Bug 496342 - unable to do smartcard enrollment/format. TPS cannot talk to TKS. (nethsm 2000)
unable to do smartcard enrollment/format. TPS cannot talk to TKS. (nethsm 2000)
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: TPS (Show other bugs)
unspecified
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Christina Fu
Chandrasekar Kannan
:
: 496187 (view as bug list)
Depends On: 498542
Blocks: 443788
  Show dependency treegraph
 
Reported: 2009-04-17 17:58 EDT by Chandrasekar Kannan
Modified: 2015-01-04 18:37 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 19:34:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Chandrasekar Kannan 2009-04-17 17:58:47 EDT
With SELinux in permissive mode, I have setup all of these subsystems
to use the nCipher nethsm 2000 hsm. We do know about accessing the agent
page issues which have been filed as a separate bug. 

Now I'm trying to do a smart card format operation. It fails. 
This is all I see in the TPS error logs..

[2009-04-17 07:37:59] 2c866140 mod_tps::mod_tps_initialize - The TPS module has been successfully loaded!
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - Initializing TUS database
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - Token DB initialization succeeded
[2009-04-17 07:37:59] 2c866140 mod_tokendb::mod_tokendb_initialize - The Tokendb module has been successfully loaded!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - begins: 2
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - NSS already initialized
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A ca certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize CA Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A tks certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize TKS Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeHttpConnections - A drm certificate nicknamed "nethsm2k:subsystemCert cert-pki-tps-delta" could NOT be found in the certificate database for connection 1!
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - Failed to initialize DRM Connection, rc=-2
[2009-04-17 07:37:59] 2c866140 RA::InitializeInChild - nSignedAuditInitCount=2
[2009-04-17 07:37:59] 2c866140 RA:: InitializeSignedAudit - begins
[root@delta pki-tps]# pwd
/var/log/pki-tps

[root@delta alias]# modutil -dbdir . -nocertdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services                            
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services                  
        token: NSS Certificate DB

  2. nfast
        library name: /opt/nfast/toolkits/pkcs11/libcknfast.so
         slots: 2 slots attached
        status: loaded

         slot: C54A-81FD-A5F1 Rt1
        token: accelerator

         slot: C54A-81FD-A5F1 Rt1 slot 0
        token: nethsm2k
-----------------------------------------------------------
[root@delta alias]# certutil -L -d . -h nethsm2k

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "nethsm2k":
nethsm2k:Server-Cert cert-pki-kra-delta                      u,u,u
nethsm2k:Server-Cert cert-pki-tks-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-tps-delta                 u,u,u
nethsm2k:Server-Cert cert-pki-tps-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-ca-delta                  u,u,u
nethsm2k:subsystemCert cert-pki-ca-delta                     u,u,u
nethsm2k:ocspSigningCert cert-pki-ca-delta                   u,u,u
nethsm2k:subsystemCert cert-pki-tks-delta                    u,u,u
nethsm2k:storageCert cert-pki-kra-delta                      u,u,u
nethsm2k:auditSigningCert cert-pki-tks-delta                 u,u,u
nethsm2k:transportCert cert-pki-kra-delta                    u,u,u
nethsm2k:Server-Cert cert-pki-ca-delta                       u,u,u
nethsm2k:auditSigningCert cert-pki-kra-delta                 u,u,u
nethsm2k:caSigningCert cert-pki-ca-delta                     CTu,Cu,Cu
nethsm2k:subsystemCert cert-pki-tps-delta                    u,u,u
nethsm2k:subsystemCert cert-pki-kra-delta                    u,u,u


during the format operation I get message=19 in tps debug log.
and 

[2009-04-17 07:36:12] e9a95170 Start ComputeSessionKey - 
[2009-04-17 07:36:12] e9a95170 RA::ComputeSessionKey - Failed to get TKSConnection tks1
[2009-04-17 07:36:12] e9a95170 RA_Processor::Setup_Secure_Channel - RA_Processor::GenerateSecureChannel - did not get session_key
[2009-04-17 07:36:12] e9a95170 RA_Processor::Setup_Secure_Channel - Resetting security level ...
[2009-04-17 07:36:12] e9a95170 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
[2009-04-17 07:36:12] e9a95170 RA_Processor::UpgradeApplet - channel creation failure
[2009-04-17 07:36:12] e9a95170 RA_Format_Processor::Process - applet upgrade failed


Looks like tps is not able to get access to its own subSystem cert to connect
to tks
Comment 2 Christina Fu 2009-05-01 16:54:12 EDT
*** Bug 496187 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.