[Pki-users] ESC Format / Enroll Error

John Whitelock john.whitelock at envieta.com
Wed Jan 7 21:36:05 UTC 2009


Jack, 

Thanks again for the help. Below I have pasted the log you asked for from
that same test. 


[07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: client certificate found
[07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
[07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
[07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: mapped certificate to user
[07/Jan/2009:11:20:42][http-13443-Processor25]: authenticated uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tks
[07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success

[07/Jan/2009:11:20:42][http-13443-Processor25]: checkACLS(): ACLEntry expressions= group="Token Key Service Manager Agents"
[07/Jan/2009:11:20:42][http-13443-Processor25]: evaluating expressions: group="Token Key Service Manager Agents"
[07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
[07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
[07/Jan/2009:11:20:42][http-13443-Processor25]: UGSubsystem.isMemberOf() using new lookup code
[07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
[07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search base: cn=Token Key Service Manager Agents,ou=groups,dc=localhost.localdomain-pki-tks
[07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search filter: (uniquemember=uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tks)
[07/Jan/2009:11:20:42][http-13443-Processor25]: authorization result: true
[07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
[07/Jan/2009:11:20:42][http-13443-Processor25]: evaluated expression: group="Token Key Service Manager Agents" to be true
[07/Jan/2009:11:20:42][http-13443-Processor25]: DirAclAuthz: authorization passed
[07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][aclResource=certServer.tks.sessionkey][Op=read] authorization success

[07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
[07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
[07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=TPS-localhost.localdomain-7889][Outcome=Success][Role=Token Key Service Manager Agents] assume privileged role

[07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
[07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
[07/Jan/2009:11:20:42][http-13443-Processor25]: processComputeSessionKey:
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet: serversideKeygen requested
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet about to try ComputeSessionKey selectedToken=Internal Key Storage Token keyNickName=#FF#02
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:Tried ComputeSessionKey, got NULL
java.lang.Exception: Can't compute session key!
	at com.netscape.cms.servlet.tks.TokenServlet.processComputeSessionKey(TokenServlet.java:336)
	at com.netscape.cms.servlet.tks.TokenServlet.process(TokenServlet.java:945)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:482)
	at com.netscape.cms.servlet.tks.TokenServlet.service(TokenServlet.java:964)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
	at java.lang.Thread.run(Thread.java:636)
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet Computing Session Key: java.lang.Exception: Can't compute session key!
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:outputString.encode status=3
[07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:outputString.length 8
[07/Jan/2009:11:20:42][http-13443-Processor25]: CMSServlet: curDate=Wed Jan 07 11:20:42 GMT-05:00 2009 id=tksSessionKey time=430

-----Original Message-----
From: Jack Magne [mailto:jmagne at redhat.com] 
Sent: Wednesday, January 07, 2009 4:24 PM
To: Zach Casper
Cc: pki-users at redhat.com; 'John Whitelock'
Subject: Re: [Pki-users] ESC Format / Enroll Error

Zach:

It looks like with your second test, you have managed to get by the 
hurdle of the failed "InitializeUpdate" command. This is due to using 0 
and 0 for the defKeyVersion and defKeyIndex.

Now it looks like the TKS system is not acting as expected.

It would be great to have a look at the TKS debug log found in 
/var/lib/pki-tks/logs

I suspect we are having an issue with computing the session key in the TKS.

thanks,
jack


Zach Casper wrote:
>
> Thanks Jack.
>
> It appears we are using the same keys so on to troubleshooting our
> error logs. Below are our current logs file contents.
>
> When we use the default values:
>
> channel.defKeyVersion=1
> channel.defKeyIndex=1
>
> The error we get is:
>
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Attributes mail,cn,uid
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Exposed cn=Test User1
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 3
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Exposed uid=testuser1
> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 4
> [2009-01-07 11:05:07] ba6ec600 RA_Format_Processor::Process - Authenticate returns: 0
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> [2009-01-07 11:05:07] ba6ec600 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='20')
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg -
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='13'
> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%09%CD%60%A7%11%EC%23%A5'
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 6a 86
> [2009-01-07 11:05:08] ba6ec600 RA_Format_Processor::Process - applet upgrade failed
> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 90 00
> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
>
> When we switch the values to be:
>
> channel.defKeyVersion=0
> channel.defKeyIndex=0
>
> The error now looks like this:
>
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Attributes mail,cn,uid
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Exposed cn=Test User1
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 3
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Exposed uid=testuser1
> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 4
> [2009-01-07 11:20:41] bacd2d28 RA_Format_Processor::Process - Authenticate returns: 0
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> [2009-01-07 11:20:41] bacd2d28 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='20')
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='13'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%00%00%08%95%74%0B%AC%37%C9%DE%80'
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='30')
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 71 61 57 01 0e 0d 90 bd
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - ff 02 00 21 2e 6b ec 9e 33 2b
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - a5 26 d0 02 e6 64 c9 3c 90 00
> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
> [2009-01-07 11:20:41] bacd2d28 HttpConnection::getResponse - Send request to host localhost.localdomain:13443 servlet /tks/agent/tks/computeSessionKey
> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Pre-processing content 'HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Content-Type: text/html
> Content-Length: 8
> Date: Wed, 07 Jan 2009 16:20:42 GMT
>
> status=3
> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Post-processing content 'status=3
> [2009-01-07 11:20:42] bacd2d28 RA_Format_Processor::Process - applet upgrade failed
> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='2')
> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - 90 00
> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
>
> In addition - the following is the pki-tps.tps-error.log snippet
>
> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel 
> creation failure
> [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel 
> creation failure
> [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel 
> creation failure
> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel 
> creation failure
> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel 
> creation failure
> [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - 
> Failed to create a secure channel - potentially due to an RA/TKS key 
> mismatch or differing RA/TKS key versions.
> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel 
> creation failure
>
> I'm also bringing John Whitelock, another one of our engineers in on 
> discussions. He just joined the pki-users list.
>
> Zach Casper
>
> _____________________________________________
> *From:* Jack Magne [mailto:jmagne at redhat.com]
> *Sent:* Wednesday, January 07, 2009 1:09 PM
> *To:* Zach Casper
> *Cc:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>
> Zach:
>
> Sorry for the delay....
>
> The default developer keyset we use for our keys with TPS is the
> standard like follows:
>
> tks.defKeySet.auth_key=#40#41...#4f
> tks.defKeySet.kek_key=#40#41...#4f
> tks.defKeySet.mac_key=#40#41.. #4f
>
> If you look in the CS.cfg file under
>
> /var/lib/pki-tks/conf
>
> We have an entire procedure documented in the CS 7.3 documentation to
> perform a key changeover if required.
>
> Feel free to post any further logs you might obtain after further testing.
>
> thanks,
> jack
>
> Zach Casper wrote:
> >
> > Could there be an issue with the default key our card is loaded with
> > (VISA Key) not being able to create the secure connection? What are
> > the default key(s) used/needed by Dogtag?
> >
> > _____________________________________________
> > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > *Sent:* Tuesday, December 23, 2008 5:35 PM
> > *To:* Zach Casper
> > *Cc:* pki-users at redhat.com
> > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> >
> > I'll have to take a closer look later but there is a quick thing you can
> > try.
> >
> > Also, remember depending upon your card, if you make too many failed
> > attempts at a secure channel, the card can lock itself up.
> >
> > In /var/lib/pki-tps/conf/CS.cfg you will have a block like this:
> >
> > channel.defKeyVersion=1
> > channel.defKeyIndex=1
> >
> > We have experimented with some other cards where the following works:
> >
> > channel.defKeyVersion=0
> > channel.defKeyIndex=0
> >
> > Zach Casper wrote:
> > >
> > > tps-error.log
> > > ...
> > > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel creation failure
> > > [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel creation failure
> > > [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel creation failure
> > > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel creation failure
> > > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel creation failure
> > > [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel - Failed to create a secure channel - potentially due to an RA/TKS key mismatch or differing RA/TKS key versions.
> > > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel creation failure
> > >
> > > tps-debug.log
> > > ...
> > > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - Authenticate returns: 0
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=67&msg_type=14&current_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
> > > [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path = /usr/share/pki/tps/applets/1.3.44724DDE.ijc
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='20')
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00 00 00 03 00
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65 01 ff 90 00
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg -
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13'
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A7'
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2')
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86
> > > [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet upgrade failed
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu = (length='2')
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00
> > > [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent 's=43&msg_type=13&operation=5&result=1&message=19'
> > >
> > > zach
> > >
> > > _____________________________________________
> > > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > > *Sent:* Tuesday, December 23, 2008 2:38 PM
> > > *To:* Adewumi, Julius-p99373
> > > *Cc:* Zach Casper; pki-users at redhat.com
> > > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> > >
> > > You are having a problem creating a secure channel. Perhaps posting a
> > > snippet of the log might help.
> > >
> > > Adewumi, Julius-p99373 wrote:
> > > > You might want to play with changing "false" to "true" in the CS.cfg for
> > > > op.enroll.userKey.update.applet.emptyToken.enable=false or the
> > > > op.format... equivalent, etc.
> > > >
> > > > /From: Julius Adewumi/
> > > > /@GDC4S.com/
> > > > /Ph:480-441-6768/
> > > > /Contract Corp:MTSI/
> > > >
> > > > ------------------------------------------------------------------------
> > > > *From:* pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper
> > > > *Sent:* Tuesday, December 23, 2008 12:00 PM
> > > > *To:* pki-users at redhat.com
> > > > *Subject:* RE: [Pki-users] ESC Format / Enroll Error
> > > >
> > > > Tps-debug log shows the following:
> > > >
> > > > RA_Format_Processor::Process - applet upgrade failed
> > > >
> > > > Tps-error log shows the following:
> > > >
> > > > RA_Processor::SetupSecureChannel - Failed to create a secure channel
> > > > 0- potentially due to an RA/TKS key mismatch or differing RA/TKS key
> > > > versions.
> > > >
> > > > RA_Processor::UpgradeApplet -0 channel create failure
> > > >
> > > > And a series of Bad Response when trying to SelectApplet or GetStatus
> > > >
> > > > zach
> > > >
> > > > _____________________________________________
> > > > *From:* Jack Magne [mailto:jmagne at redhat.com]
> > > > *Sent:* Tuesday, December 23, 2008 1:10 PM
> > > > *To:* Zach Casper
> > > > *Subject:* Re: [Pki-users] ESC Format / Enroll Error
> > > >
> > > > The first step would be to take a look at the tps log or smart card
> > > > server.
> > > >
> > > > These can be found at:
> > > >
> > > > /var/lib/pki-tps/logs/tps-debug.log
> > > >
> > > > Search the bottom of the log for error 19 and it should give you an idea
> > > > of what TPS was trying to do at the time.
> > > >
> > > > Zach Casper wrote:
> > > > >
> > > > > We have an Infineon Smart Card and currently we are unable to
> > > > > Format/Enroll due to the following ESC Error
> > > > >
> > > > > "Formatting of smart card failed. Error: The Smart Card Server cannot
> > > > > upgrade the software on your smart card."
> > > > >
> > > > > And Diagnostics show this error:
> > > > >
> > > > > "Attempting to Format Key, ID: ####### - Key Format failure, Error: 19."
> > > > >
> > > > > This card comes up as "Formatted" because we've manually installed a
> > > > > version of the Dogtag applet prior to using ESC & Dogtag.
> > > > >
> > > > > Any advice on how we can troubleshoot?
> > > > >
> > > > > --
> > > > > Zach Casper
> > > > > Envieta LLC
> > > > > ----------------------------------------
> > > > >
> > > > > ------------------------------------------------------------------------
> > > > >
> > > > > _______________________________________________
> > > > > Pki-users mailing list
> > > > > Pki-users at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/pki-users
> > > > >
>
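
The INITIALIZE UPDATE exchanges in the tps-debug.log excerpts of this thread can be decoded mechanically. The following is an added example, not part of the original thread or of the Dogtag code: it parses the two Jan 7 exchanges (log lines copied from the thread with the mail wrapping undone) using the GlobalPlatform field layout. The function names, and the reading of P1/P2 as the values set by channel.defKeyVersion/channel.defKeyIndex, are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Log lines copied from the two 2009-01-07 tests in the thread, with the
# mail client's line wrapping undone. Only the INITIALIZE UPDATE exchanges.
SAMPLE_LOG = """\
[2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='13'
[2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%09%CD%60%A7%11%EC%23%A5'
[2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu = (length='2')
[2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 6a 86
[2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='13'
[2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%00%00%08%95%74%0B%AC%37%C9%DE%80'
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu = (length='30')
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 71 61 57 01 0e 0d 90 bd
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - ff 02 00 21 2e 6b ec 9e 33 2b
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - a5 26 d0 02 e6 64 c9 3c 90 00
[2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
"""

# ISO 7816-4 status words that occur in this thread (plus one common neighbour).
SW_MEANING = {0x9000: "success",
              0x6A86: "incorrect parameters P1-P2",
              0x6A88: "referenced data not found"}

WRITE_RE = re.compile(r"WriteMsg - Sent '[^']*?pdu_data=([^'&]+)'")
LEN_RE = re.compile(r"ReadMsg - decoded pdu = \(length='(\d+)'\)")
HEX_RE = re.compile(r"ReadMsg - ((?:[0-9a-fA-F]{2}\s?)+)$")


def exchanges(log_text):
    """Pair each command APDU sent to the token with the response that follows."""
    pairs, cmd, want, buf = [], None, 0, b""
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := WRITE_RE.search(line):
            cmd = unquote_to_bytes(m.group(1))      # pdu_data is URL-encoded
        elif m := LEN_RE.search(line):
            want, buf = int(m.group(1)), b""        # response is split over lines
        elif want and (m := HEX_RE.search(line)):
            buf += bytes.fromhex(m.group(1))
            if len(buf) >= want:
                pairs.append((cmd, buf[:want]))
                cmd, want = None, 0
    return pairs


def decode_init_update(cmd, resp):
    """Decode one GlobalPlatform INITIALIZE UPDATE (CLA 80, INS 50) exchange."""
    if cmd is None or len(cmd) < 5 or cmd[0] != 0x80 or cmd[1] != 0x50:
        return None
    sw = int.from_bytes(resp[-2:], "big")
    out = {"req_key_version": cmd[2],               # P1
           "req_key_index": cmd[3],                 # P2
           "host_challenge": cmd[5:5 + cmd[4]].hex(),
           "sw": f"{sw:04x}",
           "sw_meaning": SW_MEANING.get(sw, "unknown")}
    body = resp[:-2]
    if sw == 0x9000 and len(body) == 28:
        # 10 bytes diversification data, 2 bytes key info, 8 + 8 bytes crypto
        out.update(key_diversification=body[:10].hex(),
                   card_key_version=body[10], scp=body[11],
                   card_challenge=body[12:20].hex(),
                   card_cryptogram=body[20:28].hex())
    return out


def report(log_text):
    """Return the decoded INITIALIZE UPDATE exchanges found in a TPS debug log."""
    decoded = (decode_init_update(c, r) for c, r in exchanges(log_text))
    return [d for d in decoded if d]


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

In the second exchange the card reports key version ff and secure channel protocol 02, the same two bytes that appear as keyNickName=#FF#02 in the TKS debug log at the top of this message.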




