Invalid chunk header
by Dennis Gnatowski
I’m getting an error when attempting to format a new blank card (sc650).
Fresh, new install of CA, KRA, TKS, TPS on single instance.
Insert card into reader (3121) and ESC (1.1.0-13 on Windows 10) prompts for phone Home URL.
Enter TPS phone Home URL then press Format button and get error (in localhost.log).
I have the same issue on RHCS 9.1 (latest patches) as well as Dogtag 10.3.x. Not sure where the issue lies or how to fix.

SEVERE: Servlet.service() for servlet [tps] in context with path [/tps] threw exception
java.io.IOException: Invalid chunk header
    at org.apache.coyote.http11.filters.ChunkedInputFilter.throwIOException(ChunkedInputFilter.java:615)
    at org.apache.coyote.http11.filters.ChunkedInputFilter.doRead(ChunkedInputFilter.java:192)
    at org.apache.coyote.http11.AbstractInputBuffer.doRead(AbstractInputBuffer.java:287)
    at org.apache.coyote.Request.doRead(Request.java:438)
    at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:290)
    at org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:390)
    at org.apache.catalina.connector.InputBuffer.readByte(InputBuffer.java:304)
    at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:91)
    at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:87)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:85)
    at org.dogtagpki.tps.TPSConnection.read(TPSConnection.java:55)
    at org.dogtagpki.server.tps.TPSSession.read(TPSSession.java:72)
    at org.dogtagpki.server.tps.processor.TPSProcessor.handleAPDURequest(TPSProcessor.java:311)
    at org.dogtagpki.server.tps.processor.TPSProcessor.selectApplet(TPSProcessor.java:279)
    at org.dogtagpki.server.tps.processor.TPSProcessor.selectCardManager(TPSProcessor.java:2968)
    at org.dogtagpki.server.tps.processor.TPSProcessor.getAppletInfo(TPSProcessor.java:2900)
    at org.dogtagpki.server.tps.processor.TPSProcessor.format(TPSProcessor.java:1831)
    at org.dogtagpki.server.tps.processor.TPSProcessor.process(TPSProcessor.java:2852)
    at org.dogtagpki.server.tps.TPSSession.process(TPSSession.java:119)
    at org.dogtagpki.server.tps.TPSServlet.service(TPSServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski(a)yahoo.com
7 years, 2 months
Re: [Pki-users] [Freeipa-users] Removal of obsolete certificates from o=ipaca
by Fraser Tweedale
On Fri, Jul 28, 2017 at 04:03:44PM +0200, Adam Tkac via FreeIPA-users wrote:
> Hello all,
>
> we are currently facing an issue with a huge number of outdated certificate entries
> in o=ipaca LDAP subtree (many servers no longer exist, certificates already expired etc)
> and we would like to remove them to decrease number of entries in LDAP and also
> to speed-up initial replication of o=ipaca subtree (we have more than 700 000
> DNs in o=ipaca and deploy of new replica takes quite long).
>
> Has anyone tried to do something like this? I'm quite afraid if simple
> ldapdelete of many DNs in o=ipaca subtree wouldn't break DogTag somehow.
>
> Do you have any ideas if something can break by removal of old (expired and also
> non-expired) certificates from o=ipaca ? Thanks in advance for any advice.
>
> Regards, Adam
>
It is not a supported operation, but I cannot think of any problems
that would arise from removing the certificate records under
o=ipaca. But I am copying pki-users@ to get the attention of the
rest of the Dogtag team in case there is something I am not thinking
of.
Strictly speaking, you should only remove expired certificates, even
if a host has disappeared the validity period is a promise by a CA
to maintain knowledge about a certificate for that whole period.
(Note to Dogtag team: FreeIPA configures Dogtag to use sequential
serial numbers. The usual range mechanism applies for CA clones).
HTH,
Fraser
7 years, 4 months
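Following the advice in the reply above to remove only expired certificates, this added example (not part of the thread and not Dogtag or FreeIPA tooling) reads an LDIF export and lists only the certificate records whose validity period has ended, so non-expired records are never selected. The container DN `ou=certificateRepository,ou=ca,o=ipaca`, the `notAfter` attribute in generalized-time form, and the sample entries are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Assumption: Dogtag certificate records live under this container in FreeIPA.
CERT_REPO = "ou=certificaterepository,ou=ca,o=ipaca"

# Constructed sample export, not real data. Attribute names are assumptions.
SAMPLE_LDIF = """\
dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca
notAfter: 20150728140344Z

dn: cn=12,ou=certificateRepository,ou=ca,o=ipaca
notAfter: 20990101000000Z

dn: cn=13,ou=certificateRepository,ou=ca,
 o=ipaca
notAfter: 20160101000000Z

dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: repository
"""

def parse_ldif(text):
    """Yield entries as {attribute (lower case): [values]}."""
    unfolded = text.replace("\n ", "")  # a leading space continues the previous line
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            entry.setdefault(name.lower(), []).append(value)
        if "dn" in entry:
            yield entry

def expired_cert_dns(ldif_text, now=None):
    """Return DNs of certificate records whose notAfter is already in the past."""
    now = now or datetime.now(timezone.utc)
    expired = []
    for entry in parse_ldif(ldif_text):
        dn, not_after = entry["dn"][0], entry.get("notafter")
        if not dn.lower().endswith("," + CERT_REPO) or not not_after:
            continue  # container entries, or records outside the repository
        end = datetime.strptime(not_after[0], "%Y%m%d%H%M%SZ")
        if end.replace(tzinfo=timezone.utc) < now:
            expired.append(dn)
    return expired

if __name__ == "__main__":
    print("\n".join(expired_cert_dns(SAMPLE_LDIF)))
```

The resulting DN list is meant for review before any deletion; the reply above notes that removing these records is not a supported operation.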
failed to update tokendb entry
by Dennis Gnatowski
I've had to set up an older 8.x environment (CA, TKS, and TPS) for testing.
I am getting an error when formatting a card. Things seem to progress nicely, but at the end the ESC displays an error and the TPS logs have the following errors:
RA::tdb_update - searching for tokendb entry: xxxxxxx
RA:tdb_update - failed to add tokendb entry
RA_Processor::Format - Failed to update the token database
RA_Processor::Format - returning status 41
The system has access to and authenticates fine to the LDAP Server.
Any ideas why the system can't add the token?
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski(a)yahoo.com
7 years, 5 months
SCP03 configuration/settings?
by Dennis Gnatowski
Is there a document that specifies what changes are required to the configuration file(s) to support SCP03?
I have dogtag 10.4.8 installed and operational and now would like to test SCP03 support. My first attempt to format a card supporting SCP03 failed. TPS debug log reports:
computeSessionKeysSCP03() response missing name-value pair for: encSessionKey
computeSessionKeysSCP03() response missing name-value pair for: drm_trans_desKey
computeSessionKeysSCP03() response missing name-value pair for: macSessionKey
computeSessionKeysSCP03() response missing name-value pair for: kekSessionKey
computeSessionKeysSCP03() response missing name-value pair for: kek_wrapped_desKey
computeSessionKeysSCP03() response missing name-value pair for: keycheck
computeSessionKeysSCP03() response missing name-value pair for: hostCryptogram
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski(a)yahoo.com
7 years, 5 months
Build Dogtag 10.4.8
by Dennis Gnatowski
What is the best way to build and test Dogtag 10.4.8? I'm not really finding instructions on the Dogtag wiki. Is Fedora rawhide a hard requirement?
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski(a)yahoo.com
7 years, 5 months
Invalid chunck header
by Dennis Gnatowski
I’m getting an error when attempting to format a new blank card (sc650).
Fresh, new install of CA, KRA, TKS, TPS on single instance.
Insert card into reader (3121) and ESC (1.1.0-13 on Windows 10) prompts for phone Home URL.
Enter TPS phone Home URL then press Format button and get error (in localhost.log).
I have the same issue on RHCS 9.1 (latest patches) as well as Dogtag 10.3.x. Not sure where the issue lies or how to fix.

SEVERE: Servlet.service() for servlet [tps] in context with path [/tps] threw exception
java.io.IOException: Invalid chunk header
    at org.apache.coyote.http11.filters.ChunkedInputFilter.throwIOException(ChunkedInputFilter.java:615)
    at org.apache.coyote.http11.filters.ChunkedInputFilter.doRead(ChunkedInputFilter.java:192)
    at org.apache.coyote.http11.AbstractInputBuffer.doRead(AbstractInputBuffer.java:287)
    at org.apache.coyote.Request.doRead(Request.java:438)
    at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:290)
    at org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:390)
    at org.apache.catalina.connector.InputBuffer.readByte(InputBuffer.java:304)
    at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:91)
    at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:87)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:85)
    at org.dogtagpki.tps.TPSConnection.read(TPSConnection.java:55)
    at org.dogtagpki.server.tps.TPSSession.read(TPSSession.java:72)
    at org.dogtagpki.server.tps.processor.TPSProcessor.handleAPDURequest(TPSProcessor.java:311)
    at org.dogtagpki.server.tps.processor.TPSProcessor.selectApplet(TPSProcessor.java:279)
    at org.dogtagpki.server.tps.processor.TPSProcessor.selectCardManager(TPSProcessor.java:2968)
    at org.dogtagpki.server.tps.processor.TPSProcessor.getAppletInfo(TPSProcessor.java:2900)
    at org.dogtagpki.server.tps.processor.TPSProcessor.format(TPSProcessor.java:1831)
    at org.dogtagpki.server.tps.processor.TPSProcessor.process(TPSProcessor.java:2852)
    at org.dogtagpki.server.tps.TPSSession.process(TPSSession.java:119)
    at org.dogtagpki.server.tps.TPSServlet.service(TPSServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
-----------------------------------------------------------
Dennis Gnatowski
dgnatowski(a)yahoo.com
7 years, 5 months