Bug 239891
Summary: | Prompt for CoolKey PIN once per application (in tokend) | | |
---|---|---|---|
Product: | Red Hat Certificate System | Reporter: | Issue Tracker <tao> |
Component: | ESC | Assignee: | Jack Magne <jmagne> |
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.1 | CC: | aakkiang, benl, jgalipea, tao |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2010-06-01 19:43:17 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 445047, 512842 | | |
Description
Issue Tracker
2007-05-11 22:55:03 UTC
Bill,

Per our conversation, we are closing this ticket as it is basically the same issue as ticket 120718. We will use that ticket to track bug 239891.

kent

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'Netscape Applications'

This event sent from IssueTracker by klamb
issue 120880

Thanks Mark: I agree that this is confusing. It should be under the control of the TokenD to modify this behavior.

Set target fix to 8.0

How To Test:

1. Use ESC to enroll a smart card that contains your email address. The TPS back-end server can be configured to consult the LDAP directory in order to populate the proper email address into the certificates that will be written to the smart card. Instructions for this can be found here: <add link>
2. Make sure that the Apple KeyChain has imported and trusted the cert chain of the CA used to issue the certificates on the smart card.
   a) With a working CS Certsystem instance, proceed to the following URL for the EE interface: http://test.host.com:9180/ca/ee/ca/
   b) Click on "Import CA Certificate Chain". Select the radio button: "Display certificates in the CA certificate chain for importing individually into a server"
   c) Your browser will display a list of certificates in base64 format. Pick the first blob displayed and create a text file called something like "ca.cer". Save the file.
   d) Import this file using the Apple KeyChain utility as follows:
      - Click on the "System" keychain.
      - Go to the main menu and click File|Import Items
      - Use the file finder to locate and select "ca.cert"
      - During the import operation, you will be asked to trust the certificate "always". Do so.
3. Insert your enrolled CoolKey token into the computer.
4. Watch the display for the "KeyChain access" utility. After a few seconds a new keychain will appear with your name displayed.
5. Locate the two or three certificates that exist under the smart card's keychain.
6. Drag and drop the two or three certificates into the "login" keychain.
7. Now that the enrolled token is ready to use, open the Apple Safari browser:
8. Proceed to the TPS client auth protected interface: https://test.host.com:7890/nk_service
9. Type in the requested PIN and note that the site shows up successfully.
10. Go to another random site and return to the one in comment #8.
11. Note that the PIN is not requested again.
12. Testing Cont:
12. Send a signed and encrypted email to yourself.
13. Open Apple Mail and address an email to yourself. Make sure that a properly enrolled token is inserted and that the COOLKEY TokenD is running.
14. If everything has been properly set up, Apple Mail should have two visible icons that engage encryption and signing. After composing the simple email, make sure those two icons are engaged.
15. Send the email.
16. When the email shows up in your inbox, click the email to read it.
17. At some point during either sending or reading the mail, the PIN will be requested.
18. At this point simply compose and send another email to verify that the PIN is not requested too often. It is possible from time to time for the system to require the PIN in case the PKCS#11 module has logged out, but for the most part, the instances of typing in the PIN should be much less often.

Tested sending/reading encrypted e-mails in Apple Mail using an enrolled token as commented in 'How To Test'. With the certificates dropped in the 'login' keychain, the token PIN is not requested too often. Tested with Gemalto 64K USB token and Safenet 330J.

With the token certificates installed properly in the keychain, inserted the CoolKey token and, using the Safari browser, visited the TPS client auth protected interface: https://test.host.com:7889/nk_service. The token PIN is requested. Entering the correct PIN displays the web page data. Visiting another random webpage and going back to the TPS auth protected interface, the token PIN is not requested again. Marking the bug verified.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0448.html