Bug 492180
Summary: | Security officer: token recovery for a security officer throws error 28 'connection to server lost'. | |
---|---|---|---
Product: | [Retired] Dogtag Certificate System | Reporter: | Asha Akkiangady <aakkiang>
Component: | TPS | Assignee: | Matthew Harmsen <mharmsen>
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan>
Severity: | urgent | Docs Contact: |
Priority: | urgent | |
Version: | unspecified | CC: | alee, benl, jmagne
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2009-07-22 23:33:42 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 443788 | |
Attachments: | | |
Created attachment 336690 [details]
Error when enrolling a security officer token for the SO who temporarily lost the token.

Description of problem:
Token recovery - enrolling a token for a security officer who temporarily lost the first token throws error 28 with the message "Connection to Smart Card server lost".

Version-Release number of selected component (if applicable):
CS 8.0

How reproducible:

Steps to Reproduce:
1. Set the phone home URL and enroll Security Officer SOfficer#1 with token#1.
2. From the TPS agent page, select the SOfficer#1 token and set its status to "This token has been temporarily lost".
3. From the agent page, select the token again and make sure the token status is 'lost' and the Reason is 'onHold'.
4. Set the security officer phone home URL on a blank token, token#2.
5. Try to enroll SOfficer#1 with token#2. (I used two tokens of type 64k Gemalto.)

Actual results:
Error 28 with the message "Connection to Smart Card server lost".

Expected results:
Enrollment is complete.

Additional info:

Created attachment 336691 [details]
TPS debug log messages attached.

It looks like TPS is getting something back it doesn't like from the KRA. Would it be possible to see the KRA debug log for this?

Created attachment 337079 [details]
KRA debug log attached.

Looking at the test installation, I noted that the following block of config entries in /var/lib/pki-tps/CS.cfg is configured incorrectly by the installation wizard:

    op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
    op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1
    op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true

The first entry is supposed to enable server-side keygen for the Security Officer types of keys. As is evident, the template variable did not get set to "true" by the installation wizard, which asks the user whether they want server-side keygen or not. If this had been set properly, I suspect that the key would be generated on the server and properly archived. The included KRA debug log stated that the key record could not be found when attempting to recover the key back to the token. This would be consistent with the above theory that the key was not getting archived in the first place.

Created attachment 337142 [details]
mod_revocator integration

Created attachment 337143 [details]
mod_revocator integration (specfiles)

Attachments (id=337139, id=337140) +jmagne

    cd pki
    % svn status
    M dogtag/setup/pki-setup.spec
    M dogtag/ra/pki-ra.spec
    M dogtag/tps/pki-tps.spec
    M base/setup/pkicreate
    M base/ra/apache/conf/httpd.conf
    A base/ra/apache/conf/revocator.conf
    M base/ra/lib/perl/PKI/RA/DonePanel.pm
    M base/tps/Makefile.in
    M base/tps/lib/perl/PKI/TPS/DonePanel.pm
    M base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
    M base/tps/apache/conf/httpd.conf
    A base/tps/apache/conf/revocator.conf
    M base/tps/Makefile.am
    % svn commit
    Sending base/ra/apache/conf/httpd.conf
    Adding base/ra/apache/conf/revocator.conf
    Sending base/ra/lib/perl/PKI/RA/DonePanel.pm
    Sending base/setup/pkicreate
    Sending base/tps/Makefile.am
    Sending base/tps/Makefile.in
    Sending base/tps/apache/conf/httpd.conf
    Adding base/tps/apache/conf/revocator.conf
    Sending base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
    Sending base/tps/lib/perl/PKI/TPS/DonePanel.pm
    Sending dogtag/ra/pki-ra.spec
    Sending dogtag/setup/pki-setup.spec
    Sending dogtag/tps/pki-tps.spec
    Transmitting file data .............
    Committed revision 348.

Verified that /var/lib/pki-tps/CS.cfg is configured correctly for [SERVER_KEYGEN] during the configuration in the wizard:

    op.enroll.soKey.keyGen.encryption.serverKeygen.enable=true

Successfully enrolled a security officer token for the SO who lost the token temporarily.
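The root cause found in the comments above is a wizard template placeholder ([SERVER_KEYGEN]) left unsubstituted in /var/lib/pki-tps/CS.cfg, so the security officer key was never generated on, or archived to, the DRM/KRA and later could not be recovered. The following post-install check is an added example, not code from the bug report or from Dogtag: it parses CS.cfg-style key=value lines, flags any value that still looks like an unfilled placeholder, and checks the three serverKeygen entries quoted in the bug. The key names and the [NAME] placeholder form are taken from the comments; the sample configs are constructed, and the assumption that every whole value of the form [UPPERCASE_NAME] is an unfilled wizard placeholder is mine.

```python
"""Post-install sanity check for a Dogtag TPS CS.cfg (added example).

Flags installation-wizard template placeholders such as [SERVER_KEYGEN]
that were never substituted, and checks the server-side keygen settings
that the bug above shows being left unset. Sample configs are constructed.
"""
import re

# Assumption (not from the page): an unfilled wizard placeholder is a whole
# value of the form [UPPERCASE_NAME]; a correctly configured value never is.
PLACEHOLDER = re.compile(r"^\[[A-Z][A-Z0-9_]*\]$")

# Prefix whose .enable must be "true" for SO keys to be generated on the
# server and archived to the DRM/KRA. Only the soKey prefix appears on the page.
SO_SERVER_KEYGEN = "op.enroll.soKey.keyGen.encryption.serverKeygen"

# Constructed sample, modelled on the three lines quoted in the bug.
BROKEN_CS_CFG = """\
op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1
op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true
"""

# The same entries as the verification comment shows them after the fix.
FIXED_CS_CFG = BROKEN_CS_CFG.replace("[SERVER_KEYGEN]", "true")


def parse_cs_cfg(text):
    """Parse CS.cfg-style key=value lines; blanks and # comments are skipped.

    Only the first '=' splits key from value, so values may contain '='.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def unsubstituted_placeholders(cfg):
    """Return {key: value} for every value still holding a [NAME] placeholder."""
    return {k: v for k, v in cfg.items() if PLACEHOLDER.match(v)}


def server_keygen_problems(cfg, prefix=SO_SERVER_KEYGEN):
    """List reasons server-side keygen plus archival would fail for `prefix`."""
    problems = []
    enable = cfg.get(prefix + ".enable")
    if enable is None:
        problems.append(f"{prefix}.enable is missing")
    elif PLACEHOLDER.match(enable):
        problems.append(f"{prefix}.enable still holds template value {enable}")
    elif enable.lower() != "true":
        problems.append(f"{prefix}.enable={enable}: key generated on token, not archived")
    if not cfg.get(prefix + ".drm.conn"):
        problems.append(f"{prefix}.drm.conn is empty: no DRM/KRA to archive to")
    if cfg.get(prefix + ".archive", "").lower() != "true":
        problems.append(f"{prefix}.archive is not true: key would not be archived")
    return problems


def check_cs_cfg(text):
    """Run both checks; empty results mean the config looks sane."""
    cfg = parse_cs_cfg(text)
    return {
        "placeholders": unsubstituted_placeholders(cfg),
        "server_keygen": server_keygen_problems(cfg),
    }


if __name__ == "__main__":
    # Hypothetical usage: replace the constructed samples with
    # open("/var/lib/pki-tps/CS.cfg").read() on a real TPS host.
    for name, text in (("broken", BROKEN_CS_CFG), ("fixed", FIXED_CS_CFG)):
        print(name, check_cs_cfg(text))
```

On the constructed "broken" sample the check reports the single unsubstituted `.enable` entry; on the "fixed" sample it reports nothing, which matches the verification comment. Because the placeholder test runs over every key, the same scan also catches any other wizard variable the panels failed to substitute, not just this one.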