Bug 239891 - Prompt for CoolKey PIN once per application (in tokend)
Prompt for CoolKey PIN once per application (in tokend)
Product: Red Hat Certificate System
Classification: Red Hat
Component: ESC (Show other bugs)
All Linux
medium Severity medium
: 8.0
: ---
Assigned To: Jack Magne
Chandrasekar Kannan
Depends On:
Blocks: 445047 512842
  Show dependency treegraph
Reported: 2007-05-11 18:55 EDT by Issue Tracker
Modified: 2015-01-04 18:26 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-06-01 15:43:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Issue Tracker 2007-05-11 18:55:03 EDT
Escalated to Bugzilla from IssueTracker
Comment 2 Issue Tracker 2007-06-21 15:38:25 EDT

Per our conversation, we are closing this ticket as it is basically the
same issue as ticket 120718.  We will use that ticket to track bug 239891


Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'Netscape Applications'

This event sent from IssueTracker by klamb@redhat.com 
 issue 120880
Comment 6 Jack Magne 2007-06-21 20:26:54 EDT
Thanks Mark:

I agree that this is confusing. It should be under the conrol of the TokenD to
modify this behavior.
Comment 9 Thomas Kwan 2007-07-09 13:42:31 EDT
Set target fix to 8.0
Comment 16 Jack Magne 2010-04-15 21:01:51 EDT
How To Test:

1. Use ESC to enroll a smart card that contains your email address. The TPS
back-end server can be configured to consult the Ldap directory in order to
populate the proper email address into the certificates that will be written to
the smart card. Instruction for this can be found here: <add link>

2. Make sure that the Apple KeyChain has imported and trusted the cert chain of
the CA used to issue the certificates on the smart card. 

  a) With a working CS Certsytem instance, proceed to the following url for the
EE interface:


  b) Click on "Import CA Certificate Chain". Select the radio button:
      "Display certificates in the CA certificate chain for importing
individually into a server"

  c) Your browser will display a list of certificates in base64 format. Pick
the first blob displayed and create a text file called something like "ca.cer".
Save the file.

  d) Import this file using the Apple KeyChain utility as follows:

     - Click on the "System" keyhchain.

     - Go to the main menu and click File|Import Items

     - Use the file finder to locate and select "ca.cert"

     - During the import operation, you will be asked to trust the certificate
"always". Do so.

3. Insert your enrolled CoolKey token into the computer.

4. Watch the display for the "KeyChain access" utility. After a few seconds a
new keychain will appear with your name displayed.

5. Locate the two or three certificates that exist under the smart card's

6. Drag and drop the two or three certificates into the "login" keychain.

7. Now that the enrolled token is ready to use, open the Apple Safari browser:

8. Proceed to the TPS client auth protected interface:


9. Type in the requested PIN and note that the site shows up successfully.

10. Go to another random site and return to the one in comment #8.

11. Note that the PIN is not requested again.

Comment 17 Jack Magne 2010-04-16 17:17:03 EDT
Testing Cont:

12. Send a signed and encrypted email to yourself.

13. Open Apple Mail and address an email to yourself. Make sure that a properly enrolled token is inserted and that the COOLKEY TokenD is running.

14. If everything has been properly set up, Apple Mail should have two visible icons that engage encryption and signing. After composing the simple email, make sure those two icons are engaged.

15. Send the email.

16. When the email shows up in your inbox, click the email to read it.

17. At some point during either sending or reading the mail, the PIN will be requested.

18. At this point simply compose and send another email to verify that the PIN is not requested too often. It is possible from time to time for the system to require the PIN in case the PKC#11 module has logged out, but for the most part, the instances of typing in the PIN should be much less often.
Comment 19 Asha Akkiangady 2010-05-18 15:46:02 EDT
Tested sending/reading encrypted e-mails in Apple Mail using an enrolled token  as commented in 'How To Test'. With the certificates dropped in the 'login' keychain, the token PIN is not requested too often. Tested with Gemalto 64K usb token and Safenet 330J. 

With the token certificates installed properly in the keychain, inserted Coolkey token and using Safari browser visit TPS client auth protected interface: https://test.host.com:7889/nk_service. Token pin is requested. Enter the correct pin displays the web page data. Visit another random webpage and go to tps auth protected interface, token PIN is not requested again.

Marking the bug verified.
Comment 20 errata-xmlrpc 2010-06-01 15:43:17 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.