From kobus.bensch at trustpayglobal.com Mon Jan 19 22:09:24 2015
From: kobus.bensch at trustpayglobal.com (Kobus Bensch)
Date: Mon, 19 Jan 2015 22:09:24 +0000
Subject: [Pki-users] Setup Issue - Admin user creation
Message-ID: <54BD8094.2010804@trustpayglobal.com>

Hi

I installed dogtag 4 times today and every time I get to a certain point and the same issue.

When I get to creating the admin user, the system just sits there not finishing the action. Has anybody come across this issue and if so, how did you fix it?

I installed the system on CentOS 6.6

Thanks

Kobus

--
Trustpay Global Limited is an authorised Electronic Money Institution regulated by the Financial Conduct Authority registration number 900043. Company No 07427913 Registered in England and Wales with registered address 130 Wood Street, London, EC2V 6DL, United Kingdom.

For further details please visit our website at www.trustpayglobal.com.

The information in this email and any attachments are confidential and remain the property of Trustpay Global Ltd unless agreed by contract. It is intended solely for the person to whom or the entity to which it is addressed. If you are not the intended recipient you may not use, disclose, copy, distribute, print or rely on the content of this email or its attachments. If this email has been received by you in error please advise the sender and delete the email from your system. Trustpay Global Ltd does not accept any liability for any personal view expressed in this message.

From batkisso at redhat.com Mon Jan 19 22:32:15 2015
From: batkisso at redhat.com (Brian Atkisson)
Date: Mon, 19 Jan 2015 17:32:15 -0500 (EST)
Subject: [Pki-users] Setup Issue - Admin user creation
In-Reply-To: <54BD8094.2010804@trustpayglobal.com>
References: <54BD8094.2010804@trustpayglobal.com>
Message-ID: <818667DC-45DE-46A2-A2D7-719329F673D5@redhat.com>

Is that in the web setup GUI? I've seen this where in Firefox you have to manually import the CA cert before the admin cert will load.
Cheers,
Brian

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users

From kobus.bensch at trustpayglobal.com Mon Jan 19 22:34:54 2015
From: kobus.bensch at trustpayglobal.com (Kobus Bensch)
Date: Mon, 19 Jan 2015 22:34:54 +0000
Subject: [Pki-users] Setup Issue - Admin user creation
In-Reply-To: <818667DC-45DE-46A2-A2D7-719329F673D5@redhat.com>
References: <54BD8094.2010804@trustpayglobal.com> <818667DC-45DE-46A2-A2D7-719329F673D5@redhat.com>
Message-ID: <54BD868E.6050200@trustpayglobal.com>

Thank you

Yes, in the GUI. I have already tried to manually import into Firefox.
Still the same issue.

Kobus

From kobus.bensch at trustpayglobal.com Tue Jan 20 11:34:58 2015
From: kobus.bensch at trustpayglobal.com (Kobus Bensch)
Date: Tue, 20 Jan 2015 11:34:58 +0000
Subject: [Pki-users] Setup Issue - Admin user creation
In-Reply-To: <54BD868E.6050200@trustpayglobal.com>
References: <54BD8094.2010804@trustpayglobal.com> <818667DC-45DE-46A2-A2D7-719329F673D5@redhat.com> <54BD868E.6050200@trustpayglobal.com>
Message-ID: <54BE3D62.6000508@trustpayglobal.com>

OK, I have started again. Deleted all certs from Firefox and Windows Certificates MMC. Executed the following and I still get no further from the Admin user screen. Can anybody shed some light please?
Set hostname FQDN
enable remi and remiphp55
yum -y install perl php httpd
Edit /etc/hosts - add system name and ipaddress
setenforce 0
chkconfig iptables off
service iptables stop
yum -y install wget
wget http://mirror.bytemark.co.uk/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm http://remi.check-update.co.uk/enterprise/remi-release-6.rpm
yum localinstall *.rpm -y
useradd ds389
yum -y install 389-ds
/usr/sbin/setup-ds.pl
yes
yes
2
dogtag.domain.com
apache
apache
389
dogtag
dc=domian, dc=com
cn=Directory Manager
service httpd start
service dirsrv start
chkconfig dirsrv on
chkconfig httpd on
yum -y install pki-ca
wget http://b72e18005286881a03f27d32.fcc.netdna-cdn.com/wp-content/uploads/2014/08/dogtag_fedora_theme.tar.gz?7e26d5
mv dogtag_fedora_theme.tar.gz?7e26d5 dogtag_fedora_theme.tar.gz
rpm -e ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-pki-ca-theme-9.0.3-7.el6.noarch --nodeps
tar -zxf dogtag_fedora_theme.tar.gz
yum -y localinstall dogtag-pki-kra-theme-9.0.15-1.fc17.noarch.rpm dogtag-pki-tps-theme-9.0.15-1.fc17.noarch.rpm dogtag-pki-ocsp-theme-9.0.15-1.fc17.noarch.rpm dogtag-pki-ra-theme-9.0.15-1.fc17.noarch.rpm dogtag-pki-common-theme-9.0.15-1.fc17.noarch.rpm dogtag-pki-theme-9.0.15-1.fc17.src.rpm dogtag-pki-console-theme-9.0.15-1.fc17.noarch.rpm dogtag-pki-tks-theme-9.0.15-1.fc17.noarch.rpm
yum -y localinstall dogtag-pki-ca-theme-9.0.15-1.fc17.noarch.rpm
pkicreate -pki_instance_root=/var/lib -pki_instance_name=domain-ca -subsystem_type=ca -agent_secure_port=9443 -ee_secure_port=9444 -ee_secure_client_auth_port=9446 -admin_secure_port=9447 -unsecure_port=9180 -tomcat_server_port=9701 -user=pkiuser -group=pkiuser -redirect conf=/etc/domain-ca -redirect logs=/var/log/domain-ca -verbose
service httpd restart
service dirsrv restart
Browse to supplied URL at end of previous command
Next
Next
New CA
CA Name = Domain Domain CA
Next
New CA Subsystem
Subsystem name = Domain Ltd Certificate Authority
Next
Make this a Self-Signed Root CA within this new PKI hierarchy.
Next
Enter Directory Server password
Next
Use the default key size (2048 bits).
Next
Prepend all nicknames with TPG DogTag
Next
Apply
Next
Export subsystem keys and certificates
Password
Next
Save File then do the following:
Rename savepkcs12 to savepkcs12.p12
Start --> Run --> mmc --> Enter
File --> Add/Remove Snapins --> Computer Account --> Local Computer --> Ok --> Ok
Open Trusted Root Certification Authorities
Open Certificates
Right Click Certificates --> All Tasks --> Import
Next
Browse to File
Next
Password
Next
Next
Finish
Ok
Back to Browser click Next
Import same file into Browser
Next
Enter Admin UID Name Email Password
Next

From rperez at pgjtabasco.gob.mx Fri Jan 23 04:55:39 2015
From: rperez at pgjtabasco.gob.mx (Ricardo Alexander Alexander Perez Ricardez)
Date: Thu, 22 Jan 2015 22:55:39 -0600 (CST)
Subject: [Pki-users] error 207 (net::err_cert_invalid)
Message-ID: <2019162146.177765.1421988939678.JavaMail.root@pgjtabasco.gob.mx>

When I try to import a certificate I get this message:

error 207 (net::err_cert_invalid)

I use the Google Chrome browser on Linux.

From ftweedal at redhat.com Fri Jan 23 05:45:03 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 23 Jan 2015 15:45:03 +1000
Subject: [Pki-users] error 207 (net::err_cert_invalid)
In-Reply-To: <2019162146.177765.1421988939678.JavaMail.root@pgjtabasco.gob.mx>
References: <2019162146.177765.1421988939678.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <20150123054503.GS5536@dhcp-40-8.bne.redhat.com>

Can you provide more information? Can OpenSSL successfully parse the certificate? Are you trying to import a CA/server certificate or a user certificate (PKCS #12 format)?
Regards,
Fraser

From ftweedal at redhat.com Fri Jan 23 06:10:04 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 23 Jan 2015 16:10:04 +1000
Subject: [Pki-users] error 207 (net::err_cert_invalid)
In-Reply-To: <2019162146.177765.1421988939678.JavaMail.root@pgjtabasco.gob.mx>
References: <2019162146.177765.1421988939678.JavaMail.root@pgjtabasco.gob.mx>
Message-ID: <20150123061004.GT5536@dhcp-40-8.bne.redhat.com>

OK, I have reproduced the problem. Apparently Chrome does not like PEM. Perhaps we can inspect the User-Agent and serve up DER for Chrome and PEM for everyone else. I will file a ticket, anyhow.

Firefox works just fine, if you can use it, though you will have to enrol anew.
Regards,
Fraser

From ftweedal at redhat.com Fri Jan 23 06:45:15 2015
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 23 Jan 2015 16:45:15 +1000
Subject: [Pki-users] error 207 (net::err_cert_invalid)
In-Reply-To: <20150123054503.GS5536@dhcp-40-8.bne.redhat.com>
References: <2019162146.177765.1421988939678.JavaMail.root@pgjtabasco.gob.mx> <20150123054503.GS5536@dhcp-40-8.bne.redhat.com>
Message-ID: <20150123064515.GU5536@dhcp-40-8.bne.redhat.com>

OK, I reproduced the issue. It seems to be a quirk of Google Chrome (it expects DER, not PEM; see https://productforums.google.com/forum/#!topic/chrome/xAk3G8ClKYI). If you can use Firefox instead, it will work, although you will have to enrol anew. I will file a ticket about the Chrome behaviour.

Cheers,
Fraser

From jgallartm at gmail.com Fri Jan 23 16:14:42 2015
From: jgallartm at gmail.com (Javier Gallart)
Date: Fri, 23 Jan 2015 17:14:42 +0100
Subject: [Pki-users] Unable to format smart card

Hello all

First question in the list.
I recently installed Dogtag version 10.2.1. Testing is going fine so far, with the exception of the smart card format stage.

Let me give you the specs of the system:
-Dogtag runs on a Fedora20 x86_64
-ESC (version esc-1.1.0-14.el5.centos1) runs on a CentOS 5.11 x86_64
-Smart Card Model: SmartCafe Expert 3.2 72K from G&D with 72K on-board EEPROM

When I push the format button, the authentication looks good; however the operation fails throwing this message: "The Smart Card Server cannot establish a secure channel with the smart card".

Looking at the logs:

----TPS----
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSEngine.computeSessionKey: Non zero status result: 1
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: Message processing failed: TPSProcessor.setupSecureChannel: Can't set up secure channel: TPSEngine.computeSessionKey: invalid returned status: 1
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSMessage.write: Writing: s=43&msg_type=13&operation=5&result=1&message=17
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: TPSSession.process: leaving: result: 1 status: STATUS_ERROR_SECURE_CHANNEL
[23/Jan/2015:11:05:05][http-bio-8443-exec-11]: After session.process() exiting ...

----TKS----
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x1, xkeyInfo[1] = 0x2
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x0
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD.
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet about to try ComputeSessionKey selectedToken=Internal Key Storage Token keyNickName=#01#02
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:Tried ComputeSessionKey, got NULL
java.lang.Exception: Can't compute session key!

(...)
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet Computing Session Key: java.lang.Exception: Can't compute session key!
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:outputString.encode status=1
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: TokenServlet:outputString.length 8
[23/Jan/2015:11:05:05][http-bio-8443-exec-14]: SignedAuditEventFactory: create() message=[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded=00002161960056514505][KDD_decoded=00002161960056514505][Outcome=Failure][status=1][AgentID=xxxxx-8443][IsCryptoValidate=true][IsServerSideKeygen=false][SelectedToken=Internal Key Storage Token][KeyNickName=#01#02][TKSKeyset=defKeySet][KeyInfo_KeyVersion=0x1][NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false][Error=Problem generating session key info.] TKS Compute session key request failed

Any idea about where the problem might be?

Thanks in advance

Regards

Javi

From jmagne at redhat.com Fri Jan 23 18:24:40 2015
From: jmagne at redhat.com (John Magne)
Date: Fri, 23 Jan 2015 13:24:40 -0500 (EST)
Subject: [Pki-users] Unable to format smart card
Message-ID: <203283648.17134256.1422037480920.JavaMail.zimbra@redhat.com>

Hi:

Interesting..

Couple of questions.

Are you using the developer key set to start out or have you already attempted symmetric key changeover?

Have you tried to at least establish a secure channel with "gpshell"?

Is this a gp2.1.1 card perchance or 2.0.1, which is what we support right this minute?

My quick advice would be to try first to get a secure channel with gpshell.

If you fail in this fashion 3 times or more, your card is toast.

Also, your CS.cfg might be helpful.
thanks,
jack

From jgallartm at gmail.com Mon Jan 26 15:47:32 2015
From: jgallartm at gmail.com (Javier Gallart)
Date: Mon, 26 Jan 2015 15:47:32 +0000
Subject: [Pki-users] Fwd: Unable to format smart card
References: <203283648.17134256.1422037480920.JavaMail.zimbra@redhat.com>

Forgot to copy the list....
Javi

---------- Forwarded message ----------
From: Javier Gallart
Date: Mon, Jan 26, 2015 at 12:21 PM
Subject: Re: [Pki-users] Unable to format smart card
To: John Magne

Thanks Jack, my replies:

On Fri, Jan 23, 2015 at 6:24 PM, John Magne wrote:
> Hi:
>
> Interesting..
>
> Couple of questions.
>
> Are you using the developer key set to start out or have you already
> attempted symmetric key changeover?

I am using the developer key set.

> Have you tried to at least establish a secure channel with "gpshell"?

Yes, I've been able to establish a secure channel with gpshell.

> Is this a gp2.1.1 card per chance or 2.0.1, which is what we support right
> this minute?

I am using a gp2.1.1 card, I guess this is the problem?

> My quick advice would be to try first to get a secure channel with gpshell.
>
> If you fail in this fashion 3 times or more, your card is toast.
>
> Also, your CS.cfg might be helpful.

Attaching CS.cfg for tps and tks.

Regards

Javi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tks.cfg
Type: application/octet-stream
Size: 28338 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tps.cfg
Type: application/octet-stream
Size: 90970 bytes

From yoshi314 at gmail.com Wed Jan 28 14:37:18 2015
From: yoshi314 at gmail.com (marcin kowalski)
Date: Wed, 28 Jan 2015 15:37:18 +0100
Subject: [Pki-users] initial setup difficulties with dogtag ca instance

Hi, I am testing out dogtag and I wanted to set up a simple local CA to take it for a spin.

Following the docs, I created a directory server, pkispawn'ed the CA and KRA instances and after importing the certificate into my browser for administrative access the difficulties started.
Most guides I found refer to different versions of dogtag apparently, because they show output of the pkicreate command which seems no longer to exist, and then they lead the user to a "CA Setup Wizard" page where all CA configuration happens. I somehow do not get any access to such a page, so probably the procedure is different now.

I cannot find any such option in the web interface, and I am not exactly sure what I am missing here. It must be something obvious.

Everything was done on a current Fedora installation, with no extra repositories configured.

From alee at redhat.com Wed Jan 28 16:36:50 2015
From: alee at redhat.com (Ade Lee)
Date: Wed, 28 Jan 2015 11:36:50 -0500
Subject: [Pki-users] initial setup difficulties with dogtag ca instance
Message-ID: <1422463010.1439.7.camel@alee-redhat.laptop>

Hi,

pkispawn is indeed different from the old pkicreate/web UI configuration that is used in RHCS 8.x. The old method required you to pkicreate the instance and then go through the web UI to configure it. pkispawn does creation and configuration all together in one non-interactive step.

So, what that means is that it's super easy to take dogtag for a spin. Just do as you have done and run pkispawn, answering all of the questions along the way. You then have a fully functional CA/KRA - with no further configuration required.

Now, if you want to customize the system certs, you can run pkispawn with a config file. To see how to do this, type "man pkispawn". This will provide examples and point you to more detailed man pages.

Ade
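As an added illustration of the config-file route Ade describes (this is not code from the thread or from the Dogtag project), the fragment below is a pkispawn deployment file that overrides the default system-certificate parameters. The section and key names follow the pki_default.cfg(5) man page as far as I know them; the instance name, ports, DNs, security domain and passwords are placeholders I have assumed, and the exact key set should be checked against "man pki_default.cfg" for the installed version.

```ini
# Added example, not from the thread or the Dogtag project.
# Usage (assumed invocation, root shell):  pkispawn -s CA -f ./ca.cfg
# Every value below is a placeholder chosen for illustration.

[DEFAULT]
pki_instance_name=pki-tomcat
pki_http_port=8080
pki_https_port=8443
# Secrets live in this file, so keep it readable by root only (mode 0600)
# and remove it once the instance is deployed.
pki_admin_password=CHANGE_ME_admin
pki_client_pkcs12_password=CHANGE_ME_pkcs12
pki_ds_password=CHANGE_ME_directory_manager

[CA]
# Admin user and the security domain this CA will create.
pki_admin_email=caadmin@example.test
pki_admin_nickname=caadmin
pki_security_domain_name=EXAMPLE

# Directory Server used as the certificate database (assumed host/port/DN).
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_base_dn=dc=ca,dc=example,dc=test

# System certificates: this is the part Ade refers to as customising
# the system certs. Subject DNs, key type/size and signing algorithm
# for the CA signing key, plus subject DNs for the other system certs.
pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=pki-tomcat,o=EXAMPLE
pki_ca_signing_key_type=rsa
pki_ca_signing_key_size=4096
pki_ca_signing_key_algorithm=SHA256withRSA
pki_ca_signing_signing_algorithm=SHA256withRSA
pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=pki-tomcat,o=EXAMPLE
pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,ou=pki-tomcat,o=EXAMPLE
pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=pki-tomcat,o=EXAMPLE
# The server cert's CN must match the hostname clients connect to.
pki_sslserver_subject_dn=cn=ca.example.test,ou=pki-tomcat,o=EXAMPLE
```

Because the whole deployment is driven by this file, reviewing it before running pkispawn is the natural control point: it is where the CA key size and signature algorithm are fixed for the life of the CA, and where the SSL server certificate's subject must agree with the FQDN that browsers and the ESC/TPS clients will use, which avoids the certificate import problems discussed earlier in this thread.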