[Pki-users] ESC Format / Enroll Error
Jack Magne
jmagne at redhat.com
Wed Jan 7 23:04:29 UTC 2009
Thanks:
I will take a look in an effort to figure out what we have.
John Whitelock wrote:
> Jack,
>
> Thanks again for the help. Below I have pasted the log you asked for from
> that same test.
>
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: client
> certificate found
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: Authentication: mapped
> certificate to user
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authenticated
> uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.localdomain-pki-tk
> s
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory:
> create()
> message=[AuditEvent=AUTH_SUCCESS][SubjectID=TPS-localhost.localdomain-7889][
> Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: checkACLS(): ACLEntry
> expressions= group="Token Key Service Manager Agents"
> [07/Jan/2009:11:20:42][http-13443-Processor25]: evaluating expressions:
> group="Token Key Service Manager Agents"
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: UGSubsystem.isMemberOf()
> using new lookup code
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search base:
> cn=Token Key Service Manager
> Agents,ou=groups,dc=localhost.localdomain-pki-tks
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization search filter:
> (uniquemember=uid=TPS-localhost.localdomain-7889,ou=People,dc=localhost.loca
> ldomain-pki-tks)
> [07/Jan/2009:11:20:42][http-13443-Processor25]: authorization result: true
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: evaluated expression:
> group="Token Key Service Manager Agents" to be true
> [07/Jan/2009:11:20:42][http-13443-Processor25]: DirAclAuthz: authorization
> passed
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory:
> create()
> message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=TPS-localhost.localdomain-7889]
> [Outcome=Success][aclResource=certServer.tks.sessionkey][Op=read]
> authorization success
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: getConn: mNumConns now 2
> [07/Jan/2009:11:20:42][http-13443-Processor25]: returnConn: mNumConns now 3
> [07/Jan/2009:11:20:42][http-13443-Processor25]: SignedAuditEventFactory:
> create()
> message=[AuditEvent=ROLE_ASSUME][SubjectID=TPS-localhost.localdomain-7889][O
> utcome=Success][Role=Token Key Service Manager Agents] assume privileged
> role
>
> [07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
> [07/Jan/2009:11:20:42][http-13443-Processor25]: keySet selected: defKeySet
> [07/Jan/2009:11:20:42][http-13443-Processor25]: processComputeSessionKey:
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:
> serversideKeygen requested
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet about to try
> ComputeSessionKey selectedToken=Internal Key Storage Token
> keyNickName=#FF#02
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet:Tried
> ComputeSessionKey, got NULL
> java.lang.Exception: Can't compute session key!
> at
> com.netscape.cms.servlet.tks.TokenServlet.processComputeSessionKey(TokenServ
> let.java:336)
> at
> com.netscape.cms.servlet.tks.TokenServlet.process(TokenServlet.java:945)
> at
> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:482)
> at
> com.netscape.cms.servlet.tks.TokenServlet.service(TokenServlet.java:964)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application
> FilterChain.java:269)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh
> ain.java:188)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja
> va:213)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja
> va:172)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127
> )
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117
> )
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java
> :108)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:875)
> at
> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processC
> onnection(Http11BaseProtocol.java:665)
> at
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.jav
> a:528)
> at
> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWo
> rkerThread.java:81)
> at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav
> a:689)
> at java.lang.Thread.run(Thread.java:636)
> [07/Jan/2009:11:20:42][http-13443-Processor25]: TokenServlet Computing
> Session Key: java.lang.Exception: Can't compute session key!
> [07/Jan/2009:11:20:42][http-13443-Processor25]:
> TokenServlet:outputString.encode status=3
> [07/Jan/2009:11:20:42][http-13443-Processor25]:
> TokenServlet:outputString.length 8
> [07/Jan/2009:11:20:42][http-13443-Processor25]: CMSServlet: curDate=Wed Jan
> 07 11:20:42 GMT-05:00 2009 id=tksSessionKey time=430
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne at redhat.com]
> Sent: Wednesday, January 07, 2009 4:24 PM
> To: Zach Casper
> Cc: pki-users at redhat.com; 'John Whitelock'
> Subject: Re: [Pki-users] ESC Format / Enroll Error
>
> Zach:
>
> It looks like with your second test, you have managed to get by the
> hurdle of the failed "InitializeUpdate" command. This is due to using 0
> and 0 for the defKeyVersion and defKeyIndex.
>
> Now it looks like the TKS system is not acting as expected.
>
> It would be great to have a look at the TKS debug log found in
> /var/lib/pki-tks/logs
>
> I suspect we are having an issue with computing the session key in the TKS.
>
> thanks,
> jack
>
>
> Zach Casper wrote:
>
>> Thanks Jack.
>>
>> It appears we are using the same keys so on to troubleshooting our
>> error logs. Below are our current logs file contents.
>>
>> When we use the default values:
>>
>> channel.defKeyVersion=1
>>
>> channel. defKeyIndex=1
>>
>> Ther error we get is:
>>
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate -
>> User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
>>
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate -
>> Attributes mail,cn,uid
>>
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate -
>> Exposed cn=Test User1
>>
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 3
>>
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate -
>> Exposed uid=testuser1
>>
>> [2009-01-07 11:05:07] ba6ec600 LDAP_Authentication::Authenticate - Size 4
>>
>> [2009-01-07 11:05:07] ba6ec600 RA_Format_Processor::Process -
>> Authenticate returns: 0
>>
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent
>> 's=67&msg_type=14¤t_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
>>
>> [2009-01-07 11:05:07] ba6ec600 RA_Processor::UpgradeApplet - path =
>> /usr/share/pki/tps/applets/1.3.44724DDE.ijc
>>
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
>>
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent
>>
>>
> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
>
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - decoded pdu =
>> (length='20')
>>
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 6f 10 84 08 a0 00
>> 00 00 03 00
>>
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg - 00 00 a5 04 9f 65
>> 01 ff 90 00
>>
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::ReadMsg -
>>
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - pdu_len='13'
>>
>> [2009-01-07 11:05:07] ba6ec600 AP_Session::WriteMsg - Sent
>>
>>
> 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%09%CD%60%A7%11%EC%23%A
> 5'
>
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu =
>> (length='2')
>>
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 6a 86
>>
>> [2009-01-07 11:05:08] ba6ec600 RA_Format_Processor::Process - applet
>> upgrade failed
>>
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - pdu_len='12'
>>
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent
>>
>>
> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
>
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - decoded pdu =
>> (length='2')
>>
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::ReadMsg - 90 00
>>
>> [2009-01-07 11:05:08] ba6ec600 AP_Session::WriteMsg - Sent
>> 's=43&msg_type=13&operation=5&result=1&message=19'
>>
>> When we switch the values to be:
>>
>> channel.defKeyVersion=0
>>
>> channel. defKeyIndex=0
>>
>> The error now looks like this:
>>
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate -
>> User bind required 'uid=testuser1,ou=People,dc=localdomain' 'envieta123'
>>
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate -
>> Attributes mail,cn,uid
>>
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate -
>> Exposed cn=Test User1
>>
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 3
>>
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate -
>> Exposed uid=testuser1
>>
>> [2009-01-07 11:20:41] bacd2d28 LDAP_Authentication::Authenticate - Size 4
>>
>> [2009-01-07 11:20:41] bacd2d28 RA_Format_Processor::Process -
>> Authenticate returns: 0
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent
>> 's=67&msg_type=14¤t_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
>>
>> [2009-01-07 11:20:41] bacd2d28 RA_Processor::UpgradeApplet - path =
>> /usr/share/pki/tps/applets/1.3.44724DDE.ijc
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent
>>
>>
> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu =
>> (length='20')
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 6f 10 84 08 a0 00
>> 00 00 03 00
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 a5 04 9f 65
>> 01 ff 90 00
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - pdu_len='13'
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::WriteMsg - Sent
>>
>>
> 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%00%00%08%95%74%0B%AC%37%C9%DE%8
> 0'
>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - decoded pdu =
>> (length='30')
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - 00 00 71 61 57 01
>> 0e 0d 90 bd
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - ff 02 00 21 2e 6b
>> ec 9e 33 2b
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg - a5 26 d0 02 e6 64
>> c9 3c 90 00
>>
>> [2009-01-07 11:20:41] bacd2d28 AP_Session::ReadMsg -
>>
>> [2009-01-07 11:20:41] bacd2d28 HttpConnection::getResponse - Send
>> request to host localhost.localdomain:13443 servlet
>> /tks/agent/tks/computeSessionKey
>>
>> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Pre-processing content
>> 'HTTP/1.1 200 OK
>>
>> Server: Apache-Coyote/1.1
>>
>> Content-Type: text/html
>>
>> Content-Length: 8
>>
>> Date: Wed, 07 Jan 2009 16:20:42 GMT
>>
>> status=3
>>
>> [2009-01-07 11:20:42] bacd2d28 RA::Engine - Post-processing content
>> 'status=3
>>
>> [2009-01-07 11:20:42] bacd2d28 RA_Format_Processor::Process - applet
>> upgrade failed
>>
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - pdu_len='12'
>>
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent
>>
>>
> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
>
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - decoded pdu =
>> (length='2')
>>
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::ReadMsg - 90 00
>>
>> [2009-01-07 11:20:42] bacd2d28 AP_Session::WriteMsg - Sent
>> 's=43&msg_type=13&operation=5&result=1&message=19'
>>
>> In addition - the following is the pki-tps.tps-error.log snippet
>>
>> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel
>> creation failure
>> [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel
>> creation failure
>> [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel
>> creation failure
>> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel
>> creation failure
>> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel
>> creation failure
>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel -
>> Failed to create a secure channel - potentially due to an RA/TKS key
>> mismatch or differing RA/TKS key versions.
>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel
>> creation failure
>>
>> I'm also bringing John Whitelock, another one of our engineers in on
>> discussions. He just joined the pki-users list.
>>
>> Zach Casper
>>
>> _____________________________________________
>> *From:* Jack Magne [mailto:jmagne at redhat.com]
>> *Sent:* Wednesday, January 07, 2009 1:09 PM
>> *To:* Zach Casper
>> *Cc:* pki-users at redhat.com
>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>>
>> Zach:
>>
>> Sorry for the delay....
>>
>> The default developer keyset we use for our keys with TPS is the
>>
>> standard like follows:
>>
>> tks.defKeySet.auth_key=#40#41...#4f
>>
>> tks.defKeySet.kek_key=#40#41...#4f
>>
>> tks.defKeySet.mac_key=#40#41.. #4f
>>
>> If you look in the CS.cfg file under
>>
>> /var/lib/pki-tks/conf
>>
>> We have an entire procedure documented in the CS 7.3 documentation to
>>
>> perform a key changeover if required.
>>
>> Feel free to post any further logs you might obtain after further testing.
>>
>> thanks,
>>
>> jack
>>
>> Zach Casper wrote:
>>
>>
>>> Could there be an issue with the default key our card is loaded with
>>>
>>> (VISA Key) not being able to create the secure connection? What are
>>>
>>> the default key(s) used/needed by Dogtag?
>>>
>>> _____________________________________________
>>>
>>> *From:* Jack Magne [mailto:jmagne at redhat.com]
>>>
>>> *Sent:* Tuesday, December 23, 2008 5:35 PM
>>>
>>> *To:* Zach Casper
>>>
>>> *Cc:* pki-users at redhat.com
>>>
>>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>>>
>>> I'll have to take a closer look later but there is a quick thing you can
>>>
>>> try.
>>>
>>> Also, remember depending upon your card, if you make too many failed
>>>
>>> attempts at a secure channel, the card can lock itself up.
>>>
>>> In /var/lib/pki-tps/conf/CS.cfg you will have a block like this:
>>>
>>> channel.defKeyVersion=1
>>>
>>> channel. defKeyIndex=1
>>>
>>> We have experimented with some other cards where the following works:
>>>
>>> channel.defKeyVersion=0
>>>
>>> channel.defKeyIndex=0
>>>
>>> Zach Casper wrote:
>>>
>>>> tps-error.log
>>>>
>>>> ...
>>>>
>>>> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::SetupSecureChannel -
>>>>
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>>
>>>> mismatch or differing RA/TKS key versions.
>>>>
>>>> [2008-12-23 12:09:39] ba5de4e0 RA_Processor::UpgradeApplet - channel
>>>>
>>>> creation failure
>>>>
>>>> [2008-12-23 12:10:20] ba5cb398 RA_Processor::SetupSecureChannel -
>>>>
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>>
>>>> mismatch or differing RA/TKS key versions.
>>>>
>>>> [2008-12-23 12:10:20] ba5cb398 RA_Processor::UpgradeApplet - channel
>>>>
>>>> creation failure
>>>>
>>>> [2008-12-23 12:11:14] b8e04520 RA_Processor::SetupSecureChannel -
>>>>
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>>
>>>> mismatch or differing RA/TKS key versions.
>>>>
>>>> [2008-12-23 12:11:14] b8e04520 RA_Processor::UpgradeApplet - channel
>>>>
>>>> creation failure
>>>>
>>>> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::SetupSecureChannel -
>>>>
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>>
>>>> mismatch or differing RA/TKS key versions.
>>>>
>>>> [2008-12-23 12:39:38] ba5c00e0 RA_Processor::UpgradeApplet - channel
>>>>
>>>> creation failure
>>>>
>>>> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::SetupSecureChannel -
>>>>
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>>
>>>> mismatch or differing RA/TKS key versions.
>>>>
>>>> [2008-12-23 12:44:27] ba5b14c8 RA_Processor::UpgradeApplet - channel
>>>>
>>>> creation failure
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::SetupSecureChannel -
>>>>
>>>> Failed to create a secure channel - potentially due to an RA/TKS key
>>>>
>>>> mismatch or differing RA/TKS key versions.
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - channel
>>>>
>>>> creation failure
>>>>
>>>> tps-debug.log
>>>>
>>>> ...
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process -
>>>>
>>>> Authenticate returns: 0
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent
>>>>
>> 's=67&msg_type=14¤t_state=10&next_task_name=PROGRESS_APPLET_UPGRADE'
>>
>>
>>>> [2008-12-23 12:45:54] ba5f2590 RA_Processor::UpgradeApplet - path =
>>>>
>>>> /usr/share/pki/tps/applets/1.3.44724DDE.ijc
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent
>>>>
> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%A0%00%00%00%03%00%00'
>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu =
>>>>
>>>> (length='20')
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6f 10 84 08 a0 00
>>>>
>>>> 00 00 03 00
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 00 00 a5 04 9f 65
>>>>
>>>> 01 ff 90 00
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg -
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='13'
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent
>>>>
> 's=71&msg_type=9&pdu_size=13&pdu_data=%80%50%01%01%08%56%F5%29%9D%7B%8F%6F%A
> 7'
>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu =
>>>>
>>>> (length='2')
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 6a 86
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 RA_Format_Processor::Process - applet
>>>>
>>>> upgrade failed
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - pdu_len='12'
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent
>>>>
> 's=68&msg_type=9&pdu_size=12&pdu_data=%00%A4%04%00%07%62%76%01%FF%00%00%00'
>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - decoded pdu =
>>>>
>>>> (length='2')
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::ReadMsg - 90 00
>>>>
>>>> [2008-12-23 12:45:54] ba5f2590 AP_Session::WriteMsg - Sent
>>>>
>>>> 's=43&msg_type=13&operation=5&result=1&message=19'
>>>>
>>>> zach
>>>>
>>>> _____________________________________________
>>>>
>>>> *From:* Jack Magne [mailto:jmagne at redhat.com]
>>>>
>>>> *Sent:* Tuesday, December 23, 2008 2:38 PM
>>>>
>>>> *To:* Adewumi, Julius-p99373
>>>>
>>>> *Cc:* Zach Casper; pki-users at redhat.com
>>>>
>>>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>>>>
>>>> You are having a problem creating a secure channel. Perhaps posting a
>>>>
>>>> snippet of the log might help.
>>>>
>>>> Adewumi, Julius-p99373 wrote:
>>>>
>>>>> You might want to play with changing "false" to "true in the
>>>>>
>> CS.cfg for
>>
>>
>>>>> op.enroll.userKey.update.applet.emptyToken.enable=false or the
>>>>>
>>>>> op.format... equivalent , etc.
>>>>>
>>>>> /From: Julius Adewumi/
>>>>>
>>>>> /@GDC4S.com/
>>>>>
>>>>> /Ph:480-441-6768/
>>>>>
>>>>> /Contract Corp:MTSI/
>>>>>
>>> ------------------------------------------------------------------------
>>>
>>>>> *From:* pki-users-bounces at redhat.com
>>>>>
>>>>> [mailto:pki-users-bounces at redhat.com] *On Behalf Of *Zach Casper
>>>>>
>>>>> *Sent:* Tuesday, December 23, 2008 12:00 PM
>>>>>
>>>>> *To:* pki-users at redhat.com
>>>>>
>>>>> *Subject:* RE: [Pki-users] ESC Format / Enroll Error
>>>>>
>>>>> Tps-debug log shows the following:
>>>>>
>>>>> RA_Format_Processor::Process - applet upgrade failed
>>>>>
>>>>> Tps-error log show the following:
>>>>>
>>>>> RA_Processor::SetupSecureChannel - Failed to create a secure channel
>>>>>
>>>>> 0- potentially due to an RA/TKS key mismatch or differing RA/TKS key
>>>>>
>>>>> versions.
>>>>>
>>>>> RA_Processor::UpgradeApplet -0 channel create failure
>>>>>
>>>>> And a series of Bad Response when trying to SelectApplet or
>>>>>
> GetStatus
>
>>>>> zach
>>>>>
>>>>> _____________________________________________
>>>>>
>>>>> *From:* Jack Magne [mailto:jmagne at redhat.com]
>>>>>
>>>>> *Sent:* Tuesday, December 23, 2008 1:10 PM
>>>>>
>>>>> *To:* Zach Casper
>>>>>
>>>>> *Subject:* Re: [Pki-users] ESC Format / Enroll Error
>>>>>
>>>>> The first step would be to take a look at the tps log or smart card
>>>>>
>>>>> server.
>>>>>
>>>>> These can be found at:
>>>>>
>>>>> /var/lib/pki-tps/logs/tps-debug.log
>>>>>
>>>>> Search the bottom of the log for error 19 and it should give you an
>>>>>
>>> idea
>>>
>>>>> of what TPS was trying to do at the time.
>>>>>
>>>>> Zach Casper wrote:
>>>>>
>>>>>> We have an Infineon Smart Card and currently we are unable to
>>>>>>
>>>>>> Format/Enroll due to the following ESC Error
>>>>>>
>>>>>> "Formatting of smart card failed. Error: The Smart Card Server
>>>>>>
>> cannot
>>
>>
>>>>>> upgrade the software on your smart card."
>>>>>>
>>>>>> And Diagnostics show this error:
>>>>>>
>>>>>> "Attempting to Format Key, ID: ####### - Key Format failure,
>>>>>>
> Error:
>
>>>> 19."
>>>>
>>>>>> This card comes up as "Formatted" because we've manually
>>>>>>
>> installed a
>>
>>
>>>>>> version of the Dogtag applet prior to using ESC & Dogtag.
>>>>>>
>>>>>> Any advice on how we can troubleshoot?
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Zach Casper
>>>>>>
>>>>>> Envieta LLC
>>>>>>
>>>>>> ----------------------------------------
>>>>>>
>> ------------------------------------------------------------------------
>>
>>
>>>>>> _______________________________________________
>>>>>>
>>>>>> Pki-users mailing list
>>>>>>
>>>>>> Pki-users at redhat.com
>>>>>>
>>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>>
>>> ------------------------------------------------------------------------
>>>
>>>>> _______________________________________________
>>>>>
>>>>> Pki-users mailing list
>>>>>
>>>>> Pki-users at redhat.com
>>>>>
>>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>>
>> ------------------------------------------------------------------------
>>
>>
>>>> _______________________________________________
>>>>
>>>> Pki-users mailing list
>>>>
>>>> Pki-users at redhat.com
>>>>
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/pki-users/attachments/20090107/a6eb5677/attachment.bin>
More information about the Pki-users
mailing list