Bug 239891

Summary: Prompt for CoolKey PIN once per application (in tokend)
Product: Red Hat Certificate System
Reporter: Issue Tracker <tao>
Component: ESC
Assignee: Jack Magne <jmagne>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: medium
Version: 7.1
CC: aakkiang, benl, jgalipea, tao
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-06-01 19:43:17 UTC
Bug Blocks: 445047, 512842

Description Issue Tracker 2007-05-11 22:55:03 UTC
Escalated to Bugzilla from IssueTracker

Comment 2 Issue Tracker 2007-06-21 19:38:25 UTC
Bill,

Per our conversation, we are closing this ticket as it is basically the
same issue as ticket 120718.  We will use that ticket to track bug 239891.


kent


Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'Netscape Applications'

This event sent from IssueTracker by klamb, issue 120880

Comment 6 Jack Magne 2007-06-22 00:26:54 UTC
Thanks Mark:

I agree that this is confusing. It should be under the control of the TokenD to
modify this behavior.

Comment 9 Thomas Kwan 2007-07-09 17:42:31 UTC
Set target fix to 8.0

Comment 16 Jack Magne 2010-04-16 01:01:51 UTC
How To Test:

1. Use ESC to enroll a smart card that contains your email address. The TPS
back-end server can be configured to consult the LDAP directory in order to
populate the proper email address into the certificates that will be written to
the smart card. Instructions for this can be found here: <add link>

2. Make sure that the Apple KeyChain has imported and trusted the cert chain of
the CA used to issue the certificates on the smart card. 

  a) With a working Certificate System (CS) instance, proceed to the following url for the
EE interface:

       http://test.host.com:9180/ca/ee/ca/

  b) Click on "Import CA Certificate Chain". Select the radio button:
      "Display certificates in the CA certificate chain for importing
individually into a server"

  c) Your browser will display a list of certificates in base64 format. Pick
the first blob displayed and create a text file called something like "ca.cer".
Save the file.

  d) Import this file using the Apple KeyChain utility as follows:

     - Click on the "System" keychain.

     - Go to the main menu and click File|Import Items

     - Use the file finder to locate and select "ca.cer"

     - During the import operation, you will be asked to trust the certificate
"always". Do so.

3. Insert your enrolled CoolKey token into the computer.

4. Watch the display for the "KeyChain access" utility. After a few seconds a
new keychain will appear with your name displayed.

5. Locate the two or three certificates that exist under the smart card's
keychain.

6. Drag and drop the two or three certificates into the "login" keychain.

7. Now that the enrolled token is ready to use, open the Apple Safari browser.

8. Proceed to the TPS client auth protected interface:

https://test.host.com:7890/nk_service

9. Type in the requested PIN and note that the site shows up successfully.

10. Go to another random site and return to the one in comment #8.

11. Note that the PIN is not requested again.

Comment 17 Jack Magne 2010-04-16 21:17:03 UTC
Testing (cont.):

12. Send a signed and encrypted email to yourself.

13. Open Apple Mail and address an email to yourself. Make sure that a properly enrolled token is inserted and that the COOLKEY TokenD is running.

14. If everything has been properly set up, Apple Mail should have two visible icons that engage encryption and signing. After composing the simple email, make sure those two icons are engaged.

15. Send the email.

16. When the email shows up in your inbox, click the email to read it.

17. At some point during either sending or reading the mail, the PIN will be requested.

18. At this point simply compose and send another email to verify that the PIN is not requested too often. It is possible from time to time for the system to require the PIN in case the PKCS#11 module has logged out, but for the most part, the instances of typing in the PIN should be much less often.

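The keychain preparation in steps 2c, 2d, 5 and 6 of the "How To Test" procedure above can be scripted on the Mac under test. The script below is an added example, not code from this bug report or from the CoolKey/ESC project, and it assumes things the bug does not state: that the CA chain page saved from the EE interface carries PEM-armored blocks (-----BEGIN CERTIFICATE-----), that Apple's security(1) tool is available, and that "security import" accepts a PEM bundle of certificates. The file names ca.cer, token-certs.pem and saved-ee-page.html are placeholders.

```shell
#!/bin/sh
# Added example (not the bug's or the project's code): automates steps
# 2c, 2d, 5 and 6 of the "How To Test" procedure. Assumptions: the saved EE
# page holds PEM-armored certificate blocks, security(1) exists, and
# "security import" accepts a PEM bundle. File names are placeholders.

set -u

# Print only the first PEM certificate block on stdin (step 2c says to save
# the first blob as ca.cer); later blocks in the chain are ignored.
extract_first_pem() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { if (!done) inblock = 1 }
        inblock { print }
        /-----END CERTIFICATE-----/ { if (inblock) { inblock = 0; done = 1 } }
    '
}

# Count the PEM blocks on stdin, to confirm the saved page really held a chain
# ("|| true" keeps the printed 0 when grep finds nothing and exits non-zero).
count_pem_blocks() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Step 2d without the GUI: add the CA cert to the System keychain as a trusted
# root. Refuses to run where security(1) is absent (i.e. not on macOS).
import_ca_into_system_keychain() {
    ca_file="$1"
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; run this on the Mac under test" >&2
        return 1
    fi
    sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$ca_file"
}

# Steps 5 and 6 without drag-and-drop: copy the certificates (not the keys,
# which stay on the token) from the token's keychain into the default login
# keychain so that Safari and Mail can find the identities.
copy_token_certs_to_login() {
    token_keychain="$1"
    login_keychain=$(security default-keychain | tr -d ' "')
    security find-certificate -a -p "$token_keychain" > token-certs.pem
    security import token-certs.pem -k "$login_keychain"
}

# Driver; only runs when invoked as "sh script.sh --run saved-ee-page.html".
if [ "${1:-}" = "--run" ]; then
    page="$2"
    echo "chain blocks found: $(count_pem_blocks < "$page")"
    extract_first_pem < "$page" > ca.cer
    import_ca_into_system_keychain ca.cer
    echo "insert the enrolled token, then run: security list-keychains"
    echo "and pass the new keychain's path to copy_token_certs_to_login"
fi
```

After the token is inserted, "security list-keychains" shows the keychain that tokend creates for it (step 4); pass that path to copy_token_certs_to_login. The script only prepares the keychains; the PIN prompt itself comes from tokend and the PKCS#11 module, so the checks in steps 8-11 and 12-18 (one prompt per application, then no re-prompt on revisiting the client-auth page) remain manual.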
Comment 19 Asha Akkiangady 2010-05-18 19:46:02 UTC
Tested sending/reading encrypted e-mails in Apple Mail using an enrolled token as commented in 'How To Test'. With the certificates dropped in the 'login' keychain, the token PIN is not requested too often. Tested with Gemalto 64K usb token and Safenet 330J. 

With the token certificates installed properly in the keychain, inserted Coolkey token and using Safari browser visit TPS client auth protected interface: https://test.host.com:7889/nk_service. The token PIN is requested; entering the correct PIN displays the web page data. Visit another random webpage and go to the TPS auth protected interface; the token PIN is not requested again.

Marking the bug verified.

Comment 20 errata-xmlrpc 2010-06-01 19:43:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0448.html