Jack,
Thanks for your quick reply.
Regarding "Phone Home", I believe that both TPS and ESC are set up
correctly by default. For example, the TPS "CS.cfg" file contains the
lines:
...
op.enroll.userKey.issuerinfo.enable=true
op.enroll.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
...
op.format.userKey.issuerinfo.enable=true
op.format.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
By using the "netstat" command, I can see that my TPS process is
listening on ports 7888, 7889, and 7890.
The file "/var/lib/pki-tps/cgi-bin/home/index.cgi", which I haven't
edited, produces:
<ServiceInfo>
<IssuerName>Fedora Project</IssuerName>
<Services>
<Operation>http://dhcp-12-90.il.tcs-sec.com:7888/nk_service</Operation>
<UI>http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/enroll.cgi</UI>
<EnrolledTokenBrowserURL>http://www.fedora.redhat.com</EnrolledTokenBrowserURL>
<EnrolledTokenURL></EnrolledTokenURL>
<TokenType>userKey</TokenType>
</Services>
</ServiceInfo>
which again references port 7888.
I have edited the file
"user/lib/esc-1.1.0/defaults/preferences/esc-prefs.js", where I've set:
pref("esc.global.phone.home.url","http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi");
So, I'm confused as to why I don't see the "Phone Home Configuration
Information" dialog that you mention.
By default, does ESC communicate with TPS over HTTP port 7888? Is it
necessary to switch ESC to use HTTPS port 7890?
Is there a part of the installation or configuration of ESC and TPS that
people (like me) regularly get wrong?
Thanks,
-- Steve Ross
On 09/20/2013 06:39 PM, John Magne wrote:
Steve:
Thanks for the query.
When you put in a blank token such as you have probably described, the ESC should pop up
a "Phone Home" Dialog that asks you to type in a URL pointing to the TPS Server that is part
of Dogtag Certificate System.
If you do not get this Phone Home dialog there is possibly something wrong there.
As for smart card support we only have tested the main cards supported. If there is some
alternate card being attempted, it MAY work but we can make no assurances there.
thanks,
jack
----- Original Message -----
> From: "Steve Ross" <sross(a)trustedcs.com>
> To: pki-users(a)redhat.com
> Sent: Friday, September 20, 2013 3:20:22 PM
> Subject: [Pki-users] "Format" button never enabled in Enterprise Security Client
>
> I'm a new user of the Dogtag Certificate System...
>
> I am trying to create a certificate and write it to a smart card.
>
> My problem is that my Enterprise Security Client (ESC) does not allow me
> to format the smart card. When I insert the blank smart card, the ESC
> GUI shows
> Issuer = Unknown
> Issued To = Unknown
> Status = Unformatted
>
> However, the "Format" button is disabled and remains so. Why? Is there
> any configuration that I need to do in one of the PKI subsystems or ESC
> itself?
>
> When I instead insert a Common Access Card (CAC), the ESC GUI shows
> Issuer = U.S Government
> Issued To = <name>
> Status = Enrolled
>
> and ESC is able to display the three certificates of the CAC. So, my
> hardware/software is working to the extent that it can read another card.
>
> I see the section in the Red Hat Certificate System (RHCS) 8.1
> "Deployment, Planning, and Installation" guide that says:
>
> The Certificate System subsystems have been tested using the
> following tokens:
> Gemalto TOP IM FIPS CY2 64K token, both as a smart card and
> GemPCKey USB form factor key
> Gemalto Cyberflex e-gate 32K token
> Safenet 330J Java smart card
>
> I also see the section of the RHCS "Managing Smart Cards with the
> Enterprise Security Client" that says:
>
> The Enterprise Security Client supports smart cards which are
> JavaCard 2.1 or higher and Global
> Platform 2.01-compliant and was tested using the following cards:
> Safenet 330J Java smart cards
> Gemalto 64K V2 tokens, both as a smart card and GemPCKey USB
> form factor key
> Gemalto GCx4 72K and TOPDLGX4 144K common access cards (CAC)
> Oberthur ID One V5.2 common access cards (CAC)
> Personal identity verification (PIV) cards, compliant with FIPS 201
>
> The smart card that I'm using is none of the above, though it exceeds
> the standards that the ESC manual describes.
>
>
> Following are the details of my smart card, reader, and installed software:
>
> Smart card:
> J2A080 - NXP JAVA based smart card, 80k EEPROM
> This is supposed to meet the standards JCOP 2.4.1, JC 2.2.2, and GP
> 2.1.1.
> It is a new card and is not supposed to have any applets on it.
>
>
> Smart card reader:
> OmniKey 3121
>
>
> Operating system:
> CentOS 5.9
>
>
> Software packages installed:
> esc-1.1.0-14.el5.centos.1
> pki-ca-1.3.6-1.el5
> pki-tks-1.3.3-1.el5
> pki-tps-1.3.1-1.el5
> coolkey-1.1.0-15.el5
> tomcat5-5.5.23-0jpp.40.el5_9
> httpd-2.2.3-82.el5.centos
>
>
> Thanks in advance for any help,
> -- Steve Ross
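Added example, not part of the thread and not Dogtag code: a Python check that the three Phone Home settings quoted in the message at the top of this thread (the CS.cfg issuerinfo values, the esc-prefs.js preference and the index.cgi ServiceInfo output) agree with one another, and that lists every endpoint not served over HTTPS, which is what the HTTP 7888 versus HTTPS 7890 question concerns. The function names are made up for this example, and the inputs are the values from that message, embedded inline.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
# Settings and CGI output copied from the message (XML whitespace condensed).
CS_CFG = """\
op.enroll.userKey.issuerinfo.enable=true
op.enroll.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
op.format.userKey.issuerinfo.enable=true
op.format.userKey.issuerinfo.value=http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi
"""
ESC_PREFS = 'pref("esc.global.phone.home.url","http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/index.cgi");'
SERVICE_INFO = """<ServiceInfo><IssuerName>Fedora Project</IssuerName><Services>
<Operation>http://dhcp-12-90.il.tcs-sec.com:7888/nk_service</Operation>
<UI>http://dhcp-12-90.il.tcs-sec.com:7888/cgi-bin/home/enroll.cgi</UI>
<EnrolledTokenBrowserURL>http://www.fedora.redhat.com</EnrolledTokenBrowserURL>
<EnrolledTokenURL></EnrolledTokenURL><TokenType>userKey</TokenType></Services></ServiceInfo>"""

def issuerinfo_urls(cs_cfg):
    """Return {operation: url} for each enabled op.<operation>.userKey.issuerinfo entry."""
    kv = dict(line.split("=", 1) for line in cs_cfg.splitlines() if "=" in line)
    return {k.split(".")[1]: kv.get(k[:-len("enable")] + "value", "")
            for k, v in kv.items() if k.endswith(".issuerinfo.enable") and v == "true"}

def esc_phone_home(prefs):
    """Extract the esc.global.phone.home.url value from esc-prefs.js text, or None."""
    m = re.search(r'pref\("esc\.global\.phone\.home\.url"\s*,\s*"([^"]*)"\)', prefs)
    return m.group(1) if m else None

def service_urls(xml_text):
    """Return {tag: url} for the children of <Services> whose text is a URL."""
    services = ET.fromstring(xml_text).find("Services")
    return {e.tag: e.text.strip() for e in services if e.text and e.text.strip().startswith("http")}

def audit(cs_cfg, prefs, xml_text):
    """List mismatches between the three settings and every endpoint not served over https."""
    home = esc_phone_home(prefs) or ""
    tps = urlsplit(home)
    findings = [f"mismatch: CS.cfg {op} issuerinfo != ESC phone home URL"
                for op, url in issuerinfo_urls(cs_cfg).items() if url != home]
    for tag, url in {**service_urls(xml_text), "phone home": home}.items():
        u = urlsplit(url)
        if tag in ("Operation", "UI") and (u.hostname, u.port) != (tps.hostname, tps.port):
            findings.append(f"mismatch: <{tag}> points at {u.netloc}, not the phone home host")
        if u.scheme != "https":
            findings.append(f"plaintext: {tag} is not served over https")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CS_CFG, ESC_PREFS, SERVICE_INFO)))
```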