Red Hat Bugzilla – Bug 239891
Prompt for CoolKey PIN once per application (in tokend)
Last modified: 2017-04-10 10:19 EDT
Escalated to Bugzilla from IssueTracker
Per our conversation, we are closing this ticket as it is basically the
same issue as ticket 120718. We will use that ticket to track bug 239891
Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'Netscape Applications'
This event sent from IssueTracker by firstname.lastname@example.org
I agree that this is confusing. It should be under the conrol of the TokenD to
modify this behavior.
Set target fix to 8.0
How To Test:
1. Use ESC to enroll a smart card that contains your email address. The TPS
back-end server can be configured to consult the Ldap directory in order to
populate the proper email address into the certificates that will be written to
the smart card. Instruction for this can be found here: <add link>
2. Make sure that the Apple KeyChain has imported and trusted the cert chain of
the CA used to issue the certificates on the smart card.
a) With a working CS Certsytem instance, proceed to the following url for the
b) Click on "Import CA Certificate Chain". Select the radio button:
"Display certificates in the CA certificate chain for importing
individually into a server"
c) Your browser will display a list of certificates in base64 format. Pick
the first blob displayed and create a text file called something like "ca.cer".
Save the file.
d) Import this file using the Apple KeyChain utility as follows:
- Click on the "System" keyhchain.
- Go to the main menu and click File|Import Items
- Use the file finder to locate and select "ca.cert"
- During the import operation, you will be asked to trust the certificate
"always". Do so.
3. Insert your enrolled CoolKey token into the computer.
4. Watch the display for the "KeyChain access" utility. After a few seconds a
new keychain will appear with your name displayed.
5. Locate the two or three certificates that exist under the smart card's
6. Drag and drop the two or three certificates into the "login" keychain.
7. Now that the enrolled token is ready to use, open the Apple Safari browser:
8. Proceed to the TPS client auth protected interface:
9. Type in the requested PIN and note that the site shows up successfully.
10. Go to another random site and return to the one in comment #8.
11. Note that the PIN is not requested again.
12. Send a signed and encrypted email to yourself.
13. Open Apple Mail and address an email to yourself. Make sure that a properly enrolled token is inserted and that the COOLKEY TokenD is running.
14. If everything has been properly set up, Apple Mail should have two visible icons that engage encryption and signing. After composing the simple email, make sure those two icons are engaged.
15. Send the email.
16. When the email shows up in your inbox, click the email to read it.
17. At some point during either sending or reading the mail, the PIN will be requested.
18. At this point simply compose and send another email to verify that the PIN is not requested too often. It is possible from time to time for the system to require the PIN in case the PKC#11 module has logged out, but for the most part, the instances of typing in the PIN should be much less often.
Tested sending/reading encrypted e-mails in Apple Mail using an enrolled token as commented in 'How To Test'. With the certificates dropped in the 'login' keychain, the token PIN is not requested too often. Tested with Gemalto 64K usb token and Safenet 330J.
With the token certificates installed properly in the keychain, inserted Coolkey token and using Safari browser visit TPS client auth protected interface: https://test.host.com:7889/nk_service. Token pin is requested. Enter the correct pin displays the web page data. Visit another random webpage and go to tps auth protected interface, token PIN is not requested again.
Marking the bug verified.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.