[Pki-users] ESC Format / Enroll Error

Zach Casper zach.casper at envieta.com
Wed Dec 31 21:51:20 UTC 2008


Could there be an issue with the default key our card is loaded with (VISA
Key) not being able to create the secure connection? What are the default
key(s) used/needed by Dogtag? 

_____________________________________________
From: Jack Magne [mailto:jmagne at redhat.com] 
Sent: Tuesday, December 23, 2008 5:35 PM
To: Zach Casper
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] ESC Format / Enroll Error




I'll have to take a closer look later but there is a quick thing you can 
try.

Also, remember depending upon your card, if you make too many failed 
attempts at a secure channel, the card can lock itself up.

In /var/lib/pki-tps/conf/CS.cfg you will have a block like this:

channel.defKeyVersion=1
channel.defKeyIndex=1

We have experimented with some other cards where the following works:

channel.defKeyVersion=0
channel.defKeyIndex=0

Zach Casper wrote:
>
> tps-error.log
> ...
> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel 
> creation failure
> [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel 
> creation failure
> [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel 
> creation failure
> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel 
> creation failure
> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel 
> creation failure
> [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel 
> creation failure
>
> tps-debug.log
> ...
> [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - 
> Authenticate returns: 0
> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 
> 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path = 
> /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 
> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = 
> (length='20')
> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 
> 00 00 03 00
> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 
> 01 ff 90 00
> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg -
> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13'
> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 
> 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7'
> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = 
> (length='2')
> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86
> [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet 
> upgrade failed
> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 
> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = 
> (length='2')
> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00
> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 
> 's=43&msg_type=13&operation=5&result=1&message=19'
>
> zach
>
> _____________________________________________
> *From:* Jack Magne [mailto:jmagne at redhat.com]
> *Sent:* Tuesday, December 23, 2008 2:38 PM
> *To:* Adewumi, Julius-p99373
> *Cc:* Zach Casper; pki-users at redhat.com
> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>
> You are having a problem creating a secure channel. Perhaps posting a
> snippet of the log might help.
>
> Adewumi, Julius-p99373 wrote:
> > You might want to play with changing "false" to "true" in the CS.cfg for
> > op.enroll.userKey.update.applet.emptyToken.enable=false or the
> > op.format... equivalent, etc.
> >
> > /From: Julius Adewumi/
> > /@GDC4S.com/
> > /Ph:480-441-6768/
> > /Contract Corp:MTSI/
> >
> > ------------------------------------------------------------------------
> > *From:* pki-users-bounces at redhat.com
> > [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper
> > *Sent:* Tuesday, December 23, 2008 12:00 PM
> > *To:* pki-users at redhat.com
> > *Subject:* RE: [Pki-users] ESC Format / Enroll Error
> >
> > Tps-debug log shows the following:
> >
> > RA_Format_Processor::Process - applet upgrade failed
> >
> > Tps-error log shows the following:
> >
> > RA_Processor::SetupSecureChannel - Failed to create a secure channel
> > - potentially due to an RA/TKS key mismatch or differing RA/TKS key
> > versions.
> >
> > RA_Processor::UpgradeApplet - channel create failure
> >
> > And a series of Bad Response when trying to SelectApplet or GetStatus
> >
> > zach
> >
> > _____________________________________________
> > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > *Sent:* Tuesday, December 23, 2008 1:10 PM
> > *To:* Zach Casper
> > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> >
> > The first step would be to take a look at the tps log or smart card
> > server.
> >
> > These can be found at:
> >
> > /var/lib/pki-tps/logs/tps-debug.log
> >
> > Search the bottom of the log for error 19 and it should give you an idea
> > of what TPS was trying to do at the time.
> >
> > Zach Casper wrote:
> > >
> > > We have an Infineon Smart Card and currently we are unable to
> > > Format/Enroll due to the following ESC Error
> > >
> > > "Formatting of smart card failed. Error: The Smart Card Server cannot
> > > upgrade the software on your smart card."
> > >
> > > And Diagnostics show this error:
> > >
> > > "Attempting to Format Key, ID: ####### - Key Format failure, Error: 19."
> > >
> > > This card comes up as "Formatted" because we've manually installed a
> > > version of the Dogtag applet prior to using ESC & Dogtag.
> > >
> > > Any advice on how we can troubleshoot?
> > >
> > > --
> > > Zach Casper
> > > Envieta LLC
> > > ----------------------------------------
> > >
> > > ------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users
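Added example (not part of the original thread, and not Dogtag code): a short Python script that decodes the pdu_data APDUs and card replies from the tps-debug.log excerpt quoted above. It reads P1/P2 of the 80 50 command as key version and key index, as GlobalPlatform INITIALIZE UPDATE defines them, and takes the status-word meanings from ISO/IEC 7816-4; the function and variable names are made up for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Sample lines re-joined from the tps-debug.log excerpt quoted in this thread.
SAMPLE_LOG = """\
[2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
[2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='20')
[2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
[2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
[2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7'
[2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2')
[2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86
"""

# Status words from ISO/IEC 7816-4; only the two that appear in this log.
SW_TEXT = {0x9000: "success", 0x6A86: "incorrect parameters P1-P2"}
SENT = re.compile(r"WriteMsg - Sent '.*?pdu_data=([%0-9A-Fa-f]+)'")
LENGTH = re.compile(r"ReadMsg - decoded pdu = \(length='(\d+)'\)")
HEXROW = re.compile(r"ReadMsg - ((?:[0-9a-f]{2} ?)+)$")

def describe(cmd):
    """Name the two command types seen in the log; anything else is shown raw."""
    cla, ins, p1, p2 = cmd[:4]
    if (cla, ins) == (0x00, 0xA4):
        return "SELECT AID " + cmd[5:5 + cmd[4]].hex()
    if (cla, ins) == (0x80, 0x50):
        return f"INITIALIZE UPDATE keyVersion={p1} keyIndex={p2}"
    return f"CLA={cla:02x} INS={ins:02x}"

def exchanges(log_text):
    """Pair each sent APDU with the status word of the reply that follows it."""
    out, cmd, want, resp = [], None, 0, b""
    for line in log_text.splitlines():
        if m := SENT.search(line):
            cmd = unquote_to_bytes(m.group(1))
        elif m := LENGTH.search(line):
            want, resp = int(m.group(1)), b""
        elif cmd is not None and want and (m := HEXROW.search(line)):
            resp += bytes.fromhex(m.group(1))
            if len(resp) >= want:  # reply complete: last two bytes are SW1 SW2
                sw = int.from_bytes(resp[-2:], "big")
                out.append((describe(cmd), f"{sw:04X}", SW_TEXT.get(sw, "unknown")))
                cmd, want = None, 0
    return out

if __name__ == "__main__":
    for row in exchanges(SAMPLE_LOG):
        print(*row, sep=" | ")
```

The 6A 86 reply follows the command carrying version 1 and index 1, the same values as channel.defKeyVersion=1 and channel.defKeyIndex=1 in the CS.cfg block quoted above, and it is the exchange that precedes "applet upgrade failed" in the log.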

