Bug 496342 - unable to do smartcard enrollment/format. TPS cannot talk to TKS. (nethsm 2000)
Summary: unable to do smartcard enrollment/format. TPS cannot talk to TKS. (nethsm 2000)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: TPS
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Christina Fu
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
: 496187 (view as bug list)
Depends On: 498542
Blocks: 443788
TreeView+ depends on / blocked
 
Reported: 2009-04-17 21:58 UTC by Chandrasekar Kannan
Modified: 2015-01-04 23:37 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-22 23:34:28 UTC
Embargoed:

Attachments (Terms of Use)

Description Chandrasekar Kannan 2009-04-17 21:58:47 UTC 
With SELinux in permissive mode, I have setup all of these subsystems
to use the nCipher nethsm 2000 hsm. We do know about accessing the agent
page issues which have been filed as a separate bug. 

Now I'm trying to do a smart card format operation. It fails. 
This is all I see in the TPS error logs..

[2009-04-17 07:37:59] 2c866140 mod_tps::mod_tps_initialize - The TPS module has been successfully loaded!
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - Initializing TUS database
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - Token DB initialization succeeded
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - The Tokendb module has been successfully loaded!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - begins: 2
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - NSS already initialized
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A ca certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize CA Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A tks certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize TKS Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A drm certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize DRM Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - nSignedAuditInitCount=2
[2009-04-17 07:37:59] 2c866140 RA:: InitializeSignedAudit - begins
[root@delta pki-tps]# pwd
/var/log/pki-tps

[root@delta alias]# modutil -dbdir . -nocertdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services                            
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services                  
        token: NSS Certificate DB

  2. nfast
        library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
         slots: 2 slots attached
        status: loaded

         slot: C54A-81FD-A5F1 Rt1
        token: accelerator

         slot: C54A-81FD-A5F1 Rt1 slot 0
        token: nethsm2k
-----------------------------------------------------------
[root@delta alias]# certutil -L -d . -h nethsm2k

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "nethsm2k":
nethsm2k:Server-Cert cert-pki-kra-delta                      u,u,u
nethsm2k:Server-Cert cert-pki-tks-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-tps-delta                 u,u,u
nethsm2k:Server-Cert cert-pki-tps-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-ca-delta                  u,u,u
nethsm2k:subsystemCert cert-pki-ca-delta                     u,u,u
nethsm2k:ocspSigningCert cert-pki-ca-delta                   u,u,u
nethsm2k:subsystemCert cert-pki-tks-delta                    u,u,u
nethsm2k:storageCert cert-pki-kra-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-tks-delta                 u,u,u
nethsm2k:transportCert cert-pki-kra-delta                    u,u,u
nethsm2k:Server-Cert cert-pki-ca-delta                       u,u,u
nethsm2k:auditSigningCert cert-pki-kra-delta                 u,u,u
nethsm2k:caSigningCert cert-pki-ca-delta                     CTu,Cu,Cu
nethsm2k:subsystemCert cert-pki-tps-delta                    u,u,u
nethsm2k:subsystemCert cert-pki-kra-delta                    u,u,u


during the format operation I get message=19 in tps debug log.
and 

[2009-04-17 07:36:12] e9a95170 Start ComputeSessionKey - 
[2009-04-17 07:36:12] e9a95170 RA::ComputeSessionKey - Failed to get TKSConnection tks1
[2009-04-17 07:36:12] e9a95170 RA_Processor::Setup_Secure_Channel - RA_Processor::GenerateSecureChannel - did not get session_key
[2009-04-17 07:36:12] e9a95170 RA_Processor::Setup_Secure_Channel - Resetting security level ...
[2009-04-17 07:36:12] e9a95170 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
[2009-04-17 07:36:12] e9a95170 RA_Processor::UpgradeApplet - channel creation failure
[2009-04-17 07:36:12] e9a95170 RA_Format_Processor::Process - applet upgrade failed


Looks like tps is not able to get access to its own subSystem cert to connect
to tks
Comment 2 Christina Fu 2009-05-01 20:54:12 UTC 
*** Bug 496187 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.