From zach.casper at envieta.com Mon Jan 5 15:45:13 2009
From: zach.casper at envieta.com (Zach Casper)
Date: Mon, 5 Jan 2009 10:45:13 -0500
Subject: [Pki-users] Default Secure Channel Key for Dogtag
Message-ID: <000601c96f4c$9ae16470$d0a42d50$@casper@envieta.com>

Could there be an issue with the default key our card is loaded with (VISA Key) not being able to create the secure connection to Dogtag subsystems? What are the default key(s) used/needed by Dogtag for connection?

--
Zach Casper
Envieta LLC


From mundulica at gmail.com Tue Jan 6 07:10:56 2009
From: mundulica at gmail.com (soham)
Date: Tue, 6 Jan 2009 17:10:56 +1000
Subject: [Pki-users] any suggestion for get going with pki-tps in dogtag
Message-ID: <7a57ad630901052310g56964f8cyb15d120af5bee1f9@mail.gmail.com>

Hi,

Whereas I could install all other instances, I could not get going with the pki-tps instance. What could be the common error? I have followed the same procedures for installing it. The error message says 'unable to connect'.


From zach.casper at envieta.com Tue Jan 6 15:12:13 2009
From: zach.casper at envieta.com (Zach Casper)
Date: Tue, 6 Jan 2009 10:12:13 -0500
Subject: [Pki-users] any suggestion for get going with pki-tps in dogtag
In-Reply-To: <7a57ad630901052310g56964f8cyb15d120af5bee1f9@mail.gmail.com>
References: <7a57ad630901052310g56964f8cyb15d120af5bee1f9@mail.gmail.com>
Message-ID: <000a01c97011$29a98420$7cfc8c60$@casper@envieta.com>

Have you installed, initialized and restarted each Dogtag subsystem in the order they appear on the wiki? Subsequent subsystems rely on certificates created prior to their installation.

Also - check your versions of mod_nss and nss - it will not work if you are using NSS 3.12 or later or MOD_NSS 1.0.7-3 or later. That is if you are using the prebuilt packages on the Dogtag wiki for Fedora 8 installation.
I believe if you build locally from most recent source for 8, 9 or 10 it is ok. Hope this helps.

Zach Casper
Lead Engineer
Envieta, LLC


From jmagne at redhat.com Wed Jan 7 18:09:23 2009
From: jmagne at redhat.com (Jack Magne)
Date: Wed, 07 Jan 2009 10:09:23 -0800
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <002401c96b91$eb97e4c0$c2c7ae40$@casper@envieta.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com> <49512983.2080702@redhat.com> <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> <49513E0D.9080901@redhat.com> <004d01c96537$55373d60$ffa5b820$@casper@envieta.com> <4951678D.3080202@redhat.com> <002401c96b91$eb97e4c0$c2c7ae40$@casper@envieta.com>
Message-ID: <4964EFD3.2030606@redhat.com>

Zach:

Sorry for the delay....

The default developer keyset we use for our keys with TPS is the standard like follows:

tks.defKeySet.auth_key=#40#41...#4f
tks.defKeySet.kek_key=#40#41...#4f
tks.defKeySet.mac_key=#40#41...#4f

If you look in the CS.cfg file under /var/lib/pki-tks/conf

We have an entire procedure documented in the CS 7.3 documentation to perform a key changeover if required.

Feel free to post any further logs you might obtain after further testing.

thanks,
jack

Zach Casper wrote:
> Could there be an issue with the default key our card is loaded with
> (VISA Key) not being able to create the secure connection? What are
> the default key(s) used/needed by Dogtag?
>
> _____________________________________________
> *From:* Jack Magne [mailto:jmagne at redhat.com]
> *Sent:* Tuesday, December 23, 2008 5:35 PM
> *To:* Zach Casper
> *Cc:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>
> I'll have to take a closer look later but there is a quick thing you can try.
>
> Also, remember depending upon your card, if you make too many failed
> attempts at a secure channel, the card can lock itself up.
>
> In /var/lib/pki-tps/conf/CS.cfg you will have a block like this:
>
> channel.defKeyVersion=1
> channel.defKeyIndex=1
>
> We have experimented with some other cards where the following works:
>
> channel.defKeyVersion=0
> channel.defKeyIndex=0
>
> Zach Casper wrote:
> > tps-error.log
> > ...
> > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel creation failure
> > [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel creation failure
> > [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel creation failure
> > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel creation failure
> > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel creation failure
> > [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel creation failure
> >
> > tps-debug.log
> > ...
> > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - Authenticate returns: 0
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='20')
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg -
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13'
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7'
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2')
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86
> > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet upgrade failed
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2')
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00
> > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
> >
> > zach
> >
> > _____________________________________________
> > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > *Sent:* Tuesday, December 23, 2008 2:38 PM
> > *To:* Adewumi, Julius-p99373
> > *Cc:* Zach Casper; pki-users at redhat.com
> > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> >
> > You are having a problem creating a secure channel. Perhaps posting a
> > snippet of the log might help.
> >
> > Adewumi, Julius-p99373 wrote:
> > > You might want to play with changing "false" to "true" in the CS.cfg for
> > > op.enroll.userKey.update.applet.emptyToken.enable=false or the
> > > op.format... equivalent, etc.
> > >
> > > /From: Julius Adewumi/
> > > /@GDC4S.com/
> > > /Ph:480-441-6768/
> > > /Contract Corp:MTSI/
> > >
> > > ------------------------------------------------------------------------
> > > *From:* pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper
> > > *Sent:* Tuesday, December 23, 2008 12:00 PM
> > > *To:* pki-users at redhat.com
> > > *Subject:* RE: [Pki-users] ESC Format / Enroll Error
> > >
> > > Tps-debug log shows the following:
> > >
> > > RA_Format_Processor::Process - applet upgrade failed
> > >
> > > Tps-error log show the following:
> > >
> > > RA_Processor::SetupSecureChannel - Failed to create a secure channel
> > > - potentially due to an RA/TKS key mismatch or differing RA/TKS key
> > > versions.
> > >
> > > RA_Processor::UpgradeApplet - channel create failure
> > >
> > > And a series of Bad Response when trying to SelectApplet or GetStatus
> > >
> > > zach
> > >
> > > _____________________________________________
> > > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > > *Sent:* Tuesday, December 23, 2008 1:10 PM
> > > *To:* Zach Casper
> > > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> > >
> > > The first step would be to take a look at the tps log or smart card
> > > server.
> > >
> > > These can be found at:
> > >
> > > /var/lib/pki-tps/logs/tps-debug.log
> > >
> > > Search the bottom of the log for error 19 and it should give you an idea
> > > of what TPS was trying to do at the time.
> > >
> > > Zach Casper wrote:
> > > > We have an Infineon Smart Card and currently we are unable to
> > > > Format/Enroll due to the following ESC Error
> > > >
> > > > "Formatting of smart card failed. Error: The Smart Card Server cannot
> > > > upgrade the software on your smart card."
> > > >
> > > > And Diagnostics show this error:
> > > >
> > > > "Attempting to Format Key, ID: ####### - Key Format failure, Error: 19."
> > > >
> > > > This card comes up as "Formatted" because we've manually installed a
> > > > version of the Dogtag applet prior to using ESC & Dogtag.
> > > >
> > > > Any advice on how we can troubleshoot?
> > > >
> > > > --
> > > > Zach Casper
> > > > Envieta LLC
> > > >
> > > > ----------------------------------------
> > > >
> > > > ------------------------------------------------------------------------
> > > > _______________________________________________
> > > > Pki-users mailing list
> > > > Pki-users at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/pki-users


From zach.casper at envieta.com Wed Jan 7 19:14:16 2009
From: zach.casper at envieta.com (Zach Casper)
Date: Wed, 7 Jan 2009 14:14:16 -0500
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <4964EFD3.2030606@redhat.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com> <49512983.2080702@redhat.com> <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> <49513E0D.9080901@redhat.com> <004d01c96537$55373d60$ffa5b820$@casper@envieta.com> <4951678D.3080202@redhat.com> <002401c96b91$eb97e4c0$c2c7ae40$@casper@envieta.com> <4964EFD3.2030606@redhat.com>
Message-ID: <002601c970fc$241a9080$6c4fb180$@casper@envieta.com>

Thanks Jack.

It appears we are using the same keys so on to troubleshooting our error logs. Below are our current log file contents.

When we use the default values:

channel.defKeyVersion=1
channel.defKeyIndex=1

The error we get is:

[2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
[2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Attributes mail,cn,uid
[2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Exposed cn=Test User1
[2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 3
[2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Exposed uid=testuser1
[2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 4
[2009-01-07 11:05:07] ba6ec600 RA_Format_Processor::Process - Authenticate returns: 0
[2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
[2009-01-07 11:05:07] ba6ec600 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
[2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
[2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
[2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='20')
[2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
[2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
[2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg -
[2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='13'
[2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%09%CD%60%A7%11%EC%23%A5'
[2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
[2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 6a 86
[2009-01-07 11:05:08] ba6ec600 RA_Format_Processor::Process - applet upgrade failed
[2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
[2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
[2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
[2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 90 00
[2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'

When we switch the values to be:

channel.defKeyVersion=0
channel.defKeyIndex=0

The error now looks like this:

[2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
[2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Attributes mail,cn,uid
[2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Exposed cn=Test User1
[2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 3
[2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Exposed uid=testuser1
[2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 4
[2009-01-07 11:20:41] bacd2d28 RA_Format_Processor::Process - Authenticate returns: 0
[2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
[2009-01-07 11:20:41] bacd2d28 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
[2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
[2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='20')
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
[2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='13'
[2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%00%00%08%95%74%0B%AC%37%C9%DE%80'
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='30')
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 71 61 57 01 0e 0d 90 bd
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - ff 02 00 21 2e 6b ec 9e 33 2b
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - a5 26 d0 02 e6 64 c9 3c 90 00
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
[2009-01-07 11:20:41] bacd2d28 HttpConnection::getResponse - Send request to host localhost.localdomain:13443 servlet /tks/agent/tks/computeSessionKey
[2009-01-07 11:20:42] bacd2d28 RA::Engine - Pre-processing content 'HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 8
Date: Wed, 07 Jan 2009 16:20:42 GMT

status=3
[2009-01-07 11:20:42] bacd2d28 RA::Engine - Post-processing content 'status=3
[2009-01-07 11:20:42] bacd2d28 RA_Format_Processor::Process - applet upgrade failed
[2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
[2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
[2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='2')
[2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - 90 00
[2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'

In addition - the following is the pki-tps.tps-error.log snippet

[2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
[2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel creation failure
[2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
[2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel creation failure
[2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
[2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel creation failure
[2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
[2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel creation failure
[2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
[2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel creation failure
[2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
[2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel creation failure

I'm also bringing John Whitelock, another one of our engineers, in on discussions. He just joined the pki-users list.

Zach Casper

> _____________________________________________
> From: Jack Magne [mailto:jmagne at redhat.com]
> Sent: Wednesday, January 07, 2009 1:09 PM
> To: Zach Casper
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] ESC Format / Enroll Error
>
> Zach:
>
> Sorry for the delay....
>
> The default developer keyset we use for our keys with TPS is the standard like follows:
>
> tks.defKeySet.auth_key=#40#41...#4f
> tks.defKeySet.kek_key=#40#41...#4f
> tks.defKeySet.mac_key=#40#41...#4f
>
> If you look in the CS.cfg file under /var/lib/pki-tks/conf
>
> We have an entire procedure documented in the CS 7.3 documentation to perform a key changeover if required.
>
> Feel free to post any further logs you might obtain after further testing.
From jmagne at redhat.com Wed Jan 7 21:23:49 2009
From: jmagne at redhat.com (Jack Magne)
Date: Wed, 07 Jan 2009 13:23:49 -0800
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <002601c970fc$241a9080$6c4fb180$@casper@envieta.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com>
	<49512983.2080702@redhat.com>
	<003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com>
	<150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com>
	<49513E0D.9080901@redhat.com>
	<004d01c96537$55373d60$ffa5b820$@casper@envieta.com>
	<4951678D.3080202@redhat.com>
	<002401c96b91$eb97e4c0$c2c7ae40$@casper@envieta.com>
	<4964EFD3.2030606@redhat.com>
	<002601c970fc$241a9080$6c4fb180$@casper@envieta.com>
Message-ID: <49651D65.9050504@redhat.com>

Zach:

It looks like with your second test, you have managed to get by the hurdle
of the failed "InitializeUpdate" command. This is due to using 0 and 0 for
the defKeyVersion and defKeyIndex.

Now it looks like the TKS system is not acting as expected. It would be
great to have a look at the TKS debug log found in /var/lib/pki-tks/logs

I suspect we are having an issue with computing the session key in the TKS.

thanks,
jack

Zach Casper wrote:
>
> Thanks Jack.
>
> It appears we are using the same keys so on to troubleshooting our
> error logs. Below are our current logs file contents.
>
> When we use the default values:
>
> channel.defKeyVersion=1
> channel.defKeyIndex=1
>
> The error we get is:
>
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Attributes mail,cn,uid
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Exposed cn=Test User1
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 3
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Exposed uid=testuser1
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 4
> [2009-01-07 11:05:07] ba6ec600 RA_Format_Processor::Process - Authenticate returns: 0
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> [2009-01-07 11:05:07] ba6ec600 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='20')
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg -
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='13'
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%09%CD%60%A7%11%EC%23%A5'
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 6a 86
> [2009-01-07 11:05:08] ba6ec600 RA_Format_Processor::Process - applet upgrade failed
> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 90 00
> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
>
> When we switch the values to be:
>
> channel.defKeyVersion=0
> channel.defKeyIndex=0
>
> The error now looks like this:
>
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Attributes mail,cn,uid
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Exposed cn=Test User1
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 3
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Exposed uid=testuser1
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 4
> [2009-01-07 11:20:41] bacd2d28 RA_Format_Processor::Process - Authenticate returns: 0
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> [2009-01-07 11:20:41] bacd2d28 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='20')
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='13'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%00%00%08%95%74%0B%AC%37%C9%DE%80'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='30')
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 71 61 57 01 0e 0d 90 bd
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - ff 02 00 21 2e 6b ec 9e 33 2b
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - a5 26 d0 02 e6 64 c9 3c 90 00
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
> [2009-01-07 11:20:41] bacd2d28 HttpConnection::getResponse - Send request to host localhost.localdomain:13443 servlet /tks/agent/tks/computeSessionKey
> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Pre-processing content 'HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Content-Type: text/html
> Content-Length: 8
> Date: Wed, 07 Jan 2009 16:20:42 GMT
>
> status=3
> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Post-processing content 'status=3
> [2009-01-07 11:20:42] bacd2d28 RA_Format_Processor::Process - applet upgrade failed
> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='2')
> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - 90 00
> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
>
> In addition - the following is the pki-tps.tps-error.log snippet
>
> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel creation failure
> [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel creation failure
> [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel creation failure
> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel creation failure
> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel creation failure
> [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel creation failure
>
> I'm also bringing John Whitelock, another one of our engineers in on
> discussions. He just joined the pki-users list.
>
> Zach Casper
>
> _____________________________________________
> *From:* Jack Magne [mailto:jmagne at redhat.com]
> *Sent:* Wednesday, January 07, 2009 1:09 PM
> *To:* Zach Casper
> *Cc:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>
> Zach:
>
> Sorry for the delay....
> > The default developer keyset we use for our keys with TPS is the
> > standard like follows:
> >
> > tks.defKeySet.auth_key=#40#41...#4f
> > tks.defKeySet.kek_key=#40#41...#4f
> > tks.defKeySet.mac_key=#40#41...#4f
> >
> > If you look in the CS.cfg file under
> > /var/lib/pki-tks/conf
> >
> > We have an entire procedure documented in the CS 7.3 documentation to
> > perform a key changeover if required.
> >
> > Feel free to post any further logs you might obtain after further testing.
> >
> > thanks,
> > jack
> >
> > Zach Casper wrote:
> > >
> > > Could there be an issue with the default key our card is loaded with
> > > (VISA Key) not being able to create the secure connection? What are
> > > the default key(s) used/needed by Dogtag?
> > >
> > > _____________________________________________
> > > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > > *Sent:* Tuesday, December 23, 2008 5:35 PM
> > > *To:* Zach Casper
> > > *Cc:* pki-users at redhat.com
> > > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> > >
> > > I'll have to take a closer look later but there is a quick thing you can
> > > try.
> > >
> > > Also, remember depending upon your card, if you make too many failed
> > > attempts at a secure channel, the card can lock itself up.
> > >
> > > In /var/lib/pki-tps/conf/CS.cfg you will have a block like this:
> > >
> > > channel.defKeyVersion=1
> > > channel.defKeyIndex=1
> > >
> > > We have experimented with some other cards where the following works:
> > >
> > > channel.defKeyVersion=0
> > > channel.defKeyIndex=0
> > >
> > > Zach Casper wrote:
> > > > > > >
> > > > > > > tps-error.log
> > > > > > > ...
> > > > > > > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > > [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > > [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > > [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > >
> > > > > > > tps-debug.log
> > > > > > > ...
> > > > > > > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - Authenticate returns: 0
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='20')
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg -
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2')
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86
> > > > > > > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet upgrade failed
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2')
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
> > > > > > >
> > > > > > > zach
> > > > > > >
> > > > > > > _____________________________________________
> > > > > > > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > > > > > > *Sent:* Tuesday, December 23, 2008 2:38 PM
> > > > > > > *To:* Adewumi, Julius-p99373
> > > > > > > *Cc:* Zach Casper; pki-users at redhat.com
> > > > > > > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> > > > > > >
> > > > > > > You are having a problem creating a secure channel. Perhaps posting a
> > > > > > > snippet of the log might help.
> > > > > > >
> > > > > > > Adewumi, Julius-p99373 wrote:
> > > > > > > >
> > > > > > > > You might want to play with changing "false" to "true in the CS.cfg for
> > > > > > > > op.enroll.userKey.update.applet.emptyToken.enable=false or the
> > > > > > > > op.format... equivalent , etc.
> > > > > > > >
> > > > > > > > /From: Julius Adewumi/
> > > > > > > > /@GDC4S.com/
> > > > > > > > /Ph:480-441-6768/
> > > > > > > > /Contract Corp:MTSI/
> > > > > > > >
> > > > > > > > ------------------------------------------------------------------------
> > > > > > > > *From:* pki-users-bounces at redhat.com
> > > > > > > > [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper
> > > > > > > > *Sent:* Tuesday, December 23, 2008 12:00 PM
> > > > > > > > *To:* pki-users at redhat.com
> > > > > > > > *Subject:* RE: [Pki-users] ESC Format / Enroll Error
> > > > > > > >
> > > > > > > > Tps-debug log shows the following:
> > > > > > > >
> > > > > > > > RA_Format_Processor::Process - applet upgrade failed
> > > > > > > >
> > > > > > > > Tps-error log shows the following:
> > > > > > > >
> > > > > > > > RA_Processor::SetupSecureChannel - Failed to create a secure channel
> > > > > > > > - potentially due to an RA/TKS key mismatch or differing RA/TKS key
> > > > > > > > versions.
> > > > > > > >
> > > > > > > > RA_Processor::UpgradeApplet - channel create failure
> > > > > > > >
> > > > > > > > And a series of Bad Response when trying to SelectApplet or GetStatus
> > > > > > > >
> > > > > > > > zach

From john.whitelock at envieta.com Wed Jan 7 21:36:05 2009
From: john.whitelock at envieta.com (John Whitelock)
Date: Wed, 7 Jan 2009 16:36:05 -0500
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <49651D65.9050504@redhat.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com>
	<49512983.2080702@redhat.com>
	<003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com>
	<150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com>
	<49513E0D.9080901@redhat.com>
	<004d01c96537$55373d60$ffa5b820$@casper@envieta.com>
	<4951678D.3080202@redhat.com>
	<002401c96b91$eb97e4c0$c2c7ae40$@casper@envieta.com>
	<4964EFD3.2030606@redhat.com>
	<002601c970fc$241a9080$6c4fb180$@casper@envieta.com>
	<49651D65.9050504@redhat.com>
Message-ID: <003f01c9710f$f3cc2420$db646c60$@whitelock@envieta.com>

Jack,

Thanks again for the help.
Below I have pasted the log you asked for from that same test.

[07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: client certificate found
[07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
[07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
[07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: mapped certificate to user
[07/Jan/2009:11:20:42][http-13443-Processor25]: authenticated uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tks
[07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[07/Jan/2009:11:20:42][http-13443-Processor25]: checkACLS(): ACLEntry expressions= group="Token Key Service Manager Agents"
[07/Jan/2009:11:20:42][http-13443-Processor25]: evaluating expressions: group="Token Key Service Manager Agents"
[07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
[07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
[07/Jan/2009:11:20:42][http-13443-Processor25]: UGSubsystem.isMemberOf() using new lookup code
[07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
[07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search base: cn=Token Key Service Manager Agents,ou=groups,dc=localhost.localdomain-pki-tks
[07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search filter: (uniquemember=uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tks)
[07/Jan/2009:11:20:42][http-13443-Processor25]: authorization result: true
[07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
[07/Jan/2009:11:20:42][http-13443-Processor25]: evaluated expression: group="Token Key Service Manager Agents" to be true
[07/Jan/2009:11:20:42][http-13443-Processor25]: DirAclAuthz: authorization passed
[07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][aclResource=certServer.tks.sessionkey][Op=read] authorization success
[07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
[07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
[07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][Role=Token Key Service Manager Agents] assume privileged role
[07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
[07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
[07/Jan/2009:11:20:42][http-13443-Processor25]: processComputeSessionKey:
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet: serversideKeygen requested
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet about to try ComputeSessionKey selectedToken=Internal Key Storage Token keyNickName=#FF#02
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:Tried ComputeSessionKey, got NULL
java.lang.Exception: Can't compute session key!
	at com.netscape.cms.servlet.tks.TokenServlet.processComputeSessionKey(TokenServlet.java:336)
	at com.netscape.cms.servlet.tks.TokenServlet.process(TokenServlet.java:945)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:482)
	at com.netscape.cms.servlet.tks.TokenServlet.service(TokenServlet.java:964)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
	at java.lang.Thread.run(Thread.java:636)
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet Computing Session Key: java.lang.Exception: Can't compute session key!
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:outputString.encode status=3
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:outputString.length 8
[07/Jan/2009:11:20:42][http-13443-Processor25]: CMSServlet: curDate=Wed Jan 07 11:20:42 GMT-05:00 2009 id=tksSessionKey time=430

-----Original Message-----
From: Jack Magne [mailto:jmagne at redhat.com]
Sent: Wednesday, January 07, 2009 4:24 PM
To: Zach Casper
Cc: pki-users at redhat.com; 'John Whitelock'
Subject: Re: [Pki-users] ESC Format / Enroll Error

Zach:

It looks like with your second test, you have managed to get by the hurdle
of the failed "InitializeUpdate" command. This is due to using 0 and 0 for
the defKeyVersion and defKeyIndex.

Now it looks like the TKS system is not acting as expected. It would be
great to have a look at the TKS debug log found in /var/lib/pki-tks/logs

I suspect we are having an issue with computing the session key in the TKS.

thanks,
jack

Zach Casper wrote:
>
> Thanks Jack.
>
> It appears we are using the same keys so on to troubleshooting our
> error logs. Below are our current logs file contents.
>
> When we use the default values:
>
> channel.defKeyVersion=1
> channel.defKeyIndex=1
>
> The error we get is:
>
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Attributes mail,cn,uid
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Exposed cn=Test User1
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 3
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Exposed uid=testuser1
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 4
> [2009-01-07 11:05:07] ba6ec600 RA_Format_Processor::Process - Authenticate returns: 0
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> [2009-01-07 11:05:07] ba6ec600 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='20')
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg -
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='13'
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%09%CD%60%A7%11%EC%23%A5'
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 6a 86
> [2009-01-07 11:05:08] ba6ec600 RA_Format_Processor::Process - applet upgrade failed
> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 90 00
> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
>
> When we switch the values to be:
>
> channel.defKeyVersion=0
> channel.defKeyIndex=0
>
> The error now looks like this:
>
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Attributes mail,cn,uid
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Exposed cn=Test User1
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 3
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Exposed uid=testuser1
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 4
> [2009-01-07 11:20:41] bacd2d28 RA_Format_Processor::Process - Authenticate returns: 0
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> [2009-01-07 11:20:41] bacd2d28 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='20')
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='13'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%00%00%08%95%74%0B%AC%37%C9%DE%80'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='30')
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 71 61 57 01 0e 0d 90 bd
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - ff 02 00 21 2e 6b ec 9e 33 2b
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - a5 26 d0 02 e6 64 c9 3c 90 00
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
> [2009-01-07 11:20:41] bacd2d28 HttpConnection::getResponse - Send request to host localhost.localdomain:13443 servlet /tks/agent/tks/computeSessionKey
> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Pre-processing content 'HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Content-Type: text/html
> Content-Length: 8
> Date: Wed, 07 Jan 2009 16:20:42 GMT
>
> status=3
> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Post-processing content 'status=3
> [2009-01-07 11:20:42] bacd2d28 RA_Format_Processor::Process - applet upgrade failed
> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='2')
> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - 90 00
> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
>
> In addition - the following is the pki-tps.tps-error.log snippet
>
> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel creation failure
> [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel creation failure
> [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel creation failure
> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel creation failure
> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel creation failure
> [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel creation failure
>
> I'm also bringing John Whitelock, another one of our engineers in on
> discussions. He just joined the pki-users list.
>
> Zach Casper
>
> _____________________________________________
> *From:* Jack Magne [mailto:jmagne at redhat.com]
> *Sent:* Wednesday, January 07, 2009 1:09 PM
> *To:* Zach Casper
> *Cc:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>
> Zach:
>
> Sorry for the delay....
>
> The default developer keyset we use for our keys with TPS is the standard like follows:
>
> tks.defKeySet.auth_key=#40#41...#4f
> tks.defKeySet.kek_key=#40#41...#4f
> tks.defKeySet.mac_key=#40#41...#4f
>
> If you look in the CS.cfg file under /var/lib/pki-tks/conf
>
> We have an entire procedure documented in the CS 7.3 documentation to perform a key changeover if required.
>
> Feel free to post any further logs you might obtain after further testing.
>
> thanks,
> jack
>
> Zach Casper wrote:
> > > Could there be an issue with the default key our card is loaded with (VISA Key) not being able to create the secure connection? What are the default key(s) used/needed by Dogtag?
> > >
> > > _____________________________________________
> > > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > > *Sent:* Tuesday, December 23, 2008 5:35 PM
> > > *To:* Zach Casper
> > > *Cc:* pki-users at redhat.com
> > > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> > >
> > > I'll have to take a closer look later but there is a quick thing you can try.
> > >
> > > Also, remember depending upon your card, if you make too many failed attempts at a secure channel, the card can lock itself up.
> > >
> > > In /var/lib/pki-tps/conf/CS.cfg you will have a block like this:
> > >
> > > channel.defKeyVersion=1
> > > channel.defKeyIndex=1
> > >
> > > We have experimented with some other cards where the following works:
> > >
> > > channel.defKeyVersion=0
> > > channel.defKeyIndex=0
> > >
> > > Zach Casper wrote:
> > > > > > > tps-error.log
> > > > > > > ...
> > > > > > > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > > [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > > [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > > [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel creation failure
> > > > > > >
> > > > > > > tps-debug.log
> > > > > > > ...
> > > > > > > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - Authenticate returns: 0
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='20')
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg -
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2')
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86
> > > > > > > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet upgrade failed
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2')
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00
> > > > > > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
> > > > > > >
> > > > > > > zach
> > > > > > >
> > > > > > > _____________________________________________
> > > > > > > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > > > > > > *Sent:* Tuesday, December 23, 2008 2:38 PM
> > > > > > > *To:* Adewumi, Julius-p99373
> > > > > > > *Cc:* Zach Casper; pki-users at redhat.com
> > > > > > > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> > > > > > >
> > > > > > > You are having a problem creating a secure channel. Perhaps posting a snippet of the log might help.
> > > > > > >
> > > > > > > Adewumi, Julius-p99373 wrote:
> > > > > > > > You might want to play with changing "false" to "true" in the CS.cfg for op.enroll.userKey.update.applet.emptyToken.enable=false or the op.format... equivalent, etc.
> > > > > > > >
> > > > > > > > /From: Julius Adewumi/
> > > > > > > > /@GDC4S.com/
> > > > > > > > /Ph:480-441-6768/
> > > > > > > > /Contract Corp:MTSI/
> > > > > > > >
> > > > > > > > ------------------------------------------------------------------------
> > > > > > > > *From:* pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper
> > > > > > > > *Sent:* Tuesday, December 23, 2008 12:00 PM
> > > > > > > > *To:* pki-users at redhat.com
> > > > > > > > *Subject:* RE: [Pki-users] ESC Format / Enroll Error
> > > > > > > >
> > > > > > > > Tps-debug log shows the following:
> > > > > > > >
> > > > > > > > RA_Format_Processor::Process - applet upgrade failed
> > > > > > > >
> > > > > > > > Tps-error log shows the following:
> > > > > > > >
> > > > > > > > RA_Processor::SetupSecureChannel - Failed to create a secure channel 0- potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > > > > > >
> > > > > > > > RA_Processor::UpgradeApplet -0 channel create failure
> > > > > > > >
> > > > > > > > And a series of Bad Response when trying to SelectApplet or GetStatus
> > > > > > > >
> > > > > > > > zach
> > > > > > > >
> > > > > > > > _____________________________________________
> > > > > > > > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > > > > > > > *Sent:* Tuesday, December 23, 2008 1:10 PM
> > > > > > > > *To:* Zach Casper
> > > > > > > > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> > > > > > > >
> > > > > > > > The first step would be to take a look at the tps log or smart card server.
> > > > > > > >
> > > > > > > > These can be found at:
> > > > > > > >
> > > > > > > > /var/lib/pki-tps/logs/tps-debug.log
> > > > > > > >
> > > > > > > > Search the bottom of the log for error 19 and it should give you an idea of what TPS was trying to do at the time.
> > > > > > > >
> > > > > > > > Zach Casper wrote:
> > > > > > > > > We have an Infineon Smart Card and currently we are unable to Format/Enroll due to the following ESC Error
> > > > > > > > >
> > > > > > > > > "Formatting of smart card failed. Error: The Smart Card Server cannot upgrade the software on your smart card."
> > > > > > > > >
> > > > > > > > > And Diagnostics show this error:
> > > > > > > > >
> > > > > > > > > "Attempting to Format Key, ID: ####### - Key Format failure, Error: 19."
> > > > > > > > >
> > > > > > > > > This card comes up as "Formatted" because we've manually installed a version of the Dogtag applet prior to using ESC & Dogtag.
> > > > > > > > >
> > > > > > > > > Any advice on how we can troubleshoot?
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Zach Casper
> > > > > > > > > Envieta LLC
> > > > > > > > > ----------------------------------------
> > > > > > > >
> > > > > > > > ------------------------------------------------------------------------
> > > > > > > > _______________________________________________
> > > > > > > > Pki-users mailing list
> > > > > > > > Pki-users at redhat.com
> > > > > > > > https://www.redhat.com/mailman/listinfo/pki-users

From jmagne at redhat.com Wed Jan 7 23:04:29 2009
From: jmagne at redhat.com (Jack Magne)
Date: Wed, 07 Jan 2009 15:04:29 -0800
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <003f01c9710f$f3cc2420$db646c60$@whitelock@envieta.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com> <49512983.2080702@redhat.com> <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> <49513E0D.9080901@redhat.com> <004d01c96537$55373d60$ffa5b820$@casper@envieta.com> <4951678D.3080202@redhat.com> <002401c96b91$eb97e4c0$c2c7ae40$@casper@envieta.com> <4964EFD3.2030606@redhat.com> <002601c970fc$241a9080$6c4fb180$@casper@envieta.com> <49651D65.9050504@redhat.com> <003f01c9710f$f3cc2420$db646c60$@whitelock@envieta.com>
Message-ID: <496534FD.9040408@redhat.com>

Thanks:

I will take a look in an effort to figure out what we have.

John Whitelock wrote:
> Jack,
>
> Thanks again for the help. Below I have pasted the log you asked for from that same test.
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: client certificate found
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: mapped certificate to user
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authenticated uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tks
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: checkACLS(): ACLEntry expressions= group="Token Key Service Manager Agents"
> [07/Jan/2009:11:20:42][http-13443-Processor25]: evaluating expressions: group="Token Key Service Manager Agents"
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: UGSubsystem.isMemberOf() using new lookup code
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search base: cn=Token Key Service Manager Agents,ou=groups,dc=localhost.localdomain-pki-tks
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search filter: (uniquemember=uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tks)
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization result: true
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: evaluated expression: group="Token Key Service Manager Agents" to be true
> [07/Jan/2009:11:20:42][http-13443-Processor25]: DirAclAuthz: authorization passed
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][aclResource=certServer.tks.sessionkey][Op=read] authorization success
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][Role=Token Key Service Manager Agents] assume privileged role
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
> [07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
> [07/Jan/2009:11:20:42][http-13443-Processor25]: processComputeSessionKey:
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet: serversideKeygen requested
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet about to try ComputeSessionKey selectedToken=Internal Key Storage Token keyNickName=#FF#02
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:Tried ComputeSessionKey, got NULL
> java.lang.Exception: Can't compute session key!
>         at com.netscape.cms.servlet.tks.TokenServlet.processComputeSessionKey(TokenServlet.java:336)
>         at com.netscape.cms.servlet.tks.TokenServlet.process(TokenServlet.java:945)
>         at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:482)
>         at com.netscape.cms.servlet.tks.TokenServlet.service(TokenServlet.java:964)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
>         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
>         at java.lang.Thread.run(Thread.java:636)
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet Computing Session Key: java.lang.Exception: Can't compute session key!
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:outputString.encode status=3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:outputString.length 8
> [07/Jan/2009:11:20:42][http-13443-Processor25]: CMSServlet: curDate=Wed Jan 07 11:20:42 GMT-05:00 2009 id=tksSessionKey time=430
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne at redhat.com]
> Sent: Wednesday, January 07, 2009 4:24 PM
> To: Zach Casper
> Cc: pki-users at redhat.com; 'John Whitelock'
> Subject: Re: [Pki-users] ESC Format / Enroll Error
>
> Zach:
>
> It looks like with your second test, you have managed to get by the hurdle of the failed "InitializeUpdate" command. This is due to using 0 and 0 for the defKeyVersion and defKeyIndex.
>
> Now it looks like the TKS system is not acting as expected.
>
> It would be great to have a look at the TKS debug log found in /var/lib/pki-tks/logs
>
> I suspect we are having an issue with computing the session key in the TKS.
>
> thanks,
> jack
>
>
> Zach Casper wrote:
>
>> Thanks Jack.
>>
>> It appears we are using the same keys so on to troubleshooting our error logs. Below are our current logs file contents.
>>
>> When we use the default values:
>>
>> channel.defKeyVersion=1
>>
>> channel.
>> defKeyIndex=1
>>
>> [...]
>>
>>>> tps-debug.log
>>>>
>>>> ...
>>>> >>>> [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - >>>> >>>> Authenticate returns: 0 >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent >>>> >> 's=67&msg_type=14¤t_state=10&next_task_name=PROGRESS_APPLET_UPGRADE' >> >> >>>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path = >>>> >>>> /usr/share/pki/tps/applets/1.3.44724DDE.ijc >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12' >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent >>>> > 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00' > >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = >>>> >>>> (length='20') >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 >>>> >>>> 00 00 03 00 >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 >>>> >>>> 01 ff 90 00 >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13' >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent >>>> > 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A > 7' > >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = >>>> >>>> (length='2') >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86 >>>> >>>> [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet >>>> >>>> upgrade failed >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12' >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent >>>> > 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00' > >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = >>>> >>>> (length='2') >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00 >>>> >>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent >>>> >>>> 
's=43&msg_type=13&operation=5&result=1&message=19' >>>> >>>> zach >>>> >>>> _____________________________________________ >>>> >>>> *From:* Jack Magne [mailto:jmagne at redhat.com] >>>> >>>> *Sent:* Tuesday, December 23, 2008 2:38 PM >>>> >>>> *To:* Adewumi, Julius-p99373 >>>> >>>> *Cc:* Zach Casper; pki-users at redhat.com >>>> >>>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error >>>> >>>> You are having a problem creating a secure channel. Perhaps posting a >>>> >>>> snippet of the log might help. >>>> >>>> Adewumi, Julius-p99373 wrote: >>>> >>>>> You might want to play with changing "false" to "true in the >>>>> >> CS.cfg for >> >> >>>>> op.enroll.userKey.update.applet.emptyToken.enable=false or the >>>>> >>>>> op.format... equivalent , etc. >>>>> >>>>> /From: Julius Adewumi/ >>>>> >>>>> /@GDC4S.com/ >>>>> >>>>> /Ph:480-441-6768/ >>>>> >>>>> /Contract Corp:MTSI/ >>>>> >>> ------------------------------------------------------------------------ >>> >>>>> *From:* pki-users-bounces at redhat.com >>>>> >>>>> [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper >>>>> >>>>> *Sent:* Tuesday, December 23, 2008 12:00 PM >>>>> >>>>> *To:* pki-users at redhat.com >>>>> >>>>> *Subject:* RE: [Pki-users] ESC Format / Enroll Error >>>>> >>>>> Tps-debug log shows the following: >>>>> >>>>> RA_Format_Processor::Process - applet upgrade failed >>>>> >>>>> Tps-error log show the following: >>>>> >>>>> RA_Processor::SetupSecureChannel - Failed to create a secure channel >>>>> >>>>> 0- potentially due to an RA/TKS key mismatch or differing RA/TKS key >>>>> >>>>> versions. 
>>>>> >>>>> RA_Processor::UpgradeApplet -0 channel create failure >>>>> >>>>> And a series of Bad Response when trying to SelectApplet or >>>>> > GetStatus > >>>>> zach >>>>> >>>>> _____________________________________________ >>>>> >>>>> *From:* Jack Magne [mailto:jmagne at redhat.com] >>>>> >>>>> *Sent:* Tuesday, December 23, 2008 1:10 PM >>>>> >>>>> *To:* Zach Casper >>>>> >>>>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error >>>>> >>>>> The first step would be to take a look at the tps log or smart card >>>>> >>>>> server. >>>>> >>>>> These can be found at: >>>>> >>>>> /var/lib/pki-tps/logs/tps-debug.log >>>>> >>>>> Search the bottom of the log for error 19 and it should give you an >>>>> >>> idea >>> >>>>> of what TPS was trying to do at the time. >>>>> >>>>> Zach Casper wrote: >>>>> >>>>>> We have an Infineon Smart Card and currently we are unable to >>>>>> >>>>>> Format/Enroll due to the following ESC Error >>>>>> >>>>>> "Formatting of smart card failed. Error: The Smart Card Server >>>>>> >> cannot >> >> >>>>>> upgrade the software on your smart card." >>>>>> >>>>>> And Diagnostics show this error: >>>>>> >>>>>> "Attempting to Format Key, ID: ####### - Key Format failure, >>>>>> > Error: > >>>> 19." >>>> >>>>>> This card comes up as "Formatted" because we've manually >>>>>> >> installed a >> >> >>>>>> version of the Dogtag applet prior to using ESC & Dogtag. >>>>>> >>>>>> Any advice on how we can troubleshoot? 
>>>>>> --
>>>>>> Zach Casper
>>>>>> Envieta LLC
>>>>>> _______________________________________________
>>>>>> Pki-users mailing list
>>>>>> Pki-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL:

From sean.veale at gdc4s.com Thu Jan 8 22:55:37 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Thu, 8 Jan 2009 17:55:37 -0500
Subject: [Pki-users] LDAP Authentication
In-Reply-To: <4947E377.1090808@redhat.com>
References: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com> <4947E377.1090808@redhat.com>
Message-ID:

I'm evaluating if an older token (Jforte) will work with the Red Hat 7.3 CS. I have the Auth Key, MAC key, and KEK key for the tokens and am looking for the process on how to set up the TPS/TKS to use these keys. I believe it is mainly documented in section 8.5.5, Configuring Symmetric Key Changeover, of the Admin Guide, but it references generating a new master key using (presumably) the default symmetric keys. How does one use new symmetric keys in this process?

Sean

From jmagne at redhat.com Fri Jan 9 18:52:55 2009
From: jmagne at redhat.com (Jack Magne)
Date: Fri, 09 Jan 2009 10:52:55 -0800
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <003f01c9710f$f3cc2420$db646c60$@whitelock@envieta.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com> <49512983.2080702@redhat.com> <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> <49513E0D.9080901@redhat.com> <004d01c96537$55373d60$ffa5b820$@casper@envieta.com> <4951678D.3080202@redhat.com> <002401c96b91$eb97e4c0$c2c7ae40$@casper@envieta.com> <4964EFD3.2030606@redhat.com> <002601c970fc$241a9080$6c4fb180$@casper@envieta.com> <49651D65.9050504@redhat.com> <003f01c9710f$f3cc2420$db646c60$@whitelock@envieta.com>
Message-ID: <49679D07.8080508@redhat.com>

John, Zach:

After looking into this, it appears that for the case of using the developer key set, there is some code in our tks, specifically the "symkey" rpm, that appears to be hard coded for Axalto tokens. Working on narrowing it down...

John Whitelock wrote:
> Jack,
>
> Thanks again for the help. Below I have pasted the log you asked for from
> that same test.
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: client certificate found
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: mapped certificate to user
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authenticated uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tks
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: checkACLS(): ACLEntry expressions= group="Token Key Service Manager Agents"
> [07/Jan/2009:11:20:42][http-13443-Processor25]: evaluating expressions: group="Token Key Service Manager Agents"
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: UGSubsystem.isMemberOf() using new lookup code
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search base: cn=Token Key Service Manager Agents,ou=groups,dc=localhost.localdomain-pki-tks
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search filter: (uniquemember=uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tks)
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization result: true
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: evaluated expression: group="Token Key Service Manager Agents" to be true
> [07/Jan/2009:11:20:42][http-13443-Processor25]: DirAclAuthz: authorization passed
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][aclResource=certServer.tks.sessionkey][Op=read] authorization success
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][Role=Token Key Service Manager Agents] assume privileged role
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
> [07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
> [07/Jan/2009:11:20:42][http-13443-Processor25]: processComputeSessionKey:
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet: serversideKeygen requested
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet about to try ComputeSessionKey selectedToken=Internal Key Storage Token keyNickName=#FF#02
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:Tried ComputeSessionKey, got NULL
> java.lang.Exception: Can't compute session key!
> at com.netscape.cms.servlet.tks.TokenServlet.processComputeSessionKey(TokenServlet.java:336)
> at com.netscape.cms.servlet.tks.TokenServlet.process(TokenServlet.java:945)
> at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:482)
> at com.netscape.cms.servlet.tks.TokenServlet.service(TokenServlet.java:964)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
> at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
> at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
> at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
> at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
> at java.lang.Thread.run(Thread.java:636)
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet Computing Session Key: java.lang.Exception: Can't compute session key!
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:outputString.encode status=3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:outputString.length 8
> [07/Jan/2009:11:20:42][http-13443-Processor25]: CMSServlet: curDate=Wed Jan 07 11:20:42 GMT-05:00 2009 id=tksSessionKey time=430
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne at redhat.com]
> Sent: Wednesday, January 07, 2009 4:24 PM
> To: Zach Casper
> Cc: pki-users at redhat.com; 'John Whitelock'
> Subject: Re: [Pki-users] ESC Format / Enroll Error
>
> Zach:
>
> It looks like with your second test, you have managed to get by the
> hurdle of the failed "InitializeUpdate" command. This is due to using 0
> and 0 for the defKeyVersion and defKeyIndex.
>
> Now it looks like the TKS system is not acting as expected.
>
> It would be great to have a look at the TKS debug log found in
> /var/lib/pki-tks/logs
>
> I suspect we are having an issue with computing the session key in the TKS.
>
> thanks,
> jack
>
>
> Zach Casper wrote:
>
>> Thanks Jack.
>>
>> It appears we are using the same keys so on to troubleshooting our
>> error logs. Below are our current log file contents.
>>
>> When we use the default values:
>>
>> channel.defKeyVersion=1
>> channel.defKeyIndex=1
>>
>> The error we get is:
>>
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Attributes mail,cn,uid
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Exposed cn=Test User1
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 3
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Exposed uid=testuser1
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 4
>> [2009-01-07 11:05:07] ba6ec600 RA_Format_Processor::Process - Authenticate returns: 0
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
>> [2009-01-07 11:05:07] ba6ec600 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='20')
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg -
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='13'
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%09%CD%60%A7%11%EC%23%A5'
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 6a 86
>> [2009-01-07 11:05:08] ba6ec600 RA_Format_Processor::Process - applet upgrade failed
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 90 00
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
>>
>> When we switch the values to be:
>>
>> channel.defKeyVersion=0
>> channel.defKeyIndex=0
>>
>> The error now looks like this:
>>
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Attributes mail,cn,uid
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Exposed cn=Test User1
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 3
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Exposed uid=testuser1
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 4
>> [2009-01-07 11:20:41] bacd2d28 RA_Format_Processor::Process - Authenticate returns: 0
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
>> [2009-01-07 11:20:41] bacd2d28 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='20')
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='13'
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%00%00%08%95%74%0B%AC%37%C9%DE%80'
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='30')
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 71 61 57 01 0e 0d 90 bd
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - ff 02 00 21 2e 6b ec 9e 33 2b
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - a5 26 d0 02 e6 64 c9 3c 90 00
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
>> [2009-01-07 11:20:41] bacd2d28 HttpConnection::getResponse - Send request to host localhost.localdomain:13443 servlet /tks/agent/tks/computeSessionKey
>> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Pre-processing content 'HTTP/1.1 200 OK
>> Server: Apache-Coyote/1.1
>> Content-Type: text/html
>> Content-Length: 8
>> Date: Wed, 07 Jan 2009 16:20:42 GMT
>>
>> status=3
>> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Post-processing content 'status=3
>> [2009-01-07 11:20:42] bacd2d28 RA_Format_Processor::Process - applet upgrade failed
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='2')
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - 90 00
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
>>
>> In addition - the following is the pki-tps.tps-error.log snippet
>>
>> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel creation failure
>> [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel creation failure
>> [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel creation failure
>> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel creation failure
>> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel creation failure
>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel creation failure
>>
>> I'm also bringing John Whitelock, another one of our engineers in on
>> discussions. He just joined the pki-users list.
>> >> Zach Casper >> >> _____________________________________________ >> *From:* Jack Magne [mailto:jmagne at redhat.com] >> *Sent:* Wednesday, January 07, 2009 1:09 PM >> *To:* Zach Casper >> *Cc:* pki-users at redhat.com >> *Subject:* Re: [Pki-users] ESC Format / Enroll Error >> >> Zach: >> >> Sorry for the delay.... >> >> The default developer keyset we use for our keys with TPS is the >> >> standard like follows: >> >> tks.defKeySet.auth_key=#40#41...#4f >> >> tks.defKeySet.kek_key=#40#41...#4f >> >> tks.defKeySet.mac_key=#40#41.. #4f >> >> If you look in the CS.cfg file under >> >> /var/lib/pki-tks/conf >> >> We have an entire procedure documented in the CS 7.3 documentation to >> >> perform a key changeover if required. >> >> Feel free to post any further logs you might obtain after further testing. >> >> thanks, >> >> jack >> >> Zach Casper wrote: >> >> >>> Could there be an issue with the default key our card is loaded with >>> >>> (VISA Key) not being able to create the secure connection? What are >>> >>> the default key(s) used/needed by Dogtag? >>> >>> _____________________________________________ >>> >>> *From:* Jack Magne [mailto:jmagne at redhat.com] >>> >>> *Sent:* Tuesday, December 23, 2008 5:35 PM >>> >>> *To:* Zach Casper >>> >>> *Cc:* pki-users at redhat.com >>> >>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error >>> >>> I'll have to take a closer look later but there is a quick thing you can >>> >>> try. >>> >>> Also, remember depending upon your card, if you make too many failed >>> >>> attempts at a secure channel, the card can lock itself up. >>> >>> In /var/lib/pki-tps/conf/CS.cfg you will have a block like this: >>> >>> channel.defKeyVersion=1 >>> >>> channel. defKeyIndex=1 >>> >>> We have experimented with some other cards where the following works: >>> >>> channel.defKeyVersion=0 >>> >>> channel.defKeyIndex=0 >>> >>> Zach Casper wrote: >>> >>>> tps-error.log >>>> >>>> ... 
>>>> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel -
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>> mismatch or differing RA/TKS key versions.
>>>> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel
>>>> creation failure
>>>> [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel -
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>> mismatch or differing RA/TKS key versions.
>>>> [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel
>>>> creation failure
>>>> [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel -
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>> mismatch or differing RA/TKS key versions.
>>>> [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel
>>>> creation failure
>>>> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel -
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>> mismatch or differing RA/TKS key versions.
>>>> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel
>>>> creation failure
>>>> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel -
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>> mismatch or differing RA/TKS key versions.
>>>> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel
>>>> creation failure
>>>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel -
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>> mismatch or differing RA/TKS key versions.
>>>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel
>>>> creation failure
>>>>
>>>> tps-debug.log
>>>> ...
>>>> [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process -
>>>> Authenticate returns: 0
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent
>>>> 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
>>>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path =
>>>> /usr/share/pki/tps/applets/1.3.44724DDE.ijc
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent
>>>> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu =
>>>> (length='20')
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00
>>>> 00 00 03 00
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65
>>>> 01 ff 90 00
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg -
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13'
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent
>>>> 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7'
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu =
>>>> (length='2')
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86
>>>> [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet
>>>> upgrade failed
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent
>>>> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu =
>>>> (length='2')
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent
>>>> 's=43&msg_type=13&operation=5&result=1&message=19'
>>>>
>>>> zach
>>>>
>>>> _____________________________________________
>>>> *From:* Jack Magne [mailto:jmagne at redhat.com]
>>>> *Sent:* Tuesday, December 23, 2008 2:38 PM
>>>> *To:* Adewumi, Julius-p99373
>>>> *Cc:* Zach Casper; pki-users at redhat.com
>>>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>>>>
>>>> You are having a problem creating a secure channel. Perhaps posting a
>>>> snippet of the log might help.
>>>>
>>>> Adewumi, Julius-p99373 wrote:
>>>>> You might want to play with changing "false" to "true" in the
>>>>> CS.cfg for
>>>>> op.enroll.userKey.update.applet.emptyToken.enable=false or the
>>>>> op.format... equivalent, etc.
>>>>>
>>>>> /From: Julius Adewumi/
>>>>> /@GDC4S.com/
>>>>> /Ph:480-441-6768/
>>>>> /Contract Corp:MTSI/
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* pki-users-bounces at redhat.com
>>>>> [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper
>>>>> *Sent:* Tuesday, December 23, 2008 12:00 PM
>>>>> *To:* pki-users at redhat.com
>>>>> *Subject:* RE: [Pki-users] ESC Format / Enroll Error
>>>>>
>>>>> Tps-debug log shows the following:
>>>>> RA_Format_Processor::Process - applet upgrade failed
>>>>>
>>>>> Tps-error log shows the following:
>>>>> RA_Processor::SetupSecureChannel - Failed to create a secure channel
>>>>> - potentially due to an RA/TKS key mismatch or differing RA/TKS key
>>>>> versions.
>>>>> RA_Processor::UpgradeApplet - channel create failure
>>>>>
>>>>> And a series of Bad Response when trying to SelectApplet or
>>>>> GetStatus
>>>>>
>>>>> zach
>>>>>
>>>>> _____________________________________________
>>>>> *From:* Jack Magne [mailto:jmagne at redhat.com]
>>>>> *Sent:* Tuesday, December 23, 2008 1:10 PM
>>>>> *To:* Zach Casper
>>>>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>>>>>
>>>>> The first step would be to take a look at the tps log or smart card
>>>>> server.
>>>>> These can be found at:
>>>>> /var/lib/pki-tps/logs/tps-debug.log
>>>>> Search the bottom of the log for error 19 and it should give you an
>>>>> idea of what TPS was trying to do at the time.
>>>>>
>>>>> Zach Casper wrote:
>>>>>> We have an Infineon Smart Card and currently we are unable to
>>>>>> Format/Enroll due to the following ESC Error
>>>>>> "Formatting of smart card failed. Error: The Smart Card Server
>>>>>> cannot upgrade the software on your smart card."
>>>>>> And Diagnostics show this error:
>>>>>> "Attempting to Format Key, ID: ####### - Key Format failure,
>>>>>> Error: 19."
>>>>>> This card comes up as "Formatted" because we've manually
>>>>>> installed a version of the Dogtag applet prior to using ESC & Dogtag.
>>>>>> Any advice on how we can troubleshoot?
>>>>>>
>>>>>> --
>>>>>> Zach Casper
>>>>>> Envieta LLC
>>>>>>
>>>>>> _______________________________________________
>>>>>> Pki-users mailing list
>>>>>> Pki-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
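The two INITIALIZE UPDATE exchanges quoted in this thread can be decoded rather than eyeballed. The block below is an added example written for this page, not Dogtag TPS or TKS code: it decodes the %XX-escaped pdu_data bytes from the tps-debug.log excerpts, parses the response to the INITIALIZE UPDATE command (CLA 80, INS 50, P1 = key version, P2 = key index), and recomputes the card cryptogram under the developer keyset Jack quotes (40 41 ... 4F), so you can tell from the log alone whether the card actually holds those keys before suspecting TPS or TKS. Go is used only because its standard library ships 3DES. Two assumptions, also marked in the code: the response is read in the GlobalPlatform 2.1.1 SCP02 layout, because the 7 January response later in the thread carries the key-information bytes FF 02 (key version 0xFF, SCP identifier 02, which is also where the #FF#02 nickname in the TKS log comes from); and the card's static ENC key is taken to be the developer value, which the thread never confirms, so the match is reported, not assumed. The 23 December attempt with defKeyVersion/defKeyIndex set to 1 gets 6A 86 back, ISO 7816 for "incorrect P1-P2", i.e. the card has no key set with that version; that is what Jack's advice to use 0/0 (the card's default key set) gets past, after which the card answers with 28 data bytes and 90 00 and the failure moves to the TKS session key computation. The sample bytes are copied from the log excerpts in this thread.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// DevKey is the developer keyset quoted in the thread (tks.defKeySet.*_key=#40#41...#4f)
// as a 16-byte 2-key 3DES value. ASSUMPTION: the card's static ENC key is this value;
// if it is not, CheckCardCryptogram simply reports a mismatch.
var DevKey = []byte{0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
	0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F}

// InitUpdateResp is a GlobalPlatform 2.1.1 SCP02 INITIALIZE UPDATE response: 10+1+1+2+6+8 data bytes, then SW1 SW2.
type InitUpdateResp struct {
	DivData, SeqCounter, CardChallenge, CardCrypto []byte // 10, 2, 6 and 8 bytes
	KeyVersion, SCP                                byte   // key set version the card used, SCP identifier
	SW                                             uint16
}

// DecodePDU converts the %XX-escaped pdu_data value from tps-debug.log to bytes.
func DecodePDU(s string) ([]byte, error) {
	return hex.DecodeString(strings.ReplaceAll(s, "%", ""))
}

// ParseInitUpdate splits a response into its fields, or explains the rejection.
func ParseInitUpdate(resp []byte) (*InitUpdateResp, error) {
	if len(resp) < 2 {
		return nil, errors.New("response shorter than a status word")
	}
	r := &InitUpdateResp{SW: uint16(resp[len(resp)-2])<<8 | uint16(resp[len(resp)-1])}
	data := resp[:len(resp)-2]
	if r.SW != 0x9000 { // 6A86 is ISO 7816 "incorrect P1-P2": no key set with that version/index
		return r, fmt.Errorf("INITIALIZE UPDATE rejected with status %04X", r.SW)
	}
	if len(data) != 28 {
		return r, fmt.Errorf("expected 28 data bytes, got %d", len(data))
	}
	r.DivData, r.KeyVersion, r.SCP = data[:10], data[10], data[11]
	if r.SCP != 0x02 {
		return r, fmt.Errorf("card reports SCP%02X; only SCP02 is handled here", r.SCP)
	}
	r.SeqCounter, r.CardChallenge, r.CardCrypto = data[12:14], data[14:20], data[20:28]
	return r, nil
}

// tdesCBC encrypts whole blocks with 2-key 3DES in CBC mode under a zero IV; callers pass a 16-byte key.
func tdesCBC(key16, data []byte) []byte {
	block, err := des.NewTripleDESCipher(append(append(make([]byte, 0, 24), key16...), key16[:8]...))
	if err != nil {
		panic(err) // only reachable with a key that is not 16 bytes
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out
}

// SCP02SessionKey = 3DES-CBC(static, constant || sequence counter || 12 zero bytes); 0x0182 S-ENC, 0x0101 C-MAC, 0x0181 DEK.
func SCP02SessionKey(static []byte, constant uint16, seq []byte) []byte {
	deriv := make([]byte, 16)
	deriv[0], deriv[1] = byte(constant>>8), byte(constant)
	copy(deriv[2:4], seq)
	return tdesCBC(static, deriv)
}

// CheckCardCryptogram recomputes the SCP02 card cryptogram (3DES MAC under S-ENC over
// host challenge || seq counter || card challenge, ISO 9797-1 method 2 padding) and
// compares it with the value the card returned.
func CheckCardCryptogram(cmd, resp, staticEnc []byte) (bool, *InitUpdateResp, error) {
	if len(cmd) != 13 || cmd[0] != 0x80 || cmd[1] != 0x50 || cmd[4] != 0x08 || len(staticEnc) != 16 {
		return false, nil, errors.New("need an INITIALIZE UPDATE with an 8-byte host challenge and a 16-byte key")
	}
	r, err := ParseInitUpdate(resp)
	if err != nil {
		return false, r, err
	}
	senc := SCP02SessionKey(staticEnc, 0x0182, r.SeqCounter)
	msg := append(append(append([]byte{}, cmd[5:13]...), r.SeqCounter...), r.CardChallenge...)
	msg = append(msg, 0x80, 0, 0, 0, 0, 0, 0, 0) // 16 data bytes, so the padding is a whole block
	mac := tdesCBC(senc, msg)
	return bytes.Equal(mac[len(mac)-8:], r.CardCrypto), r, nil
}

func main() {
	// Copied from the 7 January tps-debug.log excerpt in this thread (P1P2 = 00 00).
	cmd, _ := DecodePDU("%80%50%00%00%08%95%74%0B%AC%37%C9%DE%80")
	resp, _ := hex.DecodeString("0000716157010e0d90bdff0200212e6bec9e332ba526d002e664c93c9000")
	ok, r, err := CheckCardCryptogram(cmd, resp, DevKey)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("key version %02X, SCP%02X, seq %X, developer ENC key matches card cryptogram: %v\n", r.KeyVersion, r.SCP, r.SeqCounter, ok)
}
```

Because the check runs offline against bytes already in the log, repeating it does not touch the card and so does not count against the secure channel failure counter Jack warns about. A reported match means the static keys in TPS/TKS and on the card agree and the fault lies further down (as the TKS log in this thread suggests); a mismatch means the card holds different keys and a key changeover, not a TKS fix, is the next step.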
From john.whitelock at envieta.com Fri Jan 9 19:11:40 2009
From: john.whitelock at envieta.com (John Whitelock)
Date: Fri, 9 Jan 2009 14:11:40 -0500
Subject: [Pki-users] ESC Format / Enroll Error
In-Reply-To: <49679D07.8080508@redhat.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com> <49512983.2080702@redhat.com> <003401c96530$9d9a71f0$d8cf55d0$@casper@envieta.com> <150446754087724BA4B8F287083846B2037E2FAC@AZ25EXM04.gddsi.com> <49513E0D.9080901@redhat.com> <004d01c96537$55373d60$ffa5b820$@casper@envieta.com> <4951678D.3080202@redhat.com> <002401c96b91$eb97e4c0$c2c7ae40$@casper@envieta.com> <4964EFD3.2030606@redhat.com> <002601c970fc$241a9080$6c4fb180$@casper@envieta.com> <49651D65.9050504@redhat.com> <003f01c9710f$f3cc2420$db646c60$@whitelock@envieta.com> <49679D07.8080508@redhat.com>
Message-ID: <007301c9728e$1baf8520$530e8f60$@whitelock@envieta.com>

Thank you for the help Jack. Please let us know if there is anything we can do to help you.

John

-----Original Message-----
From: Jack Magne [mailto:jmagne at redhat.com]
Sent: Friday, January 09, 2009 1:53 PM
To: John Whitelock
Cc: pki-users at redhat.com; 'Zach Casper'
Subject: Re: [Pki-users] ESC Format / Enroll Error

John, Zach:

After looking into this, it appears that for the case of using the developer key set, there is some code in our tks, specifically the "symkey" rpm, that appears to be hard coded for Axalto tokens. Working on narrowing it down...

John Whitelock wrote:
> Jack,
>
> Thanks again for the help. Below I have pasted the log you asked for from
> that same test.
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: client certificate found
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: mapped certificate to user
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authenticated uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tks
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: checkACLS(): ACLEntry expressions= group="Token Key Service Manager Agents"
> [07/Jan/2009:11:20:42][http-13443-Processor25]: evaluating expressions: group="Token Key Service Manager Agents"
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: UGSubsystem.isMemberOf() using new lookup code
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search base: cn=Token Key Service Manager Agents,ou=groups,dc=localhost.localdomain-pki-tks
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search filter: (uniquemember=uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tks)
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization result: true
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: evaluated expression: group="Token Key Service Manager Agents" to be true
> [07/Jan/2009:11:20:42][http-13443-Processor25]: DirAclAuthz: authorization passed
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][aclResource=certServer.tks.sessionkey][Op=read] authorization success
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][Role=Token Key Service Manager Agents] assume privileged role
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
> [07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
> [07/Jan/2009:11:20:42][http-13443-Processor25]: processComputeSessionKey:
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet: serversideKeygen requested
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet about to try ComputeSessionKey selectedToken=Internal Key Storage Token keyNickName=#FF#02
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:Tried ComputeSessionKey, got NULL
> java.lang.Exception: Can't compute session key!
>         at com.netscape.cms.servlet.tks.TokenServlet.processComputeSessionKey(TokenServlet.java:336)
>         at com.netscape.cms.servlet.tks.TokenServlet.process(TokenServlet.java:945)
>         at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:482)
>         at com.netscape.cms.servlet.tks.TokenServlet.service(TokenServlet.java:964)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
>         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
>         at java.lang.Thread.run(Thread.java:636)
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet Computing Session Key: java.lang.Exception: Can't compute session key!
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:outputString.encode status=3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:outputString.length 8
> [07/Jan/2009:11:20:42][http-13443-Processor25]: CMSServlet: curDate=Wed Jan 07 11:20:42 GMT-05:00 2009 id=tksSessionKey time=430
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne at redhat.com]
> Sent: Wednesday, January 07, 2009 4:24 PM
> To: Zach Casper
> Cc: pki-users at redhat.com; 'John Whitelock'
> Subject: Re: [Pki-users] ESC Format / Enroll Error
>
> Zach:
>
> It looks like with your second test, you have managed to get by the
> hurdle of the failed "InitializeUpdate" command. This is due to using 0
> and 0 for the defKeyVersion and defKeyIndex.
>
> Now it looks like the TKS system is not acting as expected.
>
> It would be great to have a look at the TKS debug log found in
> /var/lib/pki-tks/logs
>
> I suspect we are having an issue with computing the session key in the TKS.
>
> thanks,
> jack
>
> Zach Casper wrote:
>> Thanks Jack.
>>
>> It appears we are using the same keys so on to troubleshooting our
>> error logs. Below are our current log file contents.
>>
>> When we use the default values:
>>
>> channel.defKeyVersion=1
>> channel.defKeyIndex=1
>>
>> The error we get is:
>>
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate -
>> User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate -
>> Attributes mail,cn,uid
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate -
>> Exposed cn=Test User1
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 3
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate -
>> Exposed uid=testuser1
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 4
>> [2009-01-07 11:05:07] ba6ec600 RA_Format_Processor::Process -
>> Authenticate returns: 0
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent
>> 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
>> [2009-01-07 11:05:07] ba6ec600 RA_Processor::UpgradeApplet - path =
>> /usr/share/pki/tps/applets/1.3.44724DDE.ijc
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent
>> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - decoded pdu =
>> (length='20')
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 6f 10 84 08 a0 00
>> 00 00 03 00
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 00 00 a5 04 9f 65
>> 01 ff 90 00
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg -
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='13'
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent
>> 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%09%CD%60%A7%11%EC%23%A5'
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu =
>> (length='2')
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 6a 86
>> [2009-01-07 11:05:08] ba6ec600 RA_Format_Processor::Process - applet
>> upgrade failed
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent
>> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu =
>> (length='2')
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 90 00
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent
>> 's=43&msg_type=13&operation=5&result=1&message=19'
>>
>> When we switch the values to be:
>>
>> channel.defKeyVersion=0
>> channel.defKeyIndex=0
>>
>> The error now looks like this:
>>
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate -
>> User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate -
>> Attributes mail,cn,uid
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate -
>> Exposed cn=Test User1
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 3
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate -
>> Exposed uid=testuser1
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 4
>> [2009-01-07 11:20:41] bacd2d28 RA_Format_Processor::Process -
>> Authenticate returns: 0
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent
>> 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
>> [2009-01-07 11:20:41] bacd2d28 RA_Processor::UpgradeApplet - path =
>> /usr/share/pki/tps/applets/1.3.44724DDE.ijc
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent
>> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu =
>> (length='20')
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 6f 10 84 08 a0 00
>> 00 00 03 00
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 a5 04 9f 65
>> 01 ff 90 00
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='13'
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent
>> 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%00%00%08%95%74%0B%AC%37%C9%DE%80'
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu =
>> (length='30')
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 71 61 57 01
>> 0e 0d 90 bd
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - ff 02 00 21 2e 6b
>> ec 9e 33 2b
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - a5 26 d0 02 e6 64
>> c9 3c 90 00
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
>> [2009-01-07 11:20:41] bacd2d28 HttpConnection::getResponse - Send
>> request to host localhost.localdomain:13443 servlet
>> /tks/agent/tks/computeSessionKey
>> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Pre-processing content
>> 'HTTP/1.1 200 OK
>> Server: Apache-Coyote/1.1
>> Content-Type: text/html
>> Content-Length: 8
>> Date: Wed, 07 Jan 2009 16:20:42 GMT
>>
>> status=3
>> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Post-processing content
>> 'status=3
>> [2009-01-07 11:20:42] bacd2d28 RA_Format_Processor::Process - applet
>> upgrade failed
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent
>> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - decoded pdu =
>> (length='2')
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - 90 00
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent
>> 's=43&msg_type=13&operation=5&result=1&message=19'
>>
>> In addition - the following is the pki-tps.tps-error.log snippet
>>
>> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel
>> creation failure
>> [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel
>> creation failure
>> [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel
>> creation failure
>> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel
>> creation failure
>> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel
>> creation failure
>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel
>> creation failure
>>
>> I'm also bringing John Whitelock, another one of our engineers, in on
>> discussions. He just joined the p
ki-users list.
>>
>> Zach Casper
>>
>> _____________________________________________
>> *From:* Jack Magne [mailto:jmagne at redhat.com]
>> *Sent:* Wednesday, January 07, 2009 1:09 PM
>> *To:* Zach Casper
>> *Cc:* pki-users at redhat.com
>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>>
>> Zach:
>>
>> Sorry for the delay....
>>
>> The default developer keyset we use for our keys with TPS is the
>> standard like follows:
>>
>> tks.defKeySet.auth_key=#40#41...#4f
>> tks.defKeySet.kek_key=#40#41...#4f
>> tks.defKeySet.mac_key=#40#41...#4f
>>
>> If you look in the CS.cfg file under
>> /var/lib/pki-tks/conf
>>
>> We have an entire procedure documented in the CS 7.3 documentation to
>> perform a key changeover if required.
>>
>> Feel free to post any further logs you might obtain after further testing.
>>
>> thanks,
>> jack
>>
>> Zach Casper wrote:
>>> Could there be an issue with the default key our card is loaded with
>>> (VISA Key) not being able to create the secure connection? What are
>>> the default key(s) used/needed by Dogtag?
>>>
>>> _____________________________________________
>>> *From:* Jack Magne [mailto:jmagne at redhat.com]
>>> *Sent:* Tuesday, December 23, 2008 5:35 PM
>>> *To:* Zach Casper
>>> *Cc:* pki-users at redhat.com
>>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>>>
>>> I'll have to take a closer look later but there is a quick thing you can
>>> try.
>>>
>>> Also, remember depending upon your card, if you make too many failed
>>> attempts at a secure channel, the card can lock itself up.
>>>
>>> In /var/lib/pki-tps/conf/CS.cfg you will have a block like this:
>>>
>>> channel.defKeyVersion=1
>>> channel.defKeyIndex=1
>>>
>>> We have experimented with some other cards where the following works:
>>>
>>> channel.defKeyVersion=0
>>> channel.defKeyIndex=0
>>>
>>> Zach Casper wrote:
>>>> tps-error.log
>>>> ...
From lambam80 at hotmail.com Tue Jan 13 15:20:28 2009
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Tue, 13 Jan 2009 10:20:28 -0500
Subject: [Pki-users] Certificate System Want to change hostname/IP address after installation
Message-ID:

Hello everybody:

Firstly, is this the primary Email-list for Dogtag/Red Hat Certificate System ?

Naturally, I've looked through all the archives, found here, for an answer:
https://www.redhat.com/archives/pki-users/

We're using the DOGTAG CMS system found here:
http://pki.fedoraproject.org/wiki/PKI_Main_Page

We'd like to create a 'portable' CMS on a laptop running, say, Fedora release 8 (Werewolf). We'll then use this machine at different client sites where the machine's DNS name and IP address will change to issue certificates.

Is this possible ?

Firstly, I know that the console has the directory server's DNS name within the schema itself. My work-around is to leave an alias in /etc/hosts with the old hostname.
I expect the following URLs to cause an 'exception' in the Browser because hostname in DN does NOT equal hostname for the machine:

https://dogtag.org:9443/ca/agent/ca/
https://dogtag.org:10443/kra/agent/kra/
https://dogtag.org:12889/

I reckon this can be over-ridden by simply accepting the 'exception' when presented with the warning dialogue-box in Mozilla.

Q1. Any other considerations or obstacles ?

Cdlt,

From sean.veale at gdc4s.com Tue Jan 13 15:28:39 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Tue, 13 Jan 2009 10:28:39 -0500
Subject: [Pki-users] Certificate System Want to change hostname/IP address after installation
In-Reply-To:
References:
Message-ID:

> Firstly, is this the primary Email-list for Dogtag/Red Hat Certificate System ?

It seems to be the most active one I've found.

> We'd like to create a 'portable' CMS on a laptop running, say, Fedora release 8 (Werewolf).
>
> Is this possible ?

I'd say it is possible. Take a look at this system here

> Firstly, I know that the console has the directory server's DNS name within the schema itself. My work-around is to leave an alias in /etc/hosts with the old hostname.
>
> I expect the following URLs to cause an 'exception' in the Browser because hostname in DN does NOT equal hostname for the machine:
>
> https://dogtag.org:9443/ca/agent/ca/
> https://dogtag.org:10443/kra/agent/kra/
> https://dogtag.org:12889/
>
> I reckon this can be over-ridden by simply accepting the 'exception' when presented with the warning dialogue-box in Mozilla.
>
> Q1. Any other considerations or obstacles ?
>
> Cdlt,
From sean.veale at gdc4s.com Tue Jan 13 15:31:20 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Tue, 13 Jan 2009 10:31:20 -0500
Subject: [Pki-users] Certificate System Want to change hostname/IP address after installation

Sorry, sent before I was done...

> We'd like to create a 'portable' CMS on a laptop running, say, Fedora release 8 (Werewolf).
>
> Is this possible?

I'd say it is possible. Take a look at this system here:
http://www.redhat.com/promo/summit/2008/downloads/pdf/Friday/Friday_1015am_Bob_Lord_OSS.pdf

I've seen someone from Spyrus post here before, or your best bet might be contacting them directly to see what info they can share.

Sean

From cfu at redhat.com Tue Jan 13 15:58:58 2009
From: cfu at redhat.com (Christina Fu)
Date: Tue, 13 Jan 2009 07:58:58 -0800
Subject: [Pki-users] Certificate System Want to change hostname/IP address after installation
Message-ID: <496CBA42.3070905@redhat.com>

I happened to have created one on a fc8 myself for the purpose of traveling.

I have in my /etc/hosts file:

    127.0.0.1 localhost.localdomain localhost localhost

and in /etc/nsswitch.conf:

    hosts: files dns

I do the following before each installation (rpm install or pkicreate) as root:

    domainname localdomain
    hostname localhost

Christina

Veale, Sean wrote:
> Sorry, sent before I was done...
>
> We'd like to create a 'portable' CMS on a laptop running, say, Fedora
> release 8 (Werewolf).
>
> Is this possible?
>
> I'd say it is possible. Take a look at this system here
> http://www.redhat.com/promo/summit/2008/downloads/pdf/Friday/Friday_1015am_Bob_Lord_OSS.pdf
>
> I've seen someone from Spyrus post here before, or your best bet
> might be contacting them directly to see what info they can share.
>
> Sean

From veryaware at gmail.com Fri Jan 16 06:36:35 2009
From: veryaware at gmail.com (Robert)
Date: Fri, 16 Jan 2009 16:36:35 +1000
Subject: [Pki-users] Certificate System Want to change hostname/IP address after installation
Message-ID: <321c4ad90901152236q64805bc6wdb83d5bd807d7d9b@mail.gmail.com>

Your idea should be quite simple to achieve. The domain for the CA service does not have to be related to the certificates you issue.

I do this currently on a test machine (inside vmware) with the key ports forwarded from the host to the dogtag system. People connect remotely to the public and changing IP address specified by a DynDNS fully qualified host name.

So for your install machine use a dynamic DNS host name. DynDNS offer a great service, both the free and the paid service. You could also use your own organisation's DNS, however DynDNS is quick and easy. At each new site you simply login to DynDNS, change the related IP addresses and away you go.

For your own convenience, you also want the /etc/hosts file to resolve the host name to 127.0.0.1, so it always works even when not on a network...

I do wonder about the security of your laptop, access control, whether you might like to use some sort of hardware token (smart card/HSM) to at least protect the CA key when on the road. It would be a shame to go to all the trouble and have the laptop stolen and/or compromised.

On Wed, Jan 14, 2009 at 1:20 AM, wrote:
> Hello everybody:
>
> Firstly, is this the primary Email-list for Dogtag/Red Hat Certificate
> System?
>
> Naturally, I've looked through all the archives, found here, for an answer:
> https://www.redhat.com/archives/pki-users/
>
> We're using the DOGTAG CMS system found here:
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
>
> We'd like to create a 'portable' CMS on a laptop running, say, Fedora
> release 8 (Werewolf).
> We'll then use this machine at different client sites where the machine's
> DNS name and IP address will change to issue certificates.
>
> Is this possible?
>
> Firstly, I know that the console has the directory server's DNS name within
> the schema itself.
> My work-around is to leave an alias in /etc/hosts with the old hostname.
>
> I expect the following URLs to cause an 'exception' in the Browser because
> the hostname in the DN does NOT equal the hostname for the machine:
> https://dogtag.org:9443/ca/agent/ca/
> https://dogtag.org:10443/kra/agent/kra/
> https://dogtag.org:12889/
>
> I reckon this can be over-ridden by simply accepting the 'exception' when
> presented with the warning dialogue-box in Mozilla.
>
> Q1. Any other considerations or obstacles?
>
> Cdlt,

From sean.veale at gdc4s.com Mon Jan 19 22:19:50 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Mon, 19 Jan 2009 17:19:50 -0500
Subject: [Pki-users] Token Cert Profile Question
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com>

I currently have a CS setup where, using Gemalto tokens, I can see that signing and encryption certs are written to the card. What profile(s) in the /var/lib//profile directory is used to generate the certs in a default dogtag setup?
I noticed there are both caTokenUserEncryptionKeyEnrollment.cfg and caTokenUserSigningKeyEnrollment.cfg profiles in the directory that seem to correspond to each of the certs created on the token. That is a bit odd to me as I thought it usually was one profile that would have multiple policysets to handle 2 certs, not a separate profile for each?

The basic question is I'd like to modify the configuration so a third cert is created on the card (to be used for authentication) beyond the email signing and encryption certs. Anyone know how to do that?

Thanks
Sean

From jmagne at redhat.com Tue Jan 20 00:48:35 2009
From: jmagne at redhat.com (Jack Magne)
Date: Mon, 19 Jan 2009 16:48:35 -0800
Subject: [Pki-users] Token Cert Profile Question
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com>
Message-ID: <49751F63.1030205@redhat.com>

Sean:

Yes, we have a profile for each cert. If you look in the CS.cfg in /var/lib/pki-tps/conf, you will see that for each type of token (ie userKey), there is a list of key "types" that are generated. For an example of 3 types look for the string:

    op.enroll.soKeyTemporary.keyGen.keyType.num=3

The subsequent lines show how a 3rd auth cert is generated.

Veale, Sean wrote:
> I currently have a CS setup where, using Gemalto tokens, I can see that
> signing and encryption certs are written to the card. What
> profile(s) in the /var/lib//profile directory is used to
> generate the certs in a default dogtag setup?
>
> I noticed there are both caTokenUserEncryptionKeyEnrollment.cfg and
> caTokenUserSigningKeyEnrollment.cfg profiles in the directory that
> seem to correspond to each of the certs created on the token. That is
> a bit odd to me as I thought it usually was one profile that would have
> multiple policysets to handle 2 certs, not a separate profile for each?
>
> The basic question is I'd like to modify the configuration so a third
> cert is created on the card (to be used for authentication) beyond the
> email signing and encryption certs. Anyone know how to do that?
>
> Thanks
> Sean

From chris.stromblad at hush.com Tue Jan 20 09:35:50 2009
From: chris.stromblad at hush.com (Christoffer Strömblad)
Date: Tue, 20 Jan 2009 10:35:50 +0100
Subject: [Pki-users] Autoenrollment with Dogtag
Message-ID: <20090120093550.E44F81A003A@smtp.hushmail.com>

Hi list,

As part of a future project I will be implementing a PKI using Dogtag. The company is interested in having autoenrollment functionality for their Linux desktops. From what I've read I can find no indication that this functionality is provided. Is there a way to have a computer/user be automatically provided with a certificate upon "notice" through SCEP? What options are available?

Any hints or advice is appreciated.
Regards,
Christoffer Strömblad

From sean.veale at gdc4s.com Thu Jan 22 22:02:12 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Thu, 22 Jan 2009 17:02:12 -0500
Subject: [Pki-users] Token Cert Profile Question
In-Reply-To: <49751F63.1030205@redhat.com>
References: <001201c96527$1c706e30$55514a90$@casper@envieta.com> <49751F63.1030205@redhat.com>

Thanks. Where is it specified which type of token to use in the enrollment process?

Thanks
Sean

-----Original Message-----
From: Jack Magne [mailto:jmagne at redhat.com]
Sent: Monday, January 19, 2009 7:49 PM
To: Veale, Sean
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Token Cert Profile Question

Sean:

Yes, we have a profile for each cert. If you look in the CS.cfg in /var/lib/pki-tps/conf, you will see that for each type of token (ie userKey), there is a list of key "types" that are generated. For an example of 3 types look for the string:

    op.enroll.soKeyTemporary.keyGen.keyType.num=3

The subsequent lines show how a 3rd auth cert is generated.

Veale, Sean wrote:
> I currently have a CS setup where, using Gemalto tokens, I can see that
> signing and encryption certs are written to the card. What
> profile(s) in the /var/lib//profile directory is used to
> generate the certs in a default dogtag setup?
>
> I noticed there are both caTokenUserEncryptionKeyEnrollment.cfg and
> caTokenUserSigningKeyEnrollment.cfg profiles in the directory that
> seem to correspond to each of the certs created on the token.
> That is
> a bit odd to me as I thought it usually was one profile that would have
> multiple policysets to handle 2 certs, not a separate profile for each?
>
> The basic question is I'd like to modify the configuration so a third
> cert is created on the card (to be used for authentication) beyond the
> email signing and encryption certs. Anyone know how to do that?
>
> Thanks
> Sean

From sean.veale at gdc4s.com Wed Jan 28 23:09:11 2009
From: sean.veale at gdc4s.com (Veale, Sean)
Date: Wed, 28 Jan 2009 18:09:11 -0500
Subject: [Pki-users] Hi dogtag build question on fc9
In-Reply-To: <4947E377.1090808@redhat.com>
References: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com> <4947E377.1090808@redhat.com>

Hi,

I've been building the dogtag CS system following the instructions here and have hit a snag that I was wondering if you knew about:
http://pki.fedoraproject.org/wiki/PKI_Common_Components_via_Subversion

I've been able to pull the source from svn and have successfully built and installed everything up to pki-common. But that one is complaining that it needs tomcatjss:

    tomcatjss >= 1.00 is needed by pki-common-1.0.0.33.fc9.noarch.rpm

Looking through yum or online I can't seem to find a package for tomcatjss beyond a couple of bugs in the bug base saying it needs to be pushed to Red Hat 5.3, like this one:
https://bugzilla.redhat.com/show_bug.cgi?id=457338

Do you know where / if I can get an rpm for tomcatjss that will work for fc9?
Thanks
Sean

From mharmsen at redhat.com Wed Jan 28 23:20:00 2009
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 28 Jan 2009 15:20:00 -0800
Subject: [Fwd: Re: [Pki-users] Hi dogtag build question on fc9]
Message-ID: <4980E820.5090206@redhat.com>

An embedded message was scrubbed...
From: Matthew Harmsen
Subject: Re: [Pki-users] Hi dogtag build question on fc9
Date: Wed, 28 Jan 2009 15:14:41 -0800
Size: 6811
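Editor's added example for the "change hostname/IP address after installation" thread above; this is not code from the list or from the Dogtag project. The thread turns on one check: a browser (or any TLS client that verifies names) compares the host name in the URL against the server certificate's DNS subjectAltName entries, falling back to the subject CN only when there are none. With the /etc/hosts alias lambam80 describes, https://dogtag.org:9443/ still carries the install-time name, so the name check passes; the separate "unknown issuer" warning is cured by importing the CA certificate, not by clicking through. The name check only fails when the laptop is reached under a different name (localhost, or the DynDNS name Robert suggests), and the fix that keeps the check meaningful is to reissue the server certificates with a SAN entry for every name that will be used, rather than training agents to accept exceptions. The checker below applies that matching rule, in the dict shape Python's ssl.getpeercert() returns, to the three agent URLs from the thread. The certificate contents and the DynDNS name pki-laptop.dyndns.org are constructed for illustration.

```python
"""Check whether Dogtag server certificates match the host names they will
be reached under (added example; not Dogtag project code).

Certificates are written in the dict shape that ssl.getpeercert() returns,
so the same functions can be applied to a live peer certificate after
verification. All certificate contents and the DynDNS host name below are
constructed for illustration.
"""
from urllib.parse import urlsplit

# Agent/console URLs quoted in the thread.
AGENT_URLS = [
    "https://dogtag.org:9443/ca/agent/ca/",
    "https://dogtag.org:10443/kra/agent/kra/",
    "https://dogtag.org:12889/",
]

# Server cert as issued at install time: only the install-time host name.
# (Constructed; a real certificate carries many more fields.)
INSTALL_CERT = {
    "subject": ((("commonName", "dogtag.org"),),),
    "subjectAltName": (("DNS", "dogtag.org"),),
}

# Server cert reissued for travel: one SAN entry per name the laptop will
# actually be reached under. The dyndns.org entry is an assumption.
PORTABLE_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (
        ("DNS", "localhost"),
        ("DNS", "localhost.localdomain"),
        ("DNS", "dogtag.org"),
        ("DNS", "*.dyndns.org"),
    ),
}


def reference_names(cert):
    """Names a verifier may compare against (RFC 6125 style): the DNS
    subjectAltName entries if any exist, otherwise the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans, "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cns, "commonName"


def name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard is allowed only as the whole
    left-most label, so *.dyndns.org matches a.dyndns.org but neither
    a.b.dyndns.org nor a bare two-label pattern such as *.org."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def check_url(url, cert):
    """Return (hostname, matched, which names were used) for one URL."""
    host = urlsplit(url).hostname or ""
    names, source = reference_names(cert)
    return host, any(name_matches(n, host) for n in names), source


def unmatched_urls(urls, cert):
    """URLs whose host name a verifying client would reject for cert."""
    return [u for u in urls if not check_url(u, cert)[1]]


def with_host(url, new_host):
    """Rewrite the host part of a URL (port and path kept) to model
    reaching the same laptop under a different name."""
    parts = urlsplit(url)
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return parts._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    travel_urls = [with_host(u, "pki-laptop.dyndns.org") for u in AGENT_URLS]
    for label, cert in (("install-time cert", INSTALL_CERT),
                        ("portable cert", PORTABLE_CERT)):
        print(label, "rejects:", unmatched_urls(AGENT_URLS + travel_urls, cert))
```

Run stand-alone it reports that the install-time certificate is rejected for every DynDNS-named URL while the reissued certificate is accepted for all six; the same functions can be pointed at the dict from ssl.getpeercert() on a connection to the agent port to audit a live instance before agents are told to stop expecting warnings.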