11:45 a.m.
------=_NextPart_000_03D5_01CEE22A.7310D5B0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
So you will not see below error after copying the .cer & .jks again, right?
### ecStorage = NVRAM###
Performing TPM provisioning...FAILED
javax.xml.ws.WebServiceException: Failed to access the WSDL at:
https://seoul:8443/HisPrivacyCAWebServices2/hisPrivacyCAWebService2FactorySe
rvice?wsdl. It failed with:
Connection refused.
As to below errors:
Performing HIS identity provisioning...FAILED
java.util.NoSuchElementException
at java.util.StringTokenizer.nextToken(StringTokenizer.java:349)
at
gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215)
at
gov.niarl.his.privacyca.TpmModule.collateIdentityRequest(TpmModule.java:292)
at
gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.j
ava:225)
Failed to receive AIC from Privacy CA, error 1
Registering identity with server...FAILED
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file
or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:137)
at java.io.FileInputStream.<init>(FileInputStream.java:96)
at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
at
gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99
)
Failed to register identity with appraiser, error 1
Missing of aik.cer is the subsequence of HIS identity provisioning failure.
The key is:
java.util.NoSuchElementException
at java.util.StringTokenizer.nextToken(StringTokenizer.java:349)
at
gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215)
Which is mostly caused by incorrect tpm owner auth. This is actually the
issue occurred in your first try. So I doubt the oat-client rpm you
reinstalled is still the old one in your local cache.
Please try to uninstall oat-client, yum clean, then yum install oat-client,
and then try again.
Thanks
Jimmy
-----Original Message-----
From: Nicolae Paladi [mailto:n.paladi@gmail.com]
Sent: Friday, November 15, 2013 4:08 PM
To: Wei, Gang
Cc: Doron Fediuck; users(a)ovirt.org
Subject: Re: [Users] Trusted Pools and CentOS 6 packages
Hi,
I have done that and reran provisioner.sh with the same result.
As I understand, I am copying the files _PrivacyCA.cer_ and
_TrustStore.jks_ to
/usr/share/oat-client,
while the java error complains about the missing file _aik.cer_, as
follows:
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file
or
directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:146)
at java.io.FileInputStream.<init>(FileInputStream.java:101)
at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
at
gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99
)
is the file _aik.cer_ supposed to be generated at some point here?
Just to clarify, I am using CentOS 6.4, TruSerS and tpm-tools.
Cheers,
/Nicolae.
On 15 November 2013 03:23, Wei, Gang <gang.wei(a)intel.com> wrote:
So, just as what I suggested in last mail, please copy the files
from server
to client again and run provisioner.sh:
1.3.1 copy PrivacyCA.cer and TrustStore.jks from appraiser to
client.
Copy :/var/lib/oat-appraiser/ClientFiles/PrivacyCA.cer
to :/usr/share/oat-client/
Copy :/var/lib/oat-appraiser/ClientFiles/TrustStore.jks
to :/usr/share/oat-client/
Notes: please repeat above steps in case you have re-deployed your
oat
appraiser.
Thanks
Jimmy
From: Nicolae Paladi [mailto:n.paladi@gmail.com]
Sent: Thursday, November 14, 2013 6:30 PM
To: Wei, Gang
Cc: Doron Fediuck; users(a)ovirt.org
Subject: Re: [Users] Trusted Pools and CentOS 6 packages
Hi,
As far as I see, port 8443 is not occupied and tomcat6 is running:
root@host /usr/share/oat-client/script # netstat -anp | grep 8443
root@host /usr/share/oat-client/script # service tomcat6 status
tomcat6 (pid 30950) is running... [ OK ]
Also, just in case, I've checked if disabling iptables helps, and it
doesn't;
In the error trace, there is a line:
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No
such file
or directory)
and indeed, there is not file aik.cer at
/usr/share/oat-client/aik.cer; when
is it supposed to
be generated?
cheers,
/Nicolae
On 14 November 2013 04:32, Wei, Gang <gang.wei(a)intel.com> wrote:
And you need to copy files from server to client before you try to
run
provisioner.sh every time you run OAT_configure.sh again.
Jimmy
> -----Original Message-----
> From: Wei, Gang
> Sent: Thursday, November 14, 2013 11:26 AM
> To: Nicolae Paladi
> Cc: Doron Fediuck; users(a)ovirt.org; Wei, Gang
> Subject: RE: [Users] Trusted Pools and CentOS 6 packages
>
> Can you try netstat -anp | grep 8443? Maybe it is occupied by
apache.
>
> Meanwhile check whether tomcat is up.
>
> Jimmy
>
>
> > -----Original Message-----
> > From: Nicolae Paladi [mailto:n.paladi@gmail.com]
> > Sent: Wednesday, November 13, 2013 10:43 PM
> > To: Wei, Gang
> > Cc: Doron Fediuck; users(a)ovirt.org
> > Subject: Re: [Users] Trusted Pools and CentOS 6 packages
> >
> > Hi,
> >
> > I am using port 8443, since no other process -- as far as I know
-- is
> using it;
> >
> > below you will find all of the requested configuration files:
> >
> > Contents of /etc/oat_client/*:
> > log4j.properties: http://pastebin.com/MQLM68vs
> > OAT.properties: http://pastebin.com/LwHihxah
> > OATprovisioner.properties: http://pastebin.com/0x5TShtZ
> > TPMModule.properties: http://pastebin.com/hvw9gfRE
> >
> >
> > server.xml: http://pastebin.com/VZ9Vk6iC
> > OAT_client.sh: http://pastebin.com/St4yCGcF
> >
> > provisioner.sh: http://pastebin.com/RedqQt8V
> >
> >
> > cheers,
> > /Nicolae.
> >
> >
> > On 13 November 2013 14:47, Wei, Gang <gang.wei(a)intel.com>
wrote:
> >
> >
> > This time it failed earlier. Looks like the PCA webservice2
was not
> > listening on 8443 port. Have you replaced the port
8443 with
8442 in
> > server
> > side ($TOMCAT_HOME/conf/server.xml) but not change it in
client side
> > (/usr/share/oat-client/script/OAT_client.sh)? Or the 8443
port is
> occupied
> > by another app?
> >
> > Please copy the content from your current server.xml,
OAT_client.sh,
> > provisioner.sh and /etc/oat-client/* into the content of
your reply
> for
> > analysis. (don't attach *.sh as attachments, that will get
filtered
> by my
> > company's mailing system).
> >
> > Thanks
> > Jimmy
> >
> >
> >
> > > -----Original Message-----
> > > From: Nicolae Paladi [mailto:n.paladi@gmail.com]
> > > Sent: Wednesday, November 13, 2013 7:01 PM
> > > To: Wei, Gang
> > > Cc: Doron Fediuck; users(a)ovirt.org
> > > Subject: Re: [Users] Trusted Pools and CentOS 6 packages
> > >
> >
> > > Hi,
> > >
> > > thank you for the feedback;
> > > I've gone through the steps again, but obtained the
exactly
same
> > problem:
> > >
> > > 1. I removed all of the previously installed packaged
related
to
> OAT.
> > >
> > > 2. I followed the tutorial, until this command:
> > >
> > > bash provisioner.sh
> > >
> > > provisioner.sh: line 7: systemctl: command not found
> > > ### ecStorage = NVRAM###
> > > Performing TPM provisioning...FAILED
> > > javax.xml.ws.WebServiceException: Failed to access the
WSDL
at:
> > >
> >
>
https://seoul:8443/HisPrivacyCAWebServices2/hisPrivacyCAWebService2Factor
> > > yService?wsdl. It failed with:
> > > Connection refused.
> > > at
> > >
> >
>
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLP
> > > arser.java:162)
> > > at
> > >
> >
>
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.j
> > > ava:144)
> > > at
> > >
> >
>
com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.jav
> > > a:265)
> > > at
> > >
> >
>
com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:228)
> > > at
> > >
> >
>
com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:176)
> > > at
> > >
> >
>
com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.jav
> > a:104
> > > )
> > > at javax.xml.ws.Service.<init>(Service.java:77)
> > > at
> > >
> >
>
gov.niarl.his.webservices.hisprivacycawebservice2.server.HisPrivacyCAWe
> > bSer
> > >
> >
>
vice2FactoryServiceService.<init>(HisPrivacyCAWebService2FactoryService
> > Servi
> > > ce.java:42)
> > > at
> > >
> >
>
gov.niarl.his.webservices.hisPrivacyCAWebService2.client.HisPrivacyCAWe
> > bSer
> > >
> >
>
vices2ClientInvoker.getHisPrivacyCAWebService2(HisPrivacyCAWebServices2Cli
> > > entInvoker.java:32)
> > > at
> > >
> >
gov.niarl.his.privacyca.HisTpmProvisioner.main(HisTpmProvisioner.java:20
5)
> > > Caused by: java.net.ConnectException: Connection refused
> > > at java.net.PlainSocketImpl.socketConnect(Native
Method)
> > > at
> > >
> >
>
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.jav
> > a:339
> > > )
> > > at
> > >
> >
>
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketI
> > mpl.j
> > > ava:200)
> > > at
> > >
> >
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:1
82)
> > > at
> > java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> > > at java.net.Socket.connect(Socket.java:579)
> > > at
> > sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:618)
> > > at
> > >
> >
sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:160)
> > > at
sun.net.NetworkClient.doConnect(NetworkClient.java:180)
> > > at
> > sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
> > > at
> > sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
> > > at
> > >
>
sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:275)
> > > at
> > >
sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:371)
> > > at
> > >
> >
>
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHt
> > > tpClient(AbstractDelegateHttpsURLConnection.java:191)
> > > at
> > >
> >
>
sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnec
> > > tion.java:932)
> > > at
> > >
> >
>
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(A
> > > bstractDelegateHttpsURLConnection.java:177)
> > > at
> > >
> >
>
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConn
> > > ection.java:1300)
> > > at
> > >
> >
>
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsU
> > > RLConnectionImpl.java:254)
> > > at java.net.URL.openStream(URL.java:1037)
> > > at
> > >
> >
>
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSD
> > > LParser.java:804)
> > > at
> > >
> >
>
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDL
> > > Parser.java:262)
> > > at
> > >
> >
>
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.j
> > > ava:129)
> > > ... 8 more
> > > Failed to initialize the TPM, error 1
> > > Performing HIS identity provisioning...FAILED
> > > gov.niarl.his.privacyca.TpmModule$TpmModuleException:
> > > TpmModule.getCredential returned nonzero error: 2()
> > > at
> > >
>
gov.niarl.his.privacyca.TpmModule.getCredential(TpmModule.java:594)
> > > at
> > >
> >
>
gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.j
> > ava:
> > > 217)
> > > Failed to receive AIC from Privacy CA, error 1
> > > Registering identity with server...FAILED
> > > java.io.FileNotFoundException:
/usr/share/oat-client/aik.cer
(No
> such file
> > or
> > > directory)
> > > at java.io.FileInputStream.open(Native Method)
> > > at
> java.io.FileInputStream.<init>(FileInputStream.java:146)
> > > at
> java.io.FileInputStream.<init>(FileInputStream.java:101)
> > > at
> >
gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> > > at
> > >
> >
> >
>
gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:9
> > 9
> > )
> > > Failed to register identity with appraiser, error 1
> > >
> >
> > > Should I have updated anything else?
> > >
> > > cheers,
> > > /Nicolae.
> > >
> > >
> > >
> > > On 1 November 2013 10:14, Wei, Gang <gang.wei(a)intel.com>
wrote:
> > >
> > >
> > > This is indeed an issue caused by the
incompatibility
> between
> > OAT
> > tpm
> > > access
> > > code & tpm-tools(tpm_takeownership -z). It has
already been
> > fixed.
> > > Please
> > > follow below wiki and try again.
> > >
> >
>
https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-
> > > Recipe.
> > >
> > > Thanks
> > > Jimmy
> > >
> > > Nicolae Paladi wrote on 2013-10-28:
> > >
> > > > Hi, I've followed the recipe
> > > >
> > >
> >
>
(https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Rec
> > >
> > > > i pe) but didn't get it to run yet; I think a step
is
> missing --
> > the AIK
> > >
> > > > is not available is /usr/share/oat-client (it was
not
> available in
> > > > /var/lig/oat-appraiser/ClientFiles either); when I
try
to
> run
> > > > provisioner.sh, I get the following:
provisioner.sh:
line
> 7:
> > systemctl:
> > > > command not found ### ecStorage = NVRAM###
Performing
> > TPM
> > > > provisioning...710 DONE Successfully initialized
TPM
> > Performing
> > HIS
> > > > identity provisioning...FAILED
> > java.util.NoSuchElementException
> > > > at
> > >
java.util.StringTokenizer.nextToken(StringTokenizer.java:349)
> > > > at
> > > >
> > >
> >
>
gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:21
> > > > 5)
> > > > at
> > > >
> > >
> >
>
gov.niarl.his.privacyca.TpmModule.collateIdentityRequest(TpmModule.java:29
> > > > 2)
> > > > at
> > > >
> >
>
gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisione
> > >
> > > > r.java: 225) Failed to receive AIC from Privacy
CA,
error
> 1
> > Registering
> > >
> > > > identity with server...FAILED
> java.io.FileNotFoundException:
> > > > /usr/share/oat-client/aik.cer (No such file or
directory)
> > > > at java.io.FileInputStream.open(Native
Method)
> > > > at
> > java.io.FileInputStream.<init>(FileInputStream.java:137)
> > > > at
> > java.io.FileInputStream.<init>(FileInputStream.java:96)
> > > > at
> > >
> gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> > > > at
> > > >
> > >
> >
>
gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:9
> > > 9
> > > )
> > > > Failed to register identity with appraiser, error
1
> > > >
> > > >
> > > >
> > > > Thanks,
> > > > /Nicolae
> > > >
> > > >
> > > > On 27 October 2013 22:55, Nicolae Paladi
> > <n.paladi(a)gmail.com>
> > wrote:
> > > >
> > > >
> > > > Awesome, thanks!
> > > >
> > > > I'll try this out in the morning
> > > >
> > > > /Nicolae
> > > >
> > > >
> > > > On 27 October 2013 17:03, Wei, Gang
> > <gang.wei(a)intel.com>
> > > wrote:
> > > >
> > > >
> > > > Please refer to
> > > >
> > > >
> > >
> >
>
https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-
> > > > Recipe.
> > > >
> > > > Jimmy
> > >
> > >
> >
> >
> >
------=_NextPart_000_03D5_01CEE22A.7310D5B0
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIhfjCCAyAw
ggKJoAMCAQICBDXe9M8wDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0Vx
dWlmYXgxLTArBgNVBAsTJEVxdWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw05
ODA4MjIxNjQxNTFaFw0xODA4MjIxNjQxNTFaME4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVp
ZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAMFdsVhnCGLuoJotHwhtkRRomAoe/toEbxOEYiHD0XzOnwXg
uAHwTjTs4oqVBGSs8WtTXwWzy2eAv0ICjv7dAQns4QAUT/z78AzdQ7pbK+EfgHCZFVeTFvEPl2q3
wmgjHMxNWTCsUR47ryvW7mNFe8XZX1DS41APOojnvxT94Me5AgMBAAGjggEJMIIBBTBwBgNVHR8E
aTBnMGWgY6BhpF8wXTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTENMAsGA1UEAxMEQ1JMMTAaBgNVHRAE
EzARgQ8yMDE4MDgyMjE2NDE1MVowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFEjmaPkr0rKV10fY
IyAQTzOYkJ/UMB0GA1UdDgQWBBRI5mj5K9KylddH2CMgEE8zmJCf1DAMBgNVHRMEBTADAQH/MBoG
CSqGSIb2fQdBAAQNMAsbBVYzLjBjAwIGwDANBgkqhkiG9w0BAQUFAAOBgQBYzinq/Pfetc4CuRe1
hdG54+CVzCUxDQCmkm5/tpJjnlCV0Zpv5BHeY4VumO6o/1rI01WyZnFX3sAh6z0qpyNJAQSGQnv8
7n+iFlK1Z2fTQNs7JliyKHc9rhR3Ydb6KmYnoA36p3Nc6nDxlCFlRF/6/O8paKmih3nvee9PrAd3
ODCCAz0wggKmoAMCAQICAwWw/zANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEQMA4GA1UE
ChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
MB4XDTA2MDIxNjE4MDEzMFoXDTE2MDIxOTE4MDEzMFowUjELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
EUludGVsIENvcnBvcmF0aW9uMScwJQYDVQQDEx5JbnRlbCBFeHRlcm5hbCBCYXNpYyBQb2xpY3kg
Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBpd/XOb9QVqEZ8mQ1042TdOIq3ATD
IsV2xDyt30yLyMR5Wjtus0bn3B+he89BiNO/LP6+rFzEwlD55PlX+HLGIKeNNG97dqyc30FElEUj
ZzTZFq2N4e3kVJ/XAEEgANzV8v9qp7qWwxugPgfc3z9BkYot+CifozexHLb/hEZj+yISCU61kRZv
uSQ0E11yYL4dRgcglJeaHo3oX57rvIckaLsYV5/1Aj+R8DM1Ppk965XQAKsHfnyT7C4S50T4lVn4
lz36wOdNZn/zegG1zp41lnoTFfT4KuKVJH5x7YD1p6KbgJCKLovnujGuohquBNfdXKpZkvz6pGv+
iC1HawJdAgMBAAGjgaAwgZ0wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQaxgxKxEdvqNutK/D0
Vgaj7TdUDDA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3Nl
Y3VyZWNhLmNybDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAPBgNVHRMBAf8EBTAD
AQH/MA0GCSqGSIb3DQEBBQUAA4GBABMQOK2kVKVIlUWwLTdywJ+e2O+PC/uQltK2F3lRyrPfBn69
tOkIP4SgDJOfsxyobIrPLe75kBLw+Dom13OBDp/EMZJZ1CglQfVV8co9mT3aZMjSGGQiMgkJLR3j
Mfr900fXZKj5XeqCJ+JP0mEhJGEdVCY+FFlksJjV86fDrq1QMIIENjCCAx6gAwIBAgIBATANBgkq
hkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsT
HUFkZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5h
bCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5hbCBUVFAgTmV0
d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9vdDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvtH7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0D
GuOPz+VtUFrWlymUWoCwSXrbLpX9uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6s
YapeFI+eh6FqUNzXmk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+7
10LXa0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzNE0S3ySvd
QwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0WicCAwEAAaOB3DCB2TAd
BgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYDVR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMB
Af8wgZkGA1UdIwSBkTCBjoAUrb2YejS0Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNF
MRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5l
dHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcNAQEF
BQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxHYINRsPkyPef89iYT
x4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw56wwCURQtjr0W4MHfRnXnJK3s9EK0
hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvCNr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1
n6diIWgVIEM8med8vSTYqZEXc4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9
F4BrLunMTA5amnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQwggTrMIID06ADAgECAhBS6QLKEehE
nZRlOC+jGjC7MA0GCSqGSIb3DQEBBQUAMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVz
dCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFk
ZFRydXN0IEV4dGVybmFsIENBIFJvb3QwHhcNMTMwMzE5MDAwMDAwWhcNMjAwNTMwMTA0ODM4WjB5
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFDASBgNVBAcTC1NhbnRhIENsYXJhMRowGAYDVQQK
ExFJbnRlbCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiSW50ZWwgRXh0ZXJuYWwgQmFzaWMgSXNzdWlu
ZyBDQSA0QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOCwzICd2ElV+gPbBPo4x92/
hd12vOs9yyyrv+lr4yHb1G8Z6M9qp75fVCkCN7BNc1EUMa34L7T9Gz4Ldbg8AHy3Oh+Xqp8ovuxa
z7ExgkeIMA5qtVpE0IDQzV1IG+9Xvf+rH6vlnwg6YvEnGoJciwkae6Yf1etHG4rQb52RXpSggwYd
99kuiht2wHZzRgf75POm8A5WOqJg7Ov0bHzcM0FcKPzN6D67sesus8iKEbpX5FRDWzNP/Ua80Dpc
iuFuVZOBBLH1to5QleFvN0CqkXHACiFMcNqvx6B1T22xE66y5hOkUWf/nlpZBlpfprceNhzoDpl9
AUXU0aPbx+8ngaMCAwEAAaOCAXcwggFzMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1Qa
MB0GA1UdDgQWBBQeaSq03Cj+RxhOIQs/vKwRL/CY9TAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/
BAgwBgEB/wIBADA2BgNVHSUELzAtBggrBgEFBQcDBAYKKwYBBAGCNwoDBAYKKwYBBAGCNwoDDAYJ
KwYBBAGCNxUFMBcGA1UdIAQQMA4wDAYKKoZIhvhNAQUBaTBJBgNVHR8EQjBAMD6gPKA6hjhodHRw
Oi8vY3JsLnRydXN0LXByb3ZpZGVyLmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDA6Bggr
BgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0dHA6Ly9vY3NwLnRydXN0LXByb3ZpZGVyLmNvbTA1
BgNVHR4ELjAsoCowC4EJaW50ZWwuY29tMBugGQYKKwYBBAGCNxQCA6ALDAlpbnRlbC5jb20wDQYJ
KoZIhvcNAQEFBQADggEBACnCzaP9kqNSZ6IvBu1uUOhUj6tX5silt7Eg39Wpr8h5IxIHduZ+zCkR
xhJkccaM4jyqXJm312FPidIOetJwqOYDxe/Fne2Zs3JgnJtVBRXyMX8OkANfW0aUwvGzDGkkhJfM
t/T4MGvhxDZqD2bDOtw3Wes4g5z6nEm3H2LPKnf5uXdtq6V6uSBlVLV+i1+0f4UksP97HwE5wS4I
ibYpVcmOzhhpmCggEtiNOIrb0ktVrXnF07fTmQ8jW5ey7Tmwa4DC4WZKSVvqTkfX94eVRtkubipA
O04fTQvRKEnHcEAgCMPlFim0kNCLI9lBS+3xyr5qlilUy/fLEc7yN7HjQuAwggWKMIIEcqADAgEC
AgphIIpiAAAAAAAIMA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFJbnRl
bCBDb3Jwb3JhdGlvbjEnMCUGA1UEAxMeSW50ZWwgRXh0ZXJuYWwgQmFzaWMgUG9saWN5IENBMB4X
DTA5MDUxNTE5MjcyNloXDTE1MDUxNTE5MzcyNlowVjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEUlu
dGVsIENvcnBvcmF0aW9uMSswKQYDVQQDEyJJbnRlbCBFeHRlcm5hbCBCYXNpYyBJc3N1aW5nIENB
IDNCMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApAQzVaf1NT29z0L79NzsoH56JgSW
atwRYTfZZR0e9Yb4hxAdVCyKROYzIoqiM0vDYHmzoh6RzyK8Oj/AJ+NnNf0nJ+0ydz4ACtzSVrzs
6XJvObwr2NcR9MG9OdRIVKIj1lh58hN2JSCqUAW6WMVkQdgpi0u6GtFpymZB8/iZXrc0p1zZtPzT
gdF/pim1kVriTpg33jOWsY2sG5BDvhYXPP+MsG6xtSkSSujoy79lgU4VZCtX2UGEX1G6TzI37c3q
f19Sj+oGKCIXaQSf3FWHXKSXtIIYvaMFSRfHiqBXbtrpKLyVFF2Csca038dadJaUtdMfmXnvkfgu
r77vs4W/fwIDAQABo4ICXDCCAlgwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUDsYq91myCBCQ
JW/D3f2KZjEwK8UwCwYDVR0PBAQDAgGGMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUC
BBYEFDmgVjZ6QpD/kq2Kb5V0x5JZvhBZMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMB8GA1Ud
IwQYMBaAFBrGDErER2+o260r8PRWBqPtN1QMMIG9BgNVHR8EgbUwgbIwga+ggayggamGTmh0dHA6
Ly93d3cuaW50ZWwuY29tL3JlcG9zaXRvcnkvQ1JML0ludGVsJTIwRXh0ZXJuYWwlMjBCYXNpYyUy
MFBvbGljeSUyMENBLmNybIZXaHR0cDovL2NlcnRpZmljYXRlcy5pbnRlbC5jb20vcmVwb3NpdG9y
eS9DUkwvSW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwUG9saWN5JTIwQ0EuY3JsMIHjBggrBgEF
BQcBAQSB1jCB0zBjBggrBgEFBQcwAoZXaHR0cDovL3d3dy5pbnRlbC5jb20vcmVwb3NpdG9yeS9j
ZXJ0aWZpY2F0ZXMvSW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwUG9saWN5JTIwQ0EuY3J0MGwG
CCsGAQUFBzAChmBodHRwOi8vY2VydGlmaWNhdGVzLmludGVsLmNvbS9yZXBvc2l0b3J5L2NlcnRp
ZmljYXRlcy9JbnRlbCUyMEV4dGVybmFsJTIwQmFzaWMlMjBQb2xpY3klMjBDQS5jcnQwDQYJKoZI
hvcNAQEFBQADggEBALG1AQdyFVCFfKMSq0xVQx7qCSY+whzMfFJ6o1uj12wP7rFtPrklP6hiCkgC
18Sxhd5Qm7VwKGqlvbZTlswDPt5pBxblvN5+59a8DqWDbTjwHyhzMGP+r7k/k2litQ7yM6Y3iNON
8mrcSVnvIVanLusHdWb9o3oBNipZ8xtL/F+H4kLGYfd2uhSYwkjT9pkkewu2NuMWc2wcM2sllfW/
GUzvwtvWGOyRMQ0+aFtVt9OPmL9kaeG/i2YjxBk8I21x6Bcmt+FGXYP1tal1M4+taIsNSrPLVnoo
vtNw5L88KXxEcIleQ9q7+2FNAKkigNrb5z7dcD76BFN8BDiy9M7brQ0wggX7MIIE46ADAgECAgoe
1fTqAAEAAJY9MA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFJbnRlbCBD
b3Jwb3JhdGlvbjErMCkGA1UEAxMiSW50ZWwgRXh0ZXJuYWwgQmFzaWMgSXNzdWluZyBDQSAzQjAe
Fw0xMjA2MDgwODA1MTFaFw0xNTA1MTUxOTM3MjZaMDcxEjAQBgNVBAMTCVdlaSwgR2FuZzEhMB8G
CSqGSIb3DQEJARYSZ2FuZy53ZWlAaW50ZWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAs3J9LjILpoOjcNn+gh33oO+LwIHlInINRwyGkpZm3Oo9faYw6pA2C/ioC0dSO3iJvI9K
MZn7QQzevrffziAZxVHz67GK6KMEg4KSKzqgZD5OYGXWLbwqhuQTiM2csIRLSR6Kx813M7y8A7Eg
VtP0rFCXV/Ux++xl/IZ8VgHneAcKHVXF1ntrZcpo436XZhjHannEYZm0MNvrVqNdIa90cr6owh+j
ssyhmZjja3k1rCCLPByoE9Q4tH4lc63IYaJdnHfBk95GZnH94Iw8GFKV97Cm9SsrxbSQvn3Uu/Qd
5RUQnJ7Zs6aUujUN4inoof0m6MUHfcqEde82y6Bz0hhRUwIDAQABo4IC6DCCAuQwCwYDVR0PBAQD
AgeAMDwGCSsGAQQBgjcVBwQvMC0GJSsGAQQBgjcVCIbDjHWEmeVRg/2BKIWOn1OCkcAJZ4HevTmV
8EMCAWQCAQgwHQYDVR0OBBYEFBh0blsEpKCOUFRDp2lSba+OWQQoMB8GA1UdIwQYMBaAFA7GKvdZ
sggQkCVvw939imYxMCvFMIHPBgNVHR8EgccwgcQwgcGggb6ggbuGV2h0dHA6Ly93d3cuaW50ZWwu
Y29tL3JlcG9zaXRvcnkvQ1JML0ludGVsJTIwRXh0ZXJuYWwlMjBCYXNpYyUyMElzc3VpbmclMjBD
QSUyMDNCKDEpLmNybIZgaHR0cDovL2NlcnRpZmljYXRlcy5pbnRlbC5jb20vcmVwb3NpdG9yeS9D
UkwvSW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwSXNzdWluZyUyMENBJTIwM0IoMSkuY3JsMIH1
BggrBgEFBQcBAQSB6DCB5TBsBggrBgEFBQcwAoZgaHR0cDovL3d3dy5pbnRlbC5jb20vcmVwb3Np
dG9yeS9jZXJ0aWZpY2F0ZXMvSW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwSXNzdWluZyUyMENB
JTIwM0IoMSkuY3J0MHUGCCsGAQUFBzAChmlodHRwOi8vY2VydGlmaWNhdGVzLmludGVsLmNvbS9y
ZXBvc2l0b3J5L2NlcnRpZmljYXRlcy9JbnRlbCUyMEV4dGVybmFsJTIwQmFzaWMlMjBJc3N1aW5n
JTIwQ0ElMjAzQigxKS5jcnQwHwYDVR0lBBgwFgYIKwYBBQUHAwQGCisGAQQBgjcKAwwwKQYJKwYB
BAGCNxUKBBwwGjAKBggrBgEFBQcDBDAMBgorBgEEAYI3CgMMMEEGA1UdEQQ6MDigIgYKKwYBBAGC
NxQCA6AUDBJnYW5nLndlaUBpbnRlbC5jb22BEmdhbmcud2VpQGludGVsLmNvbTANBgkqhkiG9w0B
AQUFAAOCAQEAe7JxfwDGPB8LnOZYOHRCljy8NKDItdpQNgqbb4BMMkOfmQAsmDECppOG+oZMf6jP
vcdDsvy/tDEzRinUhB3+TkZ6ozOG5cSg8zitw5GU6W9GrEEk1lS5jDG/JhpSktTVbwSw4HbMHfXK
TN1cf3dvpml8mTvx6pm6rTTEfFT2bDg9eVY+efU0MFgPUkf+58KakWTqwETZsF/a7aaIETAehFTK
gfWdu7vxo6ziYTp9EL0260iuI08jbv3RHcUBjx0taXeeulezzROtQKm1q3rW41EkMfTopd7zVAK2
8NWUEZtniCpZHc9kayckp44s47fw9C8UWbVeOzgNViI9VjIJMjCCBl8wggVHoAMCAQICCheTmVkA
AgAAIfMwDQYJKoZIhvcNAQEFBQAweTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRQwEgYDVQQH
EwtTYW50YSBDbGFyYTEaMBgGA1UEChMRSW50ZWwgQ29ycG9yYXRpb24xKzApBgNVBAMTIkludGVs
IEV4dGVybmFsIEJhc2ljIElzc3VpbmcgQ0EgNEEwHhcNMTMwODE5MDAzNjM3WhcNMTYwODAzMDAz
NjM3WjA3MRIwEAYDVQQDEwlXZWksIEdhbmcxITAfBgkqhkiG9w0BCQEWEmdhbmcud2VpQGludGVs
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmf/kfYTghoVM3q9//lzx5Bj67a
fRfoUGpo5wksSMfGSu41XwViw22eCMVOhPDr7X9RqBb+8Ioqi9j3F0U3iHNt+5+mApLeoOavjGLR
vh32Eogi1oKVh9t873Sp3P8a4UkHJaaOqqNabOBLWAc/yVX/uyQfzKQE9c/Wl1uL3OxHmpx1jUn2
m/r7zRb/u3prUdz9hzGIY9YEijF4Rw7DIhS8eQHdgI2JMX9vxh3Zc/tY5Ll1MLJNDOdJzh8taHj/
724nYPA0lLCYDeL8Txim6PaeSXaw43leEfAuBk8C5ttV62cT0aFioLaAw8C0Z1qeOrz2oukeig1j
FLPkMFn+oZcCAwEAAaOCAykwggMlMAsGA1UdDwQEAwIEMDA9BgkrBgEEAYI3FQcEMDAuBiYrBgEE
AYI3FQiGw4x1hJnlUYP9gSiFjp9TgpHACWeEudlBh4T/TgIBZAIBDTBEBgkqhkiG9w0BCQ8ENzA1
MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYD
VR0OBBYEFBc8HhYAlLuMYhGaZZ6WwCXSB0jLMB8GA1UdIwQYMBaAFB5pKrTcKP5HGE4hCz+8rBEv
8Jj1MIHJBgNVHR8EgcEwgb4wgbuggbiggbWGVGh0dHA6Ly93d3cuaW50ZWwuY29tL3JlcG9zaXRv
cnkvQ1JML0ludGVsJTIwRXh0ZXJuYWwlMjBCYXNpYyUyMElzc3VpbmclMjBDQSUyMDRBLmNybIZd
aHR0cDovL2NlcnRpZmljYXRlcy5pbnRlbC5jb20vcmVwb3NpdG9yeS9DUkwvSW50ZWwlMjBFeHRl
cm5hbCUyMEJhc2ljJTIwSXNzdWluZyUyMENBJTIwNEEuY3JsMIH1BggrBgEFBQcBAQSB6DCB5TBs
BggrBgEFBQcwAoZgaHR0cDovL3d3dy5pbnRlbC5jb20vcmVwb3NpdG9yeS9jZXJ0aWZpY2F0ZXMv
SW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwSXNzdWluZyUyMENBJTIwNEEoMikuY3J0MHUGCCsG
AQUFBzAChmlodHRwOi8vY2VydGlmaWNhdGVzLmludGVsLmNvbS9yZXBvc2l0b3J5L2NlcnRpZmlj
YXRlcy9JbnRlbCUyMEV4dGVybmFsJTIwQmFzaWMlMjBJc3N1aW5nJTIwQ0ElMjA0QSgyKS5jcnQw
HwYDVR0lBBgwFgYIKwYBBQUHAwQGCisGAQQBgjcKAwQwKQYJKwYBBAGCNxUKBBwwGjAKBggrBgEF
BQcDBDAMBgorBgEEAYI3CgMEMEEGA1UdEQQ6MDigIgYKKwYBBAGCNxQCA6AUDBJnYW5nLndlaUBp
bnRlbC5jb22BEmdhbmcud2VpQGludGVsLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAFsAaH0vOvtN2
i0FadURRHZmiFmN2Eizu8yyUVabBi+6B7Y+Q9NSFXqxQNYQTThLv4v5dQi+bkM4wKipj54lF8gPG
luoARA5J/xGj7FHbOyiFKBs2I3uhyOHqyIJbYWw991XaNXXZ4Mwzgi9PknZoAwuVDwtJGrmD69pe
unSV6eBc0gYRTEd5BFORAQRz9SyLFXUVUGGVSMXlzqorNI5jjFX84x4ybHOgt/6HjXNTh1pNgR5d
5ax53/+eu2hNU5hInduSjqSmc/+w5Uo3V2ZZlaLyHaGDcw/jaZNkj5+IsKAGwKo0WVt9d4L86iud
GIKoquOTUoRHMgJS4gpdhuo34TGCA5gwggOUAgEBMGQwVjELMAkGA1UEBhMCVVMxGjAYBgNVBAoT
EUludGVsIENvcnBvcmF0aW9uMSswKQYDVQQDEyJJbnRlbCBFeHRlcm5hbCBCYXNpYyBJc3N1aW5n
IENBIDNCAgoe1fTqAAEAAJY9MAkGBSsOAwIaBQCgggIJMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B
BwEwHAYJKoZIhvcNAQkFMQ8XDTEzMTExNTA5NDUxOFowIwYJKoZIhvcNAQkEMRYEFOzGFD1dYXr1
XhxNREc9q7ht0YJAMHIGCSqGSIb3DQEJDzFlMGMwCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjAK
BggqhkiG9w0DBzALBglghkgBZQMEAQIwBwYFKw4DAhowCwYJYIZIAWUDBAIDMAsGCWCGSAFlAwQC
AjALBglghkgBZQMEAgEwgZgGCSsGAQQBgjcQBDGBijCBhzB5MQswCQYDVQQGEwJVUzELMAkGA1UE
CBMCQ0ExFDASBgNVBAcTC1NhbnRhIENsYXJhMRowGAYDVQQKExFJbnRlbCBDb3Jwb3JhdGlvbjEr
MCkGA1UEAxMiSW50ZWwgRXh0ZXJuYWwgQmFzaWMgSXNzdWluZyBDQSA0QQIKF5OZWQACAAAh8zCB
mgYLKoZIhvcNAQkQAgsxgYqggYcweTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRQwEgYDVQQH
EwtTYW50YSBDbGFyYTEaMBgGA1UEChMRSW50ZWwgQ29ycG9yYXRpb24xKzApBgNVBAMTIkludGVs
IEV4dGVybmFsIEJhc2ljIElzc3VpbmcgQ0EgNEECCheTmVkAAgAAIfMwDQYJKoZIhvcNAQEBBQAE
ggEAnzALcYgJ+xyooGcsnvu+FRx5cbEZUJs6IKhNRW6t44Lf1MRJu0KA+ko36CVLVpSxJc1pygNX
xpqT5s16yJxNx4rK9e30PUHkwr4gYqXrlhmJrT4bxvkWk+AlLzHcDKftosyOBcMWSqvhW6burZCw
Xo9VD9wg7pKyATpkny9ryeNplc6KctLoJSmcp7HDhcmJ+Ci9XLYyRrsBGN4UYHAxdb/oya5zpAZY
H2T+JXTt+C/kEd9oqmfhze2DPdT/5WgoTz2JDSexqa6XSJrRFCI7dAXV0ti4LpCZMBV7551GOEPn
XCvcx1L+NV0EYGJaubiPgXjHZrP2vCsMRIWcpnduVQAAAAAAAA==
------=_NextPart_000_03D5_01CEE22A.7310D5B0--