-----Original Message----- From: Nicolae Paladi [mailto:n.paladi@gmail.com] Sent: Friday, November 15, 2013 4:08 PM To: Wei, Gang Cc: Doron Fediuck; users@ovirt.org Subject: Re: [Users] Trusted Pools and CentOS 6 packages
Hi,
I have done that and reran provisioner.sh with the same result.
As I understand, I am copying the files _PrivacyCA.cer_ and _TrustStore.jks_ to /usr/share/oat-client, while the java error complains about the missing file _aik.cer_, as follows:
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory) at java.io.FileInputStream.open(Native Method) at java.io.FileInputStream.<init>(FileInputStream.java:146) at java.io.FileInputStream.<init>(FileInputStream.java:101) at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612) at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99 )
is the file _aik.cer_ supposed to be generated at some point here?
Just to clarify, I am using CentOS 6.4, TruSerS and tpm-tools.
Cheers, /Nicolae.
On 15 November 2013 03:23, Wei, Gang <gang.wei@intel.com> wrote:
So, just as what I suggested in last mail, please copy the files from server to client again and run provisioner.sh:
1.3.1 copy PrivacyCA.cer and TrustStore.jks from appraiser to client.
Copy :/var/lib/oat-appraiser/ClientFiles/PrivacyCA.cer to :/usr/share/oat-client/
Copy :/var/lib/oat-appraiser/ClientFiles/TrustStore.jks to :/usr/share/oat-client/
Notes: please repeat above steps in case you have re-deployed your oat appraiser.
Thanks
Jimmy
From: Nicolae Paladi [mailto:n.paladi@gmail.com] Sent: Thursday, November 14, 2013 6:30 PM
To: Wei, Gang Cc: Doron Fediuck; users@ovirt.org Subject: Re: [Users] Trusted Pools and CentOS 6 packages
Hi,
As far as I see, port 8443 is not occupied and tomcat6 is running:
root@host /usr/share/oat-client/script # netstat -anp | grep 8443
root@host /usr/share/oat-client/script # service tomcat6 status
tomcat6 (pid 30950) is running... [ OK ]
Also, just in case, I've checked if disabling iptables helps, and it doesn't;
In the error trace, there is a line:
java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
and indeed, there is not file aik.cer at /usr/share/oat-client/aik.cer; when is it supposed to
be generated?
cheers,
/Nicolae
On 14 November 2013 04:32, Wei, Gang <gang.wei@intel.com> wrote:
And you need to copy files from server to client before you try to run provisioner.sh every time you run OAT_configure.sh again.
Jimmy
-----Original Message----- From: Wei, Gang Sent: Thursday, November 14, 2013 11:26 AM To: Nicolae Paladi Cc: Doron Fediuck; users@ovirt.org; Wei, Gang Subject: RE: [Users] Trusted Pools and CentOS 6 packages
Can you try netstat -anp | grep 8443? Maybe it is occupied by apache.
Meanwhile check whether tomcat is up.
Jimmy
-----Original Message----- From: Nicolae Paladi [mailto:n.paladi@gmail.com] Sent: Wednesday, November 13, 2013 10:43 PM To: Wei, Gang Cc: Doron Fediuck; users@ovirt.org Subject: Re: [Users] Trusted Pools and CentOS 6 packages
Hi,
I am using port 8443, since no other process -- as far as I know -- is using it;
below you will find all of the requested configuration files:
Contents of /etc/oat_client/*: log4j.properties: http://pastebin.com/MQLM68vs OAT.properties: http://pastebin.com/LwHihxah OATprovisioner.properties: http://pastebin.com/0x5TShtZ TPMModule.properties: http://pastebin.com/hvw9gfRE
server.xml: http://pastebin.com/VZ9Vk6iC OAT_client.sh: http://pastebin.com/St4yCGcF
provisioner.sh: http://pastebin.com/RedqQt8V
cheers, /Nicolae.
On 13 November 2013 14:47, Wei, Gang <gang.wei@intel.com> wrote:
This time it failed earlier. Looks like the PCA webservice2 was not listening on 8443 port. Have you replaced the port 8443 with 8442 in server side ($TOMCAT_HOME/conf/server.xml) but not change it in client side (/usr/share/oat-client/script/OAT_client.sh)? Or the 8443
------=_NextPart_000_03D5_01CEE22A.7310D5B0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit So you will not see below error after copying the .cer & .jks again, right? ### ecStorage = NVRAM### Performing TPM provisioning...FAILED javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://seoul:8443/HisPrivacyCAWebServices2/hisPrivacyCAWebService2FactorySe rvice?wsdl. It failed with: Connection refused. As to below errors: Performing HIS identity provisioning...FAILED java.util.NoSuchElementException at java.util.StringTokenizer.nextToken(StringTokenizer.java:349) at gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215) at gov.niarl.his.privacyca.TpmModule.collateIdentityRequest(TpmModule.java:292) at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.j ava:225) Failed to receive AIC from Privacy CA, error 1 Registering identity with server...FAILED java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory) at java.io.FileInputStream.open(Native Method) at java.io.FileInputStream.<init>(FileInputStream.java:137) at java.io.FileInputStream.<init>(FileInputStream.java:96) at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612) at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99 ) Failed to register identity with appraiser, error 1 Missing of aik.cer is the subsequence of HIS identity provisioning failure. The key is: java.util.NoSuchElementException at java.util.StringTokenizer.nextToken(StringTokenizer.java:349) at gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215) Which is mostly caused by incorrect tpm owner auth. This is actually the issue occurred in your first try. So I doubt the oat-client rpm you reinstalled is still the old one in your local cache. Please try to uninstall oat-client, yum clean, then yum install oat-client, and then try again. Thanks Jimmy port is
occupied
by another app?
Please copy the content from your current server.xml,
OAT_client.sh,
provisioner.sh and /etc/oat-client/* into the content of
your reply for
analysis. (don't attach *.sh as attachments, that will get
filtered by my
company's mailing system).
Thanks Jimmy
> -----Original Message----- > From: Nicolae Paladi [mailto:n.paladi@gmail.com] > Sent: Wednesday, November 13, 2013 7:01 PM > To: Wei, Gang > Cc: Doron Fediuck; users@ovirt.org > Subject: Re: [Users] Trusted Pools and CentOS 6 packages >
> Hi, > > thank you for the feedback; > I've gone through the steps again, but obtained the
exactly same
problem: > > 1. I removed all of the previously installed packaged related to OAT. > > 2. I followed the tutorial, until this command: > > bash provisioner.sh > > provisioner.sh: line 7: systemctl: command not found > ### ecStorage = NVRAM### > Performing TPM provisioning...FAILED > javax.xml.ws.WebServiceException: Failed to access the WSDL at: >
https://seoul:8443/HisPrivacyCAWebServices2/hisPrivacyCAWebService2Factor
> yService?wsdl. It failed with: > Connection refused. > at >
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLP
> arser.java:162) > at >
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.j
> ava:144) > at >
com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.jav
> a:265) > at >
com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:228)
> at >
com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:176)
> at >
com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.jav
a:104 > ) > at javax.xml.ws.Service.<init>(Service.java:77) > at >
gov.niarl.his.webservices.hisprivacycawebservice2.server.HisPrivacyCAWe
bSer >
vice2FactoryServiceService.<init>(HisPrivacyCAWebService2FactoryService
Servi > ce.java:42) > at >
gov.niarl.his.webservices.hisPrivacyCAWebService2.client.HisPrivacyCAWe
bSer >
vices2ClientInvoker.getHisPrivacyCAWebService2(HisPrivacyCAWebServices2Cli
> entInvoker.java:32) > at >
gov.niarl.his.privacyca.HisTpmProvisioner.main(HisTpmProvisioner.java:20
5)
> Caused by: java.net.ConnectException: Connection refused > at java.net.PlainSocketImpl.socketConnect(Native
Method)
> at >
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.jav
a:339 > ) > at >
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketI
mpl.j > ava:200) > at >
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:1
82)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) > at java.net.Socket.connect(Socket.java:579) > at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:618) > at >
sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:160)
> at
sun.net.NetworkClient.doConnect(NetworkClient.java:180)
> at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) > at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) > at >
sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:275)
> at >
sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:371)
> at >
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHt
> tpClient(AbstractDelegateHttpsURLConnection.java:191) > at >
sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnec
> tion.java:932) > at >
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(A
> bstractDelegateHttpsURLConnection.java:177) > at >
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConn
> ection.java:1300) > at >
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsU
> RLConnectionImpl.java:254) > at java.net.URL.openStream(URL.java:1037) > at >
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSD
> LParser.java:804) > at >
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDL
> Parser.java:262) > at >
com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.j
> ava:129) > ... 8 more > Failed to initialize the TPM, error 1 > Performing HIS identity provisioning...FAILED > gov.niarl.his.privacyca.TpmModule$TpmModuleException: > TpmModule.getCredential returned nonzero error: 2() > at >
gov.niarl.his.privacyca.TpmModule.getCredential(TpmModule.java:594)
> at >
gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.j
ava: > 217) > Failed to receive AIC from Privacy CA, error 1 > Registering identity with server...FAILED > java.io.FileNotFoundException:
/usr/share/oat-client/aik.cer (No such file
or > directory) > at java.io.FileInputStream.open(Native Method) > at
java.io.FileInputStream.<init>(FileInputStream.java:146)
> at
java.io.FileInputStream.<init>(FileInputStream.java:101)
> at
gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> at >
9 ) > Failed to register identity with appraiser, error 1 >
> Should I have updated anything else? > > cheers, > /Nicolae. > > > > On 1 November 2013 10:14, Wei, Gang <gang.wei@intel.com> wrote: > > > This is indeed an issue caused by the incompatibility between OAT tpm > access > code & tpm-tools(tpm_takeownership -z). It has already been fixed. > Please > follow below wiki and try again. >
https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-
> Recipe. > > Thanks > Jimmy > > Nicolae Paladi wrote on 2013-10-28: > > > Hi, I've followed the recipe > > >
(https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Rec
> > > i pe) but didn't get it to run yet; I think a step
is missing --
the AIK > > > is not available is /usr/share/oat-client (it was
not available in
> > /var/lig/oat-appraiser/ClientFiles either); when I
to
run
> > provisioner.sh, I get the following:
gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:9 try provisioner.sh: line
7:
systemctl: > > command not found ### ecStorage = NVRAM###
Performing
TPM > > provisioning...710 DONE Successfully initialized TPM Performing HIS > > identity provisioning...FAILED java.util.NoSuchElementException > > at > java.util.StringTokenizer.nextToken(StringTokenizer.java:349) > > at > > >
gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:21
> > 5) > > at > > >
gov.niarl.his.privacyca.TpmModule.collateIdentityRequest(TpmModule.java:29
> > 2) > > at > >
> > > r.java: 225) Failed to receive AIC from Privacy
CA, error 1
Registering > > > identity with server...FAILED
java.io.FileNotFoundException:
> > /usr/share/oat-client/aik.cer (No such file or
gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisione directory)
> > at java.io.FileInputStream.open(Native
Method)
> > at java.io.FileInputStream.<init>(FileInputStream.java:137) > > at java.io.FileInputStream.<init>(FileInputStream.java:96) > > at >
gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> > at > > >
gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:9
> 9 > ) > > Failed to register identity with appraiser, error
1
> > > > > > > > Thanks, > > /Nicolae > > > > > > On 27 October 2013 22:55, Nicolae Paladi <n.paladi@gmail.com> wrote: > > > > > > Awesome, thanks! > > > > I'll try this out in the morning > > > > /Nicolae > > > > > > On 27 October 2013 17:03, Wei, Gang <gang.wei@intel.com> > wrote: > > > > > > Please refer to > > > > >
https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-
> > Recipe. > > > > Jimmy > >
------=_NextPart_000_03D5_01CEE22A.7310D5B0 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIhfjCCAyAw ggKJoAMCAQICBDXe9M8wDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0Vx dWlmYXgxLTArBgNVBAsTJEVxdWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw05 ODA4MjIxNjQxNTFaFw0xODA4MjIxNjQxNTFaME4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVp ZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwgZ8wDQYJ KoZIhvcNAQEBBQADgY0AMIGJAoGBAMFdsVhnCGLuoJotHwhtkRRomAoe/toEbxOEYiHD0XzOnwXg uAHwTjTs4oqVBGSs8WtTXwWzy2eAv0ICjv7dAQns4QAUT/z78AzdQ7pbK+EfgHCZFVeTFvEPl2q3 wmgjHMxNWTCsUR47ryvW7mNFe8XZX1DS41APOojnvxT94Me5AgMBAAGjggEJMIIBBTBwBgNVHR8E aTBnMGWgY6BhpF8wXTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTENMAsGA1UEAxMEQ1JMMTAaBgNVHRAE EzARgQ8yMDE4MDgyMjE2NDE1MVowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFEjmaPkr0rKV10fY IyAQTzOYkJ/UMB0GA1UdDgQWBBRI5mj5K9KylddH2CMgEE8zmJCf1DAMBgNVHRMEBTADAQH/MBoG CSqGSIb2fQdBAAQNMAsbBVYzLjBjAwIGwDANBgkqhkiG9w0BAQUFAAOBgQBYzinq/Pfetc4CuRe1 hdG54+CVzCUxDQCmkm5/tpJjnlCV0Zpv5BHeY4VumO6o/1rI01WyZnFX3sAh6z0qpyNJAQSGQnv8 7n+iFlK1Z2fTQNs7JliyKHc9rhR3Ydb6KmYnoA36p3Nc6nDxlCFlRF/6/O8paKmih3nvee9PrAd3 ODCCAz0wggKmoAMCAQICAwWw/zANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzEQMA4GA1UE ChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MB4XDTA2MDIxNjE4MDEzMFoXDTE2MDIxOTE4MDEzMFowUjELMAkGA1UEBhMCVVMxGjAYBgNVBAoT EUludGVsIENvcnBvcmF0aW9uMScwJQYDVQQDEx5JbnRlbCBFeHRlcm5hbCBCYXNpYyBQb2xpY3kg Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBpd/XOb9QVqEZ8mQ1042TdOIq3ATD IsV2xDyt30yLyMR5Wjtus0bn3B+he89BiNO/LP6+rFzEwlD55PlX+HLGIKeNNG97dqyc30FElEUj ZzTZFq2N4e3kVJ/XAEEgANzV8v9qp7qWwxugPgfc3z9BkYot+CifozexHLb/hEZj+yISCU61kRZv uSQ0E11yYL4dRgcglJeaHo3oX57rvIckaLsYV5/1Aj+R8DM1Ppk965XQAKsHfnyT7C4S50T4lVn4 lz36wOdNZn/zegG1zp41lnoTFfT4KuKVJH5x7YD1p6KbgJCKLovnujGuohquBNfdXKpZkvz6pGv+ iC1HawJdAgMBAAGjgaAwgZ0wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQaxgxKxEdvqNutK/D0 Vgaj7TdUDDA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3Nl Y3VyZWNhLmNybDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAPBgNVHRMBAf8EBTAD AQH/MA0GCSqGSIb3DQEBBQUAA4GBABMQOK2kVKVIlUWwLTdywJ+e2O+PC/uQltK2F3lRyrPfBn69 tOkIP4SgDJOfsxyobIrPLe75kBLw+Dom13OBDp/EMZJZ1CglQfVV8co9mT3aZMjSGGQiMgkJLR3j Mfr900fXZKj5XeqCJ+JP0mEhJGEdVCY+FFlksJjV86fDrq1QMIIENjCCAx6gAwIBAgIBATANBgkq hkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsT HUFkZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5h bCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5hbCBUVFAgTmV0 d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9vdDCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvtH7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0D GuOPz+VtUFrWlymUWoCwSXrbLpX9uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6s YapeFI+eh6FqUNzXmk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+7 10LXa0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzNE0S3ySvd QwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0WicCAwEAAaOB3DCB2TAd BgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYDVR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMB Af8wgZkGA1UdIwSBkTCBjoAUrb2YejS0Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNF MRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5l dHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcNAQEF BQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxHYINRsPkyPef89iYT x4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw56wwCURQtjr0W4MHfRnXnJK3s9EK0 hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvCNr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1 n6diIWgVIEM8med8vSTYqZEXc4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9 F4BrLunMTA5amnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQwggTrMIID06ADAgECAhBS6QLKEehE nZRlOC+jGjC7MA0GCSqGSIb3DQEBBQUAMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVz dCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFk ZFRydXN0IEV4dGVybmFsIENBIFJvb3QwHhcNMTMwMzE5MDAwMDAwWhcNMjAwNTMwMTA0ODM4WjB5 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFDASBgNVBAcTC1NhbnRhIENsYXJhMRowGAYDVQQK ExFJbnRlbCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiSW50ZWwgRXh0ZXJuYWwgQmFzaWMgSXNzdWlu ZyBDQSA0QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOCwzICd2ElV+gPbBPo4x92/ hd12vOs9yyyrv+lr4yHb1G8Z6M9qp75fVCkCN7BNc1EUMa34L7T9Gz4Ldbg8AHy3Oh+Xqp8ovuxa z7ExgkeIMA5qtVpE0IDQzV1IG+9Xvf+rH6vlnwg6YvEnGoJciwkae6Yf1etHG4rQb52RXpSggwYd 99kuiht2wHZzRgf75POm8A5WOqJg7Ov0bHzcM0FcKPzN6D67sesus8iKEbpX5FRDWzNP/Ua80Dpc iuFuVZOBBLH1to5QleFvN0CqkXHACiFMcNqvx6B1T22xE66y5hOkUWf/nlpZBlpfprceNhzoDpl9 AUXU0aPbx+8ngaMCAwEAAaOCAXcwggFzMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1Qa MB0GA1UdDgQWBBQeaSq03Cj+RxhOIQs/vKwRL/CY9TAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/ BAgwBgEB/wIBADA2BgNVHSUELzAtBggrBgEFBQcDBAYKKwYBBAGCNwoDBAYKKwYBBAGCNwoDDAYJ KwYBBAGCNxUFMBcGA1UdIAQQMA4wDAYKKoZIhvhNAQUBaTBJBgNVHR8EQjBAMD6gPKA6hjhodHRw Oi8vY3JsLnRydXN0LXByb3ZpZGVyLmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDA6Bggr BgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0dHA6Ly9vY3NwLnRydXN0LXByb3ZpZGVyLmNvbTA1 BgNVHR4ELjAsoCowC4EJaW50ZWwuY29tMBugGQYKKwYBBAGCNxQCA6ALDAlpbnRlbC5jb20wDQYJ KoZIhvcNAQEFBQADggEBACnCzaP9kqNSZ6IvBu1uUOhUj6tX5silt7Eg39Wpr8h5IxIHduZ+zCkR xhJkccaM4jyqXJm312FPidIOetJwqOYDxe/Fne2Zs3JgnJtVBRXyMX8OkANfW0aUwvGzDGkkhJfM t/T4MGvhxDZqD2bDOtw3Wes4g5z6nEm3H2LPKnf5uXdtq6V6uSBlVLV+i1+0f4UksP97HwE5wS4I ibYpVcmOzhhpmCggEtiNOIrb0ktVrXnF07fTmQ8jW5ey7Tmwa4DC4WZKSVvqTkfX94eVRtkubipA O04fTQvRKEnHcEAgCMPlFim0kNCLI9lBS+3xyr5qlilUy/fLEc7yN7HjQuAwggWKMIIEcqADAgEC AgphIIpiAAAAAAAIMA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFJbnRl bCBDb3Jwb3JhdGlvbjEnMCUGA1UEAxMeSW50ZWwgRXh0ZXJuYWwgQmFzaWMgUG9saWN5IENBMB4X DTA5MDUxNTE5MjcyNloXDTE1MDUxNTE5MzcyNlowVjELMAkGA1UEBhMCVVMxGjAYBgNVBAoTEUlu dGVsIENvcnBvcmF0aW9uMSswKQYDVQQDEyJJbnRlbCBFeHRlcm5hbCBCYXNpYyBJc3N1aW5nIENB IDNCMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApAQzVaf1NT29z0L79NzsoH56JgSW atwRYTfZZR0e9Yb4hxAdVCyKROYzIoqiM0vDYHmzoh6RzyK8Oj/AJ+NnNf0nJ+0ydz4ACtzSVrzs 6XJvObwr2NcR9MG9OdRIVKIj1lh58hN2JSCqUAW6WMVkQdgpi0u6GtFpymZB8/iZXrc0p1zZtPzT gdF/pim1kVriTpg33jOWsY2sG5BDvhYXPP+MsG6xtSkSSujoy79lgU4VZCtX2UGEX1G6TzI37c3q f19Sj+oGKCIXaQSf3FWHXKSXtIIYvaMFSRfHiqBXbtrpKLyVFF2Csca038dadJaUtdMfmXnvkfgu r77vs4W/fwIDAQABo4ICXDCCAlgwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUDsYq91myCBCQ JW/D3f2KZjEwK8UwCwYDVR0PBAQDAgGGMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUC BBYEFDmgVjZ6QpD/kq2Kb5V0x5JZvhBZMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMB8GA1Ud IwQYMBaAFBrGDErER2+o260r8PRWBqPtN1QMMIG9BgNVHR8EgbUwgbIwga+ggayggamGTmh0dHA6 Ly93d3cuaW50ZWwuY29tL3JlcG9zaXRvcnkvQ1JML0ludGVsJTIwRXh0ZXJuYWwlMjBCYXNpYyUy MFBvbGljeSUyMENBLmNybIZXaHR0cDovL2NlcnRpZmljYXRlcy5pbnRlbC5jb20vcmVwb3NpdG9y eS9DUkwvSW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwUG9saWN5JTIwQ0EuY3JsMIHjBggrBgEF BQcBAQSB1jCB0zBjBggrBgEFBQcwAoZXaHR0cDovL3d3dy5pbnRlbC5jb20vcmVwb3NpdG9yeS9j ZXJ0aWZpY2F0ZXMvSW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwUG9saWN5JTIwQ0EuY3J0MGwG CCsGAQUFBzAChmBodHRwOi8vY2VydGlmaWNhdGVzLmludGVsLmNvbS9yZXBvc2l0b3J5L2NlcnRp ZmljYXRlcy9JbnRlbCUyMEV4dGVybmFsJTIwQmFzaWMlMjBQb2xpY3klMjBDQS5jcnQwDQYJKoZI hvcNAQEFBQADggEBALG1AQdyFVCFfKMSq0xVQx7qCSY+whzMfFJ6o1uj12wP7rFtPrklP6hiCkgC 18Sxhd5Qm7VwKGqlvbZTlswDPt5pBxblvN5+59a8DqWDbTjwHyhzMGP+r7k/k2litQ7yM6Y3iNON 8mrcSVnvIVanLusHdWb9o3oBNipZ8xtL/F+H4kLGYfd2uhSYwkjT9pkkewu2NuMWc2wcM2sllfW/ GUzvwtvWGOyRMQ0+aFtVt9OPmL9kaeG/i2YjxBk8I21x6Bcmt+FGXYP1tal1M4+taIsNSrPLVnoo vtNw5L88KXxEcIleQ9q7+2FNAKkigNrb5z7dcD76BFN8BDiy9M7brQ0wggX7MIIE46ADAgECAgoe 1fTqAAEAAJY9MA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFJbnRlbCBD b3Jwb3JhdGlvbjErMCkGA1UEAxMiSW50ZWwgRXh0ZXJuYWwgQmFzaWMgSXNzdWluZyBDQSAzQjAe Fw0xMjA2MDgwODA1MTFaFw0xNTA1MTUxOTM3MjZaMDcxEjAQBgNVBAMTCVdlaSwgR2FuZzEhMB8G CSqGSIb3DQEJARYSZ2FuZy53ZWlAaW50ZWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAs3J9LjILpoOjcNn+gh33oO+LwIHlInINRwyGkpZm3Oo9faYw6pA2C/ioC0dSO3iJvI9K MZn7QQzevrffziAZxVHz67GK6KMEg4KSKzqgZD5OYGXWLbwqhuQTiM2csIRLSR6Kx813M7y8A7Eg VtP0rFCXV/Ux++xl/IZ8VgHneAcKHVXF1ntrZcpo436XZhjHannEYZm0MNvrVqNdIa90cr6owh+j ssyhmZjja3k1rCCLPByoE9Q4tH4lc63IYaJdnHfBk95GZnH94Iw8GFKV97Cm9SsrxbSQvn3Uu/Qd 5RUQnJ7Zs6aUujUN4inoof0m6MUHfcqEde82y6Bz0hhRUwIDAQABo4IC6DCCAuQwCwYDVR0PBAQD AgeAMDwGCSsGAQQBgjcVBwQvMC0GJSsGAQQBgjcVCIbDjHWEmeVRg/2BKIWOn1OCkcAJZ4HevTmV 8EMCAWQCAQgwHQYDVR0OBBYEFBh0blsEpKCOUFRDp2lSba+OWQQoMB8GA1UdIwQYMBaAFA7GKvdZ sggQkCVvw939imYxMCvFMIHPBgNVHR8EgccwgcQwgcGggb6ggbuGV2h0dHA6Ly93d3cuaW50ZWwu Y29tL3JlcG9zaXRvcnkvQ1JML0ludGVsJTIwRXh0ZXJuYWwlMjBCYXNpYyUyMElzc3VpbmclMjBD QSUyMDNCKDEpLmNybIZgaHR0cDovL2NlcnRpZmljYXRlcy5pbnRlbC5jb20vcmVwb3NpdG9yeS9D UkwvSW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwSXNzdWluZyUyMENBJTIwM0IoMSkuY3JsMIH1 BggrBgEFBQcBAQSB6DCB5TBsBggrBgEFBQcwAoZgaHR0cDovL3d3dy5pbnRlbC5jb20vcmVwb3Np dG9yeS9jZXJ0aWZpY2F0ZXMvSW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwSXNzdWluZyUyMENB JTIwM0IoMSkuY3J0MHUGCCsGAQUFBzAChmlodHRwOi8vY2VydGlmaWNhdGVzLmludGVsLmNvbS9y ZXBvc2l0b3J5L2NlcnRpZmljYXRlcy9JbnRlbCUyMEV4dGVybmFsJTIwQmFzaWMlMjBJc3N1aW5n JTIwQ0ElMjAzQigxKS5jcnQwHwYDVR0lBBgwFgYIKwYBBQUHAwQGCisGAQQBgjcKAwwwKQYJKwYB BAGCNxUKBBwwGjAKBggrBgEFBQcDBDAMBgorBgEEAYI3CgMMMEEGA1UdEQQ6MDigIgYKKwYBBAGC NxQCA6AUDBJnYW5nLndlaUBpbnRlbC5jb22BEmdhbmcud2VpQGludGVsLmNvbTANBgkqhkiG9w0B AQUFAAOCAQEAe7JxfwDGPB8LnOZYOHRCljy8NKDItdpQNgqbb4BMMkOfmQAsmDECppOG+oZMf6jP vcdDsvy/tDEzRinUhB3+TkZ6ozOG5cSg8zitw5GU6W9GrEEk1lS5jDG/JhpSktTVbwSw4HbMHfXK TN1cf3dvpml8mTvx6pm6rTTEfFT2bDg9eVY+efU0MFgPUkf+58KakWTqwETZsF/a7aaIETAehFTK gfWdu7vxo6ziYTp9EL0260iuI08jbv3RHcUBjx0taXeeulezzROtQKm1q3rW41EkMfTopd7zVAK2 8NWUEZtniCpZHc9kayckp44s47fw9C8UWbVeOzgNViI9VjIJMjCCBl8wggVHoAMCAQICCheTmVkA AgAAIfMwDQYJKoZIhvcNAQEFBQAweTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRQwEgYDVQQH EwtTYW50YSBDbGFyYTEaMBgGA1UEChMRSW50ZWwgQ29ycG9yYXRpb24xKzApBgNVBAMTIkludGVs IEV4dGVybmFsIEJhc2ljIElzc3VpbmcgQ0EgNEEwHhcNMTMwODE5MDAzNjM3WhcNMTYwODAzMDAz NjM3WjA3MRIwEAYDVQQDEwlXZWksIEdhbmcxITAfBgkqhkiG9w0BCQEWEmdhbmcud2VpQGludGVs LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmf/kfYTghoVM3q9//lzx5Bj67a fRfoUGpo5wksSMfGSu41XwViw22eCMVOhPDr7X9RqBb+8Ioqi9j3F0U3iHNt+5+mApLeoOavjGLR vh32Eogi1oKVh9t873Sp3P8a4UkHJaaOqqNabOBLWAc/yVX/uyQfzKQE9c/Wl1uL3OxHmpx1jUn2 m/r7zRb/u3prUdz9hzGIY9YEijF4Rw7DIhS8eQHdgI2JMX9vxh3Zc/tY5Ll1MLJNDOdJzh8taHj/ 724nYPA0lLCYDeL8Txim6PaeSXaw43leEfAuBk8C5ttV62cT0aFioLaAw8C0Z1qeOrz2oukeig1j FLPkMFn+oZcCAwEAAaOCAykwggMlMAsGA1UdDwQEAwIEMDA9BgkrBgEEAYI3FQcEMDAuBiYrBgEE AYI3FQiGw4x1hJnlUYP9gSiFjp9TgpHACWeEudlBh4T/TgIBZAIBDTBEBgkqhkiG9w0BCQ8ENzA1 MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYD VR0OBBYEFBc8HhYAlLuMYhGaZZ6WwCXSB0jLMB8GA1UdIwQYMBaAFB5pKrTcKP5HGE4hCz+8rBEv 8Jj1MIHJBgNVHR8EgcEwgb4wgbuggbiggbWGVGh0dHA6Ly93d3cuaW50ZWwuY29tL3JlcG9zaXRv cnkvQ1JML0ludGVsJTIwRXh0ZXJuYWwlMjBCYXNpYyUyMElzc3VpbmclMjBDQSUyMDRBLmNybIZd aHR0cDovL2NlcnRpZmljYXRlcy5pbnRlbC5jb20vcmVwb3NpdG9yeS9DUkwvSW50ZWwlMjBFeHRl cm5hbCUyMEJhc2ljJTIwSXNzdWluZyUyMENBJTIwNEEuY3JsMIH1BggrBgEFBQcBAQSB6DCB5TBs BggrBgEFBQcwAoZgaHR0cDovL3d3dy5pbnRlbC5jb20vcmVwb3NpdG9yeS9jZXJ0aWZpY2F0ZXMv SW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwSXNzdWluZyUyMENBJTIwNEEoMikuY3J0MHUGCCsG AQUFBzAChmlodHRwOi8vY2VydGlmaWNhdGVzLmludGVsLmNvbS9yZXBvc2l0b3J5L2NlcnRpZmlj YXRlcy9JbnRlbCUyMEV4dGVybmFsJTIwQmFzaWMlMjBJc3N1aW5nJTIwQ0ElMjA0QSgyKS5jcnQw HwYDVR0lBBgwFgYIKwYBBQUHAwQGCisGAQQBgjcKAwQwKQYJKwYBBAGCNxUKBBwwGjAKBggrBgEF BQcDBDAMBgorBgEEAYI3CgMEMEEGA1UdEQQ6MDigIgYKKwYBBAGCNxQCA6AUDBJnYW5nLndlaUBp bnRlbC5jb22BEmdhbmcud2VpQGludGVsLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAFsAaH0vOvtN2 i0FadURRHZmiFmN2Eizu8yyUVabBi+6B7Y+Q9NSFXqxQNYQTThLv4v5dQi+bkM4wKipj54lF8gPG luoARA5J/xGj7FHbOyiFKBs2I3uhyOHqyIJbYWw991XaNXXZ4Mwzgi9PknZoAwuVDwtJGrmD69pe unSV6eBc0gYRTEd5BFORAQRz9SyLFXUVUGGVSMXlzqorNI5jjFX84x4ybHOgt/6HjXNTh1pNgR5d 5ax53/+eu2hNU5hInduSjqSmc/+w5Uo3V2ZZlaLyHaGDcw/jaZNkj5+IsKAGwKo0WVt9d4L86iud GIKoquOTUoRHMgJS4gpdhuo34TGCA5gwggOUAgEBMGQwVjELMAkGA1UEBhMCVVMxGjAYBgNVBAoT EUludGVsIENvcnBvcmF0aW9uMSswKQYDVQQDEyJJbnRlbCBFeHRlcm5hbCBCYXNpYyBJc3N1aW5n IENBIDNCAgoe1fTqAAEAAJY9MAkGBSsOAwIaBQCgggIJMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B BwEwHAYJKoZIhvcNAQkFMQ8XDTEzMTExNTA5NDUxOFowIwYJKoZIhvcNAQkEMRYEFOzGFD1dYXr1 XhxNREc9q7ht0YJAMHIGCSqGSIb3DQEJDzFlMGMwCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjAK BggqhkiG9w0DBzALBglghkgBZQMEAQIwBwYFKw4DAhowCwYJYIZIAWUDBAIDMAsGCWCGSAFlAwQC AjALBglghkgBZQMEAgEwgZgGCSsGAQQBgjcQBDGBijCBhzB5MQswCQYDVQQGEwJVUzELMAkGA1UE CBMCQ0ExFDASBgNVBAcTC1NhbnRhIENsYXJhMRowGAYDVQQKExFJbnRlbCBDb3Jwb3JhdGlvbjEr MCkGA1UEAxMiSW50ZWwgRXh0ZXJuYWwgQmFzaWMgSXNzdWluZyBDQSA0QQIKF5OZWQACAAAh8zCB mgYLKoZIhvcNAQkQAgsxgYqggYcweTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRQwEgYDVQQH EwtTYW50YSBDbGFyYTEaMBgGA1UEChMRSW50ZWwgQ29ycG9yYXRpb24xKzApBgNVBAMTIkludGVs IEV4dGVybmFsIEJhc2ljIElzc3VpbmcgQ0EgNEECCheTmVkAAgAAIfMwDQYJKoZIhvcNAQEBBQAE ggEAnzALcYgJ+xyooGcsnvu+FRx5cbEZUJs6IKhNRW6t44Lf1MRJu0KA+ko36CVLVpSxJc1pygNX xpqT5s16yJxNx4rK9e30PUHkwr4gYqXrlhmJrT4bxvkWk+AlLzHcDKftosyOBcMWSqvhW6burZCw Xo9VD9wg7pKyATpkny9ryeNplc6KctLoJSmcp7HDhcmJ+Ci9XLYyRrsBGN4UYHAxdb/oya5zpAZY H2T+JXTt+C/kEd9oqmfhze2DPdT/5WgoTz2JDSexqa6XSJrRFCI7dAXV0ti4LpCZMBV7551GOEPn XCvcx1L+NV0EYGJaubiPgXjHZrP2vCsMRIWcpnduVQAAAAAAAA== ------=_NextPart_000_03D5_01CEE22A.7310D5B0--