Bug 518241 - pkiconsole does not launch when CA is configured with ECC
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Console
Version: 1.1
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Christina Fu
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 445047
Reported: 2009-08-19 15:57 UTC by Kashyap Chamarthy
Modified: 2018-11-29 21:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-04 20:05:05 UTC
Embargoed:


Attachments
pkiconsole debug output after loading ecc module into .mcc directory (16.93 KB, text/plain)
2009-08-25 11:11 UTC, Kashyap Chamarthy
Phase 1 - enable cipher suites (3.49 KB, patch)
2010-10-10 22:00 UTC, Christina Fu
enable all available cipher suites (3.67 KB, patch)
2010-10-11 19:06 UTC, Christina Fu

Description Kashyap Chamarthy 2009-08-19 15:57:24 UTC
Description of problem:

pkiconsole https://cahost:9445/ca does not fire up successfully when the CA is configured with certicom ECC

Env: RHEL 5.3 fully updated (x86_64)

How reproducible:
Every time


Steps to Reproduce:

1) Configure CA with Certicom ECC (with fixes for errata) - as on aug 18 2009

2) do a vi /usr/bin/pkiconsole and add

   - enable debugging  in /usr/bin/pkiconsole  (as suggested by andrew)
============================================
 ${JAVA} ${JAVA_OPTIONS} -cp ${CP} -Djava.util.prefs.systemRoot=/tmp/.java -Djava.util.prefs.userRoot=/tmp/java com.netscape.admin.certsrv.Console -s instanceID -D 9:all -a $1
----------
note: "-D 9:all" is for verbose output on the console.
============================================ 
  
Expected results:
console should be launched successfully.

Actual Results: 
---------------------------------------------------------------------------
[user1@tornado ~]$ hostname
tornado.pnq.redhat.com
[user1@tornado ~]$ pkiconsole https://tornado.pnq.redhat.com:9445/ca/
1 14:07:48.117 L9 (Console.java:1568) java.util.prefs.userRoot=/tmp/java
2 14:07:48.119 (0.002) L9 (Console.java:1568) java.runtime.name=OpenJDK  Runtime Environment
3 14:07:48.120 (0.001) L9 (Console.java:1568) sun.boot.library.path=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64
4 14:07:48.121 (0.001) L9 (Console.java:1568) java.vm.version=1.6.0-b09
5 14:07:48.121 (0.0) L9 (Console.java:1568) java.vm.vendor=Sun Microsystems Inc.
6 14:07:48.122 (0.001) L9 (Console.java:1568) java.vendor.url=http://java.sun.com/
7 14:07:48.122 (0.0) L9 (Console.java:1568) path.separator=:
8 14:07:48.123 (0.001) L9 (Console.java:1568) java.vm.name=OpenJDK 64-Bit Server VM
9 14:07:48.124 (0.001) L9 (Console.java:1568) file.encoding.pkg=sun.io
10 14:07:48.125 (0.001) L9 (Console.java:1568) sun.java.launcher=SUN_STANDARD
11 14:07:48.125 (0.0) L9 (Console.java:1568) user.country=US
12 14:07:48.126 (0.001) L9 (Console.java:1568) sun.os.patch.level=unknown
13 14:07:48.127 (0.001) L9 (Console.java:1568) java.vm.specification.name=Java Virtual Machine Specification
14 14:07:48.132 (0.005) L9 (Console.java:1568) user.dir=/home/user1
15 14:07:48.133 (0.001) L9 (Console.java:1568) java.runtime.version=1.6.0-b09
16 14:07:48.134 (0.001) L9 (Console.java:1568) java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
17 14:07:48.134 (0.0) L9 (Console.java:1568) java.endorsed.dirs=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/endorsed
18 14:07:48.135 (0.001) L9 (Console.java:1568) os.arch=amd64
19 14:07:48.136 (0.001) L9 (Console.java:1568) java.io.tmpdir=/tmp
20 14:07:48.136 (0.0) L9 (Console.java:1568) line.separator=

21 14:07:48.137 (0.001) L9 (Console.java:1568) java.vm.specification.vendor=Sun Microsystems Inc.
22 14:07:48.155 (0.018) L9 (Console.java:1568) os.name=Linux
23 14:07:48.155 (0.0) L9 (Console.java:1568) sun.jnu.encoding=UTF-8
24 14:07:48.156 (0.001) L9 (Console.java:1568) java.library.path=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/lib64/pki:/usr/lib64/dirsec:/usr/lib64:/lib64:/usr/lib/pki:/usr/lib/dirsec:/usr/lib:/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
25 14:07:48.161 (0.005) L9 (Console.java:1568) java.specification.name=Java Platform API Specification
26 14:07:48.168 (0.007) L9 (Console.java:1568) java.class.version=50.0
27 14:07:48.169 (0.001) L9 (Console.java:1568) sun.management.compiler=HotSpot 64-Bit Server Compiler
28 14:07:48.170 (0.001) L9 (Console.java:1568) os.version=2.6.18-128.el5
29 14:07:48.170 (0.0) L9 (Console.java:1568) user.home=/home/user1
30 14:07:48.174 (0.004) L9 (Console.java:1568) user.zoneinfo.dir=/usr/share/javazi
31 14:07:48.174 (0.0) L9 (Console.java:1568) user.timezone=Asia/Kolkata
32 14:07:48.175 (0.001) L9 (Console.java:1568) java.awt.printerjob=sun.print.PSPrinterJob
33 14:07:48.175 (0.0) L9 (Console.java:1568) file.encoding=UTF-8
34 14:07:48.176 (0.001) L9 (Console.java:1568) java.specification.version=1.6
35 14:07:48.177 (0.001) L9 (Console.java:1568) java.class.path=/usr/share/pki/classes:/usr/share/java/pki/console-cms.jar:/usr/share/java/pki/console-cms_en.jar:/usr/share/java/pki/cms-theme_en.jar:/usr/share/java/fedora-idm-console_en.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/ldapjdk.jar:/usr/lib/java/dirsec/jss4.jar:/usr/lib/java/jss4.jar
36 14:07:48.177 (0.0) L9 (Console.java:1568) user.name=user1
37 14:07:48.178 (0.001) L9 (Console.java:1568) java.vm.specification.version=1.0
38 14:07:48.178 (0.0) L9 (Console.java:1568) java.home=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
39 14:07:48.179 (0.001) L9 (Console.java:1568) sun.arch.data.model=64
40 14:07:48.179 (0.0) L9 (Console.java:1568) java.util.prefs.systemRoot=/tmp/.java
41 14:07:48.180 (0.001) L9 (Console.java:1568) user.language=en
42 14:07:48.180 (0.0) L9 (Console.java:1568) java.specification.vendor=Sun Microsystems Inc.
43 14:07:48.181 (0.001) L9 (Console.java:1568) java.vm.info=mixed mode
44 14:07:48.181 (0.0) L9 (Console.java:1568) java.version=1.6.0
45 14:07:48.182 (0.001) L9 (Console.java:1568) java.ext.dirs=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/ext:/usr/java/packages/lib/ext
46 14:07:48.194 (0.012) L9 (Console.java:1568) sun.boot.class.path=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/resources.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/rt.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/jsse.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/jce.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/charsets.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/classes
47 14:07:48.195 (0.001) L9 (Console.java:1568) java.vendor=Sun Microsystems Inc.
48 14:07:48.196 (0.001) L9 (Console.java:1568) file.separator=/
49 14:07:48.196 (0.0) L9 (Console.java:1568) java.vendor.url.bug=http://java.sun.com/cgi-bin/bugreport.cgi
50 14:07:48.197 (0.001) L9 (Console.java:1568) sun.io.unicode.encoding=UnicodeLittle
51 14:07:48.197 (0.0) L9 (Console.java:1568) sun.cpu.endian=little
52 14:07:48.198 (0.001) L9 (Console.java:1568) sun.desktop=gnome
53 14:07:48.198 (0.0) L9 (Console.java:1568) sun.cpu.isalist=
54 14:07:48.199 (0.001) L1 (Unknown Source) ResourceSet:getString():Unable to resolve console-displayVersion
55 14:07:48.200 (0.001) L0 (Console.java:1574) Management-Console/null B2009.062.2213
56 14:07:48.224 (0.024) L9 (Unknown Source) ResourceSet: NOT found in cache loader1007660009:com.netscape.management.client.default
57 14:07:48.234 (0.01) L9 (Unknown Source) ResourceSet: NOT found in cache loader1007660009:com.netscape.management.client.topology.topology
58 14:07:48.849 (0.615) L9 (Unknown Source) ResourceSet: NOT found in cache loader1007660009:CMSAdminRS
59 14:07:48.919 (0.07) L9 (Unknown Source) ResourceSet: found in cache loader1007660009:CMSAdminRS

Warning: Potentially incorrect URL path: ca/
         Default supported URL paths are 'ca', 'kra', 'ocsp', and 'tks'.

60 14:07:48.960 (0.041) L9 (Unknown Source) ResourceSet: NOT found in cache loader1007660009:com.netscape.admin.certsrv.certsrv-help
61 14:07:48.961 (0.001) L0 (Unknown Source) ResourceSet(): unable to open com.netscape.admin.certsrv.certsrv-help
62 14:07:48.962 (0.001) L9 (Unknown Source) ResourceSet: NOT found in cache loader1007660009:com.netscape.admin.certsrv.certsrv
63 14:07:48.963 (0.001) L0 (Unknown Source) ResourceSet(): unable to open com.netscape.admin.certsrv.certsrv
64 14:07:49.092 (0.129) L9 (Unknown Source) RemoteImage: NOT found in cache loader1007660009:com/netscape/admin/certsrv/images/CertificateServer.gif
65 14:07:49.374 (0.282) L9 (Unknown Source) RemoteImage: Create RemoteImage cache for loader1007660009
66 14:07:49.376 (0.002) L5 (CMSAdmin.java:108) initialized CMSAdmin (Standalone mode)
67 14:07:49.377 (0.001) L5 (CMSAdmin.java:112) initialized CMSAdmin for null
68 14:07:49.378 (0.001) L5 (CMSAdmin.java:437) The user double click the icon null
69 14:07:49.379 (0.001) L5 (CMSAdmin.java:438) View instance in the run method -> null
70 14:07:49.379 (0.0) L5 (CMSAdmin.java:592) Check server status
71 14:07:49.412 (0.033) L5 (CMSServerInfo.java:78) CMSServerInfo: host tornado.pnq.redhat.com port 9445 userid  serverRoot null serverid instanceID
72 14:07:49.428 (0.016) L9 (Unknown Source) ResourceSet: found in cache loader1007660009:com.netscape.management.client.default
73 14:07:49.429 (0.001) L9 (Unknown Source) ResourceSet: found in cache loader1007660009:com.netscape.management.client.theme.theme
74 14:07:49.431 (0.002) L9 (Unknown Source) ResourceSet: found in cache loader1007660009:com.netscape.management.client.default
75 14:07:49.443 (0.012) L5 (AdminConnection.java:128) AdminConnection: 600000 com.netscape.management.client.preferences.FilePreferenceManager
76 14:07:49.555 (0.112) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00a'
77 14:07:49.556 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc014'
78 14:07:49.557 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x39'
79 14:07:49.562 (0.005) L5 (JSSConnection.java:103) NSS Cipher Supported '0x38'
80 14:07:49.563 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00f'
81 14:07:49.564 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc005'
82 14:07:49.565 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x35'
83 14:07:49.566 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc007'
84 14:07:49.567 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc009'
85 14:07:49.568 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc011'
86 14:07:49.568 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc013'
87 14:07:49.569 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x66'
88 14:07:49.570 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x33'
89 14:07:49.591 (0.021) L5 (JSSConnection.java:103) NSS Cipher Supported '0x32'
90 14:07:49.592 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00c'
91 14:07:49.593 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00e'
92 14:07:49.593 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc002'
93 14:07:49.594 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc004'
94 14:07:49.600 (0.006) L5 (JSSConnection.java:103) NSS Cipher Supported '0x4'
95 14:07:49.608 (0.008) L5 (JSSConnection.java:103) NSS Cipher Supported '0x5'
96 14:07:49.609 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x2f'
97 14:07:49.609 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc008'
98 14:07:49.610 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc012'
99 14:07:49.611 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x16'
100 14:07:49.611 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x13'
101 14:07:49.612 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00d'
102 14:07:49.612 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc003'
103 14:07:49.613 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xfeff'
104 14:07:49.614 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xa'
105 14:07:49.614 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x15'
106 14:07:49.615 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x12'
107 14:07:49.616 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xfefe'
108 14:07:49.616 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x9'
109 14:07:49.617 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x64'
110 14:07:49.621 (0.004) L5 (JSSConnection.java:103) NSS Cipher Supported '0x62'
111 14:07:49.622 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x3'
112 14:07:49.622 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x6'
113 14:07:49.623 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc006'
114 14:07:49.624 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc010'
115 14:07:49.634 (0.01) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00b'
116 14:07:49.634 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc001'
117 14:07:49.635 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x2'
118 14:07:49.636 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x1'
119 14:07:49.638 (0.002) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff01'
120 14:07:49.639 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff03'
121 14:07:49.640 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff07'
122 14:07:49.640 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff06'
123 14:07:49.641 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff02'
124 14:07:49.641 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff04'
125 14:07:49.750 (0.109) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00a'
126 14:07:49.751 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc014'
127 14:07:49.751 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x39'
128 14:07:49.752 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x38'
129 14:07:49.753 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00f'
130 14:07:49.753 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc005'
131 14:07:49.754 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x35'
132 14:07:49.754 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc007'
133 14:07:49.755 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc009'
134 14:07:49.756 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc011'
135 14:07:49.757 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc013'
136 14:07:49.757 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x66'
137 14:07:49.758 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x33'
138 14:07:49.758 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x32'
139 14:07:49.759 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00c'
140 14:07:49.760 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00e'
141 14:07:49.761 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc002'
142 14:07:49.762 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc004'
143 14:07:49.762 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x4'
144 14:07:49.763 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x5'
145 14:07:49.764 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x2f'
146 14:07:49.764 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc008'
147 14:07:49.765 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc012'
148 14:07:49.766 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x16'
149 14:07:49.766 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x13'
150 14:07:49.767 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00d'
151 14:07:49.768 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc003'
152 14:07:49.768 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xfeff'
153 14:07:49.781 (0.013) L5 (JSSConnection.java:103) NSS Cipher Supported '0xa'
154 14:07:49.782 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x15'
155 14:07:49.783 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x12'
156 14:07:49.787 (0.004) L5 (JSSConnection.java:103) NSS Cipher Supported '0xfefe'
157 14:07:49.789 (0.002) L5 (JSSConnection.java:103) NSS Cipher Supported '0x9'
158 14:07:49.789 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x64'
159 14:07:49.790 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x62'
160 14:07:49.790 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x3'
161 14:07:49.791 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x6'
162 14:07:49.792 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc006'
163 14:07:49.793 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc010'
164 14:07:49.793 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00b'
165 14:07:49.794 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc001'
166 14:07:49.804 (0.01) L5 (JSSConnection.java:103) NSS Cipher Supported '0x2'
167 14:07:49.805 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x1'
168 14:07:49.806 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff01'
169 14:07:49.806 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff03'
170 14:07:49.807 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff07'
171 14:07:49.808 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff06'
172 14:07:49.808 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff02'
173 14:07:49.809 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff04'
java.io.IOException: SocketException cannot read on socket
        at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1014)
        at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:70)
        at com.netscape.admin.certsrv.connection.JSSConnection.readLineFromStream(JSSConnection.java:447)
        at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:464)
        at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:436)
        at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:350)
        at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:729)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:634)
        at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:601)
        at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:334)
        at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:125)
        at com.netscape.admin.certsrv.CMSAdmin.run(CMSAdmin.java:511)
        at com.netscape.admin.certsrv.CMSAdmin.run(CMSAdmin.java:560)
        at com.netscape.admin.certsrv.Console.main(Console.java:1724)
[user1@tornado ~]$ 
-----------------------------------------------------------------------------

Comment 1 Chandrasekar Kannan 2009-08-24 23:55:26 UTC
kashyap to try with client auth instructions

 - creating .mcc directory with cert8/key3/secmod db
 - attach ecc pkcs11 module to secmod
 - then use that to launch console

Comment 2 Kashyap Chamarthy 2009-08-25 11:10:32 UTC
chandra, I did try this, but was kinda stuck as below.

1) mkdir /home/user1/.mcc
2) certutil -N -d /home/user1/.mcc
3) Now, I loaded the ecc module as below

[user1@tornado .mcc]# modutil -dbdir /home/user1/.mcc -nocertdb -add certicom -libfile /usr/lib64/libsbcpgse.so

 - module loads successfully, but now the questions are (but still I went ahead)

a) do we need to run the initpin tool in .mcc directory ? 
b) if a) is yes, doesn't it conflict with the already existing token databases (/home/user1/.certicom, which gets created initially when the ecc module is loaded into user's firefox nss dbs)?

=============

I went ahead and ran the initpin tool in .mcc directory and the pin is set.

- now, set the NSS flag on the user's shell as below and launch console
export NSS_USE_DECODED_CKA_EC_POINT=1

- still the pkiconsole does not launch. (see the console debugging output as attachment)

any hints here?

Comment 3 Kashyap Chamarthy 2009-08-25 11:11:28 UTC
Created attachment 358554 [details]
pkiconsole debug output after loading ecc module into .mcc directory

Comment 4 Chandrasekar Kannan 2009-08-25 13:12:09 UTC
(In reply to comment #2)
> 
> any hints here?  

yeah .. whatever steps you took to get firefox going.

Comment 5 Kashyap Chamarthy 2009-09-28 18:28:31 UTC
Chandra, (if you recollect, maybe a month ago??),
 we've noticed with ssltap, the console JSS is not using ECC ciphers on its cipher list.

cipher suites from ssltap output...
===========================================================
cipher-suites = {
                (0x010080) SSL2/RSA/RC4-128/MD5
                (0x030080) SSL2/RSA/RC2CBC128/MD5
                (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                (0x060040) SSL2/RSA/DES56-CBC/MD5
                (0x020080) SSL2/RSA/RC4-40/MD5
                (0x040080) SSL2/RSA/RC2CBC40/MD5
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
                (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                }
===========================================================

Comment 7 Kashyap Chamarthy 2010-02-04 12:47:06 UTC
I retried with the nightly builds

-x86_64(RHEL5.4)
- CA configured with Certicom ECC

and I still see the same "cannot read on socket" exception mentioned in comment#1 

note 1: pkiconsole still fails to launch, when tried with creating /home/alice/.mcc , load the ECC module, set the  'NSS_USE_DECODED_CKA_EC_POINT=1' on the user's shell and then launch console (as outlined in comment#1)

    -- is this the right way? something needs to be added here? because I think, there are *two* certicom databases as I mentioned in comment#2 
         - one in /home/alice/.certicom
         - the other: /home/alice/.mcc/.certicom


note 2: I tried capturing ssltap output (while running pkiconsole), but ssltap stays quiet without output..

==============================
[alice@autocs ~]$ ssltap -vhsfx -p 1925  autocs.pnq.redhat.com:9745
Version: $Revision: 1.13 $ ($Date: 2009/03/13 02:24:07 $) $Author: nelson%bolyard.com $
<HTML><HEAD><TITLE>SSLTAP output</TITLE></HEAD>
<BODY><PRE>
Looking up "autocs.pnq.redhat.com"...
Proxy socket ready and listening
===============================


If someone wants to take a look into the machine, please ping me for connection info.

Comment 9 Christina Fu 2010-10-10 22:00:06 UTC
Created attachment 452617 [details]
Phase 1 - enable cipher suites

Phase 1 code enables all available cipher suites.  Differences (BEFORE and AFTER) could be seen with ssltap.

BEFORE:
           cipher-suites = { 
                (0x010080) SSL2/RSA/RC4-128/MD5
                (0x030080) SSL2/RSA/RC2CBC128/MD5
                (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                (0x060040) SSL2/RSA/DES56-CBC/MD5
                (0x020080) SSL2/RSA/RC4-40/MD5
                (0x040080) SSL2/RSA/RC2CBC40/MD5
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
                (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                (0x0000ff) ????/????????/?????????/???
                }


AFTER:
non-ec client to RSA server:
           cipher-suites = { 
                (0x010080) SSL2/RSA/RC4-128/MD5
                (0x030080) SSL2/RSA/RC2CBC128/MD5
                (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                (0x060040) SSL2/RSA/DES56-CBC/MD5
                (0x020080) SSL2/RSA/RC4-40/MD5
                (0x040080) SSL2/RSA/RC2CBC40/MD5
                (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
                (0x000035) TLS/RSA/AES256-CBC/SHA
                (0x000066) TLS/DHE-DSS/RC4-128/SHA
                (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x000005) SSL3/RSA/RC4-128/SHA
                (0x00002f) TLS/RSA/AES128-CBC/SHA
                (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x000015) SSL3/DHE-RSA/DES56-CBC/SHA
                (0x000012) SSL3/DHE-DSS/DES56-CBC/SHA
                (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
                (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                (0x000002) SSL3/RSA/NULL/SHA
                (0x000001) SSL3/RSA/NULL/MD5
                (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
                }

ec client in ClientHello:

           cipher-suites = { 
                (0x010080) SSL2/RSA/RC4-128/MD5
                (0x030080) SSL2/RSA/RC2CBC128/MD5
                (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                (0x060040) SSL2/RSA/DES56-CBC/MD5
                (0x020080) SSL2/RSA/RC4-40/MD5
                (0x040080) SSL2/RSA/RC2CBC40/MD5
                (0x00c00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
                (0x00c014) TLS/ECDHE-RSA/AES256-CBC/SHA
                (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
                (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
                (0x00c00f) TLS/ECDH-RSA/AES256-CBC/SHA
                (0x00c005) TLS/ECDH-ECDSA/AES256-CBC/SHA
                (0x000035) TLS/RSA/AES256-CBC/SHA
                (0x00c007) TLS/ECDHE-ECDSA/RC4-128/SHA
                (0x00c009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
                (0x00c011) TLS/ECDHE-RSA/RC4-128/SHA
                (0x00c013) TLS/ECDHE-RSA/AES128-CBC/SHA
                (0x000066) TLS/DHE-DSS/RC4-128/SHA
                (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
                (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
                (0x00c00c) TLS/ECDH-RSA/RC4-128/SHA
                (0x00c00e) TLS/ECDH-RSA/AES128-CBC/SHA
                (0x00c002) TLS/ECDH-ECDSA/RC4-128/SHA
                (0x00c004) TLS/ECDH-ECDSA/AES128-CBC/SHA
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x000005) SSL3/RSA/RC4-128/SHA
                (0x00002f) TLS/RSA/AES128-CBC/SHA
                (0x00c008) TLS/ECDHE-ECDSA/3DES-EDE-CBC/SHA
                (0x00c012) TLS/ECDHE-RSA/3DES-EDE-CBC/SHA
                (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
                (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
                (0x00c00d) TLS/ECDH-RSA/3DES-EDE-CBC/SHA
                (0x00c003) TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA
                (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x000015) SSL3/DHE-RSA/DES56-CBC/SHA
                (0x000012) SSL3/DHE-DSS/DES56-CBC/SHA
                (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
                (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                (0x00c006) TLS/ECDHE-ECDSA/NULL/SHA
                (0x00c010) TLS/ECDHE-RSA/NULL/SHA
                (0x00c00b) TLS/ECDH-RSA/NULL/SHA
                (0x00c001) TLS/ECDH-ECDSA/NULL/SHA
                (0x000002) SSL3/RSA/NULL/SHA
                (0x000001) SSL3/RSA/NULL/MD5
                (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
                }
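
The before/after comparison made by hand in Comment 9, as an added example that is not part of the original comment or the Dogtag code: a Python script that parses ssltap `cipher-suites` blocks and the console's `NSS Cipher Supported` debug lines, then reports which supported suites were missing from the ClientHello, which EC suites the change added, and which weak suites (NULL, export, 40/56-bit, SSL2) are offered. The sample inputs are shortened excerpts of the output on this page; all function names are this example's own.

```python
import re

# Shortened excerpts of the ssltap and pkiconsole output quoted on this page.
BEFORE = """cipher-suites = {
    (0x010080) SSL2/RSA/RC4-128/MD5
    (0x000004) SSL3/RSA/RC4-128/MD5
    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
    (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
    (0x000003) SSL3/RSA/RC4-40/MD5
}"""
AFTER_EC = """cipher-suites = {
    (0x010080) SSL2/RSA/RC4-128/MD5
    (0x00c00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
    (0x00c014) TLS/ECDHE-RSA/AES256-CBC/SHA
    (0x000035) TLS/RSA/AES256-CBC/SHA
    (0x000004) SSL3/RSA/RC4-128/MD5
    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
    (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
    (0x000003) SSL3/RSA/RC4-40/MD5
    (0x00c006) TLS/ECDHE-ECDSA/NULL/SHA
    (0x000002) SSL3/RSA/NULL/SHA
    (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
}"""
CONSOLE_LOG = """76 14:07:49.555 (0.112) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00a'
77 14:07:49.556 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc014'
82 14:07:49.565 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x35'
94 14:07:49.600 (0.006) L5 (JSSConnection.java:103) NSS Cipher Supported '0x4'
104 14:07:49.614 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xa'
119 14:07:49.638 (0.002) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff01'"""

SUITE_RE = re.compile(r"\(0x([0-9a-fA-F]{6})\)\s+(\S+)")
SUPPORTED_RE = re.compile(r"NSS Cipher Supported '0x([0-9a-fA-F]+)'")
# 40- or 56-bit key sizes as ssltap spells them (RC4-40, RC2CBC40, DES56-CBC);
# the lookbehind keeps AES256-CBC from matching on its trailing "56-CBC".
SHORT_KEY_RE = re.compile(r"(?<!\d)(40|56)(-CBC)?$")
WEAK = {"null", "export", "short-key", "ssl2"}


def parse_ssltap(text):
    """Map suite id -> ssltap name for each entry of a cipher-suites block."""
    return {int(h, 16): name for h, name in SUITE_RE.findall(text)}


def parse_supported(log):
    """Suite ids the console's JSSConnection debug lines report as supported."""
    return {int(h, 16) for h in SUPPORTED_RE.findall(log)}


def tags(name):
    """Classify an ssltap name of the form PROTO/KEYEXCHANGE/CIPHER/MAC."""
    parts = name.split("/")
    if len(parts) != 4:  # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        return {"signal"}
    proto, kx, cipher, _mac = parts
    found = set()
    if kx.startswith("ECDH"):
        found.add("ec")
    if proto == "SSL2":
        found.add("ssl2")
    if cipher == "NULL":
        found.add("null")
    if "EXPORT" in kx:
        found.add("export")
    if SHORT_KEY_RE.search(cipher) or cipher == "DES-CBC":
        found.add("short-key")
    return found


def review(before_text, after_text, console_log):
    """Compare two ClientHello suite lists against what the client supports."""
    before, after = parse_ssltap(before_text), parse_ssltap(after_text)
    # The console log uses 0xff01..0xff07 for SSL2 suites, while ssltap prints
    # their 3-byte codes, so only SSL3/TLS ids are compared here.
    supported = {s for s in parse_supported(console_log) if s < 0xFF00}
    added = {sid: name for sid, name in after.items() if sid not in before}
    return {
        "not_offered_before": sorted(supported - set(before)),
        "ec_added": sorted(s for s, n in added.items() if "ec" in tags(n)),
        "weak_added": sorted(s for s, n in added.items() if tags(n) & WEAK),
        "weak_after": sorted(s for s, n in after.items() if tags(n) & WEAK),
    }


if __name__ == "__main__":
    for key, ids in review(BEFORE, AFTER_EC, CONSOLE_LOG).items():
        print(key, [hex(i) for i in ids])
```

`weak_added` is non-empty for the sample because the AFTER lists on this page include NULL-encryption suites alongside the new EC ones.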

Comment 10 Christina Fu 2010-10-10 22:06:20 UTC
note: phase 1 fix also fixes the old issue of no higher strength ciphers available.

status: after all available cipher suites are turned on, EC conn still fails with pkiconsole at various places for different scenarios. ECDH, ECDHE for certicom results are different, nethsm is also different from certicom.
This will be phase 2 to resolve.

Comment 11 Christina Fu 2010-10-11 16:49:14 UTC
awnuk, please review phase 1 attachment.  Thanks.

Comment 12 Andrew Wnuk 2010-10-11 18:25:44 UTC
attachment 452617 [details] +awnuk
- please add back password callback setup

Comment 13 Christina Fu 2010-10-11 19:06:15 UTC
Created attachment 452777 [details]
enable all available cipher suites

addressed review comments.  Awnuk please review.

Comment 14 Andrew Wnuk 2010-10-11 20:28:57 UTC
attachment 452777 [details] +awnuk

Comment 15 Christina Fu 2010-10-11 21:10:19 UTC
Note: phase 1 enables all available cipher suites.  You can only see the differences when running debugging such as ssltap.

RHCS8.1:
$ svn commit
Sending        console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
Transmitting file data .
Committed revision 1345.


TIP:
$ svn commit
Sending        console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
Transmitting file data .
Committed revision 1346.

Comment 16 Christina Fu 2010-10-24 21:40:20 UTC
Update:
I suspected certicom quirkiness, so I tried hooking up console (with fix from phase 1 above) with nethsm2k and it now works.

I did not try ssl client auth. File a separate bug if it fails, as it might have different priority.

Comment 17 Kashyap Chamarthy 2010-11-10 06:23:05 UTC
Verified:

RHEL5.6(x86_64)
CS8.1 nightly builds(Nov 02 2010)

Notes:

(1) For ECC configured subsystems do the below:

(a) Create (if they do not exist already) NSS dbs in /root/.redhat-idm-console

# certutil -N -d .

(b) If we're using nethsm, add the pkcs11 module to /root/.redhat-idm-console

# modutil -dbdir /root/.redhat-idm-console -nocertdb -add nethsm2k -libfile /opt/nfast/toolkits/pkcs11/libknfast.so

When pkiconsole is launched, and when prompted for password, provide nethsm2k
password as well, and select the CA admin cert, and proceed ahead.


(2) NOTE: SSL Client auth also works successfully for ECC CA.

Setup Instructions here:
https://bugzilla.redhat.com/show_bug.cgi?id=512493#c8

