Description of problem:
pkiconsole https://cahost:9445/ca does not fire up successfully when the CA is configured with certicom ECC

Env: RHEL 5.3 fully updated (x86_64)

How reproducible:
Every time

Steps to Reproduce:
1) Configure CA with Certicom ECC (with fixes for errata) - as on aug 18 2009
2) do a vi /usr/bin/pkiconsole and add - enable debugging in /usr/bin/pkiconsole (as suggested by andrew)
============================================
${JAVA} ${JAVA_OPTIONS} -cp ${CP} -Djava.util.prefs.systemRoot=/tmp/.java -Djava.util.prefs.userRoot=/tmp/java com.netscape.admin.certsrv.Console -s instanceID -D 9:all -a $1
----------
note: "-D 9:all" is for verbose output on the console.
============================================

Expected results:
console should be launched successfully.

Actual Results:
---------------------------------------------------------------------------
[user1@tornado ~]$ hostname
tornado.pnq.redhat.com
[user1@tornado ~]$ pkiconsole https://tornado.pnq.redhat.com:9445/ca/
1 14:07:48.117 L9 (Console.java:1568) java.util.prefs.userRoot=/tmp/java
2 14:07:48.119 (0.002) L9 (Console.java:1568) java.runtime.name=OpenJDK Runtime Environment
3 14:07:48.120 (0.001) L9 (Console.java:1568) sun.boot.library.path=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64
4 14:07:48.121 (0.001) L9 (Console.java:1568) java.vm.version=1.6.0-b09
5 14:07:48.121 (0.0) L9 (Console.java:1568) java.vm.vendor=Sun Microsystems Inc.
6 14:07:48.122 (0.001) L9 (Console.java:1568) java.vendor.url=http://java.sun.com/
7 14:07:48.122 (0.0) L9 (Console.java:1568) path.separator=:
8 14:07:48.123 (0.001) L9 (Console.java:1568) java.vm.name=OpenJDK 64-Bit Server VM
9 14:07:48.124 (0.001) L9 (Console.java:1568) file.encoding.pkg=sun.io
10 14:07:48.125 (0.001) L9 (Console.java:1568) sun.java.launcher=SUN_STANDARD
11 14:07:48.125 (0.0) L9 (Console.java:1568) user.country=US
12 14:07:48.126 (0.001) L9 (Console.java:1568) sun.os.patch.level=unknown
13 14:07:48.127 (0.001) L9 (Console.java:1568) java.vm.specification.name=Java Virtual Machine Specification
14 14:07:48.132 (0.005) L9 (Console.java:1568) user.dir=/home/user1
15 14:07:48.133 (0.001) L9 (Console.java:1568) java.runtime.version=1.6.0-b09
16 14:07:48.134 (0.001) L9 (Console.java:1568) java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
17 14:07:48.134 (0.0) L9 (Console.java:1568) java.endorsed.dirs=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/endorsed
18 14:07:48.135 (0.001) L9 (Console.java:1568) os.arch=amd64
19 14:07:48.136 (0.001) L9 (Console.java:1568) java.io.tmpdir=/tmp
20 14:07:48.136 (0.0) L9 (Console.java:1568) line.separator=
21 14:07:48.137 (0.001) L9 (Console.java:1568) java.vm.specification.vendor=Sun Microsystems Inc.
22 14:07:48.155 (0.018) L9 (Console.java:1568) os.name=Linux
23 14:07:48.155 (0.0) L9 (Console.java:1568) sun.jnu.encoding=UTF-8
24 14:07:48.156 (0.001) L9 (Console.java:1568) java.library.path=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/lib64/pki:/usr/lib64/dirsec:/usr/lib64:/lib64:/usr/lib/pki:/usr/lib/dirsec:/usr/lib:/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
25 14:07:48.161 (0.005) L9 (Console.java:1568) java.specification.name=Java Platform API Specification
26 14:07:48.168 (0.007) L9 (Console.java:1568) java.class.version=50.0
27 14:07:48.169 (0.001) L9 (Console.java:1568) sun.management.compiler=HotSpot 64-Bit Server Compiler
28 14:07:48.170 (0.001) L9 (Console.java:1568) os.version=2.6.18-128.el5
29 14:07:48.170 (0.0) L9 (Console.java:1568) user.home=/home/user1
30 14:07:48.174 (0.004) L9 (Console.java:1568) user.zoneinfo.dir=/usr/share/javazi
31 14:07:48.174 (0.0) L9 (Console.java:1568) user.timezone=Asia/Kolkata
32 14:07:48.175 (0.001) L9 (Console.java:1568) java.awt.printerjob=sun.print.PSPrinterJob
33 14:07:48.175 (0.0) L9 (Console.java:1568) file.encoding=UTF-8
34 14:07:48.176 (0.001) L9 (Console.java:1568) java.specification.version=1.6
35 14:07:48.177 (0.001) L9 (Console.java:1568) java.class.path=/usr/share/pki/classes:/usr/share/java/pki/console-cms.jar:/usr/share/java/pki/console-cms_en.jar:/usr/share/java/pki/cms-theme_en.jar:/usr/share/java/fedora-idm-console_en.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/ldapjdk.jar:/usr/lib/java/dirsec/jss4.jar:/usr/lib/java/jss4.jar
36 14:07:48.177 (0.0) L9 (Console.java:1568) user.name=user1
37 14:07:48.178 (0.001) L9 (Console.java:1568) java.vm.specification.version=1.0
38 14:07:48.178 (0.0) L9 (Console.java:1568) java.home=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
39 14:07:48.179 (0.001) L9 (Console.java:1568) sun.arch.data.model=64
40 14:07:48.179 (0.0) L9 (Console.java:1568) java.util.prefs.systemRoot=/tmp/.java
41 14:07:48.180 (0.001) L9 (Console.java:1568) user.language=en
42 14:07:48.180 (0.0) L9 (Console.java:1568) java.specification.vendor=Sun Microsystems Inc.
43 14:07:48.181 (0.001) L9 (Console.java:1568) java.vm.info=mixed mode
44 14:07:48.181 (0.0) L9 (Console.java:1568) java.version=1.6.0
45 14:07:48.182 (0.001) L9 (Console.java:1568) java.ext.dirs=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/ext:/usr/java/packages/lib/ext
46 14:07:48.194 (0.012) L9 (Console.java:1568) sun.boot.class.path=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/resources.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/rt.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/jsse.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/jce.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/charsets.jar:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/classes
47 14:07:48.195 (0.001) L9 (Console.java:1568) java.vendor=Sun Microsystems Inc.
48 14:07:48.196 (0.001) L9 (Console.java:1568) file.separator=/
49 14:07:48.196 (0.0) L9 (Console.java:1568) java.vendor.url.bug=http://java.sun.com/cgi-bin/bugreport.cgi
50 14:07:48.197 (0.001) L9 (Console.java:1568) sun.io.unicode.encoding=UnicodeLittle
51 14:07:48.197 (0.0) L9 (Console.java:1568) sun.cpu.endian=little
52 14:07:48.198 (0.001) L9 (Console.java:1568) sun.desktop=gnome
53 14:07:48.198 (0.0) L9 (Console.java:1568) sun.cpu.isalist=
54 14:07:48.199 (0.001) L1 (Unknown Source) ResourceSet:getString():Unable to resolve console-displayVersion
55 14:07:48.200 (0.001) L0 (Console.java:1574) Management-Console/null B2009.062.2213
56 14:07:48.224 (0.024) L9 (Unknown Source) ResourceSet: NOT found in cache loader1007660009:com.netscape.management.client.default
57 14:07:48.234 (0.01) L9 (Unknown Source) ResourceSet: NOT found in cache loader1007660009:com.netscape.management.client.topology.topology
58 14:07:48.849 (0.615) L9 (Unknown Source) ResourceSet: NOT found in cache loader1007660009:CMSAdminRS
59 14:07:48.919 (0.07) L9 (Unknown Source) ResourceSet: found in cache loader1007660009:CMSAdminRS
Warning: Potentially incorrect URL path: ca/
Default supported URL paths are 'ca', 'kra', 'ocsp', and 'tks'.
60 14:07:48.960 (0.041) L9 (Unknown Source) ResourceSet: NOT found in cache loader1007660009:com.netscape.admin.certsrv.certsrv-help
61 14:07:48.961 (0.001) L0 (Unknown Source) ResourceSet(): unable to open com.netscape.admin.certsrv.certsrv-help
62 14:07:48.962 (0.001) L9 (Unknown Source) ResourceSet: NOT found in cache loader1007660009:com.netscape.admin.certsrv.certsrv
63 14:07:48.963 (0.001) L0 (Unknown Source) ResourceSet(): unable to open com.netscape.admin.certsrv.certsrv
64 14:07:49.092 (0.129) L9 (Unknown Source) RemoteImage: NOT found in cache loader1007660009:com/netscape/admin/certsrv/images/CertificateServer.gif
65 14:07:49.374 (0.282) L9 (Unknown Source) RemoteImage: Create RemoteImage cache for loader1007660009
66 14:07:49.376 (0.002) L5 (CMSAdmin.java:108) initialized CMSAdmin (Standalone mode)
67 14:07:49.377 (0.001) L5 (CMSAdmin.java:112) initialized CMSAdmin for null
68 14:07:49.378 (0.001) L5 (CMSAdmin.java:437) The user double click the icon null
69 14:07:49.379 (0.001) L5 (CMSAdmin.java:438) View instance in the run method -> null
70 14:07:49.379 (0.0) L5 (CMSAdmin.java:592) Check server status
71 14:07:49.412 (0.033) L5 (CMSServerInfo.java:78) CMSServerInfo: host tornado.pnq.redhat.com port 9445 userid serverRoot null serverid instanceID
72 14:07:49.428 (0.016) L9 (Unknown Source) ResourceSet: found in cache loader1007660009:com.netscape.management.client.default
73 14:07:49.429 (0.001) L9 (Unknown Source) ResourceSet: found in cache loader1007660009:com.netscape.management.client.theme.theme
74 14:07:49.431 (0.002) L9 (Unknown Source) ResourceSet: found in cache loader1007660009:com.netscape.management.client.default
75 14:07:49.443 (0.012) L5 (AdminConnection.java:128) AdminConnection: 600000 com.netscape.management.client.preferences.FilePreferenceManager
76 14:07:49.555 (0.112) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00a'
77 14:07:49.556 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc014'
78 14:07:49.557 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x39'
79 14:07:49.562 (0.005) L5 (JSSConnection.java:103) NSS Cipher Supported '0x38'
80 14:07:49.563 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00f'
81 14:07:49.564 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc005'
82 14:07:49.565 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x35'
83 14:07:49.566 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc007'
84 14:07:49.567 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc009'
85 14:07:49.568 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc011'
86 14:07:49.568 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc013'
87 14:07:49.569 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x66'
88 14:07:49.570 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x33'
89 14:07:49.591 (0.021) L5 (JSSConnection.java:103) NSS Cipher Supported '0x32'
90 14:07:49.592 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00c'
91 14:07:49.593 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00e'
92 14:07:49.593 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc002'
93 14:07:49.594 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc004'
94 14:07:49.600 (0.006) L5 (JSSConnection.java:103) NSS Cipher Supported '0x4'
95 14:07:49.608 (0.008) L5 (JSSConnection.java:103) NSS Cipher Supported '0x5'
96 14:07:49.609 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x2f'
97 14:07:49.609 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc008'
98 14:07:49.610 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc012'
99 14:07:49.611 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x16'
100 14:07:49.611 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x13'
101 14:07:49.612 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00d'
102 14:07:49.612 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc003'
103 14:07:49.613 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xfeff'
104 14:07:49.614 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xa'
105 14:07:49.614 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x15'
106 14:07:49.615 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x12'
107 14:07:49.616 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xfefe'
108 14:07:49.616 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x9'
109 14:07:49.617 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x64'
110 14:07:49.621 (0.004) L5 (JSSConnection.java:103) NSS Cipher Supported '0x62'
111 14:07:49.622 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x3'
112 14:07:49.622 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x6'
113 14:07:49.623 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc006'
114 14:07:49.624 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc010'
115 14:07:49.634 (0.01) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00b'
116 14:07:49.634 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc001'
117 14:07:49.635 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x2'
118 14:07:49.636 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x1'
119 14:07:49.638 (0.002) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff01'
120 14:07:49.639 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff03'
121 14:07:49.640 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff07'
122 14:07:49.640 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff06'
123 14:07:49.641 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff02'
124 14:07:49.641 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff04'
125 14:07:49.750 (0.109) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00a'
126 14:07:49.751 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc014'
127 14:07:49.751 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x39'
128 14:07:49.752 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x38'
129 14:07:49.753 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00f'
130 14:07:49.753 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc005'
131 14:07:49.754 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x35'
132 14:07:49.754 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc007'
133 14:07:49.755 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc009'
134 14:07:49.756 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc011'
135 14:07:49.757 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc013'
136 14:07:49.757 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x66'
137 14:07:49.758 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x33'
138 14:07:49.758 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x32'
139 14:07:49.759 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00c'
140 14:07:49.760 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00e'
141 14:07:49.761 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc002'
142 14:07:49.762 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc004'
143 14:07:49.762 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x4'
144 14:07:49.763 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x5'
145 14:07:49.764 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x2f'
146 14:07:49.764 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc008'
147 14:07:49.765 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc012'
148 14:07:49.766 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x16'
149 14:07:49.766 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x13'
150 14:07:49.767 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00d'
151 14:07:49.768 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc003'
152 14:07:49.768 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xfeff'
153 14:07:49.781 (0.013) L5 (JSSConnection.java:103) NSS Cipher Supported '0xa'
154 14:07:49.782 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x15'
155 14:07:49.783 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x12'
156 14:07:49.787 (0.004) L5 (JSSConnection.java:103) NSS Cipher Supported '0xfefe'
157 14:07:49.789 (0.002) L5 (JSSConnection.java:103) NSS Cipher Supported '0x9'
158 14:07:49.789 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x64'
159 14:07:49.790 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x62'
160 14:07:49.790 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0x3'
161 14:07:49.791 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x6'
162 14:07:49.792 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc006'
163 14:07:49.793 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc010'
164 14:07:49.793 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc00b'
165 14:07:49.794 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xc001'
166 14:07:49.804 (0.01) L5 (JSSConnection.java:103) NSS Cipher Supported '0x2'
167 14:07:49.805 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0x1'
168 14:07:49.806 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff01'
169 14:07:49.806 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff03'
170 14:07:49.807 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff07'
171 14:07:49.808 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff06'
172 14:07:49.808 (0.0) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff02'
173 14:07:49.809 (0.001) L5 (JSSConnection.java:103) NSS Cipher Supported '0xff04'
java.io.IOException: SocketException cannot read on socket
    at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1014)
    at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:70)
    at com.netscape.admin.certsrv.connection.JSSConnection.readLineFromStream(JSSConnection.java:447)
    at com.netscape.admin.certsrv.connection.JSSConnection.readHeader(JSSConnection.java:464)
    at com.netscape.admin.certsrv.connection.JSSConnection.initReadResponse(JSSConnection.java:436)
    at com.netscape.admin.certsrv.connection.JSSConnection.sendRequest(JSSConnection.java:350)
    at com.netscape.admin.certsrv.connection.AdminConnection.processRequest(AdminConnection.java:729)
    at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:634)
    at com.netscape.admin.certsrv.connection.AdminConnection.sendRequest(AdminConnection.java:601)
    at com.netscape.admin.certsrv.connection.AdminConnection.authType(AdminConnection.java:334)
    at com.netscape.admin.certsrv.CMSServerInfo.getAuthType(CMSServerInfo.java:125)
    at com.netscape.admin.certsrv.CMSAdmin.run(CMSAdmin.java:511)
    at com.netscape.admin.certsrv.CMSAdmin.run(CMSAdmin.java:560)
    at com.netscape.admin.certsrv.Console.main(Console.java:1724)
[user1@tornado ~]$
-----------------------------------------------------------------------------
kashyap to try with client auth instructions
- creating .mcc directory with cert8/key3/secmod db
- attach ecc pkcs11 module to secmod
- then use that to launch console
chandra, I did try this, but was kinda stuck as below.

1) mkdir /home/user1/.mcc
2) certutil -N /home/user1/.mcc
3) Now, I loaded the ecc module as below
[user1@tornado .mcc]# modutil -dbdir /home/user1/.mcc -nocertdb -add certicom -libfile /usr/lib64/libsbcpgse.so
- module loads successfully, but now the questions are (but still I went ahead)
a) do we need to run the initpin tool in .mcc directory?
b) if a) is yes, doesn't it conflict with the already existing token databases (/home/user1/.certicom, which gets created initially when the ecc module is loaded into user's firefox nss dbs)?
=============
I went ahead and ran the initpin tool in .mcc directory and the pin is set.
- now, set the NSS flag on the user's shell as below and launch console
export NSS_USE_DECODED_CKA_EC_POINT=1
- still the pkiconsole does not launch. (see the console debugging output as attachment)

any hints here?
Created attachment 358554
pkiconsole debug output after loading ecc module into .mcc directory
(In reply to comment #2)
>
> any hints here?

yeah .. whatever steps you took to get firefox going.
Chandra, (if you recollect, maybe a month ago??), we've noticed with ssltap, the console JSS is not using ECC ciphers on its cipher list.

cipher suites from ssltap output...
===========================================================
cipher-suites = {
    (0x010080) SSL2/RSA/RC4-128/MD5
    (0x030080) SSL2/RSA/RC2CBC128/MD5
    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
    (0x060040) SSL2/RSA/DES56-CBC/MD5
    (0x020080) SSL2/RSA/RC4-40/MD5
    (0x040080) SSL2/RSA/RC2CBC40/MD5
    (0x000004) SSL3/RSA/RC4-128/MD5
    (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
    (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
    (0x000009) SSL3/RSA/DES56-CBC/SHA
    (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
    (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
    (0x000003) SSL3/RSA/RC4-40/MD5
    (0x000006) SSL3/RSA/RC2CBC40/MD5
}
===========================================================
I retried with the nightly builds -x86_64(RHEL5.4) - CA configured with Certicom ECC and I still see the same "cannot read on socket" exception mentioned in comment#1

note 1: pkiconsole still fails to launch, when tried with creating /home/alice/.mcc , load the ECC module, set the 'NSS_USE_DECODED_CKA_EC_POINT=1' on the user's shell and then launch console (as outlined in comment#1)
-- is this the right way? something needs to be added here? because I think, there are *two* certicom databases as I mentioned in comment#2
- one in /home/alice/.certicom
- the other: /home/alice/.mcc/.certicom

note 2: I tried capturing ssltap output (while running pkiconsole), but ssltap stays quiet without output..
==============================
[alice@autocs ~]$ ssltap -vhsfx -p 1925 autocs.pnq.redhat.com:9745
Version: $Revision: 1.13 $ ($Date: 2009/03/13 02:24:07 $) $Author: nelson%bolyard.com $
<HTML><HEAD><TITLE>SSLTAP output</TITLE></HEAD>
<BODY><PRE>
Looking up "autocs.pnq.redhat.com"...
Proxy socket ready and listening
===============================

If someone wants to take a look into the machine, please ping me for connection info.
Created attachment 452617
Phase 1 - enable cipher suites

Phase 1 code enables all available cipher suites. Differences (BEFORE and AFTER) could be seen with ssltap.

BEFORE:
cipher-suites = {
    (0x010080) SSL2/RSA/RC4-128/MD5
    (0x030080) SSL2/RSA/RC2CBC128/MD5
    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
    (0x060040) SSL2/RSA/DES56-CBC/MD5
    (0x020080) SSL2/RSA/RC4-40/MD5
    (0x040080) SSL2/RSA/RC2CBC40/MD5
    (0x000004) SSL3/RSA/RC4-128/MD5
    (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
    (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
    (0x000009) SSL3/RSA/DES56-CBC/SHA
    (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
    (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
    (0x000003) SSL3/RSA/RC4-40/MD5
    (0x000006) SSL3/RSA/RC2CBC40/MD5
    (0x0000ff) ????/????????/?????????/???
}

AFTER:
non-ec client to RSA server:
cipher-suites = {
    (0x010080) SSL2/RSA/RC4-128/MD5
    (0x030080) SSL2/RSA/RC2CBC128/MD5
    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
    (0x060040) SSL2/RSA/DES56-CBC/MD5
    (0x020080) SSL2/RSA/RC4-40/MD5
    (0x040080) SSL2/RSA/RC2CBC40/MD5
    (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
    (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
    (0x000035) TLS/RSA/AES256-CBC/SHA
    (0x000066) TLS/DHE-DSS/RC4-128/SHA
    (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
    (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
    (0x000004) SSL3/RSA/RC4-128/MD5
    (0x000005) SSL3/RSA/RC4-128/SHA
    (0x00002f) TLS/RSA/AES128-CBC/SHA
    (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
    (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
    (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
    (0x000015) SSL3/DHE-RSA/DES56-CBC/SHA
    (0x000012) SSL3/DHE-DSS/DES56-CBC/SHA
    (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
    (0x000009) SSL3/RSA/DES56-CBC/SHA
    (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
    (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
    (0x000003) SSL3/RSA/RC4-40/MD5
    (0x000006) SSL3/RSA/RC2CBC40/MD5
    (0x000002) SSL3/RSA/NULL/SHA
    (0x000001) SSL3/RSA/NULL/MD5
    (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
}

ec client in ClientHello:
cipher-suites = {
    (0x010080) SSL2/RSA/RC4-128/MD5
    (0x030080) SSL2/RSA/RC2CBC128/MD5
    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
    (0x060040) SSL2/RSA/DES56-CBC/MD5
    (0x020080) SSL2/RSA/RC4-40/MD5
    (0x040080) SSL2/RSA/RC2CBC40/MD5
    (0x00c00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
    (0x00c014) TLS/ECDHE-RSA/AES256-CBC/SHA
    (0x000039) TLS/DHE-RSA/AES256-CBC/SHA
    (0x000038) TLS/DHE-DSS/AES256-CBC/SHA
    (0x00c00f) TLS/ECDH-RSA/AES256-CBC/SHA
    (0x00c005) TLS/ECDH-ECDSA/AES256-CBC/SHA
    (0x000035) TLS/RSA/AES256-CBC/SHA
    (0x00c007) TLS/ECDHE-ECDSA/RC4-128/SHA
    (0x00c009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
    (0x00c011) TLS/ECDHE-RSA/RC4-128/SHA
    (0x00c013) TLS/ECDHE-RSA/AES128-CBC/SHA
    (0x000066) TLS/DHE-DSS/RC4-128/SHA
    (0x000033) TLS/DHE-RSA/AES128-CBC/SHA
    (0x000032) TLS/DHE-DSS/AES128-CBC/SHA
    (0x00c00c) TLS/ECDH-RSA/RC4-128/SHA
    (0x00c00e) TLS/ECDH-RSA/AES128-CBC/SHA
    (0x00c002) TLS/ECDH-ECDSA/RC4-128/SHA
    (0x00c004) TLS/ECDH-ECDSA/AES128-CBC/SHA
    (0x000004) SSL3/RSA/RC4-128/MD5
    (0x000005) SSL3/RSA/RC4-128/SHA
    (0x00002f) TLS/RSA/AES128-CBC/SHA
    (0x00c008) TLS/ECDHE-ECDSA/3DES-EDE-CBC/SHA
    (0x00c012) TLS/ECDHE-RSA/3DES-EDE-CBC/SHA
    (0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
    (0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
    (0x00c00d) TLS/ECDH-RSA/3DES-EDE-CBC/SHA
    (0x00c003) TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA
    (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
    (0x000015) SSL3/DHE-RSA/DES56-CBC/SHA
    (0x000012) SSL3/DHE-DSS/DES56-CBC/SHA
    (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
    (0x000009) SSL3/RSA/DES56-CBC/SHA
    (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
    (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
    (0x000003) SSL3/RSA/RC4-40/MD5
    (0x000006) SSL3/RSA/RC2CBC40/MD5
    (0x00c006) TLS/ECDHE-ECDSA/NULL/SHA
    (0x00c010) TLS/ECDHE-RSA/NULL/SHA
    (0x00c00b) TLS/ECDH-RSA/NULL/SHA
    (0x00c001) TLS/ECDH-ECDSA/NULL/SHA
    (0x000002) SSL3/RSA/NULL/SHA
    (0x000001) SSL3/RSA/NULL/MD5
    (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
}
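
The BEFORE/AFTER comparison in the comment above can be checked mechanically. The following Python script is an added example, not part of the bug report or of the attached patch: it parses ssltap `cipher-suites` blocks and reports which ECC suites a change added and which NULL, export-grade and SSL2 suites the client offers afterwards. The sample inputs are shortened excerpts of the lists quoted in this thread, and the function names are hypothetical.

```python
import re

# One ssltap entry, e.g. "(0x00c00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA"
SUITE_RE = re.compile(r"\(0x([0-9a-fA-F]{6})\)\s+(\S+)")
BLOCK_RE = re.compile(r"cipher-suites\s*=\s*\{(.*?)\}", re.S)

# Shortened excerpts of the ssltap lists quoted in this thread (not full captures).
BEFORE = """cipher-suites = {
    (0x010080) SSL2/RSA/RC4-128/MD5
    (0x000004) SSL3/RSA/RC4-128/MD5
    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
    (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
    (0x000003) SSL3/RSA/RC4-40/MD5
}"""

AFTER_EC = """cipher-suites = {
    (0x010080) SSL2/RSA/RC4-128/MD5
    (0x00c00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
    (0x00c014) TLS/ECDHE-RSA/AES256-CBC/SHA
    (0x000035) TLS/RSA/AES256-CBC/SHA
    (0x000004) SSL3/RSA/RC4-128/MD5
    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
    (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
    (0x000003) SSL3/RSA/RC4-40/MD5
    (0x00c006) TLS/ECDHE-ECDSA/NULL/SHA
    (0x000002) SSL3/RSA/NULL/SHA
    (0x0000ff) TLS_EMPTY_RENEGOTIATION_INFO_SCSV
}"""


def parse_suites(ssltap_text):
    """Return {code: name} for the first 'cipher-suites = { ... }' block.

    Works on multi-line output and on output flattened onto one line.
    """
    block = BLOCK_RE.search(ssltap_text)
    if block is None:
        raise ValueError("no cipher-suites block in input")
    return {int(code, 16): name for code, name in SUITE_RE.findall(block.group(1))}


def tags(code, name):
    """Classify one offered suite by the properties a reviewer cares about."""
    found = set()
    if code > 0xFFFF:       # SSL2 suites use 3-byte codes such as 0x010080
        found.add("ssl2")
    if code == 0x00FF:      # renegotiation signalling value, not a real cipher
        found.add("scsv")
    if "ECDH" in name:      # matches both ECDH and ECDHE key exchange
        found.add("ecc")
    if "/NULL/" in name:    # integrity only, no encryption
        found.add("null")
    if "EXPORT" in name or "-40/" in name or "CBC40/" in name:
        found.add("export")  # export-grade (40/56-bit) suites
    return found


def review(before_text, after_text):
    """Compare two ssltap captures and summarise what the change put on offer."""
    before, after = parse_suites(before_text), parse_suites(after_text)
    added = {c: n for c, n in after.items() if c not in before}

    def pick(suites, tag):
        return sorted(c for c, n in suites.items() if tag in tags(c, n))

    return {
        "added_ecc": pick(added, "ecc"),
        "added_null": pick(added, "null"),
        "offered_export": pick(after, "export"),
        "offered_ssl2": pick(after, "ssl2"),
    }


if __name__ == "__main__":
    for key, codes in review(BEFORE, AFTER_EC).items():
        print(key, [hex(c) for c in codes])
```

Running it against full captures instead of the excerpts gives the complete set of suites to disable again once ECC connectivity is confirmed.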
note: phase 1 fix also fixes the old issue of no higher strength ciphers available.

status: after all available cipher suites are turned on, EC conn still fails with pkiconsole at various places for different scenarios. ECDH, ECDHE for certicom results are different, nethsm is also different from certicom. This will be phase 2 to resolve.
awnuk, please review phase 1 attachment. Thanks.
attachment 452617 +awnuk
- please add back password callback setup
Created attachment 452777
enable all available cipher suites

addressed review comments. Awnuk please review.
attachment 452777 +awnuk
Note: phase 1 enables all available cipher suites. You can only see the differences when running debugging such as ssltap.

RHCS8.1:
$ svn commit
Sending        console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
Transmitting file data .
Committed revision 1345.

TIP:
$ svn commit
Sending        console/src/com/netscape/admin/certsrv/connection/JSSConnection.java
Transmitting file data .
Committed revision 1346.
Update: I suspected certicom quirkiness, so I tried hooking up console (with fix from phase 1 above) with nethsm2k and it now works. I did not try ssl client auth. File a separate bug if it fails, as it might have different priority.
Verified: RHEL5.6(x86_64) CS8.1 nightly builds(Nov 02 2010)

Notes:
(1) For ECC configured subsystems do the below:
(a) Create (if they do not exist already) NSS dbs in /root/.redhat-idm-console
# certutil -N -d .
(b) If we're using nethsm, add the pkcs11 module to /root/.redhat-idm-console
# modutil -dbdir /root/.redhat-idm-console -nocertdb -add nethsm2k -libfile /opt/nfast/toolkits/pkcs11/libknfast.so
When pkiconsole is launched, and when prompted for password, provide nethsm2k password as well, and select the CA admin cert, and proceed ahead.

(2) NOTE: SSL Client auth also works successfully for ECC CA. Setup Instructions here: https://bugzilla.redhat.com/show_bug.cgi?id=512493#c8