From Julius.Adewumi at gdc4s.com Mon Jul 13 17:15:46 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Mon, 13 Jul 2009 10:15:46 -0700
Subject: [Pki-users] Error 7 in SOkey enrollment
Message-ID: <65efa6c10005acb4@gddsi.com>

Has anyone familiarity with the following VFY_CreateContext() failure or the verifyProof failure who can shed some light on what is going on, config or software release version --suspect is certEnroll()?

Here is a section of the log:

-------------------------------------------
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - Successfully read public key buffer
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - public_key = (length='271')
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 00 8b 00 01 04 00 00 80 8d aa
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - cc 88 8d f5 b5 ae 93 72 9c ec
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 60 c7 3c a8 65 f8 09 62 65 b7
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 95 8a fe 5e 75 7e 00 2c ad 06
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 15 c3 ad 3f 96 39 c9 78 d8 73
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 07 92 3e 39 d9 3e 88 63 3b 18
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - de 76 6d 33 ec 49 53 25 ce 9c
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 5b 55 70 fe 4b 60 a0 f9 8a 75
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 29 9e 90 ac 87 9e fc 2b 1a 55
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - c9 04 00 21 ea 5c e1 f0 2f 0d
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 72 49 38 47 96 51 3d f2 ab 06
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 6e 9f e8 93 e6 22 9b dc ab 3a
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - eb 80 d1 8d 5b 68 b1 6f 66 1b
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 3a 3d 5d 75 e9 87 00 03 01 00
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 01 00 80 5f a0 76 96 30 ff 55
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - db d5 4e b5 ed 4e 82 c9 8c d9
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - a7 56 0b bd fd e7 b2 34 c9 50
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - fa 2a 19 88 99 89 a6 80 39 5c
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - ed 89 a8 c8 17 52 b7 04 eb 25
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 91 b9 35 bd d9 e8 6e 5c 0b 7c
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 0a 80 bd 3f fc f4 20 a8 b6 61
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 49 0b 9f 0e c6 8b a5 8c 60 e7
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - d2 46 91 86 93 2f 6c 9d 56 62
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 30 33 79 84 ba 4d b5 60 14 87
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 03 8d cd 17 85 a0 bc 02 21 ff
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 5c fe 71 cf fd f2 2b 7f 68 bb
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 1e 38 26 33 96 ff e2 48 66 ef
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - 57
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - challenge size=16
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - challenge = (length='16')
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - c9 1f 72 35 21 17 90 5a ed ce
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - dd a5 c6 9d ad 51
[2009-07-01 16:35:52] b5b5710 AP_Session::WriteMsg - Sent 's=69&msg_type=14&current_state=73&next_task_name=PROGRESS_PARSE_PUBLIC_KEY'
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - About to Parse Public Key
[2009-07-01 16:35:52] b5b5710 CertEnroll::verifyProof - VFY_CreateContext() failed
[2009-07-01 16:35:52] b5b5710 CertEnroll::ParsePublicKeyBlob - verify proof failed
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - Failed to parse public key
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::GenerateCertificate - Got a status error from DoEnrollment: 7
[2009-07-01 16:35:53] b5b5710 AP_Session::WriteMsg - Sent 's=42&msg_type=13&operation=1&result=1&message=7'
----------------------------------------

The config seems to show that Private Key is to be generated on the Token for SO mode (Security Officer Mode enrollment). It is during this Private Key generation that this failure occurs each time.

Any input will help. The last line of the log is where Error 7 was spawned.

From: Julius Adewumi @GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

From jmagne at redhat.com Mon Jul 13 19:52:49 2009
From: jmagne at redhat.com (John Magne)
Date: Mon, 13 Jul 2009 15:52:49 -0400 (EDT)
Subject: [Pki-users] Error 7 in SOkey enrollment
In-Reply-To: <65efa6c10005acb4@gddsi.com>
Message-ID: <368840574.347701247514769302.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>

Just curious, what type of token are you trying?

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From Julius.Adewumi at gdc4s.com Mon Jul 13 20:40:47 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Mon, 13 Jul 2009 13:40:47 -0700
Subject: [Pki-users] Error 7 in SOkey enrollment
In-Reply-To: <368840574.347701247514769302.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
References: <65efa6c10005acb4@gddsi.com> <368840574.347701247514769302.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
Message-ID: <66ab5bfa0005d55b@gddsi.com>

They are Gemalto smartcards. I can enroll users successfully, but to enroll security officer (SO) who is capable of managing user-tokens is the problem.

From: Julius Adewumi

From jmagne at redhat.com Mon Jul 13 20:54:37 2009
From: jmagne at redhat.com (John Magne)
Date: Mon, 13 Jul 2009 16:54:37 -0400 (EDT)
Subject: [Pki-users] Error 7 in SOkey enrollment
In-Reply-To: <66ab5bfa0005d55b@gddsi.com>
Message-ID: <924792233.352211247518477066.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>

Oh: OK, thanks. So it's probably not a token or applet issue.

In this case you might want to inspect your TPS's CS.cfg. Compare the entries for "userKey" which is the regular user with the ones for "soKey" and look for differences.

From Julius.Adewumi at gdc4s.com Mon Jul 13 21:41:33 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Mon, 13 Jul 2009 14:41:33 -0700
Subject: [Pki-users] Error 7 in SOkey enrollment
In-Reply-To: <924792233.352211247518477066.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
References: <66ab5bfa0005d55b@gddsi.com> <924792233.352211247518477066.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
Message-ID: <66e2f4080005e2b6@gddsi.com>

I did and only difference is:

Op.enroll.sokey.keyGen.encryption.serverKeygen.enable=value

For "userkey" value is "true"
For "sokey" value is "[SERVER_KEYGEN]", which translates to "false".

It invokes Private key to be generated on the token instead of on the server. (Can't tell why) But that is where it fails.

I played with it and changed it to match the "userkey" i.e., changed it to "true" and tried it. It said successful, however, the key did not work as Security Officer Mode. It simply completed as userkey again.

From: Julius Adewumi @GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

From cfu at redhat.com Thu Jul 16 04:01:37 2009
From: cfu at redhat.com (Christina Fu)
Date: Wed, 15 Jul 2009 21:01:37 -0700
Subject: [Pki-users] Error 7 in SOkey enrollment
In-Reply-To: <65efa6c10005acb4@gddsi.com>
References: <65efa6c10005acb4@gddsi.com>
Message-ID: <4A5EA621.8030402@redhat.com>

Adewumi, Julius-p99373 wrote:
>
> Has anyone familiarity with the following VFY_CreateContext() failure
> or the verifyProof failure
> who can shed some light on what is going on, config or software
> release version --suspect is certEnroll()?
>
The proof verification is for proving that the token does have the private key that goes with the public key in the cert request. Like you have observed, the userKey profile's encryption cert by default has the server generate the keys, therefore does not need the proof verification. The signing cert does generate keys on the token itself, thus causes the proof verification. And you can see the successful proof verification like the following:

[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - verify proof begins
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - VFY_CreateContext() succeeded
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - VFY_End() returned 0

If you try changing the userKey profile's encryption cert to generate the keys on the token instead, such as:

op.enroll.userKey.keyGen.encryption.serverKeygen.enable=false

You will notice now that you have both signing and encryption cert requests going through the verifyProof (2 sets of the above messages in log).

It seems like in the security officer case, the proof somehow is incorrect, thus failed the verifyProof check on TPS. Further investigation is needed.

Christina
> = (length='16') > [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - c9 1f 72 > 35 21 17 90 5a ed ce > [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::process - dd a5 c6 > 9d ad 51 > [2009-07-01 16:35:52] b5b5710 AP_Session::WriteMsg - Sent > 's=69&msg_type=14¤t_state=73&next_task_name=PROGRESS_PARSE_PUBLIC_KEY' > > [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - > About to Parse Public Key > [2009-07-01 16:35:52] b5b5710 CertEnroll::verifyProof - > VFY_CreateContext() failed > [2009-07-01 16:35:52] b5b5710 CertEnroll::ParsePublicKeyBlob - verify > proof failed > [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - > Failed to parse public key > [2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::GenerateCertificate > - Got a status error from DoEnrollment: 7 > [2009-07-01 16:35:53] b5b5710 AP_Session::WriteMsg - Sent > 's=42&msg_type=13&operation=1&result=1&message=7' > > > ---------------------------------------- > > The config seems to show that Private Key is to be generated on the > Token for SO mode (Security Officer Mode enrollment). It is during > this Private Key generation that this failure occurs each time. Any > input will help. The lkast line of the log is where Error 7 was spawned. > > > /From: Julius Adewumi/ > /@GDC4S.com/ > /Ph:480-441-6768/ > /Contract Corp:MTSI/ > > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > From Julius.Adewumi at gdc4s.com Thu Jul 16 16:37:54 2009 From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373) Date: Thu, 16 Jul 2009 09:37:54 -0700 Subject: [Pki-users] Error 7 in SOkey enrollment In-Reply-To: <4A5EA621.8030402@redhat.com> References: <65efa6c10005acb4@gddsi.com> <4A5EA621.8030402@redhat.com> Message-ID: <150446754087724BA4B8F287083846B204D47D9A@AZ25EXM04.gddsi.com> Thanks. 
Is there any config change that will rectify this?

I see the log says it receives public key (from the token) in response to the "generate priv key on token" request, and the first failure logged was that "Parsing of the public key failed". I thought a different smartcard reader or different smartcard will prove something. I changed to a different reader and the problem persisted. If I can use a different model of smartcards and the problem persists, I will conclude it's the TPS (Certificate Systems software). Am I missing something in my analysis?

From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

-----Original Message-----
From: Christina Fu [mailto:cfu at redhat.com]
Sent: Wednesday, July 15, 2009 9:02 PM
To: Adewumi, Julius-p99373
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] Error 7 in SOkey enrollment

Adewumi, Julius-p99373 wrote:
>
> Has anyone familiarity with the following VFY_CreateContext() failure
> or the verifyProof failure who can shed some light on what is going
> on, config or software release version --suspect is certEnroll()?
>

The proof verification is for proving that the token does have the private key that goes with the public key in the cert request. Like you have observed, the userKey profile's encryption cert by default has the server generate the keys, therefore does not need the proof verification. The signing cert does generate keys on the token itself, thus causes the proof verification.
And you can see the success proof verification like the following:

[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - verify proof begins
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - VFY_CreateContext() succeeded
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - VFY_End() returned 0

If you try changing the userKey profile's encryption cert to generate the keys on the token instead, such as:

op.enroll.userKey.keyGen.encryption.serverKeygen.enable=false

You will notice now that you have both signing and encryption cert requests going through the verifyProof (2 sets of the above messages in log).

It seems like in the security officer case, the proof somehow is incorrect, thus failed the verifyProof check on TPS. Further investigation is needed.

Christina

From jmagne at redhat.com Thu Jul 16 17:02:47 2009
From: jmagne at redhat.com (John Magne)
Date: Thu, 16 Jul 2009 13:02:47 -0400 (EDT)
Subject: [Pki-users] Error 7 in SOkey enrollment
In-Reply-To: <150446754087724BA4B8F287083846B204D47D9A@AZ25EXM04.gddsi.com>
Message-ID: <678409956.516191247763767071.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>

Is there any chance you are using a webstore gemalto card?

You may be using a version of CS that requires a specific version of this Gemalto card.

From Julius.Adewumi at gdc4s.com Thu Jul 16 17:29:09 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Thu, 16 Jul 2009 10:29:09 -0700
Subject: [Pki-users] Error 7 in SOkey enrollment
In-Reply-To: <678409956.516191247763767071.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
References: <150446754087724BA4B8F287083846B204D47D9A@AZ25EXM04.gddsi.com> <678409956.516191247763767071.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
Message-ID: <756ed8be00004ae6@gddsi.com>

We got a box of these Gemalto cards, and here is the only info inside the box:

Cyberflex
www.cyberflex.com
gemalto

Key: Value (hexadecimal - no spaces)
Auth: 404142434445......4E4F
MAC: 404142434445......4E4F
KEK: 404142434445......4E4F

Warning: Ten failed attempts will render this card useless. Gemalto does not replace blocked cards.

You see, there is no Model number or nothing on them. They are white and blank cards with just the chip embedded.

From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

From Julius.Adewumi at gdc4s.com Thu Jul 16 17:46:26 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Thu, 16 Jul 2009 10:46:26 -0700
Subject: [Pki-users] Error 7 in SOkey enrollment
In-Reply-To: <150446754087724BA4B8F287083846B204D47E9A@AZ25EXM04.gddsi.com>
References: <150446754087724BA4B8F287083846B204D47D9A@AZ25EXM04.gddsi.com><678409956.516191247763767071.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com> <150446754087724BA4B8F287083846B204D47E9A@AZ25EXM04.gddsi.com>
Message-ID: <150446754087724BA4B8F287083846B204D47EEF@AZ25EXM04.gddsi.com>

To be precise, here is how it was ordered: Quantity 20, Part Number GEMALTO (Cyberflex)-64K-TOKEN, Description GEMALTO 64K GEMPC Key Token

From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

From Julius.Adewumi at gdc4s.com Fri Jul 17 18:24:25 2009
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Fri, 17 Jul 2009 11:24:25 -0700
Subject: [Pki-users] ESC: SmartCardManagerSetup-1.0.1-X.win32.i386.exe
In-Reply-To: <678409956.516191247763767071.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
References: <150446754087724BA4B8F287083846B204D47D9A@AZ25EXM04.gddsi.com> <678409956.516191247763767071.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com>
Message-ID: <7ac7b96c0000d3e4@gddsi.com>

I have searched for this ESC package for windows on Redhat.com to no success.

Where can I download a newer version of this if there is any?

From: Julius Adewumi
@GDC4S.com
Ph:480-441-6768
Contract Corp:MTSI

From msauton at redhat.com Fri Jul 17 20:39:02 2009
From: msauton at redhat.com (Marc Sauton)
Date: Fri, 17 Jul 2009 13:39:02 -0700
Subject: [Pki-users] ESC: SmartCardManagerSetup-1.0.1-X.win32.i386.exe
In-Reply-To: <7ac7b96c0000d3e4@gddsi.com>
References: <150446754087724BA4B8F287083846B204D47D9A@AZ25EXM04.gddsi.com> <678409956.516191247763767071.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com> <7ac7b96c0000d3e4@gddsi.com>
Message-ID: <4A60E166.9020808@redhat.com>

That would be on RHN in the Certificate System channel, under "Download"
M.

Adewumi, Julius-p99373 wrote:
> I have searched for this ESC package for windows on Redhat.com to no
> success.
>
> Where can I download a newer version of this if there is any?
>
>
> From: Julius Adewumi
> @GDC4S.com
> Ph:480-441-6768
> Contract Corp:MTSI
>

From cjbrown at mitre.org Wed Jul 29 18:37:06 2009
From: cjbrown at mitre.org (Brown, Chris)
Date: Wed, 29 Jul 2009 14:37:06 -0400
Subject: [Pki-users] smartcard purchase
Message-ID:

When purchasing smartcards for use with the DogTag system, is it necessary to purchase the middleware and card mgmt software that vendors also offer? Since DogTag offers this I would guess not, but wanted to make sure.

Thanks.
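
Added example, not part of any message in this archive and not Certificate System code: a Python triage of TPS debug-log lines in the format quoted in the "Error 7 in SOkey enrollment" messages, counting verifyProof outcomes per session so a failing enrollment can be compared with a passing one. It assumes the second log field identifies the session and that a non-zero VFY_End() result means a failed proof; the function names and the sample input are constructed for illustration.

```python
import re
from collections import OrderedDict

# Sample input: the b5b5710 lines are copied (unwrapped) from the failing log in
# the thread; the a3c21b8 lines repeat the passing set twice, constructed to
# mimic the "2 sets" case described for token-side encryption key generation.
SAMPLE_LOG = """\
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - About to Parse Public Key
[2009-07-01 16:35:52] b5b5710 CertEnroll::verifyProof - VFY_CreateContext() failed
[2009-07-01 16:35:52] b5b5710 CertEnroll::ParsePublicKeyBlob - verify proof failed
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::DoEnrollment - Failed to parse public key
[2009-07-01 16:35:52] b5b5710 RA_Enroll_Processor::GenerateCertificate - Got a status error from DoEnrollment: 7
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - verify proof begins
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - VFY_CreateContext() succeeded
[2009-07-15 15:53:55] a3c21b8 CertEnroll::verifyProof - VFY_End() returned 0
[2009-07-15 15:53:56] a3c21b8 CertEnroll::verifyProof - verify proof begins
[2009-07-15 15:53:56] a3c21b8 CertEnroll::verifyProof - VFY_CreateContext() succeeded
[2009-07-15 15:53:56] a3c21b8 CertEnroll::verifyProof - VFY_End() returned 0
this line is not in the expected format
"""

# Assumed layout, inferred from the quoted lines: [timestamp] id Class::method - message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<sid>[0-9a-f]+)\s+(?P<func>\S+)\s+-\s+(?P<msg>.*)$")
VFY_END_RE = re.compile(r"VFY_End\(\) returned (-?\d+)")
STATUS_RE = re.compile(r"Got a status error from DoEnrollment: (\d+)")


def triage(log_text):
    """Count proof-of-possession outcomes per session id (second log field)."""
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line: skip rather than guess
        s = sessions.setdefault(m["sid"], {
            "proofs_ok": 0, "proofs_failed": 0,
            "status_error": None, "first_failure": None})
        func, msg = m["func"], m["msg"]
        failed = False
        if func == "CertEnroll::verifyProof":
            end = VFY_END_RE.search(msg)
            if end and int(end.group(1)) == 0:
                s["proofs_ok"] += 1
            elif end or "VFY_CreateContext() failed" in msg:
                # Assumption: any non-zero VFY_End() result is a failed proof.
                s["proofs_failed"] += 1
                failed = True
        status = STATUS_RE.search(msg)
        if status:
            s["status_error"] = int(status.group(1))
        if failed and s["first_failure"] is None:
            s["first_failure"] = f'{m["ts"]} {func} - {msg}'
    return sessions


def verdict(session):
    """Classify one session from its counters."""
    if session["proofs_failed"]:
        return "proof-failed"
    if session["status_error"] is not None:
        return "enrollment-error"
    if session["proofs_ok"]:
        return "ok"
    return "no-proof-seen"  # e.g. only server-generated keys, so no proof step


if __name__ == "__main__":
    for sid, s in triage(SAMPLE_LOG).items():
        print(sid, verdict(s), s)
```

Lines wrapped by a mail client, as in the quoted copies of the log, do not match the pattern and are skipped, so run it against the server's own log file rather than text pasted from a message.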