From dgnatowski at yahoo.com Mon Jul 3 14:12:42 2017
From: dgnatowski at yahoo.com (Dennis Gnatowski)
Date: Mon, 3 Jul 2017 14:12:42 +0000 (UTC)
Subject: [Pki-users] Invalid chunck header
In-Reply-To: <1498628187.12903580.1498768541936.JavaMail.zimbra@redhat.com>
References: <1121496478.1401114.1498760839893.ref@mail.yahoo.com> <1121496478.1401114.1498760839893@mail.yahoo.com> <788749869.12885629.1498761666326.JavaMail.zimbra@redhat.com> <920424302.1379876.1498761838619@mail.yahoo.com> <1498628187.12903580.1498768541936.JavaMail.zimbra@redhat.com>
Message-ID: <1435853596.3514601.1499091162508@mail.yahoo.com>

Solved. Turned out to be environmental. Smartcard reader connected to docking station wasn't being recognized correctly by the virtualization app.

Thanks for the help. All working properly now.

-----------------------------------------------------------
Dennis Gnatowski
dgnatowski at yahoo.com

From: John Magne
To: Dennis Gnatowski
Cc: pki-users at redhat.com
Sent: Thursday, June 29, 2017 4:35 PM
Subject: Re: [Pki-users] Invalid chunck header

OK: Not sure if I've seen anything like this for quite some time...

First of all, we dropped support for that windows client a while back, although it could possibly work anyway.

You might try the client on rhel and see if the problem goes away.

thanks,
jack

----- Original Message -----
From: "Dennis Gnatowski"
To: "John Magne"
Cc: pki-users at redhat.com
Sent: Thursday, June 29, 2017 11:43:58 AM
Subject: Re: [Pki-users] Invalid chunck header

Yes, and it shows up in TPS debug log. I'm using blank SC650 cards and ESC v1.1.0-10 on Windows 10.

-----------------------------------------------------------
Dennis Gnatowski
dgnatowski at yahoo.com

From: John Magne
To: Dennis Gnatowski
Cc: pki-users at redhat.com
Sent: Thursday, June 29, 2017 2:41 PM
Subject: Re: [Pki-users] Invalid chunck header

Did the client accept the phone home url you gave it without complaint?

----- Original Message -----
From: "Dennis Gnatowski"
To: pki-users at redhat.com
Sent: Thursday, June 29, 2017 11:27:19 AM
Subject: [Pki-users] Invalid chunck header

I'm getting an error when attempting to format a new blank card (sc650). Fresh, new install of CA, KRA, TKS, TPS on single instance. Insert card into reader (3121) and ESC (1.1.0-13 on Windows 10) prompts for phone Home URL. Enter TPS phone Home URL then press Format button and get error (in localhost.log). I have the same issue on RHCS 9.1 (latest patches) as well as Dogtag 10.3.x. Not sure where the issue lies or how to fix.

SEVERE: Servlet.service() for servlet [tps] in context with path [/tps] threw exception
java.io.IOException: Invalid chunk header
    at org.apache.coyote.http11.filters.ChunkedInputFilter.throwIOException(ChunkedInputFilter.java:615)
    at org.apache.coyote.http11.filters.ChunkedInputFilter.doRead(ChunkedInputFilter.java:192)
    at org.apache.coyote.http11.AbstractInputBuffer.doRead(AbstractInputBuffer.java:287)
    at org.apache.coyote.Request.doRead(Request.java:438)
    at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:290)
    at org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:390)
    at org.apache.catalina.connector.InputBuffer.readByte(InputBuffer.java:304)
    at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:91)
    at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:87)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:85)
    at org.dogtagpki.tps.TPSConnection.read(TPSConnection.java:55)
    at org.dogtagpki.server.tps.TPSSession.read(TPSSession.java:72)
    at org.dogtagpki.server.tps.processor.TPSProcessor.handleAPDURequest(TPSProcessor.java:311)
    at org.dogtagpki.server.tps.processor.TPSProcessor.selectApplet(TPSProcessor.java:279)
    at org.dogtagpki.server.tps.processor.TPSProcessor.selectCardManager(TPSProcessor.java:2968)
    at org.dogtagpki.server.tps.processor.TPSProcessor.getAppletInfo(TPSProcessor.java:2900)
    at org.dogtagpki.server.tps.processor.TPSProcessor.format(TPSProcessor.java:1831)
    at org.dogtagpki.server.tps.processor.TPSProcessor.process(TPSProcessor.java:2852)
    at org.dogtagpki.server.tps.TPSSession.process(TPSSession.java:119)
    at org.dogtagpki.server.tps.TPSServlet.service(TPSServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)

-----------------------------------------------------------
Dennis Gnatowski
dgnatowski at yahoo.com

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users


From dgnatowski at yahoo.com Fri Jul 7 17:48:15 2017
From: dgnatowski at yahoo.com (Dennis Gnatowski)
Date: Fri, 7 Jul 2017 17:48:15 +0000 (UTC)
Subject: [Pki-users] Build Dogtag 10.4.8
References: <1511996913.763476.1499449695258.ref@mail.yahoo.com>
Message-ID: <1511996913.763476.1499449695258@mail.yahoo.com>

What is the best way to build and test Dogtag 10.4.8? I'm not really finding instructions on the Dogtag wiki. Is Fedora rawhide a hard requirement?

-----------------------------------------------------------
Dennis Gnatowski
dgnatowski at yahoo.com


From cfu at redhat.com Fri Jul 7 23:25:33 2017
From: cfu at redhat.com (Christina Fu)
Date: Fri, 7 Jul 2017 16:25:33 -0700
Subject: [Pki-users] Build Dogtag 10.4.8
In-Reply-To: <1511996913.763476.1499449695258@mail.yahoo.com>
References: <1511996913.763476.1499449695258.ref@mail.yahoo.com> <1511996913.763476.1499449695258@mail.yahoo.com>
Message-ID: <9cbf7f52-031b-45d5-cec6-01a39b1b7294@redhat.com>

try this:
http://pki.fedoraproject.org/wiki/Building_Dogtag_10
and
http://pki.fedoraproject.org/wiki/Advanced_Installation

I don't think you need rawhide.

Christina

On 07/07/2017 10:48 AM, Dennis Gnatowski wrote:
> What is the best way to build and test Dogtag 10.4.8?
> I'm not really finding instructions on the Dogtag wiki. Is Fedora
> rawhide a hard requirement?
> -----------------------------------------------------------
> Dennis Gnatowski
> dgnatowski at yahoo.com


From dgnatowski at yahoo.com Mon Jul 10 19:04:05 2017
From: dgnatowski at yahoo.com (Dennis Gnatowski)
Date: Mon, 10 Jul 2017 19:04:05 +0000 (UTC)
Subject: [Pki-users] SCP03 configuration/settings?
References: <313010964.2484778.1499713445561.ref@mail.yahoo.com>
Message-ID: <313010964.2484778.1499713445561@mail.yahoo.com>

Is there a document that specifies what changes are required to the configuration file(s) to support SCP03? I have dogtag 10.4.8 installed and operational and now would like to test SCP03 support. My first attempt to format a card supporting SCP03 failed. TPS debug log reports:

computeSessionKeysSCP03() response missing name-value pair for: encSessionKey
computeSessionKeysSCP03() response missing name-value pair for: drm_trans_desKey
computeSessionKeysSCP03() response missing name-value pair for: macSessionKey
computeSessionKeysSCP03() response missing name-value pair for: kekSessionKey
computeSessionKeysSCP03() response missing name-value pair for: kek_wrapped_desKey
computeSessionKeysSCP03() response missing name-value pair for: keycheck
computeSessionKeysSCP03() response missing name-value pair for: hostCryptogram

-----------------------------------------------------------
Dennis Gnatowski
dgnatowski at yahoo.com


From jmagne at redhat.com Mon Jul 10 20:49:18 2017
From: jmagne at redhat.com (John Magne)
Date: Mon, 10 Jul 2017 16:49:18 -0400 (EDT)
Subject: [Pki-users] SCP03 configuration/settings?
In-Reply-To: <313010964.2484778.1499713445561@mail.yahoo.com>
References: <313010964.2484778.1499713445561.ref@mail.yahoo.com> <313010964.2484778.1499713445561@mail.yahoo.com>
Message-ID: <1653180788.15206433.1499719758852.JavaMail.zimbra@redhat.com>

We are still working on that. I can send you something quick out of band.

Just let me know what token you are using to make sure it is supported.

Thx.

----- Original Message -----
From: "Dennis Gnatowski"
To: pki-users at redhat.com
Sent: Monday, July 10, 2017 12:04:05 PM
Subject: [Pki-users] SCP03 configuration/settings?

Is there a document that specifies what changes are required to the configuration file(s) to support SCP03? I have dogtag 10.4.8 installed and operational and now would like to test SCP03 support. My first attempt to format a card supporting SCP03 failed. TPS debug log reports:

computeSessionKeysSCP03() response missing name-value pair for: encSessionKey
computeSessionKeysSCP03() response missing name-value pair for: drm_trans_desKey
computeSessionKeysSCP03() response missing name-value pair for: macSessionKey
computeSessionKeysSCP03() response missing name-value pair for: kekSessionKey
computeSessionKeysSCP03() response missing name-value pair for: kek_wrapped_desKey
computeSessionKeysSCP03() response missing name-value pair for: keycheck
computeSessionKeysSCP03() response missing name-value pair for: hostCryptogram

-----------------------------------------------------------
Dennis Gnatowski
dgnatowski at yahoo.com


From dgnatowski at yahoo.com Wed Jul 12 19:48:23 2017
From: dgnatowski at yahoo.com (Dennis Gnatowski)
Date: Wed, 12 Jul 2017 19:48:23 +0000 (UTC)
Subject: [Pki-users] failed to update tokendb entry
References: <2081963930.4162316.1499888903728.ref@mail.yahoo.com>
Message-ID: <2081963930.4162316.1499888903728@mail.yahoo.com>

I've had to setup an older 8.x environment (CA, TKS, and TPS) for testing. I am getting an error when formatting a card. Things seem to progress nicely, but at the end the ESC displays an error and the TPS logs have the following errors:

RA::tdb_update - searching for tokendb entry: xxxxxxx
RA:tdb_update - failed to add tokendb entry
RA_Processor::Format - Failed to update the token database
RA_Processor::Format - returning status 41

The system has access to and authenticates fine to the LDAP Server. Any ideas why the system can't add the token?

-----------------------------------------------------------
Dennis Gnatowski
dgnatowski at yahoo.com


From jmagne at redhat.com Wed Jul 12 20:27:02 2017
From: jmagne at redhat.com (John Magne)
Date: Wed, 12 Jul 2017 16:27:02 -0400 (EDT)
Subject: [Pki-users] failed to update tokendb entry
In-Reply-To: <2081963930.4162316.1499888903728@mail.yahoo.com>
References: <2081963930.4162316.1499888903728.ref@mail.yahoo.com> <2081963930.4162316.1499888903728@mail.yahoo.com>
Message-ID: <1245226332.16034053.1499891222181.JavaMail.zimbra@redhat.com>

Hello:

It looks like from below you are getting through the hard part, which is formatting the token. Then for some reason the update to the tokendb is failing.

Access to the tokendb should be set up automatically when running the installation wizard.

It might help to look at your CS.cfg and an entry like this:

tokendb.hostport=your.host.com:389

Make sure that the DS is running and available on that port.

----- Original Message -----
> From: "Dennis Gnatowski"
> To: pki-users at redhat.com
> Sent: Wednesday, July 12, 2017 12:48:23 PM
> Subject: [Pki-users] failed to update tokendb entry
>
> I've had to setup an older 8.x environment (CA, TKS, and TPS) for testing.
> I am getting an error when formatting a card. Things seem to progress nicely,
> but at the end the ESC displays an error and the TPS logs have the following
> errors:
>
> RA::tdb_update - searching for tokendb entry: xxxxxxx
> RA:tdb_update - failed to add tokendb entry
> RA_Processor::Format - Failed to update the token database
> RA_Processor::Format - returning status 41
> The system has access to and authenticates fine to the LDAP Server.
> Any ideas why the system can't add the token?
> -----------------------------------------------------------
> Dennis Gnatowski
> dgnatowski at yahoo.com


From dgnatowski at yahoo.com Wed Jul 12 20:59:55 2017
From: dgnatowski at yahoo.com (Dennis Gnatowski)
Date: Wed, 12 Jul 2017 20:59:55 +0000 (UTC)
Subject: [Pki-users] failed to update tokendb entry
In-Reply-To: <1245226332.16034053.1499891222181.JavaMail.zimbra@redhat.com>
References: <2081963930.4162316.1499888903728.ref@mail.yahoo.com> <2081963930.4162316.1499888903728@mail.yahoo.com> <1245226332.16034053.1499891222181.JavaMail.zimbra@redhat.com>
Message-ID: <169770908.4198163.1499893195706@mail.yahoo.com>

Yes, that is there and correct in the TPS's CS.cfg file. That's what's so puzzling.

-----------------------------------------------------------
Dennis Gnatowski
dgnatowski at yahoo.com

From: John Magne
To: Dennis Gnatowski
Cc: pki-users at redhat.com
Sent: Wednesday, July 12, 2017 4:27 PM
Subject: Re: [Pki-users] failed to update tokendb entry

Hello:

It looks like from below you are getting through the hard part, which is formatting the token. Then for some reason the update to the tokendb is failing.

Access to the tokendb should be set up automatically when running the installation wizard.

It might help to look at your CS.cfg and an entry like this:

tokendb.hostport=your.host.com:389

Make sure that the DS is running and available on that port.

----- Original Message -----
> From: "Dennis Gnatowski"
> To: pki-users at redhat.com
> Sent: Wednesday, July 12, 2017 12:48:23 PM
> Subject: [Pki-users] failed to update tokendb entry
>
> I've had to setup an older 8.x environment (CA, TKS, and TPS) for testing.
> I am getting an error when formatting a card. Things seem to progress nicely,
> but at the end the ESC displays an error and the TPS logs have the following
> errors:
>
> RA::tdb_update - searching for tokendb entry: xxxxxxx
> RA:tdb_update - failed to add tokendb entry
> RA_Processor::Format - Failed to update the token database
> RA_Processor::Format - returning status 41
> The system has access to and authenticates fine to the LDAP Server.
> Any ideas why the system can't add the token?
> -----------------------------------------------------------
> Dennis Gnatowski
> dgnatowski at yahoo.com


From ftweedal at redhat.com Mon Jul 31 05:14:26 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 31 Jul 2017 15:14:26 +1000
Subject: [Pki-users] [Freeipa-users] Removal of obsolete certificates from o=ipaca
In-Reply-To: <20170728140343.GA6236@atkac-gd>
References: <20170728140343.GA6236@atkac-gd>
Message-ID: <20170731051426.GX4186@dhcp-40-8.bne.redhat.com>

On Fri, Jul 28, 2017 at 04:03:44PM +0200, Adam Tkac via FreeIPA-users wrote:
> Hello all,
>
> we are currently facing an issue with a huge number of outdated certificate entries
> in the o=ipaca LDAP subtree (many servers no longer exist, certificates already expired etc.)
> and we would like to remove them to decrease the number of entries in LDAP and also
> to speed up initial replication of the o=ipaca subtree (we have more than 700 000
> DNs in o=ipaca and deploying a new replica takes quite long).
>
> Has anyone tried to do something like this? I'm quite afraid that a simple
> ldapdelete of many DNs in the o=ipaca subtree would break DogTag somehow.
>
> Do you have any ideas if something can break by removal of old (expired and also
> non-expired) certificates from o=ipaca? Thanks in advance for any advice.
>
> Regards, Adam
>

It is not a supported operation, but I cannot think of any problems that would arise from removing the certificate records under o=ipaca. But I am copying pki-users@ to get the attention of the rest of the Dogtag team in case there is something I am not thinking of.

Strictly speaking, you should only remove expired certificates; even if a host has disappeared, the validity period is a promise by a CA to maintain knowledge about a certificate for that whole period.

(Note to Dogtag team: FreeIPA configures Dogtag to use sequential serial numbers. The usual range mechanism applies for CA clones).

HTH,
Fraser


From cfu at redhat.com Mon Jul 31 16:20:12 2017
From: cfu at redhat.com (Christina Fu)
Date: Mon, 31 Jul 2017 09:20:12 -0700
Subject: [Pki-users] [Freeipa-users] Removal of obsolete certificates from o=ipaca
In-Reply-To: <20170731051426.GX4186@dhcp-40-8.bne.redhat.com>
References: <20170728140343.GA6236@atkac-gd> <20170731051426.GX4186@dhcp-40-8.bne.redhat.com>
Message-ID: <5136aa2b-28b7-cf08-770b-79755da4c8f2@redhat.com>

I agree with what Fraser says. Non-expired certs (revoked or not) should never be removed from the CA repository, as that will affect the CRL.

I believe someone asked about this before, and we also warned them about that. Though I have no recollection how it worked out for them in the end.

You could do a backup before you try.

regards,
Christina

On 07/30/2017 10:14 PM, Fraser Tweedale wrote:
> On Fri, Jul 28, 2017 at 04:03:44PM +0200, Adam Tkac via FreeIPA-users wrote:
>> Hello all,
>>
>> we are currently facing an issue with a huge number of outdated certificate entries
>> in the o=ipaca LDAP subtree (many servers no longer exist, certificates already expired etc.)
>> and we would like to remove them to decrease the number of entries in LDAP and also
>> to speed up initial replication of the o=ipaca subtree (we have more than 700 000
>> DNs in o=ipaca and deploying a new replica takes quite long).
>>
>> Has anyone tried to do something like this? I'm quite afraid that a simple
>> ldapdelete of many DNs in the o=ipaca subtree would break DogTag somehow.
>>
>> Do you have any ideas if something can break by removal of old (expired and also
>> non-expired) certificates from o=ipaca? Thanks in advance for any advice.
>>
>> Regards, Adam
>>
> It is not a supported operation, but I cannot think of any problems
> that would arise from removing the certificate records under
> o=ipaca. But I am copying pki-users@ to get the attention of the
> rest of the Dogtag team in case there is something I am not thinking
> of.
>
> Strictly speaking, you should only remove expired certificates; even
> if a host has disappeared, the validity period is a promise by a CA
> to maintain knowledge about a certificate for that whole period.
>
> (Note to Dogtag team: FreeIPA configures Dogtag to use sequential
> serial numbers. The usual range mechanism applies for CA clones).
>
> HTH,
> Fraser
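An added example, not part of the thread and not FreeIPA's or Dogtag's own tooling, showing the selection rule Fraser and Christina describe as a dry run over constructed certificate records: only records whose notAfter is already in the past are purge candidates, and anything still inside its validity period is kept whether revoked or not, because the CRL depends on it. The attribute names (notAfter, certStatus, objectClass certificateRecord), the DN layout under o=ipaca and the GeneralizedTime ordering match in the filter are assumptions about the Dogtag schema, and the dates are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like Dogtag certificateRecord entries under
# ou=certificateRepository,ou=ca,o=ipaca. Attribute names are assumed, and the
# timestamps are LDAP GeneralizedTime (YYYYMMDDHHMMSSZ).
BASE = "ou=certificateRepository,ou=ca,o=ipaca"
SAMPLE_RECORDS = [
    {"dn": "cn=10," + BASE, "certStatus": "VALID",   "notAfter": "20160101000000Z"},  # expired
    {"dn": "cn=11," + BASE, "certStatus": "REVOKED", "notAfter": "20160301000000Z"},  # revoked and expired
    {"dn": "cn=12," + BASE, "certStatus": "REVOKED", "notAfter": "20190301000000Z"},  # revoked, still in validity period
    {"dn": "cn=13," + BASE, "certStatus": "VALID",   "notAfter": "20191201000000Z"},  # current
    {"dn": "cn=14," + BASE, "certStatus": "VALID",   "notAfter": "not-a-time"},       # unparsable
]
THREAD_DATE = datetime(2017, 7, 31, tzinfo=timezone.utc)  # "now" for the worked run


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' into an aware UTC datetime.
    Returns None when the value does not parse, so the caller never purges a
    record whose expiry it cannot establish."""
    try:
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def select_purgeable(records, now, grace_days=0):
    """Split records into (purge, keep, skipped) lists of DNs.
    Only records whose notAfter lies at or before now minus grace_days are purge
    candidates. certStatus is deliberately ignored: a revoked certificate that is
    still inside its validity period stays so CRL generation keeps seeing it."""
    cutoff = now - timedelta(days=grace_days)
    purge, keep, skipped = [], [], []
    for rec in records:
        expiry = parse_generalized_time(rec.get("notAfter"))
        if expiry is None:
            skipped.append(rec["dn"])   # report it, do not touch it
        elif expiry <= cutoff:
            purge.append(rec["dn"])
        else:
            keep.append(rec["dn"])
    return purge, keep, skipped


def expired_search_filter(now, grace_days=0):
    """Server-side filter expressing the same rule, for an ldapsearch dry run
    before any delete. Assumes notAfter has a GeneralizedTime ordering match."""
    cutoff = now - timedelta(days=grace_days)
    return "(&(objectClass=certificateRecord)(notAfter<=%s))" % cutoff.strftime("%Y%m%d%H%M%SZ")


if __name__ == "__main__":
    purge, keep, skipped = select_purgeable(SAMPLE_RECORDS, THREAD_DATE, grace_days=30)
    print("filter:", expired_search_filter(THREAD_DATE, grace_days=30))
    print("purge:", purge)
    print("keep:", keep)
    print("skipped (unparsable notAfter):", skipped)
```

Run the filter with ldapsearch first and compare its result count with what you expect before any delete, and take the backup Christina suggests either way.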