With SELinux in permissive mode, I have set up all of these subsystems to use the nCipher nethsm 2000 HSM. We do know about the agent page access issues, which have been filed as a separate bug.

Now I'm trying to do a smart card format operation. It fails. This is all I see in the TPS error logs:

[2009-04-17 07:37:59] 2c866140 mod_tps::mod_tps_initialize - The TPS module has been successfully loaded!
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - Initializing TUS database
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - Token DB initialization succeeded
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - The Tokendb module has been successfully loaded!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - begins: 2
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - NSS already initialized
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A ca certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize CA Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A tks certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize TKS Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A drm certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize DRM Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - nSignedAuditInitCount=2
[2009-04-17 07:37:59] 2c866140 RA:: InitializeSignedAudit - begins

[root@delta pki-tps]# pwd
/var/log/pki-tps

[root@delta alias]# modutil -dbdir . -nocertdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. nfast
        library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
         slots: 2 slots attached
        status: loaded

         slot: C54A-81FD-A5F1 Rt1
        token: accelerator

         slot: C54A-81FD-A5F1 Rt1 slot 0
        token: nethsm2k
-----------------------------------------------------------

[root@delta alias]# certutil -L -d . -h nethsm2k

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "nethsm2k":
nethsm2k:Server-Cert cert-pki-kra-delta                      u,u,u
nethsm2k:Server-Cert cert-pki-tks-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-tps-delta                 u,u,u
nethsm2k:Server-Cert cert-pki-tps-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-ca-delta                  u,u,u
nethsm2k:subsystemCert cert-pki-ca-delta                     u,u,u
nethsm2k:ocspSigningCert cert-pki-ca-delta                   u,u,u
nethsm2k:subsystemCert cert-pki-tks-delta                    u,u,u
nethsm2k:storageCert cert-pki-kra-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-tks-delta                 u,u,u
nethsm2k:transportCert cert-pki-kra-delta                    u,u,u
nethsm2k:Server-Cert cert-pki-ca-delta                       u,u,u
nethsm2k:auditSigningCert cert-pki-kra-delta                 u,u,u
nethsm2k:caSigningCert cert-pki-ca-delta                     CTu,Cu,Cu
nethsm2k:subsystemCert cert-pki-tps-delta                    u,u,u
nethsm2k:subsystemCert cert-pki-kra-delta                    u,u,u

During the format operation I get message=19 in the tps debug log, and

[2009-04-17 07:36:12] e9a95170 Start ComputeSessionKey -
[2009-04-17 07:36:12] e9a95170 RA::ComputeSessionKey - Failed to get TKSConnection tks1
[2009-04-17 07:36:12] e9a95170 RA_Processor::Setup_Secure_Channel - RA_Processor::GenerateSecureChannel - did not get session_key
[2009-04-17 07:36:12] e9a95170 RA_Processor::Setup_Secure_Channel - Resetting security level ...
[2009-04-17 07:36:12] e9a95170 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
[2009-04-17 07:36:12] e9a95170 RA_Processor::UpgradeApplet - channel creation failure
[2009-04-17 07:36:12] e9a95170 RA_Format_Processor::Process - applet upgrade failed

Looks like tps is not able to get access to its own subSystem cert to connect to tks.
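
The cross-check the report performs by eye, as an added example that is not part of the original report or of the TPS code: it pulls every "could NOT be found" nickname out of the TPS error log and compares it with the `certutil -L` listing for the token. The sample strings are constructed by abridging the output quoted above; the function names and verdict labels are assumptions of this example.

```python
import re

# Constructed sample input, abridged from the log and certutil output in the report.
TPS_ERROR_LOG = '''\
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A ca certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize CA Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A tks certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A drm certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
'''
CERTUTIL_LISTING = '''\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Enter Password or Pin for "nethsm2k":
nethsm2k:Server-Cert cert-pki-tps-delta                      u,u,u
nethsm2k:caSigningCert cert-pki-ca-delta                     CTu,Cu,Cu
nethsm2k:subsystemCert cert-pki-tps-delta                    u,u,u
'''

NOT_FOUND = re.compile(r'A (\w+) certificate nicknamed "([^"]+)" could NOT be found '
                       r'in the certificate database for connection (\d+)!')
# A listing row is "<nickname><spaces><ssl,smime,jar trust flags>"; nicknames contain spaces.
LISTED = re.compile(r'^(\S.*?)\s+([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$')

def listed_certs(listing):
    """Map nickname -> trust flags from `certutil -L` output, skipping headers and prompts."""
    rows = (LISTED.match(line.strip()) for line in listing.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def triage(log, listing):
    """Return (role, connection, nickname, verdict) for each lookup failure in the log."""
    certs = listed_certs(listing)
    findings = []
    for role, nickname, conn in NOT_FOUND.findall(log):
        # "listed-but-not-found": certutil, run by hand with the token PIN, shows the
        # certificate, so the lookup failed inside the server process rather than
        # because the certificate is absent. "missing": the nickname is not listed.
        verdict = "listed-but-not-found" if nickname in certs else "missing"
        findings.append((role, int(conn), nickname, verdict))
    return findings

if __name__ == "__main__":
    for role, conn, nickname, verdict in triage(TPS_ERROR_LOG, CERTUTIL_LISTING):
        print(f"{role}{conn}: {nickname!r} -> {verdict}")
```
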
*** Bug 496187 has been marked as a duplicate of this bug. ***