#2498 Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true
Closed: Fixed None Opened 7 years ago by rpattath.

Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true

Steps to Reproduce:

1. External reg is enabled in TPS
2. Enroll an externalRegAddToToken tokentype and recover certs on the token
3. The following additional config changes are made

externalReg.format.loginRequest.enable=false
op.format.externalRegAddToToken.revokeCert=true

4. Format the token in step 2

Actual results:

Format operation fails

Expected results:

Format should be successful and the certs on the token should be revoked

Additional info:

Log messages

[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannelProtocol.unwrapWrappedSymKeyOnToken:Entering...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannelProtocol.makeDes3KeyDerivedFromDes2: Entering ...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannelProtocol.extractDes2FromDes3: Entering:
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannelProtocol.makeDes3KeyDerivedFromDes2: extracted8 key
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannelProtocol.unwrapWrappedSymKeyOnToken:Returning symkey...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSProcessor.generateSecureChannel: retrieved session key: org.mozilla.jss.pkcs11.PK11SymKey@7877e868
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannelProtocol.unwrapWrappedSymKeyOnToken:Entering...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannelProtocol.makeDes3KeyDerivedFromDes2: Entering ...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannelProtocol.extractDes2FromDes3: Entering:
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannelProtocol.makeDes3KeyDerivedFromDes2: extracted8 key
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannelProtocol.unwrapWrappedSymKeyOnToken:Returning symkey...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSProcessor.generateSecureChannel: retrieved enc session key
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannel.SecureChannel: For SCP01.
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSProcessor.checkAndUpdradeSymKeys: Leaving successfully....
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannel.externalAuthenticate: entering. &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannel.externalAuthenticate: about to call computeAPDUMac. &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannel.computeAPDUMac: got data To MAC
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannel.computeAPDUMac: MAC computed
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSConnection.write: Writing: s=95&msg_type=9&pdu_size=21pdu_data=<do not print>
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSSession.read() about to call read on connection : org.dogtagpki.tps.TPSConnection@3ff417eb
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSConnection read()
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSConnection.read: Reading: s=38&msg_type=10&pdu_size=2&pdu_data=%90%00
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSMessage.createMessage: message: s=38&msg_type=10&pdu_size=2&pdu_data=<do not print>&pdu_size=2&pdu_data=%90%00
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSMessage msg_type: 10
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSMessage operation: null
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSMessage extensions: null
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSSession.read() message created
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: APDUResponse.checkResult : sw1: 0x90 sw2: 0x0
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SecureChannel.externalAuthenticate: Successfully completed, exiting ...
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: SignedAuditEventFactory: create() message created for eventType=TOKEN_FORMAT_SUCCESS

[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: revokeCertsAtFormat: begins
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: getRevocationReasonAtFormat finding config: op.format.externalRegAddToToken.revokeCert.reason
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSProcessor.getCAConnectorID: finding config: op.format.externalRegAddToToken.ca.conn
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSSession.process: Message processing failed: TPSProcessor.getCAConnectorID: Internal error finding config value:op.format.externalRegAddToToken.ca.conn
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSConnection.write: Writing: s=43&msg_type=13&operation=5&result=1&message=35
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: TPSSession.process: leaving: result: 1 status: STATUS_ERROR_CONTACT_ADMIN
[04/Oct/2016:11:26:47][http-bio-25080-exec-2]: After session.process() exiting ...

Per PKI Bug Council Meeting of 10/04/2016: needs more investigation

Investigation result:
I think the workaround is just to add the missing param:
op.format.externalRegAddToToken.ca.conn=ca1

commit 34b0a80790d6aca7d9e2307716abf1db9d8bb562
Author: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Mon Oct 10 16:05:26 2016 -0700

Ticket #2498 Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true
This patch adds the missing parameters in the CS.cfg for externalRegAddToToken in regards to format operation. It also changed the non-defined ldap2 and ldap3 and ldap1
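
A pre-deployment check for the failure in this ticket, as an added example (not part of the ticket, the patch, or the Dogtag code base): it scans CS.cfg-style `key=value` text and reports every token type whose format operation has `revokeCert=true` but no `ca.conn` value. It generalizes from `externalRegAddToToken` to any token type under `op.format.*`; the sample config is constructed and `exampleType` is a hypothetical token type.

```python
import re
import sys

# op.format.<tokenType>.revokeCert (does not match ...revokeCert.reason)
REVOKE_KEY = re.compile(r"^op\.format\.([^.]+)\.revokeCert$")


def parse_cfg(text):
    """Parse key=value lines; skip blank lines and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def missing_ca_conn(cfg):
    """Token types that revoke certs at format but name no CA connector."""
    problems = []
    for key, value in cfg.items():
        match = REVOKE_KEY.match(key)
        if not match or value.lower() != "true":
            continue
        token_type = match.group(1)
        # Revocation at format needs a CA connector to send the request to.
        if not cfg.get(f"op.format.{token_type}.ca.conn"):
            problems.append(token_type)
    return sorted(problems)


# Constructed sample reproducing the ticket's configuration.
SAMPLE_BROKEN = """\
externalReg.format.loginRequest.enable=false
op.format.externalRegAddToToken.revokeCert=true
op.format.exampleType.revokeCert=false
"""
# Same config with the workaround parameter from the ticket added.
SAMPLE_FIXED = SAMPLE_BROKEN + "op.format.externalRegAddToToken.ca.conn=ca1\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    bad = missing_ca_conn(parse_cfg(text))
    for token_type in bad:
        print(f"op.format.{token_type}.revokeCert=true but "
              f"op.format.{token_type}.ca.conn is not set")
    sys.exit(1 if bad else 0)
```
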

Metadata Update from @rpattath:
- Issue assigned to cfu
- Issue set to the milestone: 10.3.8

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2618

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
