[Pki-users] error -12271 trying to ESC connect to TPS

Jack Magne jmagne at redhat.com
Tue Nov 25 22:23:36 UTC 2008


Ebbe:

I will continue to investigate to see if we have a bug.

When you are asked for the phone home URL, try the non-secure version.

Something like:

http://host:7888/cgi-bin/home/index.cgi

This should keep you testing.

thanks,
jack

Ebbe Hansen wrote:
> If I do not have a certificate in my cert-store issued by the RedHat CA
> (ESC running on Windows XP) the browser (IE) indicates "The page cannot
> be displayed"
>
> The server is a "straight" RedHat 7.3 PKI installation with latest
> Firefox installed. Could Firefox have changed some of the original
> RedHat 7.3 SSL libraries?
>
> Ebbe
>
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne at redhat.com] 
> Sent: Tuesday, November 25, 2008 11:25 AM
> To: Ebbe Hansen
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>
> Ebbe:
>
> When you go to the URL with the browser, does it ask you for a cert?
> This is unusual, I will have to check around for you.
>
> thanks,
> jack
>
> Ebbe Hansen wrote:
>> Jack,
>>
>> In my configuration the URL actually is:
>> https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi
>>
>> After clicking the "Test URL" button on the ESC (Smart Card Manager) I
>> observe the error:
>>
>> "Could not establish an encrypted connection because your certificate was
>> rejected by
>> Redhat4.spyrus.com. Error Code: -12271"
>>
>>
>> When accessing the TPS with a browser I receive the following display:
>>
>> <?xml version="1.0" encoding="UTF-8" ?> 
>> - <ServiceInfo>
>>   <IssuerName>Spyrus, Inc.</IssuerName> 
>> - <Services>
>>   <Operation>https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi</Operation> 
>>   <UI>https://redhat4.spyrus.com:7889/cgi-bin/home/enroll.cgi</UI> 
>>   <EnrolledTokenBrowserURL>http://www.spyrus.com</EnrolledTokenBrowserURL>
>>   <EnrolledTokenURL /> 
>>   <TokenType>userKey</TokenType> 
>>   </Services>
>>   </ServiceInfo>
>>
>>
>> Ebbe
>>
>> -----Original Message-----
>> From: Jack Magne [mailto:jmagne at redhat.com] 
>> Sent: Monday, November 24, 2008 6:30 PM
>> To: Ebbe Hansen
>> Cc: pki-users at redhat.com
>> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>>
>> Ebbe:
>>
>> Try this as your phone home URL.
>>
>> https://smartcardserver.example.com:7888/cgi-bin/home.cgi
>>
>> Also, you can try this with a browser and it should simply print out a
>> simple XML file for you.
>>
>> I will take a look at the doc and see how it can be improved.
>>
>> Ebbe Hansen wrote:
>>> Jack,
>>>
>>> I am trying to set up the initial "phone home" configuration with the
>>> intent to Format a blank token.
>>> The ESC User guide (and the ESC) is indicating the initial Phone Home
>>> connection must be secured using https (e.g.
>>> "https://smartcardserver.example.com:7888").
>>>
>>> When connecting to the Admin services for all other PKI components (CA,
>>> DRM, TKS and TPS) a client certificate is required to gain access. The
>>> error message I observe when trying to connect with the ESC indicates a
>>> client certificate is also expected in this case - but I haven't found
>>> anything in the ESC Guide that documents this?
>>>
>>> Ebbe
>>>
>>>
>>> -----Original Message-----
>>> From: Jack Magne [mailto:jmagne at redhat.com] 
>>> Sent: Monday, November 24, 2008 9:54 AM
>>> To: Ebbe Hansen
>>> Cc: pki-users at redhat.com
>>> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>>>
>>> Ebbe:
>>>
>>> Could you state exactly what operation you are trying to do with ESC
>>> with respect to TPS?
>>> Are you performing the "phone home" step or actually attempting an
>>> enrollment?
>>> The default case should not require client auth which appears to be the
>>> case with your error.
>>>
>>> thanks,
>>> jack
>>>
>>> Ebbe Hansen wrote:
>>>> I am not successful connecting the ESC (Smart Card Manager) client to
>>>> the TPS. I have configured TPS and ESC as documented in ESC Guide.
>>>>
>>>> The error message says: "Could not establish an encrypted connection
>>>> because your certificate was rejected. Error -12271".
>>>>
>>>> Looks like the ESC needs a user certificate and key to establish SSL
>>>> connection.
>>>>
>>>> Not sure how the ESC can be configured to access a dedicated user
>>>> certificate & key? Can ESC detect and possibly use the TPS Admin
>>>> cert/key if running on same platform?
>>>>
>>>> Ehansen @ SPYRUS Corp.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/pki-users/attachments/20081125/4769807f/attachment.bin>
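
An added example, not part of the original thread and not Red Hat's code: a Python check over a phone-home response like the one quoted above. It lists the URLs the response hands to ESC and flags those reached without TLS or on a different listener than the phone-home URL. The function name `audit_phone_home`, the finding strings and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the response quoted in the thread
# (the browser's "-" collapse markers are removed).
SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<ServiceInfo>
  <IssuerName>Spyrus, Inc.</IssuerName>
  <Services>
    <Operation>https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi</Operation>
    <UI>https://redhat4.spyrus.com:7889/cgi-bin/home/enroll.cgi</UI>
    <EnrolledTokenBrowserURL>http://www.spyrus.com</EnrolledTokenBrowserURL>
    <EnrolledTokenURL />
    <TokenType>userKey</TokenType>
  </Services>
</ServiceInfo>"""


def audit_phone_home(xml_text, fetched_from):
    """Return (element, url, finding) tuples for a phone-home response."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "ServiceInfo":
        raise ValueError("not a phone-home ServiceInfo document")
    origin = urlsplit(fetched_from)
    findings = []
    if origin.scheme != "https":
        # Nothing authenticates the server, so the URLs below are untrusted.
        findings.append(("(phone home)", fetched_from,
                         "fetched without TLS: response is unauthenticated"))
    for el in root.iter():
        url = (el.text or "").strip()
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # IssuerName, TokenType and empty elements are not URLs
        if parts.scheme == "http":
            findings.append((el.tag, url, "plain HTTP endpoint"))
        elif parts.hostname != origin.hostname:
            findings.append((el.tag, url, "host differs from phone-home host"))
        elif parts.port != origin.port:
            findings.append((el.tag, url,
                             "HTTPS endpoint on a different port than phone home"))
    return findings


if __name__ == "__main__":
    for finding in audit_phone_home(
            SAMPLE, "http://redhat4.spyrus.com:7888/cgi-bin/home/index.cgi"):
        print(finding)
```

With the plain-HTTP phone-home URL, the `Operation` and `UI` entries still point at the HTTPS listener on port 7889, so later ESC operations continue to depend on that TLS configuration.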

