Hi,
just FYI, another detail:
I was trying to build the latest version on a different host using the
instructions from
and also had some trouble there; right now the issue is that the TPM I have
does not have an endorsement credential;
could this be an issue with the RHEL packages as well?
/Nicolae.
On 15 November 2013 16:31, Nicolae Paladi <n.paladi(a)gmail.com> wrote:
Hi,
ok I understand that this may seem really strange now, but I have deployed
this on a different, clear host with CentOS which has not had oat installed
earlier; again both appraiser and client are on the same host.
The only thing in the tomcat6 log is:
before invoke........................
Here's the error trace:
oat client attestation config ...ok
oat client provisioner config ...ok
oat client installation ...ok
oat appraiser hostname: beijing.sics.se
### ecStorage = NVRAM###
Performing TPM provisioning...Error getting PubEK:
gov.niarl.his.privacyca.TpmModule$TpmModuleException:
TpmModule.setCredential returned nonzero error: 2()
DONE
Successfully initialized TPM
Performing HIS identity provisioning...FAILED
gov.niarl.his.privacyca.TpmModule$TpmModuleException:
TpmModule.getCredential returned nonzero error: 2()
at gov.niarl.his.privacyca.TpmModule.getCredential(TpmModule.java:594)
at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.java:217)
Failed to receive AIC from Privacy CA, error 1
Registering identity with server...FAILED
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:140)
at java.io.FileInputStream.<init>(FileInputStream.java:96)
at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
Failed to register identity with appraiser, error 1
Any ideas?..
Cheers,
/Nicolae
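The checks this thread keeps circling back to (the two files copied from the appraiser, whether anything is listening on the Privacy CA port, whether server.xml and OAT_client.sh agree on that port) collected into one pre-flight script. This is an added example, not code from OpenAttestation, oVirt or anyone in the thread; the function names are mine, and it assumes that OAT_client.sh carries the appraiser URL as https://host:port/..., that the SSL Connector in server.xml sits on one line as in stock Tomcat, and that TOMCAT_HOME defaults to /usr/share/tomcat6.

```shell
#!/bin/sh
# Pre-flight checks for the OAT client provisioning step (provisioner.sh).
# Added example: NOT part of OpenAttestation or the oVirt/CentOS packages.
# Paths and file names come from the thread; these two are my assumptions:
#   - OAT_client.sh points at the appraiser with an https://host:port/... URL
#   - Tomcat's server.xml keeps the SSL Connector on one line, as in the
#     stock file: <Connector port="8443" ... SSLEnabled="true" ...>

# 1. PrivacyCA.cer and TrustStore.jks must be copied from the appraiser
#    (/var/lib/oat-appraiser/ClientFiles) into the client directory before
#    provisioner.sh runs. aik.cer is deliberately not checked: it is produced
#    by HIS identity provisioning, so its absence is a symptom, not a cause.
oat_check_client_files() {
    dir="$1"
    missing=""
    for f in PrivacyCA.cer TrustStore.jks; do
        [ -s "$dir/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "missing in $dir:$missing (copy from the appraiser's ClientFiles)" >&2
        return 1
    fi
}

# 2. Something must be LISTENing on the Privacy CA port. Takes the port and
#    the text of `netstat -anp` (or `ss -ltnp`) so it can be run on captured
#    output; an empty `netstat -anp | grep 8443`, as in the thread, means
#    nothing is listening there.
oat_port_listening() {
    port="$1"
    listing="$2"
    printf '%s\n' "$listing" | grep LISTEN \
        | grep -E "[.:]${port}([[:space:]]|\$)" >/dev/null
}

# 3. The port in server.xml and the port in the client's appraiser URL must
#    agree; a server moved to 8442 while the client still dials 8443 gives
#    exactly the "Connection refused" seen in the thread.
oat_server_port() {
    grep -E '<Connector[^>]*SSLEnabled="true"' "$1" \
        | sed -n 's/.*port="\([0-9][0-9]*\)".*/\1/p' | head -n 1
}

oat_client_port() {
    sed -n 's#.*https://[^/:]*:\([0-9][0-9]*\)/.*#\1#p' "$1" | head -n 1
}

oat_ports_match() {
    s=$(oat_server_port "$1")
    c=$(oat_client_port "$2")
    [ -n "$s" ] && [ "$s" = "$c" ]
}

# Run everything against the live host (paths from the thread; the
# TOMCAT_HOME default is my assumption for the CentOS 6 tomcat6 package).
oat_preflight() {
    client_dir="${OAT_CLIENT_DIR:-/usr/share/oat-client}"
    server_xml="${TOMCAT_HOME:-/usr/share/tomcat6}/conf/server.xml"
    client_sh="$client_dir/script/OAT_client.sh"
    rc=0
    oat_check_client_files "$client_dir" || rc=1
    port=$(oat_client_port "$client_sh")
    listing=$(netstat -anp 2>/dev/null || ss -ltnp 2>/dev/null)
    oat_port_listening "${port:-8443}" "$listing" \
        || { echo "nothing listening on ${port:-8443}: is tomcat6 up?" >&2; rc=1; }
    oat_ports_match "$server_xml" "$client_sh" \
        || { echo "server.xml and OAT_client.sh disagree on the HTTPS port" >&2; rc=1; }
    return $rc
}

# Only touch the live system when asked: sh oat_preflight.sh check
if [ "${1:-}" = "check" ]; then
    oat_preflight
fi
```

Run it as `sh oat_preflight.sh check` on the client before provisioner.sh; the individual functions take their inputs as arguments so each check can also be exercised on captured netstat output or on copied config files. It deliberately does not look for aik.cer: as the thread establishes, that file only appears once HIS identity provisioning has succeeded, so its absence is a symptom of the earlier failure rather than something to fix by hand.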
On 15 November 2013 10:45, Wei, Gang <gang.wei(a)intel.com> wrote:
> So you will not see the error below after copying the .cer & .jks again,
> right?
>
> ### ecStorage = NVRAM###
> Performing TPM provisioning...FAILED
> javax.xml.ws.WebServiceException: Failed to access the WSDL at:
> https://seoul:8443/HisPrivacyCAWebServices2/hisPrivacyCAWebService2FactoryService?wsdl.
> It failed with:
> Connection refused.
>
> As to the errors below:
>
> Performing HIS identity provisioning...FAILED
> java.util.NoSuchElementException
> at java.util.StringTokenizer.nextToken(StringTokenizer.java:349)
> at gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215)
> at gov.niarl.his.privacyca.TpmModule.collateIdentityRequest(TpmModule.java:292)
> at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.java:225)
> Failed to receive AIC from Privacy CA, error 1
> Registering identity with server...FAILED
> java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
> at java.io.FileInputStream.open(Native Method)
> at java.io.FileInputStream.<init>(FileInputStream.java:137)
> at java.io.FileInputStream.<init>(FileInputStream.java:96)
> at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
> Failed to register identity with appraiser, error 1
>
> The missing aik.cer is a consequence of the HIS identity provisioning
> failure.
> The key is:
> java.util.NoSuchElementException
> at java.util.StringTokenizer.nextToken(StringTokenizer.java:349)
> at gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215)
>
> which is mostly caused by incorrect tpm owner auth. This is actually the
> issue that occurred in your first try. So I doubt the oat-client rpm you
> reinstalled is still the old one in your local cache.
>
> Please try to uninstall oat-client, yum clean, then yum install oat-client,
> and then try again.
>
> Thanks
> Jimmy
>
>
> > -----Original Message-----
> > From: Nicolae Paladi [mailto:n.paladi@gmail.com]
> > Sent: Friday, November 15, 2013 4:08 PM
> > To: Wei, Gang
> > Cc: Doron Fediuck; users(a)ovirt.org
> > Subject: Re: [Users] Trusted Pools and CentOS 6 packages
> >
> > Hi,
> >
> > I have done that and reran provisioner.sh with the same result.
> >
> > As I understand, I am copying the files _PrivacyCA.cer_ and _TrustStore.jks_
> > to /usr/share/oat-client, while the java error complains about the missing
> > file _aik.cer_, as follows:
> >
> > java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
> > at java.io.FileInputStream.open(Native Method)
> > at java.io.FileInputStream.<init>(FileInputStream.java:146)
> > at java.io.FileInputStream.<init>(FileInputStream.java:101)
> > at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> > at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
> >
> > Is the file _aik.cer_ supposed to be generated at some point here?
> >
> > Just to clarify, I am using CentOS 6.4, TrouSerS and tpm-tools.
> >
> > Cheers,
> > /Nicolae.
> >
> >
> >
> > On 15 November 2013 03:23, Wei, Gang <gang.wei(a)intel.com> wrote:
> >
> >
> > So, just as I suggested in the last mail, please copy the files from server
> > to client again and run provisioner.sh:
> >
> > 1.3.1 copy PrivacyCA.cer and TrustStore.jks from appraiser to client.
> >
> > Copy :/var/lib/oat-appraiser/ClientFiles/PrivacyCA.cer
> > to :/usr/share/oat-client/
> >
> > Copy :/var/lib/oat-appraiser/ClientFiles/TrustStore.jks
> > to :/usr/share/oat-client/
> >
> > Notes: please repeat the above steps in case you have re-deployed your oat
> > appraiser.
> >
> > Thanks
> >
> > Jimmy
> >
> >
> >
> > From: Nicolae Paladi [mailto:n.paladi@gmail.com]
> > Sent: Thursday, November 14, 2013 6:30 PM
> >
> >
> > To: Wei, Gang
> > Cc: Doron Fediuck; users(a)ovirt.org
> > Subject: Re: [Users] Trusted Pools and CentOS 6 packages
> >
> >
> >
> >
> >
> > Hi,
> >
> > As far as I see, port 8443 is not occupied and tomcat6 is running:
> >
> > root@host /usr/share/oat-client/script # netstat -anp | grep 8443
> >
> > root@host /usr/share/oat-client/script # service tomcat6 status
> >
> > tomcat6 (pid 30950) is running... [ OK ]
> >
> > Also, just in case, I've checked if disabling iptables helps, and it doesn't;
> >
> > In the error trace, there is a line:
> >
> > java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
> >
> > and indeed, there is no file aik.cer at /usr/share/oat-client/aik.cer; when
> > is it supposed to be generated?
> >
> > cheers,
> >
> > /Nicolae
> >
> >
> >
> >
> >
> > On 14 November 2013 04:32, Wei, Gang <gang.wei(a)intel.com> wrote:
> >
> > And you need to copy files from server to client before you try to run
> > provisioner.sh every time you run OAT_configure.sh again.
> >
> > Jimmy
> >
> >
> >
> > > -----Original Message-----
> > > From: Wei, Gang
> > > Sent: Thursday, November 14, 2013 11:26 AM
> > > To: Nicolae Paladi
> > > Cc: Doron Fediuck; users(a)ovirt.org; Wei, Gang
> > > Subject: RE: [Users] Trusted Pools and CentOS 6 packages
> > >
> > > Can you try netstat -anp | grep 8443? Maybe it is occupied by apache.
> > >
> > > Meanwhile check whether tomcat is up.
> > >
> > > Jimmy
> > >
> > >
> > > > -----Original Message-----
> > > > From: Nicolae Paladi [mailto:n.paladi@gmail.com]
> > > > Sent: Wednesday, November 13, 2013 10:43 PM
> > > > To: Wei, Gang
> > > > Cc: Doron Fediuck; users(a)ovirt.org
> > > > Subject: Re: [Users] Trusted Pools and CentOS 6 packages
> > > >
> > > > Hi,
> > > >
> > > > I am using port 8443, since no other process -- as far as I know -- is
> > > > using it;
> > > >
> > > > below you will find all of the requested configuration files:
> > > >
> > > > Contents of /etc/oat_client/*:
> > > > log4j.properties: http://pastebin.com/MQLM68vs
> > > > OAT.properties: http://pastebin.com/LwHihxah
> > > > OATprovisioner.properties: http://pastebin.com/0x5TShtZ
> > > > TPMModule.properties: http://pastebin.com/hvw9gfRE
> > > >
> > > > server.xml: http://pastebin.com/VZ9Vk6iC
> > > > OAT_client.sh: http://pastebin.com/St4yCGcF
> > > >
> > > > provisioner.sh: http://pastebin.com/RedqQt8V
> > > >
> > > >
> > > > cheers,
> > > > /Nicolae.
> > > >
> > > >
> > > > On 13 November 2013 14:47, Wei, Gang <gang.wei(a)intel.com> wrote:
> > > >
> > > > This time it failed earlier. Looks like the PCA webservice2 was not
> > > > listening on 8443 port. Have you replaced the port 8443 with 8442 on the
> > > > server side ($TOMCAT_HOME/conf/server.xml) but not changed it on the
> > > > client side (/usr/share/oat-client/script/OAT_client.sh)? Or is the 8443
> > > > port occupied by another app?
> > > >
> > > > Please copy the content from your current server.xml, OAT_client.sh,
> > > > provisioner.sh and /etc/oat-client/* into the content of your reply for
> > > > analysis. (don't attach *.sh as attachments, that will get filtered by my
> > > > company's mailing system).
> > > >
> > > > Thanks
> > > > Jimmy
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Nicolae Paladi [mailto:n.paladi@gmail.com]
> > > > > Sent: Wednesday, November 13, 2013 7:01 PM
> > > > > To: Wei, Gang
> > > > > Cc: Doron Fediuck; users(a)ovirt.org
> > > > > Subject: Re: [Users] Trusted Pools and CentOS 6
packages
> > > > >
> > > >
> > > > > Hi,
> > > > >
> > > > > thank you for the feedback;
> > > > > I've gone through the steps again, but obtained exactly the same problem:
> > > > >
> > > > > 1. I removed all of the previously installed packages related to OAT.
> > > > >
> > > > > 2. I followed the tutorial, until this command:
> > > > >
> > > > > bash provisioner.sh
> > > > >
> > > > > provisioner.sh: line 7: systemctl: command not found
> > > > > ### ecStorage = NVRAM###
> > > > > Performing TPM provisioning...FAILED
> > > > > javax.xml.ws.WebServiceException: Failed to access the WSDL at:
> > > > > https://seoul:8443/HisPrivacyCAWebServices2/hisPrivacyCAWebService2FactoryService?wsdl.
> > > > > It failed with:
> > > > > Connection refused.
> > > > > at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:162)
> > > > > at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:144)
> > > > > at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:265)
> > > > > at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:228)
> > > > > at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:176)
> > > > > at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
> > > > > at javax.xml.ws.Service.<init>(Service.java:77)
> > > > > at gov.niarl.his.webservices.hisprivacycawebservice2.server.HisPrivacyCAWebService2FactoryServiceService.<init>(HisPrivacyCAWebService2FactoryServiceService.java:42)
> > > > > at gov.niarl.his.webservices.hisPrivacyCAWebService2.client.HisPrivacyCAWebServices2ClientInvoker.getHisPrivacyCAWebService2(HisPrivacyCAWebServices2ClientInvoker.java:32)
> > > > > at gov.niarl.his.privacyca.HisTpmProvisioner.main(HisTpmProvisioner.java:205)
> > > > > Caused by: java.net.ConnectException: Connection refused
> > > > > at java.net.PlainSocketImpl.socketConnect(Native Method)
> > > > > at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
> > > > > at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
> > > > > at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
> > > > > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> > > > > at java.net.Socket.connect(Socket.java:579)
> > > > > at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:618)
> > > > > at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:160)
> > > > > at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
> > > > > at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
> > > > > at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
> > > > > at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:275)
> > > > > at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:371)
> > > > > at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
> > > > > at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:932)
> > > > > at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
> > > > > at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
> > > > > at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
> > > > > at java.net.URL.openStream(URL.java:1037)
> > > > > at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:804)
> > > > > at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:262)
> > > > > at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:129)
> > > > > ... 8 more
> > > > > Failed to initialize the TPM, error 1
> > > > > Performing HIS identity provisioning...FAILED
> > > > > gov.niarl.his.privacyca.TpmModule$TpmModuleException:
> > > > > TpmModule.getCredential returned nonzero error: 2()
> > > > > at gov.niarl.his.privacyca.TpmModule.getCredential(TpmModule.java:594)
> > > > > at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.java:217)
> > > > > Failed to receive AIC from Privacy CA, error 1
> > > > > Registering identity with server...FAILED
> > > > > java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
> > > > > at java.io.FileInputStream.open(Native Method)
> > > > > at java.io.FileInputStream.<init>(FileInputStream.java:146)
> > > > > at java.io.FileInputStream.<init>(FileInputStream.java:101)
> > > > > at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> > > > > at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
> > > > > Failed to register identity with appraiser, error 1
> > > > >
> > > >
> > > > > Should I have updated anything else?
> > > > >
> > > > > cheers,
> > > > > /Nicolae.
> > > > >
> > > > >
> > > > >
> > > > > On 1 November 2013 10:14, Wei, Gang <gang.wei(a)intel.com> wrote:
> > > > >
> > > > > This is indeed an issue caused by the incompatibility between the OAT
> > > > > tpm access code and tpm-tools (tpm_takeownership -z). It has already
> > > > > been fixed. Please follow the wiki below and try again:
> > > > >
> > > > > https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Recipe
> > > > >
> > > > > Thanks
> > > > > Jimmy
> > > > >
> > > > > Nicolae Paladi wrote on 2013-10-28:
> > > > >
> > > > > > Hi, I've followed the recipe
> > > > > > (https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Recipe)
> > > > > > but didn't get it to run yet; I think a step is missing -- the AIK
> > > > > > is not available in /usr/share/oat-client (it was not available in
> > > > > > /var/lib/oat-appraiser/ClientFiles either); when I try to run
> > > > > > provisioner.sh, I get the following:
> > > > > >
> > > > > > provisioner.sh: line 7: systemctl: command not found
> > > > > > ### ecStorage = NVRAM###
> > > > > > Performing TPM provisioning...710 DONE
> > > > > > Successfully initialized TPM
> > > > > > Performing HIS identity provisioning...FAILED
> > > > > > java.util.NoSuchElementException
> > > > > > at java.util.StringTokenizer.nextToken(StringTokenizer.java:349)
> > > > > > at gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215)
> > > > > > at gov.niarl.his.privacyca.TpmModule.collateIdentityRequest(TpmModule.java:292)
> > > > > > at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.java:225)
> > > > > > Failed to receive AIC from Privacy CA, error 1
> > > > > > Registering identity with server...FAILED
> > > > > > java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
> > > > > > at java.io.FileInputStream.open(Native Method)
> > > > > > at java.io.FileInputStream.<init>(FileInputStream.java:137)
> > > > > > at java.io.FileInputStream.<init>(FileInputStream.java:96)
> > > > > > at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> > > > > > at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
> > > > > > Failed to register identity with appraiser, error 1
> > > > > >
> > > > > > Thanks,
> > > > > > /Nicolae
> > > > > >
> > > > > >
> > > > > > On 27 October 2013 22:55, Nicolae Paladi <n.paladi(a)gmail.com> wrote:
> > > > > >
> > > > > > Awesome, thanks!
> > > > > >
> > > > > > I'll try this out in the morning
> > > > > >
> > > > > > /Nicolae
> > > > > >
> > > > > > On 27 October 2013 17:03, Wei, Gang <gang.wei(a)intel.com> wrote:
> > > > > >
> > > > > > Please refer to
> > > > > > https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Recipe
> > > > > >
> > > > > > Jimmy