaps posting a snippet of the log might help. Adewumi, Julius-p99373 wrote: > You might want to play with changing "false" to "true" in the CS.cfg for > op.enroll.userKey.update.applet.emptyToken.enable=false or the > op.format... equivalent , etc. > > /From: Julius Adewumi/ > /@GDC4S.com/ > /Ph:480-441-6768/ > /Contract Corp:MTSI/ > > > ------------------------------------------------------------------------ > *From:* pki-users-bounces at redhat.com > [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper > *Sent:* Tuesday, December 23, 2008 12:00 PM > *To:* pki-users at redhat.com > *Subject:* RE: [Pki-users] ESC Format / Enroll Error > > Tps-debug log shows the following: > > RA_Format_Processor::Process - applet upgrade failed > > Tps-error log shows the following: > > RA_Processor::SetupSecureChannel - Failed to create a secure channel > 0- potentially due to an RA/TKS key mismatch or differing RA/TKS key > versions. > > RA_Processor::UpgradeApplet -0 channel create failure > > And a series of Bad Response when trying to SelectApplet or GetStatus > > zach > > _____________________________________________ > *From:* Jack Magne [mailto:jmagne at redhat.com] > *Sent:* Tuesday, December 23, 2008 1:10 PM > *To:* Zach Casper > *Subject:* Re: [Pki-users] ESC Format / Enroll Error > > The first step would be to take a look at the tps log or smart card > server. > > These can be found at: > > /var/lib/pki-tps/logs/tps-debug.log > > Search the bottom of the log for error 19 and it should give you an idea > > of what TPS was trying to do at the time. 
> > Zach Casper wrote: > > > > > > We have an Infineon Smart Card and currently we are unable to > > > Format/Enroll due to the following ESC Error > > > > > > "Formatting of smart card failed. Error: The Smart Card Server cannot > > > upgrade the software on your smart card." > > > > > > And Diagnostics show this error: > > > > > > "Attempting to Format Key, ID: ####### - Key Format failure, Error: 19." > > > > > > This card comes up as "Formatted" because we've manually installed a > > > version of the Dogtag applet prior to using ESC & Dogtag. > > > > > > Any advice on how we can troubleshoot? > > > > > > -- > > > > > > Zach Casper > > > > > > Envieta LLC > > > > > > ---------------------------------------- > > > > > > ------------------------------------------------------------------------ > > > > > > _______________________________________________ > > > Pki-users mailing list > > > Pki-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jmagne at redhat.com Tue Dec 23 22:34:53 2008 From: jmagne at redhat.com (Jack Magne) Date: Tue, 23 Dec 2008 14:34:53 -0800 Subject: [Pki-users] ESC Format / Enroll Error In-Reply-To: <004d01c96537$55373d60$ffa5b820$@casper@envieta.com> References: <001201c96527$1c706e30$55514a90$@casper@envieta.com><49512983.2080702@redhat.com> <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> <49513E0D.9080901@redhat.com> <004d01c96537$55373d60$ffa5b820$@casper@envieta.com> Message-ID: <4951678D.3080202@redhat.com> I'll have to take a closer look later but there is a quick thing you can try. 
Also, remember depending upon your card, if you make too many failed attempts at a secure channel, the card can lock itself up. In /var/lib/pki-tps/conf/CS.cfg you will have a block like this: channel.defKeyVersion=1 channel.defKeyIndex=1 We have experimented with some other cards where the following works: channel.defKeyVersion=0 channel.defKeyIndex=0 Zach Casper wrote: > > tps-error.log > ... > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel > creation failure > [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. > [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel > creation failure > [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. > [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel > creation failure > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel > creation failure > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel > creation failure > [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. 
> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel > creation failure > > tps-debug.log > ... > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - > Authenticate returns: 0 > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent > 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE' > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path = > /usr/share/pki/tps/applets/1.3.44724DDE.ijc > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12' > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent > 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00' > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = > (length='20') > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 > 00 00 03 00 > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 > 01 ff 90 00 > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13' > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent > 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7' > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = > (length='2') > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86 > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet > upgrade failed > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12' > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent > 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00' > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = > (length='2') > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00 > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent > 's=43&msg_type=13&operation=5&result=1&message=19' > > zach > > _____________________________________________ > *From:* Jack Magne [mailto:jmagne at redhat.com] > 
*Sent:* Tuesday, December 23, 2008 2:38 PM > *To:* Adewumi, Julius-p99373 > *Cc:* Zach Casper; pki-users at redhat.com > *Subject:* Re: [Pki-users] ESC Format / Enroll Error > > You are having a problem creating a secure channel. Perhaps posting a > > snippet of the log might help. > > > > Adewumi, Julius-p99373 wrote: > > > You might want to play with changing "false" to "true" in the CS.cfg for > > > op.enroll.userKey.update.applet.emptyToken.enable=false or the > > > op.format... equivalent , etc. > > > > > > /From: Julius Adewumi/ > > > /@GDC4S.com/ > > > /Ph:480-441-6768/ > > > /Contract Corp:MTSI/ > > > > > > > > > ------------------------------------------------------------------------ > > > *From:* pki-users-bounces at redhat.com > > > [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper > > > *Sent:* Tuesday, December 23, 2008 12:00 PM > > > *To:* pki-users at redhat.com > > > *Subject:* RE: [Pki-users] ESC Format / Enroll Error > > > > > > Tps-debug log shows the following: > > > > > > RA_Format_Processor::Process - applet upgrade failed > > > > > > Tps-error log shows the following: > > > > > > RA_Processor::SetupSecureChannel - Failed to create a secure channel > > > 0- potentially due to an RA/TKS key mismatch or differing RA/TKS key > > > versions. > > > > > > RA_Processor::UpgradeApplet -0 channel create failure > > > > > > And a series of Bad Response when trying to SelectApplet or GetStatus > > > > > > zach > > > > > > _____________________________________________ > > > *From:* Jack Magne [mailto:jmagne at redhat.com] > > > *Sent:* Tuesday, December 23, 2008 1:10 PM > > > *To:* Zach Casper > > > *Subject:* Re: [Pki-users] ESC Format / Enroll Error > > > > > > The first step would be to take a look at the tps log or smart card > > > server. 
> > > > > > These can be found at: > > > > > > /var/lib/pki-tps/logs/tps-debug.log > > > > > > Search the bottom of the log for error 19 and it should give you an idea > > > > > > of what TPS was trying to do at the time. > > > > > > Zach Casper wrote: > > > > > > > > > > > > > > We have an Infineon Smart Card and currently we are unable to > > > > > > > Format/Enroll due to the following ESC Error > > > > > > > > > > > > > > "Formatting of smart card failed. Error: The Smart Card Server cannot > > > > > > > upgrade the software on your smart card." > > > > > > > > > > > > > > And Diagnostics show this error: > > > > > > > > > > > > > > "Attempting to Format Key, ID: ####### - Key Format failure, Error: > 19." > > > > > > > > > > > > > > This card comes up as "Formatted" because we've manually installed a > > > > > > > version of the Dogtag applet prior to using ESC & Dogtag. > > > > > > > > > > > > > > Any advice on how we can troubleshoot? > > > > > > > > > > > > > > -- > > > > > > > > > > > > > > Zach Casper > > > > > > > > > > > > > > Envieta LLC > > > > > > > > > > > > > > ---------------------------------------- > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > > > > > _______________________________________________ > > > > > > > Pki-users mailing list > > > > > > > Pki-users at redhat.com > > > > > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > _______________________________________________ > > > Pki-users mailing list > > > Pki-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part 
-------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3237 bytes Desc: S/MIME Cryptographic Signature URL: From zach.casper at envieta.com Wed Dec 24 15:28:02 2008 From: zach.casper at envieta.com (Zach Casper) Date: Wed, 24 Dec 2008 10:28:02 -0500 Subject: [Pki-users] ESC Format / Enroll Error References: <001201c96527$1c706e30$55514a90$@casper@envieta.com> Message-ID: <000b01c965dc$3684c090$a38e41b0$@casper@envieta.com> Thanks Sean. Has it been verified that JC 2.2.1 cards are incompatible with Dogtag/CMS 7.3? zach From: Zach Casper [mailto:zach.casper at envieta.com] Sent: Tuesday, December 23, 2008 1:42 PM To: 'pki-users at redhat.com' Subject: RE: [Pki-users] ESC Format / Enroll Error Yes - Our cards are JavaCard 2.2.1 and Global Platform 2.1.1 Could that be the problem? From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Veale, Sean Sent: Tuesday, December 23, 2008 1:29 PM To: pki-users at redhat.com Subject: RE: [Pki-users] ESC Format / Enroll Error Do you know what version of the JavaCard the card supports? I think the card needs to work with JC 2.2.2 to work correctly (at least in CS 7.3 and probably in Dogtag CS) but confirmation on that would be good. Sean _____ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper Sent: Tuesday, December 23, 2008 12:52 PM To: pki-users at redhat.com Subject: [Pki-users] ESC Format / Enroll Error We have an Infineon Smart Card and currently we are unable to Format/Enroll due to the following ESC Error "Formatting of smart card failed. Error: The Smart Card Server cannot upgrade the software on your smart card." And Diagnostics show this error: "Attempting to Format Key, ID: ####### - Key Format failure, Error: 19." This card comes up as "Formatted" because we've manually installed a version of the Dogtag applet prior to using ESC & Dogtag. 
Any advice on how we can troubleshoot? -- Zach Casper Envieta LLC ---------------------------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: From sean.veale at gdc4s.com Wed Dec 24 15:59:12 2008 From: sean.veale at gdc4s.com (Veale, Sean) Date: Wed, 24 Dec 2008 10:59:12 -0500 Subject: [Pki-users] ESC Format / Enroll Error In-Reply-To: <000b01c965dc$3684c090$a38e41b0$@casper@envieta.com> References: <001201c96527$1c706e30$55514a90$@casper@envieta.com> <000b01c965dc$3684c090$a38e41b0$@casper@envieta.com> Message-ID: No. From further diving down in the documents I believe JC 2.2.1 cards should work, but I've only had the Gemalto cards work correctly so far. On the same note I've only just started using 7.3 and later plan to use Dogtag, so I wouldn't take any answer I give as fact :) This is an interesting bug relating to Safenet cards, so it might be useful for you to see if you have something similar: https://bugzilla.redhat.com/show_bug.cgi?id=459538 Sean ________________________________ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper Sent: Wednesday, December 24, 2008 10:28 AM To: pki-users at redhat.com Subject: RE: [Pki-users] ESC Format / Enroll Error Thanks Sean. Has it been verified that JC 2.2.1 cards are incompatible with Dogtag/CMS 7.3? zach From: Zach Casper [mailto:zach.casper at envieta.com] Sent: Tuesday, December 23, 2008 1:42 PM To: 'pki-users at redhat.com' Subject: RE: [Pki-users] ESC Format / Enroll Error Yes - Our cards are JavaCard 2.2.1 and Global Platform 2.1.1 Could that be the problem? From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Veale, Sean Sent: Tuesday, December 23, 2008 1:29 PM To: pki-users at redhat.com Subject: RE: [Pki-users] ESC Format / Enroll Error Do you know what version of the JavaCard the card supports? 
I think the card needs to work with JC 2.2.2 to work correctly (at least in CS 7.3 and probably in Dogtag CS) but confirmation on that would be good. Sean ________________________________ From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper Sent: Tuesday, December 23, 2008 12:52 PM To: pki-users at redhat.com Subject: [Pki-users] ESC Format / Enroll Error We have an Infineon Smart Card and currently we are unable to Format/Enroll due to the following ESC Error "Formatting of smart card failed. Error: The Smart Card Server cannot upgrade the software on your smart card." And Diagnostics show this error: "Attempting to Format Key, ID: ####### - Key Format failure, Error: 19." This card comes up as "Formatted" because we've manually installed a version of the Dogtag applet prior to using ESC & Dogtag. Any advice on how we can troubleshoot? -- Zach Casper Envieta LLC ---------------------------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: From zach.casper at envieta.com Wed Dec 31 21:51:20 2008 From: zach.casper at envieta.com (Zach Casper) Date: Wed, 31 Dec 2008 16:51:20 -0500 Subject: [Pki-users] ESC Format / Enroll Error In-Reply-To: <4951678D.3080202@redhat.com> References: <001201c96527$1c706e30$55514a90$@casper@envieta.com><49512983.2080702@redhat.com> <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> <49513E0D.9080901@redhat.com> <004d01c96537$55373d60$ffa5b820$@casper@envieta.com> <4951678D.3080202@redhat.com> Message-ID: <002401c96b91$eb97e4c0$c2c7ae40$@casper@envieta.com> Could there be an issue with the default key our card is loaded with (VISA Key) not being able to create the secure connection? What are the default key(s) used/needed by Dogtag? 
_____________________________________________ From: Jack Magne [mailto:jmagne at redhat.com] Sent: Tuesday, December 23, 2008 5:35 PM To: Zach Casper Cc: pki-users at redhat.com Subject: Re: [Pki-users] ESC Format / Enroll Error I'll have to take a closer look later but there is a quick thing you can try. Also, remember depending upon your card, if you make too many failed attempts at a secure channel, the card can lock itself up. In /var/lib/pki-tps/conf/CS.cfg you will have a block like this: channel.defKeyVersion=1 channel.defKeyIndex=1 We have experimented with some other cards where the following works: channel.defKeyVersion=0 channel.defKeyIndex=0 Zach Casper wrote: > > tps-error.log > ... > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel > creation failure > [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. > [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel > creation failure > [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. > [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel > creation failure > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel > creation failure > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. 
> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel > creation failure > [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - > Failed to create a secure channel - potentially due to an RA/TKS key > mismatch or differing RA/TKS key versions. > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel > creation failure > > tps-debug.log > ... > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - > Authenticate returns: 0 > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent > 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE' > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path = > /usr/share/pki/tps/applets/1.3.44724DDE.ijc > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12' > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent > 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00' > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = > (length='20') > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 > 00 00 03 00 > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 > 01 ff 90 00 > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13' > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent > 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7' > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = > (length='2') > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86 > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet > upgrade failed > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12' > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent > 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00' > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = > (length='2') > [2008-12-23 
12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00 > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent > 's=43&msg_type=13&operation=5&result=1&message=19' > > zach > > _____________________________________________ > *From:* Jack Magne [mailto:jmagne at redhat.com] > *Sent:* Tuesday, December 23, 2008 2:38 PM > *To:* Adewumi, Julius-p99373 > *Cc:* Zach Casper; pki-users at redhat.com > *Subject:* Re: [Pki-users] ESC Format / Enroll Error > > You are having a problem creating a secure channel. Perhaps posting a > > snippet of the log might help. > > > > Adewumi, Julius-p99373 wrote: > > > You might want to play with changing "false" to "true in the CS.cfg for > > > op.enroll.userKey.update.applet.emptyToken.enable=false or the > > > op.format... equivalent , etc. > > > > > > /From: Julius Adewumi/ > > > /@GDC4S.com/ > > > /Ph:480-441-6768/ > > > /Contract Corp:MTSI/ > > > > > > > > > ------------------------------------------------------------------------ > > > *From:* pki-users-bounces at redhat.com > > > [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper > > > *Sent:* Tuesday, December 23, 2008 12:00 PM > > > *To:* pki-users at redhat.com > > > *Subject:* RE: [Pki-users] ESC Format / Enroll Error > > > > > > Tps-debug log shows the following: > > > > > > RA_Format_Processor::Process - applet upgrade failed > > > > > > Tps-error log show the following: > > > > > > RA_Processor::SetupSecureChannel - Failed to create a secure channel > > > 0- potentially due to an RA/TKS key mismatch or differing RA/TKS key > > > versions. 
> > > > > > RA_Processor::UpgradeApplet -0 channel create failure > > > > > > And a series of Bad Response when trying to SelectApplet or GetStatus > > > > > > zach > > > > > > _____________________________________________ > > > *From:* Jack Magne [mailto:jmagne at redhat.com] > > > *Sent:* Tuesday, December 23, 2008 1:10 PM > > > *To:* Zach Casper > > > *Subject:* Re: [Pki-users] ESC Format / Enroll Error > > > > > > The first step would be to take a look at the tps log or smart card > > > server. > > > > > > These can be found at: > > > > > > /var/lib/pki-tps/logs/tps-debug.log > > > > > > Search the bottom of the log for error 19 and it should give you an idea > > > > > > of what TPS was trying to do at the time. > > > > > > Zach Casper wrote: > > > > > > > > > > > > > > We have an Infineon Smart Card and currently we are unable to > > > > > > > Format/Enroll due to the following ESC Error > > > > > > > > > > > > > > "Formatting of smart card failed. Error: The Smart Card Server cannot > > > > > > > upgrade the software on your smart card." > > > > > > > > > > > > > > And Diagnostics show this error: > > > > > > > > > > > > > > "Attempting to Format Key, ID: ####### - Key Format failure, Error: > 19." > > > > > > > > > > > > > > This card comes up as "Formatted" because we've manually installed a > > > > > > > version of the Dogtag applet prior to using ESC & Dogtag. > > > > > > > > > > > > > > Any advice on how we can troubleshoot? 
> > > > > > > > > > > > > > -- > > > > > > > > > > > > > > Zach Casper > > > > > > > > > > > > > > Envieta LLC > > > > > > > > > > > > > > ---------------------------------------- > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > > > > > _______________________________________________ > > > > > > > Pki-users mailing list > > > > > > > Pki-users at redhat.com > > > > > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > _______________________________________________ > > > Pki-users mailing list > > > Pki-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-users > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > -------------- next part -------------- An HTML attachment was scrubbed... URL:
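The APDU traffic in the quoted tps-debug.log can be read back out of the log mechanically. The following Python is an added example, not code from Dogtag or from anyone in this thread: it pairs each pdu_data TPS sent with the hex bytes the card returned, names the command (SELECT, GlobalPlatform INITIALIZE UPDATE) and flags the INITIALIZE UPDATE that came back with status 6a86, which is what the RA/TKS key-version mismatch named in the tps-error log looks like on the wire. The regexes are assumptions fitted only to the log lines quoted above, and the sample LOG list is constructed from those lines.

```python
import re
from urllib.parse import unquote_to_bytes

# ISO 7816-4 status words relevant to a GlobalPlatform secure-channel setup.
STATUS = {"9000": "success",
          "6a86": "incorrect P1/P2 (card has no key set with that version/id)",
          "6982": "security status not satisfied"}
SENT = re.compile(r"WriteMsg - Sent 's=\d+&msg_type=9&pdu_size=\d+&pdu_data=([^']+)'")
RECV = re.compile(r"ReadMsg - ((?:[0-9a-f]{2} ?)+)\s*$")   # hex-only ReadMsg lines

def describe(apdu: bytes) -> str:
    # Name the command APDU TPS issued during the format / applet upgrade.
    cla, ins, p1, p2 = apdu[:4]
    if (cla, ins) == (0x00, 0xA4):          # SELECT by AID: Lc, then the AID bytes
        return "SELECT aid=" + apdu[5:5 + apdu[4]].hex()
    if (cla, ins) == (0x80, 0x50):          # GP INITIALIZE UPDATE: P1 key version, P2 key id
        return f"INITIALIZE UPDATE key_version={p1:#04x} key_id={p2:#04x}"
    return f"CLA={cla:02x} INS={ins:02x} P1={p1:02x} P2={p2:02x}"

def parse_exchanges(lines):
    # Pair each sent pdu_data with the hex the card returned; keep the status word.
    out, cmd, resp = [], None, bytearray()
    def flush():
        if cmd is not None:
            sw = resp[-2:].hex()
            out.append((describe(cmd), sw, STATUS.get(sw, "unknown status word")))
    for line in lines:
        if m := SENT.search(line):
            flush()
            cmd, resp = unquote_to_bytes(m.group(1)), bytearray()
        elif m := RECV.search(line):
            resp += bytes.fromhex(m.group(1).replace(" ", ""))
    flush()
    return out

def diagnose(exchanges):
    # The failing step in the quoted log: INITIALIZE UPDATE rejected with 6a86.
    for name, sw, _ in exchanges:
        if name.startswith("INITIALIZE UPDATE") and sw == "6a86":
            return f"card rejected {name}: TKS key version/id not on card (RA/TKS key mismatch)"
    return "secure channel setup looks fine"

# Constructed sample: the tps-debug.log lines quoted above, trimmed to the APDU traffic.
LOG = [
    "[2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'",
    "[2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='20')",
    "[2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00",
    "[2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00",
    "[2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7'",
    "[2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86",
]
```

Run it against a full tps-debug.log (one string per line) to see at which APDU the channel setup stopped; here the card manager SELECT succeeds and the very next INITIALIZE UPDATE for key version 0x01 is refused, before any EXTERNAL AUTHENTICATE is attempted.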