Bug 1331471
| Summary: | Cannot get coolkey working with Windows 7 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Frank DeLorey <fdelorey> |
| Component: | libcacard | Assignee: | Default Assignee for SPICE Bugs <rh-spice-bugs> |
| Status: | CLOSED NOTABUG | QA Contact: | SPICE QE bug list <spice-qe-bugs> |
| Severity: | medium | Docs Contact: | Jiri Herrmann <jherrman> |
| Priority: | unspecified | | |
| Version: | 6.7 | CC: | astepano, cnagarka, dblechte, djasa, dsirrine, fdelorey, kresss, marcandre.lureau, mkalinin, rh-spice-bugs, sraje, tpelka, uril |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Known Issue |
| Doc Text: | *Coolkey* does not load on Windows 7 guests. Loading the *Coolkey* module on Windows 7 guest virtual machines currently fails, which prevents smart card redirection from working properly on these guests. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-02-14 17:52:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 917867 | | |
| Bug Blocks: | 1269194, 1356656 | | |
| Attachments: | | | |

It may help to configure coolkey in a Linux VM first. I am not really familiar with Windows support, David Jasa could perhaps help. On Linux/Fedora, you can do:

    sudo modutil -add "coolkey" -dbdir sql:/etc/pki/nssdb -libfile /usr/lib64/pkcs11/libcoolkeypk11.so

I suppose on Windows, it should work similarly. Make sure you have permissions to modify the file too. Btw, the path is likely C:\Documents and Settings\All Users\Application Data\pki\nssdb. (CSIDL_COMMON_APPDATA\pki\nss)

The customer has been able to successfully do the following: RHEL 6.7 client to RHEL 6.7 guest. Both client and guest using coolkey. On Windows they typically use ActivClient, which would be OK if the client was Windows; however, it is not. The guest is Windows, so according to BZ 961964 they cannot use ActivClient in a guest, so we recommend using coolkey. The problem is that we have no real documentation for setting up coolkey in Windows. I could not find any examples of this actually working so I am not sure if we have tested it or not.

Frank

This is the actual command they used:

    C:\>"C:\Program Files\VirtViewer v2.0-128\bin\modutil.exe" -add "Coolkey" -libfile "C:\Windows\System32\libcoolkeypk11.dll" -dbdir "C:\ProgramData\pki\nssdb"

    WARNING: Performing this operation while the browser is running could cause
    corruption of your security databases. If the browser is currently running,
    you should exit browser before continuing this operation. Type
    'q <enter>' to abort, or <enter> to continue:

    ERROR: Failed to add module "Coolkey". Probable cause : "Unknown error".

Frank, just to make sure, is the system they're using 64bit or 32bit? If 64bit, is coolkey 64bit as well as virt-viewer (paths suggest that this should be the case). Could they get debug output (by setting NSPR_LOG_MODULES=all:5 before running modutil)? Can they add ActivClient dll to the database (IOW is the problem with nss/modutil or in coolkey)?

I'm afraid that we'll have to defer to NSS people here if none of suggestions above help...

The system is 64 bit and installed virt viewer is 64 bit. The coolkey files seem to only be available in 32 bit, if you look at the download page (win32). https://www.nabber.org/download/?file=coolkey-

Here is the debug output from modutil:

    C:\>"C:\Program Files\VirtViewer v2.0-128\bin\modutil.exe" -dbdir %PROGRAMDATA%\pki\nssdb -add CoolKey -libfile "C:\Windows\System32\libcoolkeypk11.dll"
    0[3b7260]: Loaded library Executable (init)

    WARNING: Performing this operation while the browser is running could cause
    corruption of your security databases. If the browser is currently running,
    you should exit browser before continuing this operation. Type
    'q <enter>' to abort, or <enter> to continue:
    3[3b7940]: ExpireWaits: elapsed=2 usec
    3[3b7940]: switching to 4[453fe0]
    4[453fe0]: PR_Wait: cvar=3baf80 waiting for -1
    4[453fe0]: pausing
    0[3b7260]: write -> 263
    4[453fe0]: switching to 3[3b7940]
    3[3b7940]: ExpireWaits: elapsed=5004 usec
    3[3b7940]: pausing
    3[3b7940]: switching to 3[3b7940]
    0[3b7260]: read -> 1
    0[3b7260]: read -> 1
    0[3b7260]: write -> 1
    0[3b7260]: Loaded library C:\Program Files\VirtViewer v2.0-128\bin\softokn3.dll (load lib)
    0[3b7260]: Loaded library C:\Program Files\VirtViewer v2.0-128\bin\nssdbm3.dll (load lib)
    0[3b7260]: Loaded library C:\Program Files\VirtViewer v2.0-128\bin\freebl3.dll (load lib)
    ERROR: Failed to add module "CoolKey". Probable cause : "Unknown error".
    0[3b7260]: write -> 73
    0[3b7260]: Unloaded library C:\Program Files\VirtViewer v2.0-128\bin\nssdbm3.dll
    0[3b7260]: Unloaded library C:\Program Files\VirtViewer v2.0-128\bin\freebl3.dll
    0[3b7260]: Unloaded library C:\Program Files\VirtViewer v2.0-128\bin\softokn3.dll
    0[3b7260]: PR_Cleanup: shutting down NSPR
    0[3b7260]: PR_Cleanup: clean up before destroying thread

I tried adding ActivClient to nssdb and it worked:

    C:\>"C:\Program Files\VirtViewer v2.0-128\bin\modutil.exe" -dbdir %PROGRAMDATA%\pki\nssdb -add ActivClient -libfile "C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll"

    WARNING: Performing this operation while the browser is running could cause
    corruption of your security databases. If the browser is currently running,
    you should exit browser before continuing this operation. Type
    'q <enter>' to abort, or <enter> to continue:

    Module "ActivClient" added to database.

    C:\>"C:\Program Files\VirtViewer v2.0-128\bin\modutil.exe" -dbdir C:\ProgramData\pki\nssdb -list

    Listing of PKCS #11 Modules
    -----------------------------------------------------------
      1. NSS Internal PKCS #11 Module
          slots: 2 slots attached
          status: loaded

          slot: NSS Internal Cryptographic Services
          token: NSS Generic Crypto Services

          slot: NSS User Private Key and Certificate Services
          token: NSS Certificate DB

      2. ActivClient
          library name: C:\Program Files\ActivIdentity\ActivClient\acpkcs211.dll
          slots: 1 slot attached
          status: loaded

          slot: QEMU QEMU USB CCID 0
          token:
    -----------------------------------------------------------

nabber.org seems to redistribute RH binaries but can you be absolutely sure they're intact? We do distribute the binaries ourselves in Customer Portal, here:

https://access.redhat.com/downloads/content/216/ver=8/rhel---5/8.0/i386/product-software

CoolKey for both architectures is available there. IMO that should resolve your problem.

----

I'm actually surprised in two ways:

* that 32b library wasn't installed to %WINDIR%\SysWOW64 directory
* modutil had issues adding library to db. It didn't care about architecture I'd expect that the module was added fine but then it would be unusable by 64b virt-viewer.

Sachin, Frank, does this customer need card in both client and guest? If not, they could redirect whole reader using USB redirection and use ActivClient-compatible smartcard as in physical Windows 7

Frank, could you draw some comparisons with situation in solution to your "inverse" bug 1297533 comment 31? Does the same card work in Windows/ActivClient client and Linux/coolkey guest? If so, details about smartcard setup would be valuable to avoid compatibility issues elsewhere.

What info is required from me? I see the flag was set?

Frank

A "short" comment from SpiceQE. We also have problems with Windows guest and QEMU USB CCID: https://bugzilla.redhat.com/show_bug.cgi?id=1356656

We have IDBridge CT40 http://support.gemalto.com/?id=pc_usb_sl It is a quite popular device. It is well supported in Linux. Manufacturer provides official drivers for all Windows versions. We cannot get it working in Windows guests.

https://access.redhat.com/downloads/content/216/ver=8/rhel---5/8.0/x86_64/product-downloads provides coolkey for Windows x64

It is not clear what drivers we should use for Windows for our tests:

* Unsupported ESC (https://bugzilla.redhat.com/show_bug.cgi?id=1356656#c4)
* Unsupported coolkey from http://www.nabber.org/projects/coolkey
* PC/SC from Gemalto.

We tried all above methods. All of them have some problems. If we had a clear & "official" test-case we would be able to provide more logs. What drivers should we use and how to make sure that our smartcard is passed successfully?

The real problem is that ActivClient, which is the correct tool for Windows, does not work correctly. I have moved the customer's case from this BZ to the BZ for ActivClient support.

Created attachment 1151937
Version of coolkey being used.

Description of problem:
Customer trying to get coolkey working in Windows 7 VM as ActivClient in a guest is not supported.

Version-Release number of selected component (if applicable):
Client RHEL 6.7
Guest Windows 7
RHEV 3.6

How reproducible:
Every time

Steps to Reproduce:
1. Customer downloads coolkey for Windows
2. Tries to load coolkey:

    modutil -dbdir %PROGRAMDATA%\pki\nssdb -add CoolKey -libfile coolkeypkcs11.dll

Actual results:
Reports error:

    ERROR: Failed to add module "CoolKey". Probable cause : "Unknown error".

Expected results:
Should load

Additional info:
Checked to see what is loaded:

    C:\>"C:\Program Files\VirtViewer v2.0-128\bin\modutil.exe" -dbdir "C:\ProgramData\pki\nssdb" -list

    Listing of PKCS #11 Modules
    -----------------------------------------------------------
      1. NSS Internal PKCS #11 Module
          slots: 2 slots attached
          status: loaded

          slot: NSS Internal Cryptographic Services
          token: NSS Generic Crypto Services

          slot: NSS User Private Key and Certificate Services
          token: NSS Certificate DB
    -----------------------------------------------------------

No coolkey provider is reported. They are using coolkey version 1.0.1-6-2
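
The 32-bit versus 64-bit question raised in the comments can be answered from the files themselves, because a PE image records its target architecture in the COFF header's Machine field, and a Windows process cannot load a DLL built for a different architecture. The following is an added example, not part of the bug report or of NSS/coolkey; the function names and the constructed header bytes are assumptions for illustration, and on a real system `pe_machine_of()` would be pointed at `modutil.exe` and the coolkey DLL before running `modutil -add`.

```python
import struct

# Machine values defined by the PE/COFF specification.
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64"}


def pe_machine(data: bytes) -> str:
    """Return the target architecture recorded in a PE image's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # The 16-bit Machine field immediately follows the signature.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, f"unknown (0x{machine:04x})")


def pe_machine_of(path: str) -> str:
    """Convenience wrapper for a file on disk (an .exe or .dll)."""
    with open(path, "rb") as fh:
        return pe_machine(fh.read())


def same_architecture(loader: bytes, module: bytes) -> bool:
    """True when the loading program and the PKCS #11 DLL target the same CPU."""
    return pe_machine(loader) == pe_machine(module)


def _fake_pe(machine: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed sample: the minimal header bytes pe_machine() inspects."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return dos.ljust(e_lfanew, b"\0") + coff


if __name__ == "__main__":
    modutil = _fake_pe(0x8664)   # stands in for a 64-bit modutil.exe
    coolkey = _fake_pe(0x014C)   # stands in for a 32-bit PKCS #11 DLL
    print("loader:", pe_machine(modutil))
    print("module:", pe_machine(coolkey))
    print("match: ", same_architecture(modutil, coolkey))
```
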