Automatic Key Recovery to a token failing with "Internal Smart Card server error 36"

Solution Verified - Updated -

Issue

Attempted to automatically recover a 'lost - damaged' token's encryption certificate to a new smart card using the guidance from this link:
http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/7.3/html/Administration_Guide/Administration_Guide-Enrolling_Smart_Cards_through_the_Enterprise_Security_Client-Automating_Encryption_Key_Recovery.html.

Set the following in the TPS CS.cfg:
## Recover Destroyed cert declarations
op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=3
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=identity
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=signing
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.2=encryption

## identity cert
## Revoke & Generate a new key
op.enroll.userKey.keyGen.identity.recovery.destroyed.revokeCert=true
op.enroll.userKey.keyGen.identity.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.identity.recovery.destroyed.scheme=GenerateNewKey

## signing cert
## Revoke and Generate a new key
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey

## Encryption Cert
## Do NOT revoke the cert, RecoverLast key
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
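As an added example (not part of the Red Hat article or the TPS code), a small lint for the recovery.destroyed declarations above: it checks that keyType.num matches the value.N entries, that every listed key type carries a scheme and revokeCert, and that RecoverLast is not paired with revokeCert=true, which would contradict the "do NOT revoke" guidance for the encryption cert. The set of valid schemes is assumed to be the two the article uses.

```python
# Added example: sanity-check the TPS CS.cfg recovery declarations before restarting TPS.
PREFIX = "op.enroll.userKey.keyGen"
SCHEMES = {"GenerateNewKey", "RecoverLast"}   # assumption: the two schemes shown above

# Constructed sample: the declarations from the article, as one string.
SAMPLE_CFG = """
op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=3
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=identity
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=signing
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.2=encryption
op.enroll.userKey.keyGen.identity.recovery.destroyed.revokeCert=true
op.enroll.userKey.keyGen.identity.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.identity.recovery.destroyed.scheme=GenerateNewKey
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
"""

def parse_cfg(text):
    """Parse key=value lines; '#' comment lines and blanks are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def lint_recovery(cfg, reason="destroyed"):
    """Return a list of problems found in the recovery.<reason> declarations."""
    problems = []
    base = f"{PREFIX}.recovery.{reason}.keyType"
    num = int(cfg.get(f"{base}.num", "0"))
    types = [cfg.get(f"{base}.value.{i}") for i in range(num)]
    if any(t is None for t in types):
        problems.append(f"{base}.num={num} but fewer value.N entries are present")
    for t in filter(None, types):
        scheme = cfg.get(f"{PREFIX}.{t}.recovery.{reason}.scheme")
        revoke = cfg.get(f"{PREFIX}.{t}.recovery.{reason}.revokeCert")
        if scheme not in SCHEMES:
            problems.append(f"{t}: scheme {scheme!r} is not one of {sorted(SCHEMES)}")
        if revoke not in ("true", "false"):
            problems.append(f"{t}: revokeCert must be true or false, got {revoke!r}")
        if scheme == "RecoverLast" and revoke == "true":
            problems.append(f"{t}: RecoverLast with revokeCert=true would revoke the cert being recovered")
    return problems
```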

How to reproduce this error:
o Make the above changes, save file, restart TPS
o Register user
o Enroll user on a token
o Go to TPS Agent page, change token's status to 'lost - physically damaged'
o Search for token, verify status change was committed
o Re-register user
o Format a new token
o Enroll - observe the error.

Here are the tps-debug.log and tps-error.log entries right before the error happens:

==> tps-debug.log <==
[2011-04-11 19:46:09] edbc5d40 AP_Session::ReadMsg - msg_len=36
[2011-04-11 19:46:09] edbc5d40 AP_Session::ReadMsg - Received len='36' msg='msg_type=10&pdu_size=2&pdu_data=o%00'
[2011-04-11 19:46:09] edbc5d40 AP_Session::create_pblock - Data 'msg_type=10&pdu_size=2&pdu_data=o%00'
[2011-04-11 19:46:09] edbc5d40 AP_Session::create_pblock - Found Arguments=3, nalloc=50
[2011-04-11 19:46:09] edbc5d40 AP_Session::create_pblock - entry name=msg_type, value=10
[2011-04-11 19:46:09] edbc5d40 AP_Session::create_pblock - entry name=pdu_size, value=2
[2011-04-11 19:46:09] edbc5d40 AP_Session::create_pblock - entry name=pdu_data, value=o%00
[2011-04-11 19:46:09] edbc5d40 AP_Session::ReadMsg - Found msg_type=TOKEN_PDU_RESPONSE (10)
[2011-04-11 19:46:09] edbc5d40 AP_Session::ReadMsg - Found pdu_size=2
[2011-04-11 19:46:09] edbc5d40 AP_Session::ReadMsg - decoded_pdu size= 2
[2011-04-11 19:46:09] edbc5d40 AP_Session::ReadMsg - decoded pdu = (length='2')
[2011-04-11 19:46:09] edbc5d40 AP_Session::ReadMsg - 6f 00
[2011-04-11 19:46:09] edbc5d40 RA_pblock::free_pblock - in free_pblock
[2011-04-11 19:46:09] edbc5d40 RA_pblock::free_pblock - in free_pblock done
[2011-04-11 19:46:09] edbc5d40 AP_Session::ReadMsg - ========= ReadMsg Ends =========
[2011-04-11 19:46:09] edbc5d40 RA_Processor::ImportKeyEnc - Error Response from Token 6f 0
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::ProcessRecovery - Filter to find certificates = (&(tokenKeyType=encryption)(tokenID=40708517797900872590))
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::ProcessRecovery - Recover key for encryption
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::GenerateCertsAfterRecoveryPolicy - returning boolean = 0
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::Process - - GenerateCertsAfterRecoveryPolicy returns false
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::Process - before CERT_DestroyCertificate. certNums=3
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::Process - CERT_DestroyCertificate: i=0
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::Process - CERT_DestroyCertificate: i=0 done
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::Process - CERT_DestroyCertificate: i=1
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::Process - CERT_DestroyCertificate: i=1 done
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::Process - CERT_DestroyCertificate: i=2
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::Process - CERT_DestroyCertificate: i=2 done
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::Process - after CERT_DestroyCertificate
[2011-04-11 19:46:09] edbc5d40 RA_Enroll_Processor::Process - returning status
[2011-04-11 19:46:09] edbc5d40 AP_Session::WriteMsg - Sent 's=48&msg_type=13&operation=1&result=1&message=36

'

==> tps-error.log <==
[2011-04-11 19:46:09] edbc5d40 RA_Processor::ImportKeyEnc - Error Response from Token 6f 0
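As an added example (not from the article or the TPS code), a decoder for the log lines above: it URL-decodes the pdu_data of the TOKEN_PDU_RESPONSE message, checks it against pdu_size, and reads the trailing two bytes as the ISO 7816-4 status word, pairing it with the TPS step that logged "Error Response from Token". The SW1 meanings are the standard ISO 7816-4 classes, not anything TPS-specific.

```python
# Added example: decode the TPS wire message and the token's status word from tps-debug.log.
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the two tps-debug.log lines that matter, copied from the excerpt above.
SAMPLE_LOG = [
    "[2011-04-11 19:46:09] edbc5d40 AP_Session::ReadMsg - Received len='36' "
    "msg='msg_type=10&pdu_size=2&pdu_data=o%00'",
    "[2011-04-11 19:46:09] edbc5d40 RA_Processor::ImportKeyEnc - Error Response from Token 6f 0",
]

TOKEN_PDU_RESPONSE = 10   # msg_type the log itself labels TOKEN_PDU_RESPONSE

# ISO 7816-4 SW1 error classes (assumed standard meanings).
SW1_MEANING = {
    0x6F: "no precise diagnosis (card-side failure)",
    0x6A: "wrong parameters P1-P2",
    0x6D: "instruction not supported",
    0x6E: "class not supported",
}

def decode_msg(line):
    """Return (msg_type, pdu_bytes) for a 'Received ... msg=...' line, else None."""
    m = re.search(r"msg='([^']*)'", line)
    if not m:
        return None
    fields = dict(part.partition("=")[::2] for part in m.group(1).split("&"))
    pdu = unquote_to_bytes(fields.get("pdu_data", ""))   # 'o%00' -> b'o\x00' = 6f 00
    if len(pdu) != int(fields.get("pdu_size", "0")):
        raise ValueError("pdu_size does not match the decoded pdu_data length")
    return int(fields["msg_type"]), pdu

def status_word(pdu):
    """Last two bytes of a response APDU are SW1 SW2; return (hex sw, description)."""
    if len(pdu) < 2:
        raise ValueError("response too short to carry a status word")
    sw1, sw2 = pdu[-2], pdu[-1]
    desc = "success" if (sw1, sw2) == (0x90, 0x00) else SW1_MEANING.get(sw1, "unknown error class")
    return f"{sw1:02x}{sw2:02x}", desc

def explain(lines):
    """Pair the most recent TOKEN_PDU_RESPONSE with the TPS step that reported it as an error."""
    last_pdu, result = None, None
    for line in lines:
        decoded = decode_msg(line)
        if decoded and decoded[0] == TOKEN_PDU_RESPONSE:
            last_pdu = decoded[1]
        err = re.search(r"::(\w+) - Error Response from Token", line)
        if err and last_pdu is not None:
            sw, desc = status_word(last_pdu)
            result = {"step": err.group(1), "sw": sw, "meaning": desc}
    return result
```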
