
Hi,

just FYI, another detail: I was trying to build the latest version on a different host using the instructions from https://github.com/OpenAttestation/OpenAttestation/wiki/Build-and-Install-Op... and also had some trouble there; right now the issue is that the TPM I have does not have an endorsement credential; could this be an issue with the RHEL packages as well?

/Nicolae.

On 15 November 2013 16:31, Nicolae Paladi <n.paladi@gmail.com> wrote:
Hi,
ok I understand that this may seem really strange now, but I have deployed this on a different, clear host with CentOS which has not had oat installed earlier; again both appraiser and client are on the same host.
The only thing in the tomcat6 log is:
before invoke........................
Here's the error trace:
oat client attestation config ...ok
oat client provisioner config ...ok
oat client installation ...ok
oat appraiser hostname: beijing.sics.se
### ecStorage = NVRAM###
Performing TPM provisioning...Error getting PubEK: gov.niarl.his.privacyca.TpmModule$TpmModuleException: TpmModule.setCredential returned nonzero error: 2() DONE
Successfully initialized TPM
Performing HIS identity provisioning...FAILED
gov.niarl.his.privacyca.TpmModule$TpmModuleException: TpmModule.getCredential returned nonzero error: 2()
    at gov.niarl.his.privacyca.TpmModule.getCredential(TpmModule.java:594)
    at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.java:217)
Failed to receive AIC from Privacy CA, error 1
Registering identity with server...FAILED
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:140)
    at java.io.FileInputStream.<init>(FileInputStream.java:96)
    at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
    at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
Failed to register identity with appraiser, error 1
Any ideas?..
Cheers, /Nicolae
On 15 November 2013 10:45, Wei, Gang <gang.wei@intel.com> wrote:
So you will not see the error below after copying the .cer & .jks again, right?

### ecStorage = NVRAM###
Performing TPM provisioning...FAILED
javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://seoul:8443/HisPrivacyCAWebServices2/hisPrivacyCAWebService2FactoryService?wsdl. It failed with: Connection refused.

As to the errors below:

Performing HIS identity provisioning...FAILED
java.util.NoSuchElementException
    at java.util.StringTokenizer.nextToken(StringTokenizer.java:349)
    at gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215)
    at gov.niarl.his.privacyca.TpmModule.collateIdentityRequest(TpmModule.java:292)
    at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.java:225)
Failed to receive AIC from Privacy CA, error 1
Registering identity with server...FAILED
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:137)
    at java.io.FileInputStream.<init>(FileInputStream.java:96)
    at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
    at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
Failed to register identity with appraiser, error 1

The missing aik.cer is a consequence of the HIS identity provisioning failure. The key is:

java.util.NoSuchElementException
    at java.util.StringTokenizer.nextToken(StringTokenizer.java:349)
    at gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215)

Which is mostly caused by incorrect tpm owner auth. This is actually the issue that occurred in your first try. So I doubt the oat-client rpm you reinstalled is still the old one in your local cache.

Please try to uninstall oat-client, yum clean, then yum install oat-client, and then try again.

Thanks
Jimmy
-----Original Message-----
From: Nicolae Paladi [mailto:n.paladi@gmail.com]
Sent: Friday, November 15, 2013 4:08 PM
To: Wei, Gang
Cc: Doron Fediuck; users@ovirt.org
Subject: Re: [Users] Trusted Pools and CentOS 6 packages
Hi,
I have done that and reran provisioner.sh with the same result.
As I understand, I am copying the files _PrivacyCA.cer_ and _TrustStore.jks_ to /usr/share/oat-client, while the java error complains about the missing file _aik.cer_, as follows:
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:146)
    at java.io.FileInputStream.<init>(FileInputStream.java:101)
    at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
    at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)

Is the file _aik.cer_ supposed to be generated at some point here?
Just to clarify, I am using CentOS 6.4, TrouSerS and tpm-tools.
Cheers, /Nicolae.
On 15 November 2013 03:23, Wei, Gang <gang.wei@intel.com> wrote:
So, just as I suggested in my last mail, please copy the files to the client again and run provisioner.sh:
1.3.1 copy PrivacyCA.cer and TrustStore.jks from appraiser to client.
Copy :/var/lib/oat-appraiser/ClientFiles/PrivacyCA.cer to :/usr/share/oat-client/
Copy :/var/lib/oat-appraiser/ClientFiles/TrustStore.jks to :/usr/share/oat-client/
Notes: please repeat above steps in case you have re-deployed your oat appraiser.
Thanks
Jimmy
From: Nicolae Paladi [mailto:n.paladi@gmail.com]
Sent: Thursday, November 14, 2013 6:30 PM
To: Wei, Gang
Cc: Doron Fediuck; users@ovirt.org
Subject: Re: [Users] Trusted Pools and CentOS 6 packages
Hi,
As far as I see, port 8443 is not occupied and tomcat6 is running:
root@host /usr/share/oat-client/script # netstat -anp | grep 8443
root@host /usr/share/oat-client/script # service tomcat6 status
tomcat6 (pid 30950) is running... [ OK ]
Also, just in case, I've checked if disabling iptables helps, and it doesn't;
In the error trace, there is a line:
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
and indeed, there is no file aik.cer at /usr/share/oat-client/aik.cer; when is it supposed to be generated?
cheers,
/Nicolae
On 14 November 2013 04:32, Wei, Gang <gang.wei@intel.com> wrote:
And you need to copy files from server to client before you try to run provisioner.sh every time you run OAT_configure.sh again.
Jimmy
> -----Original Message-----
> From: Wei, Gang
> Sent: Thursday, November 14, 2013 11:26 AM
> To: Nicolae Paladi
> Cc: Doron Fediuck; users@ovirt.org; Wei, Gang
> Subject: RE: [Users] Trusted Pools and CentOS 6 packages
>
> Can you try netstat -anp | grep 8443? Maybe it is occupied by apache.
>
> Meanwhile check whether tomcat is up.
>
> Jimmy
>
> > -----Original Message-----
> > From: Nicolae Paladi [mailto:n.paladi@gmail.com]
> > Sent: Wednesday, November 13, 2013 10:43 PM
> > To: Wei, Gang
> > Cc: Doron Fediuck; users@ovirt.org
> > Subject: Re: [Users] Trusted Pools and CentOS 6 packages
> >
> > Hi,
> >
> > I am using port 8443, since no other process -- as far as I know -- is using it;
> >
> > below you will find all of the requested configuration files:
> >
> > Contents of /etc/oat_client/*:
> > log4j.properties: http://pastebin.com/MQLM68vs
> > OAT.properties: http://pastebin.com/LwHihxah
> > OATprovisioner.properties: http://pastebin.com/0x5TShtZ
> > TPMModule.properties: http://pastebin.com/hvw9gfRE
> >
> > server.xml: http://pastebin.com/VZ9Vk6iC
> > OAT_client.sh: http://pastebin.com/St4yCGcF
> >
> > provisioner.sh: http://pastebin.com/RedqQt8V
> >
> > cheers,
> > /Nicolae.
> >
> > On 13 November 2013 14:47, Wei, Gang <gang.wei@intel.com> wrote:
> >
> > This time it failed earlier. Looks like the PCA webservice2 was not listening on 8443 port. Have you replaced the port 8443 with 8442 in server side ($TOMCAT_HOME/conf/server.xml) but not changed it in client side (/usr/share/oat-client/script/OAT_client.sh)? Or the 8443 from server port is occupied by another app?
> >
> > Please copy the content from your current server.xml, OAT_client.sh, provisioner.sh and /etc/oat-client/* into the content of your reply for analysis. (don't attach *.sh as attachments, that will get filtered by my company's mailing system).
> >
> > Thanks
> > Jimmy
> >
> > > -----Original Message-----
> > > From: Nicolae Paladi [mailto:n.paladi@gmail.com]
> > > Sent: Wednesday, November 13, 2013 7:01 PM
> > > To: Wei, Gang
> > > Cc: Doron Fediuck; users@ovirt.org
> > > Subject: Re: [Users] Trusted Pools and CentOS 6 packages
> > >
> > > Hi,
> > >
> > > thank you for the feedback;
> > > I've gone through the steps again, but obtained exactly the same problem:
> > >
> > > 1. I removed all of the previously installed packages related to OAT.
> > >
> > > 2. I followed the tutorial, until this command:
> > >
> > > bash provisioner.sh
> > >
> > > provisioner.sh: line 7: systemctl: command not found
> > > ### ecStorage = NVRAM###
> > > Performing TPM provisioning...FAILED
> > > javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://seoul:8443/HisPrivacyCAWebServices2/hisPrivacyCAWebService2FactoryService?wsdl. It failed with:
> > > Connection refused.
> > >     at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:162)
> > >     at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:144)
> > >     at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:265)
> > >     at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:228)
> > >     at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:176)
> > >     at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
> > >     at javax.xml.ws.Service.<init>(Service.java:77)
> > >     at gov.niarl.his.webservices.hisprivacycawebservice2.server.HisPrivacyCAWebService2FactoryServiceService.<init>(HisPrivacyCAWebService2FactoryServiceService.java:42)
> > >     at gov.niarl.his.webservices.hisPrivacyCAWebService2.client.HisPrivacyCAWebServices2ClientInvoker.getHisPrivacyCAWebService2(HisPrivacyCAWebServices2ClientInvoker.java:32)
> > >     at gov.niarl.his.privacyca.HisTpmProvisioner.main(HisTpmProvisioner.java:205)
> > > Caused by: java.net.ConnectException: Connection refused
> > >     at java.net.PlainSocketImpl.socketConnect(Native Method)
> > >     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
> > >     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
> > >     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
> > >     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> > >     at java.net.Socket.connect(Socket.java:579)
> > >     at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:618)
> > >     at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:160)
> > >     at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
> > >     at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
> > >     at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
> > >     at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:275)
> > >     at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:371)
> > >     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
> > >     at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:932)
> > >     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
> > >     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
> > >     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
> > >     at java.net.URL.openStream(URL.java:1037)
> > >     at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:804)
> > >     at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:262)
> > >     at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:129)
> > >     ... 8 more
> > > Failed to initialize the TPM, error 1
> > > Performing HIS identity provisioning...FAILED
> > > gov.niarl.his.privacyca.TpmModule$TpmModuleException: TpmModule.getCredential returned nonzero error: 2()
> > >     at gov.niarl.his.privacyca.TpmModule.getCredential(TpmModule.java:594)
> > >     at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.java:217)
> > > Failed to receive AIC from Privacy CA, error 1
> > > Registering identity with server...FAILED
> > > java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
> > >     at java.io.FileInputStream.open(Native Method)
> > >     at java.io.FileInputStream.<init>(FileInputStream.java:146)
> > >     at java.io.FileInputStream.<init>(FileInputStream.java:101)
> > >     at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> > >     at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
> > > Failed to register identity with appraiser, error 1
> > >
> > > Should I have updated anything else?
> > >
> > > cheers,
> > > /Nicolae.
> > >
> > > On 1 November 2013 10:14, Wei, Gang <gang.wei@intel.com> wrote:
> > >
> > > This is indeed an issue caused by the incompatibility between OAT tpm access code & tpm-tools(tpm_takeownership -z). It has already been fixed. Please follow below wiki and try again.
> > >
> > > https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Recipe.
> > >
> > > Thanks
> > > Jimmy
> > >
> > > Nicolae Paladi wrote on 2013-10-28:
> > >
> > > > Hi, I've followed the recipe (https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Recipe) but didn't get it to run yet; I think a step is missing -- the AIK is not available in /usr/share/oat-client (it was not available in /var/lib/oat-appraiser/ClientFiles either); when I try to run provisioner.sh, I get the following:
> > > >
> > > > provisioner.sh: line 7: systemctl: command not found
> > > > ### ecStorage = NVRAM###
> > > > Performing TPM provisioning...710 DONE
> > > > Successfully initialized TPM
> > > > Performing HIS identity provisioning...FAILED
> > > > java.util.NoSuchElementException
> > > >     at java.util.StringTokenizer.nextToken(StringTokenizer.java:349)
> > > >     at gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215)
> > > >     at gov.niarl.his.privacyca.TpmModule.collateIdentityRequest(TpmModule.java:292)
> > > >     at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.java:225)
> > > > Failed to receive AIC from Privacy CA, error 1
> > > > Registering identity with server...FAILED
> > > > java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
> > > >     at java.io.FileInputStream.open(Native Method)
> > > >     at java.io.FileInputStream.<init>(FileInputStream.java:137)
> > > >     at java.io.FileInputStream.<init>(FileInputStream.java:96)
> > > >     at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> > > >     at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
> > > > Failed to register identity with appraiser, error 1
> > > >
> > > > Thanks,
> > > > /Nicolae
> > > >
> > > > On 27 October 2013 22:55, Nicolae Paladi <n.paladi@gmail.com> wrote:
> > > >
> > > > Awesome, thanks!
> > > >
> > > > I'll try this out in the morning
> > > >
> > > > /Nicolae
> > > >
> > > > On 27 October 2013 17:03, Wei, Gang <gang.wei@intel.com> wrote:
> > > >
> > > > Please refer to https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Recipe.
> > > >
> > > > Jimmy
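
The triage applied in the thread above (the first stage that goes wrong is the cause; the missing aik.cer is only a consequence), as an added example that is not part of the original thread or of OpenAttestation. The stage banners and error strings are copied from the logs quoted in the thread; the function and variable names are assumptions, and the hints only restate what the participants said.

```python
import re

# Stage banners printed by provisioner.sh, as they appear in the thread's logs.
STAGES = ("Performing TPM provisioning", "Performing HIS identity provisioning",
          "Registering identity with server")

# Error signature -> explanation taken from the thread (not from OAT docs).
HINTS = [
    (r"Failed to access the WSDL.*Connection refused",
     "Privacy CA web service not listening on the expected port"),
    (r"NoSuchElementException",
     "mostly caused by incorrect TPM owner auth"),
    (r"(get|set)Credential returned nonzero error",
     "TPM credential call failed (poster reports no endorsement credential)"),
    (r"FileNotFoundException: \S*aik\.cer",
     "consequence of the identity provisioning failure, not a cause"),
]

def triage(log):
    """Return (per-stage findings, name of the first stage that went wrong)."""
    banner = "(%s)\\.\\.\\." % "|".join(re.escape(s) for s in STAGES)
    marks = list(re.finditer(banner, log))
    stages = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log)
        body = log[m.end():end]
        failed = body.lstrip().startswith("FAILED")
        # A stage may report DONE yet have logged an error (the 15 Nov run).
        suspect = not failed and bool(re.search(r"Exception|Error getting", body))
        hints = [h for sig, h in HINTS if re.search(sig, body, re.S)]
        stages.append({"name": m.group(1), "failed": failed,
                       "suspect": suspect, "hints": hints})
    root = next((s["name"] for s in stages if s["failed"] or s["suspect"]), None)
    return stages, root

# Sample assembled from the 15 November trace in the thread (stack frames omitted).
LOG_15NOV = """\
Performing TPM provisioning...Error getting PubEK: gov.niarl.his.privacyca.TpmModule$TpmModuleException: TpmModule.setCredential returned nonzero error: 2() DONE
Successfully initialized TPM
Performing HIS identity provisioning...FAILED
gov.niarl.his.privacyca.TpmModule$TpmModuleException: TpmModule.getCredential returned nonzero error: 2()
Failed to receive AIC from Privacy CA, error 1
Registering identity with server...FAILED
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
"""

if __name__ == "__main__":
    stages, root = triage(LOG_15NOV)
    print("first stage that went wrong:", root)
    for s in stages:
        print(s["name"], "| failed:", s["failed"], "| suspect:", s["suspect"], s["hints"])
```

On the 15 November log this points at the TPM provisioning stage, which printed DONE but had already logged the PubEK error, rather than at the aik.cer exception at the bottom of the output.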