From hablutzel1 at gmail.com Tue Sep 3 21:26:34 2013
From: hablutzel1 at gmail.com (Jaime Hablutzel Egoavil)
Date: Tue, 3 Sep 2013 16:26:34 -0500
Subject: [Pki-users] Question about ETSI TS 102 231

My question is the following one:

What is the meaning of
http://uri.etsi.org/TrstSvc/eSigDir-1999-93-EC-TrustedList/SvcInfoExt/RootCA-QC
from ETSI TS 102 231 V3.1.2?

From the Technical Specification:

> http://uri.etsi.org/TrstSvc/eSigDir-1999-93-EC-TrustedList/SvcInfoExt/RootCA-QC
> a Root Certification Authority from which a certification path can be
> established down to a Certification Authority issuing Qualified
> Certificates. Only to be used as an extension, if the servicetype is
> http://uri.etsi.org/TrstSvc/Svctype/CA/QC

But what is the purpose of having this URI associated to a TSPService
with ServiceTypeIdentifier http://uri.etsi.org/TrstSvc/Svctype/CA/QC?

Does it mean that if I have a prospective certificate path like this one:

- A (root ca)
- B (intermediate)
- C (end user)

Where A is the only one registered in the TSL as a TSPService without the
http://uri.etsi.org/TrstSvc/eSigDir-1999-93-EC-TrustedList/SvcInfoExt/RootCA-QC
URI associated, I can't construct a valid certification path for B and C?

Is this the right place to ask this kind of question? Or can you please
recommend the right place to me?

Is there something like a user mailing list or forum for ETSI Technical
Specifications or IETF RFCs?

Thank you

-- 
Jaime Hablutzel - RPC 994690880

From alee at redhat.com Tue Sep 10 01:02:07 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 09 Sep 2013 21:02:07 -0400
Subject: [Pki-users] Announcing the release of Dogtag 10.0.5
Message-ID: <1378774927.2412.36.camel@aleeredhat.laptop>

The Dogtag team is proud to announce the fifth errata build for Dogtag 10.0.

Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repositories.
Please try them out and provide karma to move them to the F18 and F19 stable
repositories. Karma can be provided at https://admin.fedoraproject.org/updates
for each package.

== Build Versions ==

pki-core-10.0.5-1
pki-ra-10.0.5-1
pki-tps-10.0.5-1
dogtag-pki-10.0.5-1
dogtag-pki-theme-10.0.5-1
pki-console-10.0.5-1

== Highlights since Dogtag 10.0.4 ==

* Due to changes in systemd, restarting Dogtag 10 instances using
  systemctl restart pki-tomcatd.target failed. Changes have been made to
  the systemd startup configuration to ensure that this works correctly.
  In addition, configuration has been added to require systemd to accept
  an exit status of 143 (a correct exit status for the JVM) as valid, so
  this exit value will no longer be reported in the system logs.

* Due to changes in python-requests, a new exception (ProxyError) was
  returned when attempting to connect to a server that is not yet
  available. This affected pkispawn installation code when we wait for a
  server to restart. The code has been modified to handle this (and
  other) exceptions.

* In a case following a bad restart, the CS.cfg for an instance appeared
  to be cleared or truncated. The code has been changed to not write
  server status to the CS.cfg on startup, but rather to use an in-memory
  variable.

* Fixed LDAP search filter code to no longer return certificates expired
  for both reason 1 and reason 10 when searching only for reason 1.

== Detailed Changes since Dogtag 10.0.4 ==

alee (5):
  #712 pki cert-find --revocationReason 1 finds certs expired for reason 1 and reason 10
  #714 CS.cfg cleared
  #716 pki-tomcatd@pki-tomcat.service does not start when pki-tomcatd.target is started
  #717 Proxy error while getting status when spawning CA
  #719 Incorrect value in CS.cfg for manager.ldif location

From sross at trustedcs.com Fri Sep 20 22:20:22 2013
From: sross at trustedcs.com (Steve Ross)
Date: Fri, 20 Sep 2013 17:20:22 -0500
Subject: [Pki-users] "Format" button never enabled in Enterprise Security Client
Message-ID: <523CCA26.3050503@trustedcs.com>

I'm a new user of the Dogtag Certificate System...

I am trying to create a certificate and write it to a smart card.

My problem is that my Enterprise Security Client (ESC) does not allow me
to format the smart card. When I insert the blank smart card, the ESC
GUI shows
    Issuer = Unknown
    Issued To = Unknown
    Status = Unformatted

However, the "Format" button is disabled and remains so. Why? Is there
any configuration that I need to do in one of the PKI subsystems or ESC
itself?

When I instead insert a Common Access Card (CAC), the ESC GUI shows
    Issuer = U.S Government
    Issued To =
    Status = Enrolled

and ESC is able to display the three certificates of the CAC. So, my
hardware/software is working to the extent that it can read another card.
I see the section in the Red Hat Certificate System (RHCS) 8.1
"Deployment, Planning, and Installation" guide that says:

    The Certificate System subsystems have been tested using the
    following tokens:
        Gemalto TOP IM FIPS CY2 64K token, both as a smart card and
        GemPCKey USB form factor key
        Gemalto Cyberflex e-gate 32K token
        Safenet 330J Java smart card

I also see the section of the RHCS "Managing Smart Cards with the
Enterprise Security Client" that says:

    The Enterprise Security Client supports smart cards which are
    JavaCard 2.1 or higher and Global Platform 2.01-compliant and was
    tested using the following cards:
        Safenet 330J Java smart cards
        Gemalto 64K V2 tokens, both as a smart card and GemPCKey USB
        form factor key
        Gemalto GCx4 72K and TOPDLGX4 144K common access cards (CAC)
        Oberthur ID One V5.2 common access cards (CAC)
        Personal identity verification (PIV) cards, compliant with FIPS 201

The smart card that I'm using is none of the above, though it exceeds
the standards that the ESC manual describes.

Following are the details of my smart card, reader, and installed software:

Smart card:
    J2A080 - NXP JAVA based smart card, 80k EEPROM
    This is supposed to meet the standards JCOP 2.4.1, JC 2.2.2, and GP 2.1.1.
    It is a new card and is not supposed to have any applets on it.

Smart card reader:
    OmniKey 3121

Operating system:
    CentOS 5.9

Software packages installed:
    esc-1.1.0-14.el5.centos.1
    pki-ca-1.3.6-1.el5
    pki-tks-1.3.3-1.el5
    pki-tps-1.3.1-1.el5
    coolkey-1.1.0-15.el5
    tomcat5-5.5.23-0jpp.40.el5_9
    httpd-2.2.3-82.el5.centos

Thanks in advance for any help,
-- Steve Ross

From jmagne at redhat.com Fri Sep 20 23:39:20 2013
From: jmagne at redhat.com (John Magne)
Date: Fri, 20 Sep 2013 19:39:20 -0400 (EDT)
Subject: [Pki-users] "Format" button never enabled in Enterprise Security Client
In-Reply-To: <523CCA26.3050503@trustedcs.com>
References: <523CCA26.3050503@trustedcs.com>
Message-ID: <1045007716.16102366.1379720360893.JavaMail.root@redhat.com>

Steve:

Thanks for the query.
When you put in a blank token such as you have probably described, the ESC should pop up
a "Phone Home" Dialog that asks you to type in a URL pointing to the TPS Server that is part
of Dogtag Certificate System.

If you do not get this Phone Home dialog there is possibly something wrong there.

As for smart card support we only have tested the main cards supported. If there is some alternate
card being attempted, it MAY work but we can make no assurances there.

thanks,
jack

----- Original Message -----
> From: "Steve Ross"
> To: pki-users at redhat.com
> Sent: Friday, September 20, 2013 3:20:22 PM
> Subject: [Pki-users] "Format" button never enabled in Enterprise Security Client
>
> I'm a new user of the Dogtag Certificate System...
>
> I am trying to create a certificate and write it to a smart card.
>
> My problem is that my Enterprise Security Client (ESC) does not allow me
> to format the smart card. When I insert the blank smart card, the ESC
> GUI shows
>     Issuer = Unknown
>     Issued To = Unknown
>     Status = Unformatted
>
> However, the "Format" button is disabled and remains so. Why? Is there
> any configuration that I need to do in one of the PKI subsystems or ESC
> itself?
>
> When I instead insert a Common Access Card (CAC), the ESC GUI shows
>     Issuer = U.S Government
>     Issued To =
>     Status = Enrolled
>
> and ESC is able to display the three certificates of the CAC. So, my
> hardware/software is working to the extent that it can read another card.
>
> I see the section in the Red Hat Certificate System (RHCS) 8.1
> "Deployment, Planning, and Installation" guide that says:
>
>     The Certificate System subsystems have been tested using the
>     following tokens:
>         Gemalto TOP IM FIPS CY2 64K token, both as a smart card and
>         GemPCKey USB form factor key
>         Gemalto Cyberflex e-gate 32K token
>         Safenet 330J Java smart card
>
> I also see the section of the RHCS "Managing Smart Cards with the
> Enterprise Security Client" that says:
>
>     The Enterprise Security Client supports smart cards which are
>     JavaCard 2.1 or higher and Global Platform 2.01-compliant and was
>     tested using the following cards:
>         Safenet 330J Java smart cards
>         Gemalto 64K V2 tokens, both as a smart card and GemPCKey USB
>         form factor key
>         Gemalto GCx4 72K and TOPDLGX4 144K common access cards (CAC)
>         Oberthur ID One V5.2 common access cards (CAC)
>         Personal identity verification (PIV) cards, compliant with FIPS 201
>
> The smart card that I'm using is none of the above, though it exceeds
> the standards that the ESC manual describes.
>
>
> Following are the details of my smart card, reader, and installed software:
>
> Smart card:
>     J2A080 - NXP JAVA based smart card, 80k EEPROM
>     This is supposed to meet the standards JCOP 2.4.1, JC 2.2.2, and GP 2.1.1.
>     It is a new card and is not supposed to have any applets on it.
>
>
> Smart card reader:
>     OmniKey 3121
>
>
> Operating system:
>     CentOS 5.9
>
>
> Software packages installed:
>     esc-1.1.0-14.el5.centos.1
>     pki-ca-1.3.6-1.el5
>     pki-tks-1.3.3-1.el5
>     pki-tps-1.3.1-1.el5
>     coolkey-1.1.0-15.el5
>     tomcat5-5.5.23-0jpp.40.el5_9
>     httpd-2.2.3-82.el5.centos
>
>
> Thanks in advance for any help,
> -- Steve Ross
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From sross at trustedcs.com Mon Sep 23 23:45:22 2013
From: sross at trustedcs.com (Steve Ross)
Date: Mon, 23 Sep 2013 18:45:22 -0500
Subject: [Pki-users] "Format" button never enabled in Enterprise Security Client
In-Reply-To: <1045007716.16102366.1379720360893.JavaMail.root@redhat.com>
References: <523CCA26.3050503@trustedcs.com>
 <1045007716.16102366.1379720360893.JavaMail.root@redhat.com>
Message-ID: <5240D292.9020802@trustedcs.com>

Jack,

Thanks for your quick reply.

Regarding "Phone Home", I believe that both TPS and ESC are set up
correctly by default. For example, the TPS "CS.cfg" file contains the
lines:
    ...
    op.enroll.userKey.issuerinfo.enable=true
    op.enroll.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
    ...
    op.format.userKey.issuerinfo.enable=true
    op.format.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi

By using the "netstat" command, I can see that my TPS process is
listening on ports 7888, 7889, and 7890.

The file "/var/lib/pki-tps/cgi-bin/home/index.cgi", which I haven't
edited, produces:

    Fedora Project
    http://dhcp-12-90.il.tcs-sec.com:7888/nk_service
    http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/enroll.cgi
    http://www.fedora.redhat.com
    userKey

which again references port 7888.
I have edited the file
"user/lib/esc-1.1.0/defaults/preferences/esc-prefs.js", where I've set:

    pref("esc.global.phone.home.url","http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi");

So, I'm confused as to why I don't see the "Phone Home Configuration
Information" dialog that you mention.

By default, does ESC communicate with TPS over HTTP port 7888? Is it
necessary to switch ESC to use HTTPS port 7890?

Is there part of installation or configuration of ESC and TPS that
people (like me) regularly get wrong?

Thanks,
-- Steve Ross

On 09/20/2013 06:39 PM, John Magne wrote:
> Steve:
>
> Thanks for the query.
>
>
> When you put in a blank token such as you have probably described, the ESC should pop up
> a "Phone Home" Dialog that asks you to type in a URL pointing to the TPS Server that is part
> of Dogtag Certificate System.
>
> If you do not get this Phone Home dialog there is possibly something wrong there.
>
> As for smart card support we only have tested the main cards supported. If there is some alternate
> card being attempted, it MAY work but we can make no assurances there.
>
> thanks,
> jack
>
>
>
> ----- Original Message -----
>> From: "Steve Ross"
>> To: pki-users at redhat.com
>> Sent: Friday, September 20, 2013 3:20:22 PM
>> Subject: [Pki-users] "Format" button never enabled in Enterprise Security Client
>>
>> I'm a new user of the Dogtag Certificate System...
>>
>> I am trying to create a certificate and write it to a smart card.
>>
>> My problem is that my Enterprise Security Client (ESC) does not allow me
>> to format the smart card. When I insert the blank smart card, the ESC
>> GUI shows
>>     Issuer = Unknown
>>     Issued To = Unknown
>>     Status = Unformatted
>>
>> However, the "Format" button is disabled and remains so. Why? Is there
>> any configuration that I need to do in one of the PKI subsystems or ESC
>> itself?
>>
>> When I instead insert a Common Access Card (CAC), the ESC GUI shows
>>     Issuer = U.S Government
>>     Issued To =
>>     Status = Enrolled
>>
>> and ESC is able to display the three certificates of the CAC. So, my
>> hardware/software is working to the extent that it can read another card.
>>
>> I see the section in the Red Hat Certificate System (RHCS) 8.1
>> "Deployment, Planning, and Installation" guide that says:
>>
>>     The Certificate System subsystems have been tested using the
>>     following tokens:
>>         Gemalto TOP IM FIPS CY2 64K token, both as a smart card and
>>         GemPCKey USB form factor key
>>         Gemalto Cyberflex e-gate 32K token
>>         Safenet 330J Java smart card
>>
>> I also see the section of the RHCS "Managing Smart Cards with the
>> Enterprise Security Client" that says:
>>
>>     The Enterprise Security Client supports smart cards which are
>>     JavaCard 2.1 or higher and Global Platform 2.01-compliant and was
>>     tested using the following cards:
>>         Safenet 330J Java smart cards
>>         Gemalto 64K V2 tokens, both as a smart card and GemPCKey USB
>>         form factor key
>>         Gemalto GCx4 72K and TOPDLGX4 144K common access cards (CAC)
>>         Oberthur ID One V5.2 common access cards (CAC)
>>         Personal identity verification (PIV) cards, compliant with FIPS 201
>>
>> The smart card that I'm using is none of the above, though it exceeds
>> the standards that the ESC manual describes.
>>
>>
>> Following are the details of my smart card, reader, and installed software:
>>
>> Smart card:
>>     J2A080 - NXP JAVA based smart card, 80k EEPROM
>>     This is supposed to meet the standards JCOP 2.4.1, JC 2.2.2, and GP 2.1.1.
>>     It is a new card and is not supposed to have any applets on it.
>>
>>
>> Smart card reader:
>>     OmniKey 3121
>>
>>
>> Operating system:
>>     CentOS 5.9
>>
>>
>> Software packages installed:
>>     esc-1.1.0-14.el5.centos.1
>>     pki-ca-1.3.6-1.el5
>>     pki-tks-1.3.3-1.el5
>>     pki-tps-1.3.1-1.el5
>>     coolkey-1.1.0-15.el5
>>     tomcat5-5.5.23-0jpp.40.el5_9
>>     httpd-2.2.3-82.el5.centos
>>
>>
>> Thanks in advance for any help,
>> -- Steve Ross
>>

From jmagne at redhat.com Tue Sep 24 00:20:54 2013
From: jmagne at redhat.com (John Magne)
Date: Mon, 23 Sep 2013 20:20:54 -0400 (EDT)
Subject: [Pki-users] "Format" button never enabled in Enterprise Security Client
In-Reply-To: <5240D292.9020802@trustedcs.com>
References: <523CCA26.3050503@trustedcs.com>
 <1045007716.16102366.1379720360893.JavaMail.root@redhat.com>
 <5240D292.9020802@trustedcs.com>
Message-ID: <625725539.878813.1379982054894.JavaMail.root@redhat.com>

Steve greetings:

Comments below:



----- Original Message -----
> From: "Steve Ross"
> To: "John Magne"
> Cc: pki-users at redhat.com
> Sent: Monday, September 23, 2013 4:45:22 PM
> Subject: Re: [Pki-users] "Format" button never enabled in Enterprise Security Client
>
> Jack,
>
> Thanks for your quick reply.
>
> Regarding "Phone Home", I believe that both TPS and ESC are set up
> correctly by default. For example, the TPS "CS.cfg" file contains the
> lines:
>     ...
>     op.enroll.userKey.issuerinfo.enable=true
>     op.enroll.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
>     ...
>     op.format.userKey.issuerinfo.enable=true
>     op.format.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
>
> By using the "netstat" command, I can see that my TPS process is
> listening on ports 7888, 7889, and 7890.
>
> The file "/var/lib/pki-tps/cgi-bin/home/index.cgi", which I haven't
> edited, produces:
>
>     Fedora Project
>     http://dhcp-12-90.il.tcs-sec.com:7888/nk_service
>     http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/enroll.cgi
>     http://www.fedora.redhat.com
>     userKey
>
> which again references port 7888.
>
>
> I have edited the file
> "user/lib/esc-1.1.0/defaults/preferences/esc-prefs.js", where I've set:
>
>     pref("esc.global.phone.home.url","http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi");

OK, here is why you aren't getting the phone home dialog. This optional config param was put in for those that didn't
want to be able to use a different phone home url for every token they use. This should prevent the dialog from coming up
and the system should use that particular phone home url to contact the TPS server.

One thing you could do is to hit that URL in a browser to make sure it is available. You should see a printout of that tiny
XML file you referenced above.

Based on this, it sounds like that maybe your token was not properly recognized by the client.


You could do the following:

1. Stop the pcscd daemon, I think it's service pcscd stop.

2. Run it in interactive mode. /usr/sbin/pcscd -d -f -a

This will print out what is going on.

3. Bring up ESC again and insert the token.

Have a look at the output and something might be useful for us to debug. Let us know.

If this doesn't give us any useful info, we can get some debug output from our PKCS#11 module coolkey.

1. In a terminal, with esc dead, set this env var:

COOL_KEY_LOG_FILE=/tmp/cool.log

2. Start ESC in the terminal : esc.

3. Take a look at the cool.log file and show us. There may be some obvious log statement that could be helpful.

>
>
> So, I'm confused as to why I don't see the "Phone Home Configuration
> Information" dialog that you mention.
>
> By default, does ESC communicate with TPS over HTTP port 7888? Is it
> necessary to switch ESC to use HTTPS port 7890?
>
> Is there part of installation or configuration of ESC and TPS that
> people (like me) regularly get wrong?
>
> Thanks,
> -- Steve Ross
>
>
> On 09/20/2013 06:39 PM, John Magne wrote:
> > Steve:
> >
> > Thanks for the query.
> >
> >
> > When you put in a blank token such as you have probably described, the ESC
> > should pop up
> > a "Phone Home" Dialog that asks you to type in a URL pointing to the TPS
> > Server that is part
> > of Dogtag Certificate System.
> >
> > If you do not get this Phone Home dialog there is possibly something wrong
> > there.
> >
> > As for smart card support we only have tested the main cards supported. If
> > there is some alternate
> > card being attempted, it MAY work but we can make no assurances there.
> >
> > thanks,
> > jack
> >
> >
> >
> > ----- Original Message -----
> >> From: "Steve Ross"
> >> To: pki-users at redhat.com
> >> Sent: Friday, September 20, 2013 3:20:22 PM
> >> Subject: [Pki-users] "Format" button never enabled in Enterprise Security
> >> Client
> >>
> >> I'm a new user of the Dogtag Certificate System...
> >>
> >> I am trying to create a certificate and write it to a smart card.
> >>
> >> My problem is that my Enterprise Security Client (ESC) does not allow me
> >> to format the smart card. When I insert the blank smart card, the ESC
> >> GUI shows
> >>     Issuer = Unknown
> >>     Issued To = Unknown
> >>     Status = Unformatted
> >>
> >> However, the "Format" button is disabled and remains so. Why? Is there
> >> any configuration that I need to do in one of the PKI subsystems or ESC
> >> itself?
> >>
> >> When I instead insert a Common Access Card (CAC), the ESC GUI shows
> >>     Issuer = U.S Government
> >>     Issued To =
> >>     Status = Enrolled
> >>
> >> and ESC is able to display the three certificates of the CAC. So, my
> >> hardware/software is working to the extent that it can read another card.
> >>
> >> I see the section in the Red Hat Certificate System (RHCS) 8.1
> >> "Deployment, Planning, and Installation" guide that says:
> >>
> >>     The Certificate System subsystems have been tested using the
> >>     following tokens:
> >>         Gemalto TOP IM FIPS CY2 64K token, both as a smart card and
> >>         GemPCKey USB form factor key
> >>         Gemalto Cyberflex e-gate 32K token
> >>         Safenet 330J Java smart card
> >>
> >> I also see the section of the RHCS "Managing Smart Cards with the
> >> Enterprise Security Client" that says:
> >>
> >>     The Enterprise Security Client supports smart cards which are
> >>     JavaCard 2.1 or higher and Global Platform 2.01-compliant and was
> >>     tested using the following cards:
> >>         Safenet 330J Java smart cards
> >>         Gemalto 64K V2 tokens, both as a smart card and GemPCKey USB
> >>         form factor key
> >>         Gemalto GCx4 72K and TOPDLGX4 144K common access cards (CAC)
> >>         Oberthur ID One V5.2 common access cards (CAC)
> >>         Personal identity verification (PIV) cards, compliant with FIPS
> >>         201
> >>
> >> The smart card that I'm using is none of the above, though it exceeds
> >> the standards that the ESC manual describes.
> >>
> >>
> >> Following are the details of my smart card, reader, and installed
> >> software:
> >>
> >> Smart card:
> >>     J2A080 - NXP JAVA based smart card, 80k EEPROM
> >>     This is supposed to meet the standards JCOP 2.4.1, JC 2.2.2, and GP
> >>     2.1.1.
> >>     It is a new card and is not supposed to have any applets on it.
> >>
> >>
> >> Smart card reader:
> >>     OmniKey 3121
> >>
> >>
> >> Operating system:
> >>     CentOS 5.9
> >>
> >>
> >> Software packages installed:
> >>     esc-1.1.0-14.el5.centos.1
> >>     pki-ca-1.3.6-1.el5
> >>     pki-tks-1.3.3-1.el5
> >>     pki-tps-1.3.1-1.el5
> >>     coolkey-1.1.0-15.el5
> >>     tomcat5-5.5.23-0jpp.40.el5_9
> >>     httpd-2.2.3-82.el5.centos
> >>
> >>
> >> Thanks in advance for any help,
> >> -- Steve Ross
> >>
> >

From sross at trustedcs.com Tue Sep 24 19:39:51 2013
From: sross at trustedcs.com (Steve Ross)
Date: Tue, 24 Sep 2013 14:39:51 -0500
Subject: [Pki-users] "Format" button never enabled in Enterprise Security Client
In-Reply-To: <625725539.878813.1379982054894.JavaMail.root@redhat.com>
References: <523CCA26.3050503@trustedcs.com>
 <1045007716.16102366.1379720360893.JavaMail.root@redhat.com>
 <5240D292.9020802@trustedcs.com>
 <625725539.878813.1379982054894.JavaMail.root@redhat.com>
Message-ID: <5241EA87.9040908@trustedcs.com>

Hi Jack, thanks for your suggestions. My responses are in-line, below.
-- Steve Ross

On 09/23/2013 07:20 PM, John Magne wrote:
> Steve greetings:
>
> Comments below:
>
>
>
> ----- Original Message -----
>> From: "Steve Ross"
>> To: "John Magne"
>> Cc: pki-users at redhat.com
>> Sent: Monday, September 23, 2013 4:45:22 PM
>> Subject: Re: [Pki-users] "Format" button never enabled in Enterprise Security Client
>>
>> Jack,
>>
>> Thanks for your quick reply.
>>
>> Regarding "Phone Home", I believe that both TPS and ESC are set up
>> correctly by default. For example, the TPS "CS.cfg" file contains the
>> lines:
>>     ...
>>     op.enroll.userKey.issuerinfo.enable=true
>>     op.enroll.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
>>     ...
>>     op.format.userKey.issuerinfo.enable=true
>>     op.format.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
>>
>> By using the "netstat" command, I can see that my TPS process is
>> listening on ports 7888, 7889, and 7890.
>>
>> The file "/var/lib/pki-tps/cgi-bin/home/index.cgi", which I haven't
>> edited, produces:
>>
>>     Fedora Project
>>     http://dhcp-12-90.il.tcs-sec.com:7888/nk_service
>>     http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/enroll.cgi
>>     http://www.fedora.redhat.com
>>     userKey
>>
>> which again references port 7888.
>>
>>
>> I have edited the file
>> "user/lib/esc-1.1.0/defaults/preferences/esc-prefs.js", where I've set:
>>
>>     pref("esc.global.phone.home.url","http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi");
> OK, here is why you aren't getting the phone home dialog. This optional config param was put in for those that didn't
> want to be able to use a different phone home url for every token they use. This should prevent the dialog from coming up
> and the system should use that particular phone home url to contact the TPS server.

Regarding the above "pref" statement, I killed the "escd" and "xulrunner"
processes, commented out the statement, and restarted "esc". However, I
still do *not* see any "Phone Home" dialog after I insert my unformatted
smart card.

>
> One thing you could do is to hit that URL in a browser to make sure it is available. You should see a printout of that tiny
> XML file you referenced above.

I verified that, as seen in a browser, I do indeed see the same 10-line
XML file that I referenced above from port 7888.

>
> Based on this, it sounds like that maybe your token was not properly recognized by the client.
>
>
> You could do the following:
>
> 1. Stop the pcscd daemon, I think it's service pcscd stop.
>
> 2. Run it in interactive mode. /usr/sbin/pcscd -d -f -a
>
> This will print out what is going on.
>
> 3. Bring up ESC again and insert the token.
> > Have a look at the output and something might be useful for us to debug. Let us know. My apologies for flooding this e-mail with a couple of long logs, but here goes... Following is the "pcscd" debug log with APDU's enabled. I don't really know the APDU commands and responses, but it looks like the "pcscd" client: 1. Requested three different Applet IDs, and none were found. 2. Requested any Applet ID and received a response. 3. Requested data and was told that the request contained the wrong length. and then the client repeated the same three steps, and then stopped. Following is the log. I've added some comments following the pound/hash symbol. --- begin "pcscd" log --- # Before executing "esc". winscard_msg_srv.c:217:SHMProcessEventsServer() Common channel packet arrival winscard_msg_srv.c:226:SHMProcessEventsServer() SHMProcessCommonChannelRequest detects: 7 pcscdaemon.c:174:SVCServiceRunLoop() A new context thread creation is requested: 7 winscard_svc.c:131:ContextThread() Thread is started: 7 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard_svc.c:179:ContextThread() Client is protocol version 2:2 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:242:SCardEstablishContext() Establishing Context: 17015714 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:298:SCardConnect() Attempting Connect to OmniKey CardMan 3121 00 00 using protocol: 3 winscard.c:360:SCardConnect() Card Not Inserted winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:298:SCardConnect() Attempting Connect to OmniKey CardMan 3121 00 00 using protocol: 3 winscard.c:360:SCardConnect() Card Not Inserted winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:298:SCardConnect() Attempting Connect to OmniKey CardMan 3121 00 00 using protocol: 3 winscard.c:360:SCardConnect() Card Not Inserted 
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:298:SCardConnect() Attempting Connect to OmniKey CardMan 3121 00 00 using protocol: 3 winscard.c:360:SCardConnect() Card Not Inserted # After executing "esc". # Before inserting card ifdhandler.c:924:IFDHPowerICC() lun: 0, action: PowerUp winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:298:SCardConnect() Attempting Connect to OmniKey CardMan 3121 00 00 using protocol: 3 prothandler.c:130:PHSetProtocol() Attempting PTS to T=1 ifdhandler.c:488:IFDHSetProtocolParameters() lun: 0, protocol T=1 ifdhandler.c:1451:extra_egt() Extra EGT patch applied winscard.c:433:SCardConnect() Active Protocol: T=1 winscard.c:443:SCardConnect() hCard Identity: 15e47 eventhandler.c:431:EHStatusHandlerThread() Card inserted into OmniKey CardMan 3121 00 00 Card ATR: 3B F6 18 00 FF 81 31 FE 45 4A 32 41 30 38 30 1B winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1023:SCardBeginTransaction() Status: 0x00000000 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 07 62 76 01 FF 00 00 00 ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6A 82 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 07 A0 00 00 01 16 DB 00 ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6A 82 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 07 A0 00 00 00 79 01 00 ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6A 82 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 
winscard.c:1171:SCardEndTransaction() Status: 0x00000000 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1023:SCardBeginTransaction() Status: 0x00000000 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 00 ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65 01 FF 9F 6E 06 47 91 00 78 33 00 73 4A 06 07 2A 86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B 02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64 0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09 2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 04 01 2A 02 6E 01 02 90 00 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 80 CA 9F 7F 2D ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 67 00 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 winscard.c:1171:SCardEndTransaction() Status: 0x00000000 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7 ... There are a total of 26 repetitions of this logging statement.... 
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 7
winscard_msg_srv.c:217:SHMProcessEventsServer() Common channel packet arrival
winscard_msg_srv.c:226:SHMProcessEventsServer() SHMProcessCommonChannelRequest detects: 8
pcscdaemon.c:174:SVCServiceRunLoop() A new context thread creation is requested: 8
winscard_svc.c:131:ContextThread() Thread is started: 8
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard_svc.c:179:ContextThread() Client is protocol version 2:2
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:242:SCardEstablishContext() Establishing Context: 17006901
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:298:SCardConnect() Attempting Connect to OmniKey CardMan 3121 00 00 using protocol: 3
winscard.c:433:SCardConnect() Active Protocol: T=1
winscard.c:443:SCardConnect() hCard Identity: 116b5
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:1023:SCardBeginTransaction() Status: 0x00000000
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 07 62 76 01 FF 00 00 00
ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6A 82
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 07 A0 00 00 01 16 DB 00
ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6A 82
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 07 A0 00 00 00 79 01 00
ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6A 82
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:1171:SCardEndTransaction() Status: 0x00000000
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:1023:SCardBeginTransaction() Status: 0x00000000
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 00
ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65 01 FF 9F 6E 06 47 91 00 78 33 00 73 4A 06 07 2A 86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B 02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64 0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09 2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 04 01 2A 02 6E 01 02 90 00
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 80 CA 9F 7F 2D
ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 67 00
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
winscard.c:1171:SCardEndTransaction() Status: 0x00000000
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
... There are a total of 52 repetitions of this logging statement....
winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 8
# After card inserted.
--- end "pcscd" log ---

> > If this doesn't give us any useful info, we can get some debug output from our PKCS#11 module coolkey.
> >
> > 1. In a terminal, with esc dead, set this env var:
> >
> > COOL_KEY_LOG_FILE=/tmp/cool.log
> >
> > 2. Start ESC in the terminal : esc.
> >
> > 3. Take a look at the cool.log file and show us. There may be some obvious log statement that could be helpful.
>

--- begin "coolkey" log ---
card changed
cleared all sessions
isTokenPresent, card state is 0x1
C_WaitForSlotEvent called
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
isTokenPresent, card state is 0x1
C_WaitForSlotEvent called
# After starting "esc".
# Before inserting card.
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 414 ms
time connect: Read Slot 414 ms
time connect: connection status 415 ms
time connnect: Begin transaction 415 ms
CoolKey Select failed 0x6
CAC Select failed 0x6
isTokenPresent, card state is 0xe
C_GetTokenInfo called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_GetMechanismList called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_GetMechanismList returning 0
C_GetMechanismList called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_GetMechanismList returning 0
C_OpenSession called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_FindObjectsInit called, 1 templates
template [00] type: 0000, pValue: b7f82174, ulValueLen: 00000004, value: 3461563221
calling IsConnected
IsConnected returned false
C_FindObjectsInit found matching object 0x00000002
C_FindObjects called, max objects = 10
calling IsConnected
IsConnected returned false
returned 1 objects: 0x00000002
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: 0003, pValue: 00000000, ulValueLen: 00000000
calling IsConnected
IsConnected returned false
template [00] type: 0003, pValue: 00000000, ulValueLen: 0000001a
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: 0003, pValue: 08877338, ulValueLen: 0000001a
calling IsConnected
IsConnected returned false
template [00] type: 0003, pValue: 08877338, ulValueLen: 0000001a
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: ce534369, pValue: 00000000, ulValueLen: 00000000
calling IsConnected
IsConnected returned false
template [00] type: ce534369, pValue: 00000000, ulValueLen: 00000010
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: ce534369, pValue: 08877390, ulValueLen: 00000010
calling IsConnected
IsConnected returned false
template [00] type: ce534369, pValue: 08877390, ulValueLen: 00000010
C_GetTokenInfo called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: ce534368, pValue: 00000000, ulValueLen: 00000000
calling IsConnected
IsConnected returned false
template [00] type: ce534368, pValue: 00000000, ulValueLen: 00000001
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: ce534368, pValue: 088773a8, ulValueLen: 00000001
calling IsConnected
IsConnected returned false
template [00] type: ce534368, pValue: 088773a8, ulValueLen: 00000001
C_WaitForSlotEvent called
Initialize called, hello 5
C_GetInfo called
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 412 ms
time connect: Read Slot 412 ms
time connect: connection status 412 ms
time connnect: Begin transaction 413 ms
CoolKey Select failed 0x6
CAC Select failed 0x6
isTokenPresent, card state is 0xe
C_GetSlotList called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
Called C_GetSlotInfo
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_GetTokenInfo called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_GetMechanismList called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_GetMechanismList returning 0
C_GetMechanismList called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_GetMechanismList returning 0
C_OpenSession called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_FindObjectsInit called, 1 templates
template [00] type: 0000, pValue: bffda99c, ulValueLen: 00000004, value: 3461563220
calling IsConnected
IsConnected returned false
C_FindObjects called, max objects = 1
calling IsConnected
IsConnected returned false
returned 0 objects:
C_WaitForSlotEvent called
Called C_GetSlotInfo
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_GetSessionInfo called
calling IsConnected
IsConnected returned false
C_FindObjectsInit called, 1 templates
template [00] type: 0000, pValue: ad5fe174, ulValueLen: 00000004, value: 3461563221
calling IsConnected
IsConnected returned false
C_FindObjectsInit found matching object 0x00000002
C_FindObjects called, max objects = 10
calling IsConnected
IsConnected returned false
returned 1 objects: 0x00000002
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: 0003, pValue: 00000000, ulValueLen: 00000000
calling IsConnected
IsConnected returned false
template [00] type: 0003, pValue: 00000000, ulValueLen: 0000001a
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: 0003, pValue: b1f39520, ulValueLen: 0000001a
calling IsConnected
IsConnected returned false
template [00] type: 0003, pValue: b1f39520, ulValueLen: 0000001a
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: ce534369, pValue: 00000000, ulValueLen: 00000000
calling IsConnected
IsConnected returned false
template [00] type: ce534369, pValue: 00000000, ulValueLen: 00000010
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: ce534369, pValue: b1f3b6f0, ulValueLen: 00000010
calling IsConnected
IsConnected returned false
template [00] type: ce534369, pValue: b1f3b6f0, ulValueLen: 00000010
C_GetTokenInfo called
calling IsConnected
IsConnected returned false
isTokenPresent, card state is 0xe
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: ce534368, pValue: 00000000, ulValueLen: 00000000
calling IsConnected
IsConnected returned false
template [00] type: ce534368, pValue: 00000000, ulValueLen: 00000001
C_GetAttributeValue called, 1 templates for object 0x00000002
template [00] type: ce534368, pValue: b7d41c14, ulValueLen: 00000001
calling IsConnected
IsConnected returned false
template [00] type: ce534368, pValue: b7d41c14, ulValueLen: 00000001
C_WaitForSlotEvent called
C_FindObjectsInit called, 2 templates
template [00] type: 0001, pValue: 05be5874, ulValueLen: 00000001
template [01] type: 0000, pValue: bffda4b8, ulValueLen: 00000004, value: 3461563219
calling IsConnected
IsConnected returned false
C_FindObjects called, max objects = 10
calling IsConnected
IsConnected returned false
returned 0 objects:
C_FindObjectsInit called, 2 templates
template [00] type: 0001, pValue: 05be5874, ulValueLen: 00000001
template [01] type: 0000, pValue: 05be5878, ulValueLen: 00000004, value: 1
calling IsConnected
IsConnected returned false
C_FindObjects called, max objects = 16
calling IsConnected
IsConnected returned false
returned 0 objects:
C_GetSessionInfo called
calling IsConnected
IsConnected returned false
C_FindObjectsInit called, 2 templates
template [00] type: 0001, pValue: 05be5874, ulValueLen: 00000001
template [01] type: 0000, pValue: 05be5878, ulValueLen: 00000004, value: 1
calling IsConnected
IsConnected returned false
C_FindObjects called, max objects = 16
calling IsConnected
IsConnected returned false
returned 0 objects:
# "esc" GUI appears.
--- end "coolkey" log ---

>
>
>>
>> So, I'm confused as to why I don't see the "Phone Home Configuration
>> Information" dialog that you mention.
>>
>> By default, does ESC communicate with TPS over HTTP port 7888? Is it
>> necessary to switch ESC to use HTTPS port 7890?
>>
>> Is there part of installation or configuration of ESC and TPS that
>> people (like me) regularly get wrong?
>>
>> Thanks,
>> -- Steve Ross
>>
>>

From anyang at waycooler.co Fri Sep 27 05:25:41 2013
From: anyang at waycooler.co (An Yang)
Date: Fri, 27 Sep 2013 13:25:41 +0800
Subject: [Pki-users] will the new version of RHCS support RHEL6?
Message-ID:

Hi all,

I'm a beginner of the dogtag certificate system, dogtag (RHCS) is a wonderful project, but I'm confused about RHCS, could you give any help?

The latest version of RHCS is 8.1, which is based on dogtag 8.1, it supports RHEL5.8, and in RHEL6, pki-ca 9.0.3 was included without the other 5 subsystems, could you show me the consideration why RHCS does not support RHEL6?
Is RHEL6 not secure enough or some other reasons?

Regards.
An Yang

From nkinder at redhat.com Fri Sep 27 19:03:02 2013
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 27 Sep 2013 12:03:02 -0700
Subject: [Pki-users] will the new version of RHCS support RHEL6?
In-Reply-To:
References:
Message-ID: <5245D666.8030508@redhat.com>

On 09/26/2013 10:25 PM, An Yang wrote:
> Hi all,
>
> I'm a beginner of the dogtag certificate system, dogtag (RHCS) is a
> wonderful project, but I'm confused about RHCS, could you give any help?
>
> The latest version of RHCS is 8.1, which is based on dogtag 8.1, it
> supports RHEL5.8, and in RHEL6, pki-ca 9.0.3 was included without the
> other 5 subsystems, could you show me the consideration why RHCS does
> not support RHEL6?
> Is RHEL6 not secure enough or some other reasons?
It was simply not a targeted platform (nor are there plans to release it there). The pki-ca portion is included for use by IdM (based on the FreeIPA project).

Thanks,
-NGK
>
> Regards.
> An Yang
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From anyang at waycooler.co Sat Sep 28 08:04:53 2013
From: anyang at waycooler.co (An Yang)
Date: Sat, 28 Sep 2013 16:04:53 +0800
Subject: [Pki-users] Could RHCS81 run under RHEL59?
Message-ID:

Hi all,

service pki-ca start failed, in catalina.out:
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/logging.properties read)

The same installation method is OK under RHEL58, but could not run under RHEL59.

From alee at redhat.com Mon Sep 30 13:33:28 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 30 Sep 2013 09:33:28 -0400
Subject: [Pki-users] Could RHCS81 run under RHEL59?
In-Reply-To:
References:
Message-ID: <1380548008.2851.31.camel@aleeredhat.laptop>

Please open a bugzilla and attach the stack trace. Please indicate the versions of pki-ca, pki-common and tomcat.

This sounds like an update may be needed to the Java security policy. In the meantime, to get the server to start, you can disable the Java security manager by editing /etc/sysconfig/pki-ca and setting:

SECURITY_MANAGER="false"

Ade

On Sat, 2013-09-28 at 16:04 +0800, An Yang wrote:
> Hi all,
>
> service pki-ca start failed, in catalina.out:
> Caused by: java.security.AccessControlException: access denied
> (java.io.FilePermission /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/logging.properties read)
>
> The same installation method is OK under RHEL58, but could not run
> under RHEL59.
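The pcscd trace quoted earlier in this digest (the ESC/coolkey thread) becomes much easier to read once each SCardTransmit()/IFDHTransmitToICC() pair is decoded as an ISO/IEC 7816-4 command APDU and status word. The decoder below is an added example written for this archive page; it is not code from pcscd, coolkey or ESC. It assumes pcscd's debug line format as quoted above and uses a small lookup table of application identifiers (GlobalPlatform card manager, CoolKey applet, the DoD and NIST RIDs) that is the editor's assumption about well-known values, not something the log itself states. The sample input is the five transmit/reply pairs from the quoted trace, re-split one record per line.

```python
"""Decode the SCardTransmit()/IFDHTransmitToICC() pairs in a pcscd debug log. Added example for
this archive page, not pcscd/coolkey/ESC code. APDU layout and status words follow ISO/IEC 7816-4."""
import re
from collections import namedtuple

# Constructed sample: the five transmit/reply pairs quoted in the pcscd log above, one record per line.
SAMPLE_LOG = """\
winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 00
ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65 01 FF 9F 6E 06 47 91 00 78 33 00 73 4A 06 07 2A 86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B 02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64 0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09 2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 04 01 2A 02 6E 01 02 90 00
winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 80 CA 9F 7F 2D
ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 67 00
winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 07 62 76 01 FF 00 00 00
ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6A 82
winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 07 A0 00 00 01 16 DB 00
ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6A 82
winscard.c:1601:SCardTransmit() Send Protocol: T=1 APDU: 00 A4 04 00 07 A0 00 00 00 79 01 00
ifdhandler.c:1035:IFDHTransmitToICC() lun: 0 SW: 6A 82
"""
# Each SCardTransmit() record is followed by the IFDHTransmitToICC() reply: response data, then SW1 SW2.
PAIR_RE = re.compile(r"APDU:((?: [0-9A-F]{2})+).*?SW:((?: [0-9A-F]{2})+)", re.DOTALL)
INS_NAMES = {0xA4: "SELECT", 0xCA: "GET DATA", 0x20: "VERIFY", 0xB0: "READ BINARY"}
# Editor's assumptions about well-known identifiers; a RID is the first five AID bytes (ISO 7816-5).
KNOWN_AIDS = {"A000000003000000": "GlobalPlatform card manager", "627601FF000000": "CoolKey applet"}
KNOWN_RIDS = {"A000000079": "US DoD (CAC) RID", "A000000116": "NIST GSC-IS RID"}
# data: command data field (after Lc); le: Le or None; response: reply minus status bytes; sw: SW1SW2.
Exchange = namedtuple("Exchange", "cla ins p1 p2 data le response sw")


def select_aid(ex):  # SELECT by name (INS=A4, P1=04) carries the application identifier as its data
    return ex.data if ex.ins == 0xA4 and ex.p1 == 0x04 else None


def parse_apdu(raw: bytes) -> tuple:
    """Split a short-form command APDU into header, optional Lc+data and optional Le."""
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                                   # case 2: header + Le
        le = body[0]
    elif len(body) > 1:                                  # case 3/4: header + Lc + data [+ Le]
        lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the data field")
        le = rest[0] if rest else None
    return cla, ins, p1, p2, data, le


def parse_exchanges(log_text: str) -> list:
    """Pair every APDU in the log with the reply that follows it (works on run-together text too)."""
    exchanges = []
    for apdu_hex, reply_hex in PAIR_RE.findall(log_text):
        reply = bytes.fromhex(reply_hex.replace(" ", ""))
        header = parse_apdu(bytes.fromhex(apdu_hex.replace(" ", "")))
        exchanges.append(Exchange(*header, reply[:-2], int.from_bytes(reply[-2:], "big")))
    return exchanges


def parse_tlv(data: bytes) -> list:
    """Walk one level of BER-TLV with 1- or 2-byte tags and single-byte (short form) lengths."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]; i += 1
        if tag & 0x1F == 0x1F:                           # two-byte tag such as 9F 65
            tag = (tag << 8) | data[i]; i += 1
        length = data[i]; i += 1
        out.append((tag, data[i:i + length])); i += length
    return out


def fci_df_name(response: bytes):
    """Tag 84 (DF name, i.e. the AID actually selected) inside a SELECT response FCI template (6F)."""
    fci = dict(parse_tlv(response)).get(0x6F, b"")
    return dict(parse_tlv(fci)).get(0x84)


def sw_meaning(sw: int) -> str:
    """Plain-language meaning of an ISO 7816-4 status word."""
    if sw == 0x9000:
        return "OK"
    if sw & 0xFFF0 == 0x63C0:
        return f"verification failed, {sw & 0x0F} tries left"
    return {0x6700: "wrong length (Lc/Le)", 0x6982: "security status not satisfied",
            0x6983: "authentication method blocked", 0x6A82: "file or application not found",
            0x6A86: "incorrect P1/P2", 0x6D00: "instruction not supported",
            0x6E00: "class not supported"}.get(sw, "unknown status word")


def name_aid(aid: bytes) -> str:
    h = aid.hex().upper()
    return KNOWN_AIDS.get(h) or KNOWN_RIDS.get(h[:10], "unknown application")


def describe(ex) -> str:
    text = f"{INS_NAMES.get(ex.ins, 'INS %02X' % ex.ins)} CLA={ex.cla:02X} P1P2={ex.p1:02X}{ex.p2:02X}"
    aid = select_aid(ex)
    if aid is not None:                                  # an empty AID selects the card's default application
        text += f" AID={aid.hex().upper() or 'none'}" + (f" [{name_aid(aid)}]" if aid else "")
    if ex.le is not None:
        text += f" Le={ex.le:02X}"
    df = fci_df_name(ex.response) if aid is not None and ex.sw == 0x9000 else None
    if df is not None:
        text += f" -> FCI DF name {df.hex().upper()} [{name_aid(df)}]"
    return text + f" -> SW={ex.sw:04X} ({sw_meaning(ex.sw)})"


def missing_applets(exchanges: list) -> list:
    """AIDs whose SELECT ended in 6A82: applets this card does not have (or will not select)."""
    return [select_aid(ex) for ex in exchanges if select_aid(ex) and ex.sw == 0x6A82]


if __name__ == "__main__":
    print(*map(describe, parse_exchanges(SAMPLE_LOG)), sep="\n")
```

Run on the sample, the readout shows the empty SELECT answered with an FCI whose DF name is A0 00 00 00 03 00 00 00, the GET DATA for object 9F 7F (Le=2D) answered with 67 00 (wrong length), and the three SELECTs by AID answered with 6A 82, which is the APDU-level view of the "CoolKey Select failed" and "CAC Select failed" lines in the coolkey log that follows it. The regex pairs each APDU with the next SW, so it also parses the run-together form of the trace as it appears in the archive.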