From ftweedal at redhat.com Mon Jan 4 01:10:16 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 4 Jan 2016 11:10:16 +1000
Subject: [Pki-users] CRL Distribution point
Message-ID: <20160104011015.GC31821@dhcp-40-8.bne.redhat.com>

On Wed, Dec 23, 2015 at 12:23:01PM +0000, Sam Elliott wrote:
> Hi,
>
> I may be missing something here, but I have configured CRL distribution
> point within the certificate profile, and this shows up within generated
> certificates, but when I set up the CRL issuing distribution point it
> doesn't seem to have any effect.
>
> I have enabled it, configured pointType to DirectoryName and then pointName
> to crl/master.crl. After revoking some certs I try downloading the CRL but
> get a 404; not sure if I am missing something with the configuration?
>
> Regards,
> Sam
>
Hi Sam,

"DirectoryName" is for an X.500 distinguished name (i.e. an LDAP DN where
the CRL can be found according to RFC 4523 schema). If you want HTTP
access use "URIName" and the appropriate HTTP URI.

If you need more assistance please show the relevant part of your profile
config.

Cheers,
Fraser

From beard.lionel at gmail.com Wed Jan 6 09:54:00 2016
From: beard.lionel at gmail.com (Lionel Beard)
Date: Wed, 6 Jan 2016 10:54:00 +0100
Subject: [Pki-users] Unable to spawn CA when using HSM

Hi,

I'm trying to create a CA with an Atos/Bull HSM backend.
I have created a configuration file default_hsm.cfg with hsm options
enabled and configured, and I have set HSM token and password.

When I run the command:
# pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv
I get the error:

pkispawn : DEBUG ........... 0CArunning10.2.6-13.fc23
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO .......
executing 'certutil -R -d /root/.dogtag/pki-tomcat/ca/alias -s cn=PKI Administrator,e=caadmin at cls.fr ,o=cls.fr Security Domain -k rsa -g 2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
pkispawn : INFO ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 400 Client Error: Bad Request for url: https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"*Invalid Token provided. No such token*."}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

Installation failed.

Just after pki service restart.
I don't know which "Token" it is talking about; not sure it is the HSM token.
HSM is working fine because it was previously added to the database with modutil:

# modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb

Bull TrustWay Proteccio NetHSM 2.4

Configuration read from /etc/proteccio//proteccio.rc

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. nethsm
        library name: /usr/lib64/libnethsm.so
         slots: 8 slots attached
        status: loaded

         slot: Trustway Crypto Engine Slot
        token: nethsm1_V1

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:

         slot: Trustway Crypto Engine Slot
        token:
-----------------------------------------------------------

Of course, I have updated the default_hsm.cfg file according to Red Hat
documentation to enable HSM and put HSM token name and password:
# grep hsm /etc/pki/default_hsm.cfg
pki_audit_signing_token=nethsm1_V1
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/libnethsm.so
pki_hsm_modulename=nethsm
pki_ssl_server_token=nethsm1_V1
pki_subsystem_token=nethsm1_V1
pki_token_name=nethsm1_V1
pki_storage_token=nethsm1_V1
pki_transport_token=nethsm1_V1

I have tried with interactive installation (so with no HSM), and it is working fine.

Can anyone help me?

Thanks!

From cfu at redhat.com Thu Jan 7 17:23:53 2016
From: cfu at redhat.com (Christina Fu)
Date: Thu, 7 Jan 2016 09:23:53 -0800
Subject: [Pki-users] Unable to spawn CA when using HSM
Message-ID: <568E9F29.1090207@redhat.com>

You could normally find more accurate log info giving out more clue under /logs/debug, e.g.
/var/lib/pki/pki-tomcat/ca/logs/debug

Christina

On 01/06/2016 01:54 AM, Lionel Beard wrote:
> Hi,
>
> I'm trying to create a CA with an Atos/Bull HSM backend.
> I have created a configuration file default_hsm.cfg with hsm options
> enabled and configured, and I have set HSM token and password.
>
> When I run the command:
> # pkispawn -s CA -f /etc/pki/default_hsm.cfg -vvv
> I get the error:
>
> pkispawn : DEBUG ........... standalone="no"?>0CArunning10.2.6-13.fc23
> pkispawn : INFO ....... constructing PKI configuration data.
> pkispawn : INFO ....... executing 'certutil -R -d
> /root/.dogtag/pki-tomcat/ca/alias -s cn=PKI
> Administrator,e=caadmin at cls.fr ,o=cls.fr
> Security Domain -k rsa -g 2048 -z
> /root/.dogtag/pki-tomcat/ca/alias/noise -f
> /root/.dogtag/pki-tomcat/ca/password.conf -o
> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
> pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
> pkispawn : INFO ....... BtoA
> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin
> /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
> pkispawn : INFO ....... configuring PKI configuration data.
> pkispawn : ERROR ....... Exception from Java Configuration
> Servlet: 400 Client Error: Bad Request for url:
> https://freeipa-ca.cls.fr:8443/ca/rest/installer/configure
> pkispawn : ERROR ....... ParseError: not well-formed (invalid
> token): line 1, column 0:
> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"*Invalid
> Token provided. No such token*."}
> pkispawn : DEBUG ....... Error Type: ParseError
> pkispawn : DEBUG ....... Error Message: not well-formed (invalid
> token): line 1, column 0
> pkispawn : DEBUG .......
> File "/usr/sbin/pkispawn", line 597, in main
>     rv = instance.spawn(deployer)
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
>     root = ET.fromstring(e.response.text)
>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
>     parser.feed(text)
>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
>     self._raiseerror(v)
>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
>     raise err
>
>
> Installation failed.
>
> Just after pki service restart.
> I don't know which "Token" is it talking about, not sure it is HSM token.
> HSM is working fine because it is previously added to database with
> modutil:
>
> # modutil -list -dbdir /etc/pki/pki-tomcat/alias -nocertdb
>
> Bull TrustWay Proteccio NetHSM 2.4
>
> Configuration read from /etc/proteccio//proteccio.rc
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
>          slots: 2 slots attached
>         status: loaded
>
>          slot: NSS Internal Cryptographic Services
>         token: NSS Generic Crypto Services
>
>          slot: NSS User Private Key and Certificate Services
>         token: NSS Certificate DB
>
>   2.
> nethsm
>         library name: /usr/lib64/libnethsm.so
>          slots: 8 slots attached
>         status: loaded
>
>          slot: Trustway Crypto Engine Slot
>         token: nethsm1_V1
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
>
>          slot: Trustway Crypto Engine Slot
>         token:
> -----------------------------------------------------------
>
> Of course, I have updated default_hsm.cfg file according to Red Hat
> documentation to enable HSM and put HSM token name and password:
> # grep hsm /etc/pki/default_hsm.cfg
> pki_audit_signing_token=nethsm1_V1
> pki_hsm_enable=True
> pki_hsm_libfile=/usr/lib64/libnethsm.so
> pki_hsm_modulename=nethsm
> pki_ssl_server_token=nethsm1_V1
> pki_subsystem_token=nethsm1_V1
> pki_token_name=nethsm1_V1
> pki_storage_token=nethsm1_V1
> pki_transport_token=nethsm1_V1
>
> I have tried with interactive installation (so with no HSM), and it is
> working fine.
>
> Can anyone help me?
>
> Thanks!
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From yoshi314 at gmail.com Thu Jan 14 13:00:56 2016
From: yoshi314 at gmail.com (marcin kowalski)
Date: Thu, 14 Jan 2016 14:00:56 +0100
Subject: [Pki-users] [dogtag] CA Issuers fields in authinfoaccess extension - how?

Hi all;

I am running a subordinate CA dogtag instance, and I would like to copy
AuthInfoExtension fields from the master CA cert into final certificates
signed in dogtag.

I am struggling to add a few caIssuers fields to authInfoExtension fields
in issued certificates.

The fields in question are to be like so (from openssl output of the master
CA certificate):

CA Issuers - URI:http://server/name.crt
CA Issuers - URI:http://backupserver/name.crt

Are there any examples out there so that I can figure this out?

From jmagne at redhat.com Thu Jan 14 18:36:36 2016
From: jmagne at redhat.com (John Magne)
Date: Thu, 14 Jan 2016 13:36:36 -0500 (EST)
Subject: [Pki-users] [dogtag] CA Issuers fields in authinfoaccess extension - how?
Message-ID: <240442457.12611170.1452796596288.JavaMail.zimbra@redhat.com>

Here is an example in the file we ship DomainController.cfg
There are others in the directory /var/lib/pki/pki-tomcat/ca/profiles/ca
if you need more:

policyset.set1.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.set1.5.default.name=AIA Extension Default
policyset.set1.5.default.params.authInfoAccessADEnable_0=true
policyset.set1.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.set1.5.default.params.authInfoAccessADLocation_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit
policyset.set1.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.2
policyset.set1.5.default.params.authInfoAccessCritical=false
policyset.set1.5.default.params.authInfoAccessNumADs=1

----- Original Message -----
> From: "marcin kowalski"
> To: pki-users at redhat.com
> Sent: Thursday, January 14, 2016 5:00:56 AM
> Subject: [Pki-users] [dogtag] CA Issuers fields in authinfoaccess extension - how?
>
> Hi all; I am running a subordinate CA dogtag instance, and I would like to
> copy AuthInfoExtension fields from the master CA cert into final
> certificates signed in dogtag.
>
> I am struggling to add a few caIssuers fields to authInfoExtension fields in
> issued certificates.
>
> The fields in question are to be like so (from openssl output of the master
> CA certificate):
>
> CA Issuers - URI: http://server/name.crt
> CA Issuers - URI: http://backupserver/name.crt
>
>
> Are there any examples out there so that I can figure this out?

From yoshi314 at gmail.com Fri Jan 15 11:48:42 2016
From: yoshi314 at gmail.com (marcin kowalski)
Date: Fri, 15 Jan 2016 12:48:42 +0100
Subject: [Pki-users] [dogtag] CA Issuers fields in authinfoaccess extension - how?
In-Reply-To: <240442457.12611170.1452796596288.JavaMail.zimbra@redhat.com>
References: <240442457.12611170.1452796596288.JavaMail.zimbra@redhat.com>

Thanks. The problem is that I have to specify multiple entries, and this is
when things go weird.
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_1=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_1=URI
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_1=http://server1/cert1.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_1=1.3.6.1.5.5.7.48.2
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_2=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_2=URI
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_2=http://server2/cert2.crt
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_2=1.3.6.1.5.5.7.48.2
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_3=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_3=URI
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_3=ldap:///CN=someconnectionstring
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_3=1.3.6.1.5.5.7.48.2
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=4

What happens in dogtag is that the first field is filled out with values,
but there are empty records following, like so:

Record #0
  Method:1.3.6.1.5.5.7.48.1
  Location Type:URIName
  Location:http://dogtaginstance:8080/ca/ocsp
  Enable:true

Record #1
  Method:
  Location Type:
  Location:
  Enable:false

Record #2
  Method:
  Location Type:
  Location:
  Enable:false

Record #3
  Method:
  Location Type:
  Location:
  Enable:false

And I have to fill them out manually. Then the fields get passed to the
certificate. What could possibly be wrong here?

2016-01-14 19:36 GMT+01:00 John Magne:
> Here is an example in the file we ship DomainController.cfg
> There are others in the directory /var/lib/pki/pki-tomcat/ca/profiles/ca
> if you need more:
>
> policyset.set1.5.default.class_id=authInfoAccessExtDefaultImpl
> policyset.set1.5.default.name=AIA Extension Default
> policyset.set1.5.default.params.authInfoAccessADEnable_0=true
> policyset.set1.5.default.params.authInfoAccessADLocationType_0=URIName
> policyset.set1.5.default.params.authInfoAccessADLocation_0=http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit
> policyset.set1.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.2
> policyset.set1.5.default.params.authInfoAccessCritical=false
> policyset.set1.5.default.params.authInfoAccessNumADs=1
>
>
>
> ----- Original Message -----
> > From: "marcin kowalski"
> > To: pki-users at redhat.com
> > Sent: Thursday, January 14, 2016 5:00:56 AM
> > Subject: [Pki-users] [dogtag] CA Issuers fields in authinfoaccess
> > extension - how?
> >
> > Hi all; I am running a subordinate CA dogtag instance, and I would like
> > to copy AuthInfoExtension fields from the master CA cert into final
> > certificates signed in dogtag.
> >
> > I am struggling to add a few caIssuers fields to authInfoExtension
> > fields in issued certificates.
> >
> > The fields in question are to be like so (from openssl output of the
> > master CA certificate):
> >
> > CA Issuers - URI: http://server/name.crt
> > CA Issuers - URI: http://backupserver/name.crt
> >
> >
> > Are there any examples out there so that I can figure this out?
From roberto.casiano at cogitogroup.com.au Fri Jan 22 00:22:07 2016
From: roberto.casiano at cogitogroup.com.au (Roberto Casiano)
Date: Fri, 22 Jan 2016 00:22:07 +0000
Subject: [Pki-users] Windows Auto Enrollment Proxy installer

Hello,

Does anybody know where I can download the installer or exe for Windows Auto
Enrollment Proxy? The link to
http://directory.fedoraproject.org/wiki/Windows_Certificate_Auto_Enrollment
is broken.

Thanks,
Rob

This email, and any attachment, is confidential and also privileged. If you
have received it in error, please notify me immediately and delete it from
your system along with any attachments. You should not copy or use it for
any purpose, nor disclose its contents to any other person.

From aleksey.chudov at gmail.com Mon Jan 25 16:54:55 2016
From: aleksey.chudov at gmail.com (Aleksey Chudov)
Date: Mon, 25 Jan 2016 18:54:55 +0200
Subject: [Pki-users] Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension

Hi,

I have the following Dogtag PKI packages installed (rebuilt from Fedora src rpms):

# rpm -qa 'dogtag*' '*pki*'
pki-server-10.2.6-7.el7.centos.noarch
pki-tools-10.2.6-7.el7.centos.x86_64
dogtag-pki-server-theme-10.2.6-1.el7.centos.noarch
pki-ca-10.2.6-7.el7.centos.noarch
pki-base-10.2.6-7.el7.centos.noarch
dogtag-pki-console-theme-10.2.6-1.el7.centos.noarch

I have enabled CRLDistributionPointsExtension in all profiles, and after
every PKI restart I can't approve new requests. The following error message
is displayed instead of the regular certificate approval form:

---
The Certificate System has encountered an unrecoverable error.
Error Message:
java.lang.ClassCastException: netscape.security.x509.Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension

Please contact your local administrator for assistance.
---

Full exception from /var/log/pki/pki-tomcat/localhost.2016-01-25.log:

Jan 25, 2016 7:42:08 PM org.apache.catalina.core.ApplicationContext log
INFO: caProfileReview: java.lang.ClassCastException: netscape.security.x509.Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension
        at com.netscape.cms.profile.def.CRLDistributionPointsExtDefault.getValue(CRLDistributionPointsExtDefault.java:402)
        at com.netscape.cms.profile.def.EnrollDefault.getValue(EnrollDefault.java:286)
        at com.netscape.cms.servlet.profile.ProfileReviewServlet.handlePolicy(ProfileReviewServlet.java:425)
        at com.netscape.cms.servlet.profile.ProfileReviewServlet.process(ProfileReviewServlet.java:248)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:513)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at sun.reflect.GeneratedMethodAccessor65.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.GeneratedMethodAccessor53.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

I have found bug report
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=639082.
The proposed workaround https://bugzilla.redhat.com/show_bug.cgi?id=639082#c13
works, but it is very inconvenient to create / reject a new dumb request
after every PKI restart. As I have three CA servers, I need to create /
reject a dumb request per server.

Do you have plans to fix the issue? Or maybe it is already fixed in some
commit?

Regards,
Aleksey

From neill.thornton at mercy.navy.mil Wed Jan 27 01:49:43 2016
From: neill.thornton at mercy.navy.mil (Thornton, Neill R. CIV)
Date: Wed, 27 Jan 2016 01:49:43 +0000
Subject: [Pki-users] Fedora 22 - ESC Error
Message-ID: <0acf19b2d7a641e3a7d6038988a4c45f@MERC-EX-MB10.tah-19.mercy.navy.mil>

All,

I am hoping someone can help me out with a green field Dogtag install. We
have installed all of the correct subsystems, and wanted to try and
provision a hardware smart card. We are using Axalto Cyberflex 64k cards
for testing. This is on Fedora 22; both the Dogtag server and the
enrollment workstation have been updated using dnf to the latest packages.
pcsc_scan on the enrollment station reports the following:

PC/SC device scanner
V 1.4.23 (c) 2001-2011, Ludovic Rousseau
Compiled with PC/SC lite version: 1.8.13
Using reader plug'n play mechanism
Scanning present readers...
0: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00

Tue Jan 26 17:42:20 2016
Reader 0: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
  Card state: Card inserted, Shared Mode,
  ATR: 3B 95 95 40 FF AE 01 03 00 00

defined(@array) is deprecated at /usr/lib64/perl5/vendor_perl/Chipcard/PCSC.pm line 69.
        (Maybe you should just omit the defined()?)
ATR: 3B 95 95 40 FF AE 01 03 00 00
+ TS = 3B --> Direct Convention
+ T0 = 95, Y(1): 1001, K: 5 (historical bytes)
  TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
    125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
  TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0
-----
  TC(2) = FF --> Work waiting time: 960 x 255 x (Fi/F)
+ Historical bytes: AE 01 03 00 00
  Category indicator byte: AE (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 95 95 40 FF AE 01 03 00 00
        Axalto - Cyberflex 64K
        Gemalto TOP IM FIPS CY2 (product code HWP115291A)

--

However, when we start esc, either as root or as a user, the GUI will start
and display no smart cards. When the "Diagnostics" button is pressed, an
error dialog appears saying "coolkey.GetAvailableCoolKeys() failed!
Undefined(undefined)".

After pressing OK, the diagnostic window displays, confirming 0 smart cards
are detected. System versions are listed as:
Smart Card Manager Version: null
System Versions: Mozilla/5.0 (x11; linux x86_64; rv:38.0) gecko/20100101 esc/1.1.0-24

Any insight to our problem would be greatly appreciated!
Thanks,

Neill

--
Neill Thornton
Chief Information Officer - Medical Treatment Facility USNS Mercy
619-235-3857 - Desk
619-206-5426 - Cell
neill.thornton at mercy.navy.mil / neill.thornton at mercy.navy.smil.mil

From pascal.jakobi at gmail.com Wed Jan 27 16:32:36 2016
From: pascal.jakobi at gmail.com (Pascal Jakobi)
Date: Wed, 27 Jan 2016 17:32:36 +0100
Subject: [Pki-users] (no subject)

I am surely doing something wrong but can't figure out what...

Context: FC22. PKI version: 10.2.6

Running pkispawn fails at startup. Is this still the procedure?

Anyway, the error is:

No connection - exception thrown: 404 Client Error: Not Found for url:
https://w530.jakobi.fr:8443/ca/admin/ca/getStatus

--
*Pascal Jakobi*
116 rue de Stalingrad
93100 Montreuil, France
*+33 6 87 47 58 19* Pascal.Jakobi at gmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-ca-spawn.20160127172818.log
Type: text/x-log
Size: 168824 bytes
Desc: not available

From cfu at redhat.com Wed Jan 27 17:40:28 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 27 Jan 2016 09:40:28 -0800
Subject: [Pki-users] Fedora 22 - ESC Error
In-Reply-To: <0acf19b2d7a641e3a7d6038988a4c45f@MERC-EX-MB10.tah-19.mercy.navy.mil>
References: <0acf19b2d7a641e3a7d6038988a4c45f@MERC-EX-MB10.tah-19.mercy.navy.mil>
Message-ID: <56A9010C.7090303@redhat.com>

Hi Neil,

I am no expert, but I do know for different cards you need to diddle with
the ifdDriverOptions value in
/usr/lib64/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist

By default, I think it's
0x0000

My guess is that you could change it to
0x0010
restart the escd

if that doesn't work,
change it to
0x0020
etc.

Hope this helps, and please let us know how it works out for you (which
value it works for the card).

Christina

On 01/26/2016 05:49 PM, Thornton, Neill R.
CIV wrote:
> All,
>
> I am hoping someone can help me out with a green field Dogtag install. We have installed all of the correct subsystems, and wanted to try and provision a hardware smart card. We are using Axalto Cyberflex 64k cards for testing. This is on Fedora 22; both the Dogtag server and the enrollment workstation have been updated using dnf to the latest packages.
>
> pcsc_scan on the enrollment station reports the following:
>
> PC/SC device scanner
> V 1.4.23 (c) 2001-2011, Ludovic Rousseau
> Compiled with PC/SC lite version: 1.8.13
> Using reader plug'n play mechanism
> Scanning present readers...
> 0: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
>
> Tue Jan 26 17:42:20 2016
> Reader 0: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
>   Card state: Card inserted, Shared Mode,
>   ATR: 3B 95 95 40 FF AE 01 03 00 00
>
> defined(@array) is deprecated at /usr/lib64/perl5/vendor_perl/Chipcard/PCSC.pm line 69.
>         (Maybe you should just omit the defined()?)
> ATR: 3B 95 95 40 FF AE 01 03 00 00
> + TS = 3B --> Direct Convention
> + T0 = 95, Y(1): 1001, K: 5 (historical bytes)
>   TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
>     125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
>   TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0
> -----
>   TC(2) = FF --> Work waiting time: 960 x 255 x (Fi/F)
> + Historical bytes: AE 01 03 00 00
>   Category indicator byte: AE (proprietary format)
>
> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
> 3B 95 95 40 FF AE 01 03 00 00
>         Axalto - Cyberflex 64K
>         Gemalto TOP IM FIPS CY2 (product code HWP115291A)
>
> --
>
>
> However, when we start esc, either as root or as a user, the GUI will start and display no smart cards. When the "Diagnostics" button is pressed, an error dialog appears saying "coolkey.GetAvailableCoolKeys() failed! Undefined(undefined)".
>
> After pressing OK, the diagnostic window displays, confirming 0 smart cards are detected.
> System versions are listed as:
> Smart Card Manager Version: null
> System Versions: Mozilla/5.0 (x11; linux x86_64; rv:38.0) gecko/20100101 esc/1.1.0-24
>
> Any insight to our problem would be greatly appreciated!
>
> Thanks,
>
> Neill
>
> --
> Neill Thornton
> Chief Information Officer - Medical Treatment Facility USNS Mercy
> 619-235-3857 - Desk
> 619-206-5426 - Cell
> neill.thornton at mercy.navy.mil / neill.thornton at mercy.navy.smil.mil

From cfu at redhat.com Wed Jan 27 17:45:14 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 27 Jan 2016 09:45:14 -0800
Subject: [Pki-users] Fedora 22 - ESC Error
In-Reply-To: <56A9010C.7090303@redhat.com>
References: <0acf19b2d7a641e3a7d6038988a4c45f@MERC-EX-MB10.tah-19.mercy.navy.mil> <56A9010C.7090303@redhat.com>
Message-ID: <56A9022A.3090508@redhat.com>

oops, some correction...

On 01/27/2016 09:40 AM, Christina Fu wrote:
> Hi Neil,
I meant Neill...sorry
>
> I am no expert, but I do know for different cards you need to diddle
> with the ifdDriverOptions value in
> /usr/lib64/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
>
> By default, I think it's
> 0x0000
>
> My guess is that you could change it to
> 0x0010
> restart the escd
actually, restart pcscd too.
>
> if that doesn't work,
> change it to
> 0x0020
> etc.
>
> Hope this helps, and please let us know how it works out for you
> (which value it works for the card).
>
> Christina
>
> On 01/26/2016 05:49 PM, Thornton, Neill R. CIV wrote:
>> All,
>>
>> I am hoping someone can help me out with a green field Dogtag
>> install. We have installed all of the correct subsystems, and wanted
>> to try and provision a hardware smart card. We are using Axalto
>> Cyberflex 64k cards for testing.
This is on Fedora 22, both the >> Dogtag server and the enrollment workstation have been updated using >> dnf to the latest packages. >> >> pcsc_scan on the enrollment station reports the following: >> >> PC/SC device scanner >> V 1.4.23 (c) 2001-2011, Ludovic Rousseau >> Compiled with PC/SC lite version: 1.8.13 >> Using reader plug'n play mechanism >> Scanning present readers... >> 0: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00 >> >> Tue Jan 26 17:42:20 2016 >> Reader 0: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00 >> Card state: Card inserted, Shared Mode, >> ATR: 3B 95 95 40 FF AE 01 03 00 00 >> >> defined(@array) is deprecated at >> /usr/lib64/perl5/vendor_perl/Chipcard/PCSC.pm >> l ine 69. >> (Maybe you should just omit the defined()?) >> ATR: 3B 95 95 40 FF AE 01 03 00 00 >> + TS = 3B --> Direct Convention >> + T0 = 95, Y(1): 1001, K: 5 (historical bytes) >> TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU >> 125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s >> TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0 >> ----- >> TC(2) = FF --> Work waiting time: 960 x 255 x (Fi/F) >> + Historical bytes: AE 01 03 00 00 >> Category indicator byte: AE (proprietary format) >> >> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): >> 3B 95 95 40 FF AE 01 03 00 00 >> Axalto - Cyberflex 64K >> Gemalto TOP IM FIPS CY2 (product code HWP115291A) >> >> -- >> >> >> However, when we start esc, either as root or as a user, the GUI will >> start and display no smart cards. When the "Diagnostics" button is >> pressed, an error dialog appears saying >> "coolkey.GetAvailableCoolKeys() failed! Undefined(undefined)". >> >> After pressing OK, the diagnostic window displays, confirming 0 smart >> cards are detected. System versions are listed as: >> Smart Card Manager Version: null >> System Versions: Mozilla/5.0 (x11; linux x86_64; rv:38.0) >> gecko/20100101 esc/1.1.0-24 >> >> Any insight to our problem would be greatly appreciated! 
>> >> Thanks, >> >> Neill >> >> -- >> Neill Thornton >> Chief Information Officer - Medical Treatment Facility USNS Mercy >> 619-235-3857 - Desk >> 619-206-5426 - Cell >> neill.thornton at mercy.navy.mil / neill.thornton at mercy.navy.smil.mil >> >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users From neill.thornton at mercy.navy.mil Wed Jan 27 17:55:04 2016 From: neill.thornton at mercy.navy.mil (Thornton, Neill R. CIV) Date: Wed, 27 Jan 2016 17:55:04 +0000 Subject: [Pki-users] [Non-DoD Source] Re: Fedora 22 - ESC Error In-Reply-To: <56A9022A.3090508@redhat.com> References: <0acf19b2d7a641e3a7d6038988a4c45f@MERC-EX-MB10.tah-19.mercy.navy.mil> <56A9010C.7090303@redhat.com> <56A9022A.3090508@redhat.com> Message-ID: Christina, Thanks... I went into Info.plist and changed the ifdDriverOptions to each of the following: - 0x0010 - 0x0020 - 0x0001 - 0x0002 Restarting escd and pcsc each time. After each change I verified that pcsc_scan was still showing the card inserted, no issues there. Just won't show up in the ESC. Thanks again, Neill -----Original Message----- From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Christina Fu Sent: Wednesday, January 27, 2016 9:45 AM To: pki-users at redhat.com Subject: [Non-DoD Source] Re: [Pki-users] Fedora 22 - ESC Error oops, some correction... On 01/27/2016 09:40 AM, Christina Fu wrote: > Hi Neil, I meant Neill...sorry > > I am no expert, but I do know for different cards you need to diddle > with the ifdDriverOptions value in > /usr/lib64/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist > > By default, I think it's > 0x0000 > > My guess is that you could change it to 0x0010 > restart the escd actually, restart pcscd too. 
> > if that doesn't work, > change it to > 0x0020 > etc. > > Hope this helps, and please let us know how it works out for you > (which value it works for the card). > > Christina > > On 01/26/2016 05:49 PM, Thornton, Neill R. CIV wrote: >> All, >> >> I am hoping someone can help me out with a green field Dogtag >> install. We have installed all of the correct subsystems, and wanted >> to try and provision a hardware smart card. We are using Axalto >> Cyberflex 64k cards for testing. This is on Fedora 22, both the >> Dogtag server and the enrollment workstation have been updated using >> dnf to the latest packages. >> >> pcsc_scan on the enrollment station reports the following: >> >> PC/SC device scanner >> V 1.4.23 (c) 2001-2011, Ludovic Rousseau >> Compiled with PC/SC lite version: 1.8.13 Using reader plug'n play >> mechanism Scanning present readers... >> 0: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00 >> >> Tue Jan 26 17:42:20 2016 >> Reader 0: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00 >> Card state: Card inserted, Shared Mode, >> ATR: 3B 95 95 40 FF AE 01 03 00 00 >> >> defined(@array) is deprecated at >> /usr/lib64/perl5/vendor_perl/Chipcard/PCSC.pm >> l ine 69. >> (Maybe you should just omit the defined()?) 
>> ATR: 3B 95 95 40 FF AE 01 03 00 00 >> + TS = 3B --> Direct Convention >> + T0 = 95, Y(1): 1001, K: 5 (historical bytes) >> TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU >> 125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s >> TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0 >> ----- >> TC(2) = FF --> Work waiting time: 960 x 255 x (Fi/F) >> + Historical bytes: AE 01 03 00 00 >> Category indicator byte: AE (proprietary format) >> >> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): >> 3B 95 95 40 FF AE 01 03 00 00 >> Axalto - Cyberflex 64K >> Gemalto TOP IM FIPS CY2 (product code HWP115291A) >> >> -- >> >> >> However, when we start esc, either as root or as a user, the GUI will >> start and display no smart cards. When the "Diagnostics" button is >> pressed, an error dialog appears saying >> "coolkey.GetAvailableCoolKeys() failed! Undefined(undefined)". >> >> After pressing OK, the diagnostic window displays, confirming 0 smart >> cards are detected. System versions are listed as: >> Smart Card Manager Version: null >> System Versions: Mozilla/5.0 (x11; linux x86_64; rv:38.0) >> gecko/20100101 esc/1.1.0-24 >> >> Any insight to our problem would be greatly appreciated! 
From dsirrine at redhat.com Wed Jan 27 18:50:17 2016
From: dsirrine at redhat.com (Dave Sirrine)
Date: Wed, 27 Jan 2016 13:50:17 -0500
Subject: [Pki-users] (no subject)
In-Reply-To:
References:
Message-ID:

On Wed, Jan 27, 2016 at 11:32 AM, Pascal Jakobi wrote:
> I am surely doing something wrong but can't figure out what...
> Context: FC22.
> PKI version: 10.2.6
>
> Running pkispawn fails at startup. Is this still the procedure?
>
> Anyway, the error is:
> No connection - exception thrown: 404 Client Error: Not Found for url:
> https://w530.jakobi.fr:8443/ca/admin/ca/getStatus
>

Is it possible to verify what your firewalld settings are?

A simple firewall-cmd --list-all should give us what we need about what ports are open.

It's also possible that there are DNS resolution errors. Can you confirm that w530.jakobi.fr is in your /etc/hosts file with the correct IP address?

>
> --
> *Pascal Jakobi*
> 116 rue de Stalingrad
> 93100 Montreuil, France
>
> *+33 6 87 47 58 19* Pascal.Jakobi at gmail.com
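The firewall, name-resolution and port checks Dave asks about, gathered into one script as an added example (not code from the thread, from Dogtag or from pkispawn). ca.example.test and 192.0.2.10 in main() are placeholders for the CA's FQDN and the address it should resolve to; self_check() opens a throwaway listener on 127.0.0.1 so the port logic can be exercised with no CA and no network.

```python
"""Pre-flight network checks around a pkispawn run.

Added example; not part of the thread or of Dogtag. The host name and
address in main() are placeholders: replace them with the CA's FQDN and
the address it should resolve to.
"""
import socket
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class HostCheck:
    hostname: str
    addresses: List[str] = field(default_factory=list)
    expected: Optional[str] = None

    @property
    def ok(self) -> bool:
        # Resolution worked and, when an expected address is given, it is among the answers.
        return bool(self.addresses) and (self.expected is None or self.expected in self.addresses)


def resolve_host(hostname: str, expected: Optional[str] = None) -> HostCheck:
    """Resolve hostname the way the system does (/etc/hosts first, then DNS)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return HostCheck(hostname, [], expected)
    return HostCheck(hostname, sorted({info[4][0] for info in infos}), expected)


def port_state(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP port from the client's point of view.

    'listening'   the connection was accepted; an HTTP status such as a 404
                  can only come back from a port in this state
    'closed'      the host answered with a reset, nothing is bound there
    'filtered'    no answer before the timeout; a firewall dropping packets
                  looks like this
    'unresolved'  the name could not be resolved at all
    'unreachable' any other socket error (no route, network down, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except socket.gaierror:
        return "unresolved"
    except OSError:
        return "unreachable"


def port_is_bindable(port: int, host: str = "0.0.0.0") -> bool:
    """True when nothing else already holds host:port.

    The server-side counterpart of port_state, to run on the CA host itself:
    a port another process already holds is one reason a server cannot bring
    up its own listener there.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def self_check() -> dict:
    """Exercise the checks against a listener this function opens itself,
    so the example runs without network access or a real CA."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # the kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        results["listening"] = port_state("127.0.0.1", port)
        results["bindable_while_held"] = port_is_bindable(port, "127.0.0.1")
    # The listener is closed now: the same port must be refused and bindable again.
    results["closed"] = port_state("127.0.0.1", port)
    results["bindable_after_release"] = port_is_bindable(port, "127.0.0.1")
    return results


if __name__ == "__main__":
    CA_HOST = "ca.example.test"     # placeholder: the CA's FQDN
    EXPECTED_IP = "192.0.2.10"      # placeholder: the address it should map to
    hc = resolve_host(CA_HOST, EXPECTED_IP)
    print(f"{CA_HOST} -> {hc.addresses or 'unresolved'} (ok={hc.ok})")
    print(f"tcp/8443 on {CA_HOST}: {port_state(CA_HOST, 8443)}")
    print("self-check:", self_check())
```

port_state separates the three outcomes a client can see: an accepted connection (the only way to receive an HTTP status such as the 404 quoted above, so that error already proves the port is open and reachable), a refused one (nothing bound to the port) and a timeout (typical of a firewall dropping packets). port_is_bindable is the check to run on the CA host before pkispawn; firewall-cmd --list-all, as Dave suggests, still shows the rules themselves, the script only observes their effect.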
From pascal.jakobi at gmail.com Wed Jan 27 20:24:36 2016
From: pascal.jakobi at gmail.com (Pascal Jakobi)
Date: Wed, 27 Jan 2016 21:24:36 +0100
Subject: [Pki-users] (no subject)
In-Reply-To:
References:
Message-ID:

Thanks for your promptness, but DNS is ok and I have no firewall.

[root at w530 ~]# dig w530.jakobi.fr

; <<>> DiG 9.10.3-P2-RedHat-9.10.3-7.P2.fc22 <<>> w530.jakobi.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61631
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;w530.jakobi.fr.                IN      A

;; ANSWER SECTION:
w530.jakobi.fr.         38400   IN      A       192.168.1.14

;; AUTHORITY SECTION:
jakobi.fr.              38400   IN      NS      raspb.jakobi.fr.

;; ADDITIONAL SECTION:
raspb.jakobi.fr.        38400   IN      A       192.168.1.2

;; Query time: 3 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: mer. janv. 27 21:22:44 CET 2016
;; MSG SIZE  rcvd: 95

[root at w530 ~]# host 192.168.1.14
14.1.168.192.in-addr.arpa domain name pointer w530.jakobi.fr.
[root at w530 ~]# firewall-cmd --list-all
FirewallD is not running
[root at w530 ~]#

2016-01-27 19:50 GMT+01:00 Dave Sirrine :
> [...]

--
*Pascal Jakobi*
116 rue de Stalingrad
93100 Montreuil, France

*+33 6 87 47 58 19* Pascal.Jakobi at gmail.com

From pascal.jakobi at gmail.com Wed Jan 27 21:57:47 2016
From: pascal.jakobi at gmail.com (Pascal Jakobi)
Date: Wed, 27 Jan 2016 22:57:47 +0100
Subject: [Pki-users] (no subject)
In-Reply-To:
References:
Message-ID:

I have found the error in the tomcat logs:

Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]

I have an openldap running on port 389 and a 389-ds (for dogtag) on port 390. Could this be the issue?

Thanks again!

2016-01-27 21:24 GMT+01:00 Pascal Jakobi :
> [...]

--
*Pascal Jakobi*
116 rue de Stalingrad
93100 Montreuil, France

*+33 6 87 47 58 19* Pascal.Jakobi at gmail.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: catalina.2016-01-27.log
Type: text/x-log
Size: 14752 bytes
Desc: not available

From cfu at redhat.com Fri Jan 29 18:46:25 2016
From: cfu at redhat.com (Christina Fu)
Date: Fri, 29 Jan 2016 10:46:25 -0800
Subject: [Pki-users] [Non-DoD Source] Re: Fedora 22 - ESC Error
In-Reply-To:
References: <0acf19b2d7a641e3a7d6038988a4c45f@MERC-EX-MB10.tah-19.mercy.navy.mil> <56A9010C.7090303@redhat.com> <56A9022A.3090508@redhat.com>
Message-ID: <56ABB381.2020404@redhat.com>

Hi Neill,

I'm not sure what could have gone wrong. And again, I'm really not an expert in this area. Our smart card guy has been out sick. And apparently I'm not doing a good job playing him ;-).

Could you provide your esc version? Our latest f22 esc is here:
http://koji.fedoraproject.org/koji/buildinfo?buildID=672713

One thing you could try is to see if esc is even trying to read the card (debugging I learned from our guy). You can rerun the pcscd like the following:

export COOL_KEY_LOG_FILE=/tmp/coolkey.debug
(this can be any value, I don't think it actually writes to it)
killall pcscd
/usr/sbin/pcscd -f -d -a
(this will produce a lot of debugging on terminal)

restart esc on another terminal (*make sure you put in the phone home url; sometimes that pops up behind the ESC*) and observe if the debug terminal indicates any recognition of card read.

For example, on my system, when I remove my card, I can see
EHStatusHandlerThread() Card Removed From OMNIKEY AG CardMan 3121 00 00
when I reinsert it, I see
EHStatusHandlerThread() Card inserted into OMNIKEY AG CardMan 3121 00 00

Let us know how it goes.

Christina

On 01/27/2016 09:55 AM, Thornton, Neill R. CIV wrote:
> [...]
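For reading the pcsc_scan decode quoted at the top of this thread (and the ATR lines pcscd's debug output shows once it does see a card), here is an added Python example, not code from the thread, from pcsc-tools or from ESC, that parses an ISO/IEC 7816-3 Answer To Reset into the same fields. It reproduces pcsc_scan's figures for the thread's ATR and goes one step beyond the thread's T=0-only card by also verifying the TCK checksum on a constructed ATR that offers T=0 and T=1.

```python
"""Decode an ISO/IEC 7816-3 Answer To Reset the way pcsc_scan does.

Added example; not code from the thread, from pcsc-tools or from ESC.
The first sample ATR in main() is the one quoted in the thread, the
second is constructed; the Fi/Di and f(max) tables are ISO/IEC 7816-3's.
"""
from typing import Dict, List, Optional

# TA1 high nibble -> Fi (clock rate conversion integer) and f(max) in MHz.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
FMAX_MHZ = {0: 4, 1: 5, 2: 6, 3: 8, 4: 12, 5: 16, 6: 20,
            9: 5, 10: 7.5, 11: 10, 12: 15, 13: 20}
# TA1 low nibble -> Di (baud rate adjustment integer).
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}


def describe_category(historical: bytes) -> Optional[str]:
    """Meaning of the category indicator (first historical byte, ISO 7816-4)."""
    if not historical:
        return None
    cat = historical[0]
    if cat == 0x00:
        return "status indicator in the last three bytes"
    if cat == 0x10:
        return "DIR data reference"
    if cat == 0x80:
        return "COMPACT-TLV objects"
    if 0x81 <= cat <= 0x8F:
        return "reserved for future use"
    return "proprietary format"


def parse_atr(atr: bytes, clock_hz: int = 4_000_000) -> dict:
    """Split an ATR into TS, interface bytes, historical bytes and TCK and
    derive the timing figures pcsc_scan prints for TA1 and TC2."""
    if len(atr) < 2:
        raise ValueError("ATR needs at least TS and T0")
    convention = {0x3B: "direct", 0x3F: "inverse"}.get(atr[0])
    if convention is None:
        raise ValueError(f"invalid TS byte {atr[0]:#04x}")
    k = atr[1] & 0x0F            # K: number of historical bytes
    y = atr[1] >> 4              # Y(1): which of TA1 TB1 TC1 TD1 follow
    interface: Dict[str, int] = {}
    protocols: List[int] = []
    i, n = 2, 1
    while True:
        # Y(n) bits, low to high: TA, TB, TC, TD
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(atr):
                    raise ValueError(f"ATR truncated before {name}{n}")
                interface[f"{name}{n}"] = atr[i]
                i += 1
        td = interface.get(f"TD{n}")
        if td is None:
            break
        protocols.append(td & 0x0F)  # low nibble: protocol T offered
        y = td >> 4                  # high nibble: Y(n+1)
        n += 1
    historical = atr[i:i + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    i += k
    # TCK (XOR of T0 through TCK must be 0) is present unless only T=0 is offered.
    tck = tck_ok = None
    if any(p != 0 for p in protocols):
        if i >= len(atr):
            raise ValueError("ATR missing TCK")
        tck = atr[i]
        i += 1
        xor = 0
        for b in atr[1:i]:
            xor ^= b
        tck_ok = xor == 0
    result = {
        "convention": convention,
        "interface_bytes": interface,
        "protocols": protocols or [0],   # no TD1 means T=0 by default
        "historical_bytes": historical,
        "category": describe_category(historical),
        "tck": tck,
        "tck_ok": tck_ok,
        "trailing_bytes": atr[i:],       # anything left over after the ATR proper
    }
    ta1 = interface.get("TA1", 0x11)     # absent TA1 means Fi=372, Di=1
    fi, di, fmax = FI_TABLE.get(ta1 >> 4), DI_TABLE.get(ta1 & 0x0F), FMAX_MHZ.get(ta1 >> 4)
    if fi is not None and di is not None:
        result.update({
            "Fi": fi, "Di": di,
            "etu_cycles": fi / di,                       # clock cycles per bit
            "bits_per_second": clock_hz * di // fi,      # at the given card clock
            "fmax_MHz": fmax,
            "bits_per_second_at_fmax": int(fmax * 1_000_000) * di // fi,
        })
    if "TC2" in interface:
        result["work_waiting_integer"] = interface["TC2"]  # WWT = 960 x WI x Fi/f
    return result


if __name__ == "__main__":
    for label, hexstr in (("thread's Cyberflex ATR", "3B959540FFAE01030000"),
                          ("constructed T=0/T=1 ATR with TCK", "3B80800101")):
        print(label)
        for key, value in parse_atr(bytes.fromhex(hexstr)).items():
            print(f"  {key}: {value.hex() if isinstance(value, bytes) else value}")
```

Run as a script it prints both decodes. parse_atr raises ValueError on an ATR shorter than its own T0 and TD bytes announce, which is the first thing to check when a reader returns fewer bytes than expected. The card model lines in pcsc_scan's output (Axalto / Gemalto) come from pcsc-tools' smartcard_list.txt, not from the ATR structure, so a card can decode cleanly here and still be absent from that list.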