[Pki-users] "Format" button never enabled in Enterprise Security Client

John Magne jmagne at redhat.com
Tue Sep 24 00:20:54 UTC 2013


Steve greetings:

Comments below:



----- Original Message -----
> From: "Steve Ross" <sross at trustedcs.com>
> To: "John Magne" <jmagne at redhat.com>
> Cc: pki-users at redhat.com
> Sent: Monday, September 23, 2013 4:45:22 PM
> Subject: Re: [Pki-users] "Format" button never enabled in Enterprise Security Client
> 
> Jack,
> 
> Thanks for your quick reply.
> 
> Regarding "Phone Home", I believe that both TPS and ESC are set up
> correctly by default.  For example, the TPS "CS.cfg" file contains the
> lines:
> ...
> op.enroll.userKey.issuerinfo.enable=true
> op.enroll.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
> ...
> op.format.userKey.issuerinfo.enable=true
> op.format.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
> 
> By using the "netstat" command, I can see that my TPS process is
> listening on ports 7888, 7889, and 7890.
> 
> The file "/var/lib/pki-tps/cgi-bin/home/index.cgi", which I haven't
> edited, produces:
> 
> <ServiceInfo>
>    <IssuerName>Fedora Project</IssuerName>
>    <Services>
> <Operation>http://dhcp-12-90.il.tcs-sec.com:7888/nk_service</Operation>
> <UI>http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/enroll.cgi</UI>
> <EnrolledTokenBrowserURL>http://www.fedora.redhat.com</EnrolledTokenBrowserURL>
>    <EnrolledTokenURL></EnrolledTokenURL>
>    <TokenType>userKey</TokenType>
>    </Services>
> </ServiceInfo>
> 
> which again references port 7888.
> 
> 
> I have edited the file
> "user/lib/esc-1.1.0/defaults/preferences/esc-prefs.js", where I've set:
> 
> pref("esc.global.phone.home.url","http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi");

OK, here is why you aren't getting the phone home dialog. This optional config param was put in for those that didn't
want to be able to use a different phone home url for every token they use. This should prevent the dialog from coming up
and the system should use that particular phone home url to contact the TPS server.

One thing you could do is to hit that URL in a browser to make sure it is available. You should a printout of that tiny
XML file you referenced above.

Based on this, it sounds like that maybe your token was not properly recognized by the client.


You could do the following:

1. Stop the pcscd daemon, I think it's service pcscd stop.

2. Run it in interactive mode.    /usr/sbin/pcscd -d -f -a

This will print out what is going on.

3. Bring up ESC again and insert the token.

Have a look at the output and something might be useful for us to debug. Let us know.


If this doesn't give us any useful info, we can get some debug output from our PKCS#11 module coolkey.

1. In a terminal, with esc dead, set this env var:

COOL_KEY_LOG_FILE=/tmp/cool.log

2. Start ESC in the terminal : esc.

3. Take a look at the cool.log file and show us. There may be some obvious log statement that could be helpful.





> 
> 
> So, I'm confused as to why I don't see the "Phone Home Configuration
> Information" dialog that you mention.
> 
> By default, does ESC communicate with TPS over HTTP port 7888?  It is
> necessary to switch ESC to use HTTPS port 7890?
> 
> Is there part of installation or configuration of ESC and TPS that
> people (like me) regularly get wrong?
> 
> Thanks,
> -- Steve Ross
> 
> 
> On 09/20/2013 06:39 PM, John Magne wrote:
> > Steve:
> >
> > Thanks for the query.
> >
> >
> > When you put in a blank token such as you have probably described, the ESC
> > should pop up
> > a "Phone Home" Dialog that asks you to type in a URL pointing to the TPS
> > Server that is part
> > of Dogtag Certificate System.
> >
> > If you do not get this Phone Home dialog there is possibly something wrong
> > there.
> >
> > As for smart card support we only have tested the main cards supported. If
> > there is some alternate
> > card being attempted, it MAY work but we can make no assurances there.
> >
> > thanks,
> > jack
> >
> >
> >
> > ----- Original Message -----
> >> From: "Steve Ross" <sross at trustedcs.com>
> >> To: pki-users at redhat.com
> >> Sent: Friday, September 20, 2013 3:20:22 PM
> >> Subject: [Pki-users] "Format" button never enabled in Enterprise Security
> >> 	Client
> >>
> >> I'm a new user of the Dogtag Certificate System...
> >>
> >> I am trying to create a certificate and write it to a smart card.
> >>
> >> My problem is that my Enterprise Security Client (ESC) does not allow me
> >> to format the smart card. When I insert the blank smart card, the ESC
> >> GUI shows
> >>       Issuer = Unknown
> >>       Issued To = Unknown
> >>       Status = Unformatted
> >>
> >> However, the "Format" button is disabled and remains so.  Why?  Is there
> >> any configuration that I need to do in one of the PKI subsystems or ESC
> >> itself?
> >>
> >> When I instead insert a Common Access Card (CAC), the ESC GUI shows
> >>       Issuer = U.S Government
> >>       Issued To = <name>
> >>       Status = Enrolled
> >>
> >> and ESC is able to display thethree certificates of the CAC.  So, my
> >> hardware/software is working to the extent that it can read another card.
> >>
> >> I see the section in the Red Hat Certificate System (RHCS) 8.1
> >> "Deployment, Planning, and Installation" guide that says:
> >>
> >>       The Certificate System subsystems have been tested using the
> >> following tokens:
> >>           Gemalto TOP IM FIPS CY2 64K token, both as a smart card and
> >> GemPCKey USB form factor key
> >>           Gemalto Cyberflex e-gate 32K token
> >>           Safenet 330J Java smart card
> >>
> >> I also see the section of the RHCS "Managing Smart Cards with the
> >> Enterprise Security Client" that says:
> >>
> >>       The Enterprise Security Client supports smart cards which are
> >> JavaCard 2.1 or higher and Global
> >>       Platform 2.01-compliant and was tested using the following cards:
> >>           Safenet 330J Java smart cards
> >>           Gemalto 64K V2 tokens, both as a smart card and GemPCKey USB
> >> form factor key
> >>           Gemalto GCx4 72K and TOPDLGX4 144K common access cards (CAC)
> >>           Oberthur ID One V5.2 common access cards (CAC)
> >>           Personal identity verification (PIV) cards, compliant with FIPS
> >>           201
> >>
> >> The smart card that I'm using is none of the above, though it exceeds
> >> the standards that the ESC manual describes.
> >>
> >>
> >> Following are the details of my smart card, reader, and installed
> >> software:
> >>
> >> Smart card:
> >>     J2A080 - NXP JAVA based smart card, 80k EEPROM
> >>     This is supposed to meet the standards JCOP 2.4.1, JC 2.2.2, and GP
> >> 2.1.1.
> >>     It is a new card and is not supposed to have any applets on it.
> >>
> >>
> >> Smart card reader:
> >>     OmniKey 3121
> >>
> >>
> >> Operating system:
> >>     CentOS 5.9
> >>
> >>
> >> Software packages installed:
> >>     esc-1.1.0-14.el5.centos.1
> >>     pki-ca-1.3.6-1.el5
> >>     pki-tks-1.3.3-1.el5
> >>     pki-tps-1.3.1-1.el5
> >>     coolkey-1.1.0-15.el5
> >>     tomcat5-5.5.23-0jpp.40.el5_9
> >>     httpd-2.2.3-82.el5.centos
> >>
> >>
> >> Thanks in advance for any help,
> >> -- Steve Ross
> >>
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Pki-users mailing list
> >> Pki-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pki-users
> >>
> 
> 




More information about the Pki-users mailing list