Bug 494983

Summary: CS 8.0 Alpha -- Cannot enroll a token if the RE_ENROLL policy is set to no
Product: [Community] Dogtag Certificate System
Component: TPS
Version: 1.0
Reporter: Sean Veale <sean.veale>
Assignee: Jack Magne <jmagne>
QA Contact: Chandrasekar Kannan <ckannan>
CC: alee, benl, cfu, dlackey, jgalipea, jmagne
Status: CLOSED ERRATA
Severity: high
Priority: urgent
Keywords: TechPreview
Hardware: All
OS: Linux
Doc Type: Technology Preview
Last Closed: 2009-07-22 19:34:11 EDT
Bug Blocks: 443788

Attachments:
  zip of logs and error message (flags: none)
  Fix for this issue. (flags: none)

Description Sean Veale 2009-04-08 17:34:38 EDT
Created attachment 338810
zip of logs and error message

Description of problem: Cannot enroll a token if the RE_ENROLL policy is set to no. You should be able to enroll the token the first time!


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Edit the tps CS.cfg to specify that the RE_ENROLL policy has a default of no.
2. If you have used the token before, delete its record from the tps internal database. The easiest way is through the admin pages.
3. Format the token. Verify it has been formatted and shows up in the internal tps database.
4. Attempt to enroll the token.
  
Actual results:
Unable to enroll the card! -- Erroneous error message logged as a separate bug. 

Expected results:
Able to enroll the card 

Additional info:
Zip with logs and screen shot of error message
Comment 1 Sean Veale 2009-04-08 17:36:11 EDT
Bug about error message
https://bugzilla.redhat.com/show_bug.cgi?id=494981
Comment 2 Jack Magne 2009-04-21 15:00:34 EDT
Created attachment 340610
Fix for this issue.

Proposed fix for this issue. CFU please review.
Comment 3 Christina Fu 2009-05-01 16:46:59 EDT
Basically, you can check in.
+cfu

I want to add a note here.  I took the opportunity of reviewing the code to also test out whether the renewal feature I just added would play nicely with the existing policy.

Here is some info (my test result) that's worth noting (probably deserves to be in the doc):

RE_ENROLL=NO
 enrollment is allowed on uninitialized token
 re-enrollment not allowed on active token.

RE_ENROLL=YES
 enrollment is allowed if token uninitialized.
 re-enrollment allowed if token active.

RENEW=NO
  enrollment is allowed on uninitialized token
  renew not allowed on active token

RENEW=YES
 enrollment is allowed if token uninitialized.
 renew allowed if token active.

RE_ENROLL=NO;RENEW=YES
 renew will happen if token active

RE_ENROLL=YES;RENEW=YES
 - hey, we'll decide for you if you can't, so,
 renew will happen if token active

You know you are renewing if you see the enrollment goes very fast after 1/4 way through on the status bar.  That's because no new key generation happens.  Your keys remain on the token with only the renewed certs injected.
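
The policy matrix reported in comment 3, written as a decision function with the first-enrollment case from this bug handled explicitly. This is an added example, not code from tus_db.c or the attached fix; the type and function names are hypothetical, and treating an absent policy key as NO is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not TPS identifiers. */
typedef enum { TOKEN_UNINITIALIZED, TOKEN_ACTIVE } token_state;
typedef enum { OP_DENY, OP_ENROLL, OP_RE_ENROLL, OP_RENEW } token_op;

/* Return 1 if `policy` ("KEY=VAL;KEY=VAL") has exactly `key` set to YES.
 * Assumption: a key that is absent or malformed counts as NO. */
static int policy_yes(const char *policy, const char *key)
{
    size_t klen = strlen(key);
    const char *p = policy;
    while (p && *p) {
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* Require "KEY=" at the start of the segment, not a partial match. */
        if (len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=')
            return len - klen - 1 == 3 && strncmp(p + klen + 1, "YES", 3) == 0;
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Decide what an enrollment request does, per the matrix in comment 3. */
token_op decide_enrollment(const char *policy, token_state state)
{
    /* Regression case for this bug: the policy restricts *re*-enrollment,
     * so a formatted, uninitialized token always gets a first enrollment. */
    if (state == TOKEN_UNINITIALIZED)
        return OP_ENROLL;
    if (policy_yes(policy, "RENEW"))       /* renew wins when both are YES */
        return OP_RENEW;
    if (policy_yes(policy, "RE_ENROLL"))
        return OP_RE_ENROLL;
    return OP_DENY;                        /* active token, nothing allowed */
}

int main(void)
{
    static const char *names[] = { "deny", "enroll", "re-enroll", "renew" };
    const char *policies[] = { "RE_ENROLL=NO", "RE_ENROLL=YES",
                               "RE_ENROLL=NO;RENEW=YES", "RE_ENROLL=YES;RENEW=YES" };
    for (size_t i = 0; i < sizeof policies / sizeof *policies; i++)
        printf("%-24s uninitialized=%s active=%s\n", policies[i],
               names[decide_enrollment(policies[i], TOKEN_UNINITIALIZED)],
               names[decide_enrollment(policies[i], TOKEN_ACTIVE)]);
    return 0;
}
```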
Comment 4 Jack Magne 2009-05-01 17:09:32 EDT
svn -m "Fix for #494983, unable to re-enroll token." commit tus_db.c
Sending        tus_db.c
Transmitting file data .
Committed revision 425.
Comment 5 Jack Magne 2009-05-01 17:21:27 EDT
svn -m "Fix for #494983, unable to re-enroll token." commit pki-tps.spec
Sending        pki-tps.spec
Transmitting file data .
Committed revision 426.
Comment 6 Jack Magne 2009-05-01 18:42:23 EDT
svn -m "Typo related to bug#494983" commit CS.cfg
Sending        CS.cfg
Transmitting file data .
Committed revision 427.
Comment 7 Chandrasekar Kannan 2009-07-05 08:52:29 EDT
1. Edit the tps CS.cfg to specify that the RE_ENROLL policy has a default of no.
2. If you have used the token before, delete its record from the tps internal
database. The easiest way is through the admin pages.
3. Format the token. Verify it has been formatted and shows up in the internal
tps database.
4. Attempt to enroll the token.

Enrollment succeeds.

Marking bug verified.