Bug 496342

Summary: unable to do smartcard enrollment/format. TPS cannot talk to TKS. (nethsm 2000)
Product: [Retired] Dogtag Certificate System
Component: TPS
Reporter: Chandrasekar Kannan <ckannan>
Assignee: Christina Fu <cfu>
QA Contact: Chandrasekar Kannan <ckannan>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: alee, benl, jmagne, rcritten
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:34:28 UTC
Bug Depends On: 498542
Bug Blocks: 443788

Description Chandrasekar Kannan 2009-04-17 21:58:47 UTC
With SELinux in permissive mode, I have set up all of these subsystems
to use the nCipher nethsm 2000 HSM. We do know about the agent page access
issues, which have been filed as a separate bug.

Now I'm trying to do a smart card format operation. It fails.
This is all I see in the TPS error logs:

[2009-04-17 07:37:59] 2c866140 mod_tps::mod_tps_initialize - The TPS module has been successfully loaded!
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - Initializing TUS database
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - Token DB initialization succeeded
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - The Tokendb module has been successfully loaded!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - begins: 2
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - NSS already initialized
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A ca certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize CA Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A tks certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize TKS Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A drm certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize DRM Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - nSignedAuditInitCount=2
[2009-04-17 07:37:59] 2c866140 RA:: InitializeSignedAudit - begins
[root@delta pki-tps]# pwd
/var/log/pki-tps

[root@delta alias]# modutil -dbdir . -nocertdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services                            
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services                  
        token: NSS Certificate DB

  2. nfast
        library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
         slots: 2 slots attached
        status: loaded

         slot: C54A-81FD-A5F1 Rt1
        token: accelerator

         slot: C54A-81FD-A5F1 Rt1 slot 0
        token: nethsm2k
-----------------------------------------------------------
[root@delta alias]# certutil -L -d . -h nethsm2k

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "nethsm2k":
nethsm2k:Server-Cert cert-pki-kra-delta                      u,u,u
nethsm2k:Server-Cert cert-pki-tks-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-tps-delta                 u,u,u
nethsm2k:Server-Cert cert-pki-tps-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-ca-delta                  u,u,u
nethsm2k:subsystemCert cert-pki-ca-delta                     u,u,u
nethsm2k:ocspSigningCert cert-pki-ca-delta                   u,u,u
nethsm2k:subsystemCert cert-pki-tks-delta                    u,u,u
nethsm2k:storageCert cert-pki-kra-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-tks-delta                 u,u,u
nethsm2k:transportCert cert-pki-kra-delta                    u,u,u
nethsm2k:Server-Cert cert-pki-ca-delta                       u,u,u
nethsm2k:auditSigningCert cert-pki-kra-delta                 u,u,u
nethsm2k:caSigningCert cert-pki-ca-delta                     CTu,Cu,Cu
nethsm2k:subsystemCert cert-pki-tps-delta                    u,u,u
nethsm2k:subsystemCert cert-pki-kra-delta                    u,u,u


During the format operation I get message=19 in the TPS debug log, and:

[2009-04-17 07:36:12] e9a95170 Start ComputeSessionKey - 
[2009-04-17 07:36:12] e9a95170 RA::ComputeSessionKey - Failed to get TKSConnection tks1
[2009-04-17 07:36:12] e9a95170 RA_Processor::Setup_Secure_Channel - RA_Processor::GenerateSecureChannel - did not get session_key
[2009-04-17 07:36:12] e9a95170 RA_Processor::Setup_Secure_Channel - Resetting security level ...
[2009-04-17 07:36:12] e9a95170 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
[2009-04-17 07:36:12] e9a95170 RA_Processor::UpgradeApplet - channel creation failure
[2009-04-17 07:36:12] e9a95170 RA_Format_Processor::Process - applet upgrade failed


Looks like TPS is not able to get access to its own subsystem cert to connect
to TKS.
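An added diagnostic, not part of this report or of Dogtag: it parses a certutil -L -h listing like the one above and checks that each nickname the TPS connections need is actually on the token, separating a genuinely missing certificate from a mismatch in the "token:" nickname prefix. The connection ids ca1/tks1/drm1 and the nickname-to-connection mapping are assumptions for illustration; the listing rows are constructed from the output in the report.

```python
import re

# Constructed sample input: a subset of the certutil -L -h nethsm2k listing in the report.
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "nethsm2k":
nethsm2k:subsystemCert cert-pki-tks-delta                    u,u,u
nethsm2k:subsystemCert cert-pki-tps-delta                    u,u,u
nethsm2k:caSigningCert cert-pki-ca-delta                     CTu,Cu,Cu
"""

# Assumed mapping of TPS connection id -> client nickname it authenticates with
# (the connection ids and the mapping are an assumption, not taken from the report).
REQUIRED_NICKNAMES = {
    "ca1": "nethsm2k:subsystemCert cert-pki-tps-delta",
    "tks1": "nethsm2k:subsystemCert cert-pki-tps-delta",
    "drm1": "nethsm2k:subsystemCert cert-pki-tps-delta",
}

# A listing row is a nickname, two or more spaces, then three comma-separated
# trust fields (u,u,u or CTu,Cu,Cu); header, prompt and blank lines never match.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTPcpu]*,[CTPcpu]*,[CTPcpu]*)\s*$")

def parse_certutil_listing(text):
    """Return {nickname: trust flags} for every certificate row in the listing."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs

def check_connections(certs, required):
    """Per connection: 'ok' (nickname listed exactly), 'token-prefix-mismatch'
    (listed, but the 'token:' prefix differs from the configured name) or 'missing'."""
    bare_listed = {n.split(":", 1)[-1] for n in certs}  # nicknames without token prefix
    status = {}
    for conn, nick in required.items():
        if nick in certs:
            status[conn] = "ok"
        elif nick.split(":", 1)[-1] in bare_listed:
            status[conn] = "token-prefix-mismatch"
        else:
            status[conn] = "missing"
    return status
```

For the listing in this report every connection comes back "ok", which agrees with the reporter's reading: the subsystem certificate is present on the token, so the failure is in how TPS reaches it rather than in a missing or misnamed certificate.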

Comment 2 Christina Fu 2009-05-01 20:54:12 UTC
*** Bug 496187 has been marked as a duplicate of this bug. ***