[Users] Trusted Pools and CentOS 6 packages

Wei, Gang gang.wei at intel.com
Fri Nov 15 02:23:18 UTC 2013


So, just as I suggested in my last mail, please copy the files from the server
to the client again and run provisioner.sh:

 

1.3.1 copy PrivacyCA.cer and TrustStore.jks from appraiser to client.

Copy :/var/lib/oat-appraiser/ClientFiles/PrivacyCA.cer to
:/usr/share/oat-client/

Copy :/var/lib/oat-appraiser/ClientFiles/TrustStore.jks to
:/usr/share/oat-client/

Note: please repeat the above steps in case you have re-deployed your OAT
appraiser.

 

Thanks

Jimmy

 

From: Nicolae Paladi [mailto:n.paladi at gmail.com] 
Sent: Thursday, November 14, 2013 6:30 PM
To: Wei, Gang
Cc: Doron Fediuck; users at ovirt.org
Subject: Re: [Users] Trusted Pools and CentOS 6 packages

 

Hi, 

 

 

As far as I see, port 8443 is not occupied and tomcat6 is running:

 

root at host /usr/share/oat-client/script # netstat -anp | grep 8443

root at host /usr/share/oat-client/script # service tomcat6 status

tomcat6 (pid 30950) is running...                          [  OK  ]

 

 

Also, just in case, I've checked if disabling iptables helps, and it
doesn't;

 

 

In the error trace, there is a line: 

java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file
or directory)

 

and indeed, there is no file aik.cer at /usr/share/oat-client/aik.cer; when
is it supposed to be generated?

 

cheers,

/Nicolae

 

 

On 14 November 2013 04:32, Wei, Gang <gang.wei at intel.com> wrote:

And you need to copy files from server to client before you try to run
provisioner.sh every time you run OAT_configure.sh again.

Jimmy



> -----Original Message-----
> From: Wei, Gang
> Sent: Thursday, November 14, 2013 11:26 AM
> To: Nicolae Paladi
> Cc: Doron Fediuck; users at ovirt.org; Wei, Gang
> Subject: RE: [Users] Trusted Pools and CentOS 6 packages
>
> Can you try netstat -anp | grep 8443? Maybe it is occupied by apache.
>
> Meanwhile check whether tomcat is up.
>
> Jimmy
>
>
> > -----Original Message-----
> > From: Nicolae Paladi [mailto:n.paladi at gmail.com]
> > Sent: Wednesday, November 13, 2013 10:43 PM
> > To: Wei, Gang
> > Cc: Doron Fediuck; users at ovirt.org
> > Subject: Re: [Users] Trusted Pools and CentOS 6 packages
> >
> > Hi,
> >
> > I am using port 8443, since no other process -- as far as I know -- is using it;
> >
> > below you will find all of the requested configuration files:
> >
> > Contents of /etc/oat_client/*:
> > log4j.properties: http://pastebin.com/MQLM68vs
> > OAT.properties: http://pastebin.com/LwHihxah
> > OATprovisioner.properties: http://pastebin.com/0x5TShtZ
> > TPMModule.properties: http://pastebin.com/hvw9gfRE
> >
> >
> > server.xml: http://pastebin.com/VZ9Vk6iC
> > OAT_client.sh: http://pastebin.com/St4yCGcF
> >
> > provisioner.sh: http://pastebin.com/RedqQt8V
> >
> >
> > cheers,
> > /Nicolae.
> >
> >
> > On 13 November 2013 14:47, Wei, Gang <gang.wei at intel.com> wrote:
> >
> >
> >     This time it failed earlier. Looks like the PCA webservice2 was not
> >     listening on 8443 port. Have you replaced the port 8443 with 8442 on the
> >     server side ($TOMCAT_HOME/conf/server.xml) but not changed it on the client
> >     side (/usr/share/oat-client/script/OAT_client.sh)? Or is the 8443 port
> >     occupied by another app?
> >
> >     Please copy the content from your current server.xml, OAT_client.sh,
> >     provisioner.sh and /etc/oat-client/* into the content of your reply for
> >     analysis. (Don't attach *.sh as attachments, that will get filtered by my
> >     company's mailing system.)
> >
> >     Thanks
> >     Jimmy
> >
> >
> >
> >     > -----Original Message-----
> >     > From: Nicolae Paladi [mailto:n.paladi at gmail.com]
> >     > Sent: Wednesday, November 13, 2013 7:01 PM
> >     > To: Wei, Gang
> >     > Cc: Doron Fediuck; users at ovirt.org
> >     > Subject: Re: [Users] Trusted Pools and CentOS 6 packages
> >     >
> >
> >     > Hi,
> >     >
> >     > thank you for the feedback;
> >     > I've gone through the steps again, but obtained exactly the same problem:
> >     >
> >     > 1. I removed all of the previously installed packages related to OAT.
> >     >
> >     > 2. I followed the tutorial, until this command:
> >     >
> >     > bash provisioner.sh
> >     >
> >     > provisioner.sh: line 7: systemctl: command not found
> >     > ### ecStorage = NVRAM###
> >     > Performing TPM provisioning...FAILED
> >     > javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://seoul:8443/HisPrivacyCAWebServices2/hisPrivacyCAWebService2FactoryService?wsdl. It failed with:
> >     >         Connection refused.
> >     >         at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:162)
> >     >         at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:144)
> >     >         at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:265)
> >     >         at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:228)
> >     >         at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:176)
> >     >         at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
> >     >         at javax.xml.ws.Service.<init>(Service.java:77)
> >     >         at gov.niarl.his.webservices.hisprivacycawebservice2.server.HisPrivacyCAWebService2FactoryServiceService.<init>(HisPrivacyCAWebService2FactoryServiceService.java:42)
> >     >         at gov.niarl.his.webservices.hisPrivacyCAWebService2.client.HisPrivacyCAWebServices2ClientInvoker.getHisPrivacyCAWebService2(HisPrivacyCAWebServices2ClientInvoker.java:32)
> >     >         at gov.niarl.his.privacyca.HisTpmProvisioner.main(HisTpmProvisioner.java:205)
> >     > Caused by: java.net.ConnectException: Connection refused
> >     >         at java.net.PlainSocketImpl.socketConnect(Native Method)
> >     >         at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
> >     >         at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
> >     >         at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
> >     >         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
> >     >         at java.net.Socket.connect(Socket.java:579)
> >     >         at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:618)
> >     >         at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:160)
> >     >         at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
> >     >         at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
> >     >         at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
> >     >         at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:275)
> >     >         at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:371)
> >     >         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
> >     >         at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:932)
> >     >         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
> >     >         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
> >     >         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
> >     >         at java.net.URL.openStream(URL.java:1037)
> >     >         at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:804)
> >     >         at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:262)
> >     >         at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:129)
> >     >         ... 8 more
> >     > Failed to initialize the TPM, error 1
> >     > Performing HIS identity provisioning...FAILED
> >     > gov.niarl.his.privacyca.TpmModule$TpmModuleException: TpmModule.getCredential returned nonzero error: 2()
> >     >         at gov.niarl.his.privacyca.TpmModule.getCredential(TpmModule.java:594)
> >     >         at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.java:217)
> >     > Failed to receive AIC from Privacy CA, error 1
> >     > Registering identity with server...FAILED
> >     > java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
> >     >         at java.io.FileInputStream.open(Native Method)
> >     >         at java.io.FileInputStream.<init>(FileInputStream.java:146)
> >     >         at java.io.FileInputStream.<init>(FileInputStream.java:101)
> >     >         at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> >     >         at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
> >     > Failed to register identity with appraiser, error 1
> >     >
> >
> >     > Should I have updated anything else?
> >     >
> >     > cheers,
> >     > /Nicolae.
> >     >
> >     >
> >     >
> >     > On 1 November 2013 10:14, Wei, Gang <gang.wei at intel.com> wrote:
> >     >
> >     >
> >     >       This is indeed an issue caused by the incompatibility between OAT tpm
> >     >       access code & tpm-tools(tpm_takeownership -z). It has already been fixed.
> >     >       Please follow below wiki and try again.
> >     >
> >     >       https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Recipe.
> >     >
> >     >       Thanks
> >     >       Jimmy
> >     >
> >     >       Nicolae Paladi wrote on 2013-10-28:
> >     >
> >     >       > Hi, I've followed the recipe
> >     >       > (https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Recipe)
> >     >       > but didn't get it to run yet; I think a step is missing -- the AIK
> >     >       > is not available in /usr/share/oat-client (it was not available in
> >     >       > /var/lib/oat-appraiser/ClientFiles either); when I try to run
> >     >       > provisioner.sh, I get the following:
> >     >       >
> >     >       > provisioner.sh: line 7: systemctl: command not found
> >     >       > ### ecStorage = NVRAM###
> >     >       > Performing TPM provisioning...710 DONE
> >     >       > Successfully initialized TPM
> >     >       > Performing HIS identity provisioning...FAILED
> >     >       > java.util.NoSuchElementException
> >     >       >         at java.util.StringTokenizer.nextToken(StringTokenizer.java:349)
> >     >       >         at gov.niarl.his.privacyca.TpmModule.executeVer2Command(TpmModule.java:215)
> >     >       >         at gov.niarl.his.privacyca.TpmModule.collateIdentityRequest(TpmModule.java:292)
> >     >       >         at gov.niarl.his.privacyca.HisIdentityProvisioner.main(HisIdentityProvisioner.java:225)
> >     >       > Failed to receive AIC from Privacy CA, error 1
> >     >       > Registering identity with server...FAILED
> >     >       > java.io.FileNotFoundException: /usr/share/oat-client/aik.cer (No such file or directory)
> >     >       >         at java.io.FileInputStream.open(Native Method)
> >     >       >         at java.io.FileInputStream.<init>(FileInputStream.java:137)
> >     >       >         at java.io.FileInputStream.<init>(FileInputStream.java:96)
> >     >       >         at gov.niarl.his.privacyca.TpmUtils.certFromFile(TpmUtils.java:612)
> >     >       >         at gov.niarl.his.privacyca.HisRegisterIdentity.main(HisRegisterIdentity.java:99)
> >     >       > Failed to register identity with appraiser, error 1
> >     >       >
> >     >       >
> >     >       >
> >     >       > Thanks,
> >     >       > /Nicolae
> >     >       >
> >     >       >
> >     >       > On 27 October 2013 22:55, Nicolae Paladi <n.paladi at gmail.com> wrote:
> >     >       >
> >     >       >
> >     >       >       Awesome, thanks!
> >     >       >
> >     >       >       I'll try this out in the morning
> >     >       >
> >     >       >       /Nicolae
> >     >       >
> >     >       >
> >     >       >       On 27 October 2013 17:03, Wei, Gang <gang.wei at intel.com> wrote:
> >     >       >
> >     >       >
> >     >       >               Please refer to
> >     >       >               https://github.com/OpenAttestation/OpenAttestation/wiki/OAT-for-RHEL-Recipe.
> >     >       >
> >     >       >               Jimmy
> >     >
> >     >
> >
> >
> >
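
The re-copy step from the top message of this thread (PrivacyCA.cer and TrustStore.jks must be copied from the appraiser to the client again whenever the appraiser is re-deployed or OAT_configure.sh is re-run) can be checked before running provisioner.sh. The script below is an added example, not part of the original thread or of OpenAttestation; it assumes the appraiser's ClientFiles directory has been fetched into a local staging directory, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not OpenAttestation code): pre-flight check for the two
# files the thread says the client must receive from the appraiser.
# Assumption: the appraiser's ClientFiles directory is available locally.

OAT_FILES="PrivacyCA.cer TrustStore.jks"

# oat_file_state APPRAISER_DIR CLIENT_DIR NAME
# prints one of: ok | stale | missing-client | missing-appraiser
oat_file_state() {
    src="$1/$3"; dst="$2/$3"
    if [ ! -f "$src" ]; then echo "missing-appraiser"; return 0; fi
    if [ ! -f "$dst" ]; then echo "missing-client"; return 0; fi
    # Byte-for-byte comparison: a client copy left over from an earlier
    # appraiser deployment differs from the current one.
    if cmp -s "$src" "$dst"; then echo "ok"; else echo "stale"; fi
}

# oat_preflight APPRAISER_DIR CLIENT_DIR
# prints "NAME: STATE" per file; returns 0 only if every file is ok
oat_preflight() {
    rc=0
    for name in $OAT_FILES; do
        state=$(oat_file_state "$1" "$2" "$name")
        echo "$name: $state"
        [ "$state" = "ok" ] || rc=1
    done
    return $rc
}

# Constructed demo: the client still holds the TrustStore.jks from before
# the appraiser was re-deployed (file contents are placeholders).
oat_demo() {
    demo_rc=0
    tmp=$(mktemp -d)
    mkdir "$tmp/appraiser" "$tmp/client"
    echo "ca-v2"    > "$tmp/appraiser/PrivacyCA.cer"
    echo "store-v2" > "$tmp/appraiser/TrustStore.jks"
    cp "$tmp/appraiser/PrivacyCA.cer" "$tmp/client/"
    echo "store-v1" > "$tmp/client/TrustStore.jks"
    oat_preflight "$tmp/appraiser" "$tmp/client" || demo_rc=$?
    rm -rf "$tmp"
    return $demo_rc
}

oat_demo || true
```

On a client, call `oat_preflight` with the staged ClientFiles directory and /usr/share/oat-client, and re-copy any file that is not reported as ok before running provisioner.sh.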

 
