Created attachment 338810 [details]
zip of logs and error message
Description of problem:
Cannot enroll a token if the RE_ENROLL policy is set to no. You should be able to enroll the token the first time!
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Edit the tps CS.cfg to specify the RE_ENROLL policy has a default of no.
2. If you have used the token before, delete its record from the tps internal database. The easiest way is through the admin pages.
3. Format the token. Verify it has been formatted and shows up in the internal tps database.
4. Attempt to enroll the token.
Actual results:
Unable to enroll the card! -- Erroneous error message logged as a separate bug.
Expected results:
Able to enroll the card
Additional info:
Zip with logs and screen shot of error message
Bug about error message https://bugzilla.redhat.com/show_bug.cgi?id=494981
Created attachment 340610 [details]
Fix for this issue.
Proposed fix for this issue. CFU please review.
Basically, you can check in. +cfu
I want to add a note here. I took the opportunity of reviewing the code to also test out whether the renewal feature I just added would play nicely with the existing policy. Here is some info (my test result) that's worth noting (probably deserves to be in the doc):
RE_ENROLL=NO
  enrollment is allowed on uninitialized token
  re-enrollment not allowed on active token.
RE_ENROLL=YES
  enrollment is allowed if token uninitialized.
  re-enrollment allowed if token active.
RENEW=NO
  enrollment is allowed on uninitialized token
  renew not allowed on active token
RENEW=YES
  enrollment is allowed if token uninitialized.
  renew allowed if token active.
RE_ENROLL=NO;RENEW=YES
  renew will happen if token active
RE_ENROLL=YES;RENEW=YES
  - hey, we'll decide for you if you can't, so, renew will happen if token active
You know you are renewing if you see the enrollment goes very fast after 1/4 way through on the status bar. That's because no new key generation happens. Your keys remain on the token with only the renewed certs injected.
svn -m "Fix for #494983, unable to re-enroll token." commit tus_db.c
Sending tus_db.c
Transmitting file data .
Committed revision 425.
svn -m "Fix for #494983, unable to re-enroll token." commit pki-tps.spec
Sending pki-tps.spec
Transmitting file data .
Committed revision 426.
svn -m "Typo related to bug#494983" commit CS.cfg
Sending CS.cfg
Transmitting file data .
Committed revision 427.
1. Edit the tps CS.cfg to specify the RE_ENROLL policy has a default of no.
2. If you have used the token before, delete its record from the tps internal database. The easiest way is through the admin pages.
3. Format the token. Verify it has been formatted and shows up in the internal tps database.
4. Attempt to enroll the token.
Enrollment succeeds. Marking bug verified.