Bug 385181

Summary: Gemalto 64K token detection issues
Product: Red Hat Enterprise Linux 5 Reporter: Jack Magne <jmagne>
Component: coolkeyAssignee: Jack Magne <jmagne>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 5.1CC: ckannan, ddomingo, kevinu, rrelyea, shaines
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: RHBA-2008-0344 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 14:30:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 229988, 391221    

Description Jack Magne 2007-11-15 18:18:52 UTC 
Description of problem:

We have detected various detection issues with coolkey and the Gemalto 64K
tokens based on OS platform and actual token type.



How reproducible:

Always

Steps to Reproduce:
1. Log into a machine
2. Put in a Gemalto 64K token

  
Actual results:

Based on Platform:

1. OS X everything is fine.
2. Windows. The Smart Card sized token works fine, the USB token is only
recognized once per application session.
3. Linux. The initial detection can be inconsistent.

Expected results:

The tokens should be recognized easily in all cases.

Additional info:

The main cause for this issue is the fact that these Gemalto cards now use CCID
compliant readers instead of the built in egate reader in the previous card. The
smart card sized tokens work better since the reader is usually plugged in first
(ex SCR 331) and then the card is placed in the reader. For the case of the USB
token, the reader and the card are essentially being inserted at the same time.

We have a patch in hand that resolves the Windows issue that fixes the smart
card detection event code specific to Windows. The Linux issue has also been
addressed by code that makes a few extra attempts to connect to the token.
Comment 1 RHEL Program Management 2007-12-04 18:54:28 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 2 Bob Lord 2008-01-08 18:35:39 UTC 
devel_ack+
Comment 3 Jack Magne 2008-01-15 18:45:48 UTC 
Resolved in build coolkey-1.1.0-6.el5
Comment 4 Jack Magne 2008-01-15 19:27:37 UTC 
How to test:

1. Obtain an uninitialized gemalto 64k token usb form factor. If a smart card
form factor is used, obtain an SCR 331 smart card reader.
2. Make sure ESC is running.
3. Insert the uninitialized token into the computer.
4. Fill in the phone home information for the test TPS system.
5. Make sure the token can be formatted.
6. Make sure the token can be enrolled.
7. Make sure the pin can be reset on the token.

8 Bring up Firefox and make sure the enrolled token and its contents are visible
in the PSM or security manager UI.
Comment 6 Chandrasekar Kannan 2008-03-12 23:21:37 UTC 
Here's the new card spec that works. 
Cyberflex Access 64K v2 Standard with DER SHA1 value configured as in PKCS1 v2
.1
Comment 7 Chandrasekar Kannan 2008-03-13 00:40:12 UTC 
with the above card, I can do :

(1) smartcard format, enroll, password reset operations.
(2) smartcard login with HIEMDAL kerberos kdc for pkinit
(3) firefox webpage smartcard detection when the module is loaded.

I tried to play with card detection. Approx after about 15 insertions/removals,
the apps becomes unresponsive. Jack tells me that this is a pcscd slot
availability issue. So, ignoring that for now. 

This card seems to work ok. 

marking bug verified.
Comment 8 Scott Haines 2008-03-13 13:54:05 UTC 
RHEL 5.2 now supports this new card type and we need it added to the Release
Notes (and the single-sign-on chapter of the Deployment Guide). Info needed
within bug, but will work with ChandraK and KevinU to assist with verbiage as
required.
Comment 9 Don Domingo 2008-03-14 00:18:53 UTC 
thanks Scott, adding to RHEL5.2 release notes under "Resolved Issues":

<quote>
Gemalto 64K smart cards now use readers compliant with Chip/Smart Card Interface
Devices (CCID). Previously, this smart card used the built-in e-gate reader,
which essentially meant that the card and reader were being inserted at the same
time. As a result, coolkey did not consistently recognize Gemalto 64K smart cards.

In this update, coolkey now works correctly with Gemalto 64k smart cards.
</quote>

please advise if any further revisions are required to the release notes. i'll
track the Deployment Guide revisions through the RT ticket mhideo wrote on your
behalf.
Comment 11 Don Domingo 2008-04-02 02:14:47 UTC 
Hi,
the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at
which point no further additions or revisions will be entertained.

a mockup of the RHEL5.2 release notes can be viewed at the following link:
http://intranet.corp.redhat.com/ic/intranet/RHEL5u2relnotesmockup.html

please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
bug number.

Cheers,
Don
Comment 12 errata-xmlrpc 2008-05-21 14:30:00 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0344.html