Bug 492180 - Security officer: token recovery for a security officer throws error 28 'connection to server lost'.
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: TPS
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Matthew Harmsen
Chandrasekar Kannan
Depends On:
Blocks: 443788
Reported: 2009-03-25 14:50 EDT by Asha Akkiangady
Modified: 2015-01-04 18:37 EST (History)

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:33:42 EDT


Attachments
Error when enrolling a security officer token for the SO who lost the token temporarily. (128.64 KB, image/jpeg)
2009-03-25 14:50 EDT, Asha Akkiangady
TPS debug log messages attached. (115.55 KB, text/plain)
2009-03-25 14:55 EDT, Asha Akkiangady
kra debug log attached. (8.99 KB, text/plain)
2009-03-27 19:19 EDT, Asha Akkiangady
mod_revocator integration (52 bytes, text/plain)
2009-03-28 23:35 EDT, Matthew Harmsen
mod_revocator integration (specfiles) (52 bytes, text/plain)
2009-03-28 23:36 EDT, Matthew Harmsen

Description Asha Akkiangady 2009-03-25 14:50:50 EDT
Created attachment 336690 [details]
Error when enrolling a security officer token for the SO who lost the token temporarily.

Description of problem:
Token recovery: enrolling a token for a security officer who temporarily lost the first token throws error 28 with the message "Connection to Smart Card server lost".

Version-Release number of selected component (if applicable):
CS 8.0

How reproducible:


Steps to Reproduce:
1. Set phone home URL and Enroll Security Officer SOfficer#1 with a token#1.
2. From the TPS agent page select SOfficer#1's token and set its status to "This token has been temporarily lost".
3. From the agent page select the token again and make sure the token status is 'lost' and the Reason is 'onHold'.
4. Set phone home url of security officer on a blank token, token#2. 
5. Try to enroll SOfficer#1 with token#2. (I used 64k Gemalto tokens for both.)

  
Actual results:
error 28 with message "Connection to Smart Card server lost".

Expected results:
Enrollment is complete.

Additional info:
Comment 1 Asha Akkiangady 2009-03-25 14:55:00 EDT
Created attachment 336691 [details]
TPS debug log messages attached.
Comment 2 Jack Magne 2009-03-27 17:29:45 EDT
It looks like TPS is getting something back it doesn't like from the KRA. Would it be possible to see the KRA debug log for this?
Comment 3 Asha Akkiangady 2009-03-27 19:19:23 EDT
Created attachment 337079 [details]
kra debug log attached.
Comment 4 Jack Magne 2009-03-27 20:20:19 EDT
Looking at the test installation, I noted that the following block of config entries in /var/lib/pki-tps/CS.cfg is configured incorrectly by the installation wizard:

op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1
op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true


The first entry is supposed to enable server side keygen for the Security Officer types of keys. As is evident, the template variable did not get set to "true" by the installation wizard which asks the user if they want server side keygen or not.

If this had been set properly, I suspect that the key would be generated on the server and properly archived. The included kra debug log stated that the key record could not be found when attempting to recover the key back to the token. This would be consistent with the above theory that the key was not getting archived in the first place.
Comment 5 Matthew Harmsen 2009-03-28 23:35:32 EDT
Created attachment 337142 [details]
mod_revocator integration
Comment 6 Matthew Harmsen 2009-03-28 23:36:05 EDT
Created attachment 337143 [details]
mod_revocator integration (specfiles)
Comment 8 Jack Magne 2009-03-28 23:47:56 EDT
Attachments (id=337139, id=337140) +jmagne
Comment 10 Matthew Harmsen 2009-03-29 00:03:09 EDT
cd pki

% svn status
M      dogtag/setup/pki-setup.spec
M      dogtag/ra/pki-ra.spec
M      dogtag/tps/pki-tps.spec
M      base/setup/pkicreate
M      base/ra/apache/conf/httpd.conf
A      base/ra/apache/conf/revocator.conf
M      base/ra/lib/perl/PKI/RA/DonePanel.pm
M      base/tps/Makefile.in
M      base/tps/lib/perl/PKI/TPS/DonePanel.pm
M      base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
M      base/tps/apache/conf/httpd.conf
A      base/tps/apache/conf/revocator.conf
M      base/tps/Makefile.am

% svn commit
Sending        base/ra/apache/conf/httpd.conf
Adding         base/ra/apache/conf/revocator.conf
Sending        base/ra/lib/perl/PKI/RA/DonePanel.pm
Sending        base/setup/pkicreate
Sending        base/tps/Makefile.am
Sending        base/tps/Makefile.in
Sending        base/tps/apache/conf/httpd.conf
Adding         base/tps/apache/conf/revocator.conf
Sending        base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm
Sending        base/tps/lib/perl/PKI/TPS/DonePanel.pm
Sending        dogtag/ra/pki-ra.spec
Sending        dogtag/setup/pki-setup.spec
Sending        dogtag/tps/pki-tps.spec
Transmitting file data .............
Committed revision 348.
Comment 13 Asha Akkiangady 2009-05-29 13:21:53 EDT
Verified that /var/lib/pki-tps/CS.cfg is configured correctly for [SERVER_KEYGEN] during the configuration in the wizard:

op.enroll.soKey.keyGen.encryption.serverKeygen.enable=true

Successfully enrolled a security officer token for the so who lost token
temporarily.
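The misconfiguration diagnosed in Comment 4 and the corrected value verified in Comment 13 differ in a single setting: the wizard placeholder [SERVER_KEYGEN] versus the literal true. The check below is an added example, not code from Dogtag or from this bug: it parses a CS.cfg-style key=value file, flags any value that is still an unsubstituted [TEMPLATE] placeholder, and flags any enrollment profile that sets serverKeygen.archive=true without serverKeygen.enable=true, the combination that leaves the DRM with nothing to recover. The two excerpts are constructed from the lines quoted in the bug; the userKey lines and the function names are assumptions for illustration.

```python
import re

# Constructed excerpts built from the CS.cfg lines quoted in Comments 4 and 13.
# The userKey lines are added for contrast and are an assumption, not from the bug.
BROKEN_CS_CFG = """\
# /var/lib/pki-tps/CS.cfg as written by the broken wizard run (Comment 4)
op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=drm1
op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
"""

# The same file after the fix verified in Comment 13.
FIXED_CS_CFG = BROKEN_CS_CFG.replace("=[SERVER_KEYGEN]", "=true")

# An unsubstituted wizard placeholder looks like [SERVER_KEYGEN].
PLACEHOLDER_RE = re.compile(r"^\[[A-Z][A-Z0-9_]*\]$")
ARCHIVE_SUFFIX = ".keyGen.encryption.serverKeygen.archive"
ENABLE_SUFFIX = ".keyGen.encryption.serverKeygen.enable"


def parse_cs_cfg(text):
    """Parse CS.cfg's flat key=value format into a dict; comments and blanks are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def unresolved_placeholders(cfg):
    """Keys whose value is still a [TEMPLATE] token the wizard never filled in."""
    return sorted(k for k, v in cfg.items() if PLACEHOLDER_RE.match(v))


def archive_without_server_keygen(cfg):
    """Profiles that ask the DRM to archive a key without enabling server-side keygen.

    Archival happens as part of server-side generation on the DRM, so with
    enable != true nothing is archived and a later recovery finds no key record,
    which is what the KRA log in this bug reported. Returns (profile, enable_value).
    """
    findings = []
    for key, value in cfg.items():
        if key.endswith(ARCHIVE_SUFFIX) and value.lower() == "true":
            profile = key[: -len(ARCHIVE_SUFFIX)]
            enable = cfg.get(profile + ENABLE_SUFFIX, "<missing>")
            if enable.lower() != "true":
                findings.append((profile, enable))
    return sorted(findings)


def lint_cs_cfg(text):
    """Run both checks; empty lists mean the server-keygen settings are consistent."""
    cfg = parse_cs_cfg(text)
    return {
        "unresolved": unresolved_placeholders(cfg),
        "archive_without_keygen": archive_without_server_keygen(cfg),
    }


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CS_CFG), ("fixed", FIXED_CS_CFG)):
        print(label, lint_cs_cfg(text))
```

Run against a real /var/lib/pki-tps/CS.cfg after the configuration wizard finishes, an empty result for both checks is the condition Comment 13 verified by hand; the placeholder regex also catches any other template variable the wizard failed to substitute, not just [SERVER_KEYGEN].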
