Procedure 'tpsclient'

From Dogtag

Overview

The following represents an example procedure for running tpsclient to verify communication between a TKS instance and a TPS instance.

The example below assumes Dogtag 10 utilizing a Tomcat7-based TKS instance stored under /var/lib/pki/pki-tomcat/tks and an Apache-based TPS instance stored under /var/lib/pki-tps.

tpsclient

  • Install a CA instance (e. g. - /var/lib/pki/pki-tomcat/ca)
  • Optionally, install a DRM instance (e. g. - /var/lib/pki/pki-tomcat/kra)
  • Install a TKS instance (e. g. - /var/lib/pki/pki-tomcat/tks)
  • Install a TPS instance (e. g. - /var/lib/pki-tps)
  • Obtain the TPS instance ports by running something similar to the following command:
 # pkicontrol status tps pki-tps
  • Shutdown this TPS instance:
 # systemctl stop pki-tpsd@pki-tps
  • Shutdown the CA, optional DRM, and TKS instances:
 # systemctl stop pki-tomcatd@pki-tomcat.service
 
 NOTE:  This example assumes that the CA instance and the optional DRM instance are both located inside a common PKI instance which contains the TKS (e. g. - /var/lib/pki/pki-tomcat).
        If the deployment being used hosts its CA instance and/or optional DRM instance in containers separate from the TKS, these too should be shut down.
  • Shutdown the DS instance:
 # systemctl stop dirsrv.target
  • Turn off syntax checking in the DS instance, replacing <instance> with the appropriate value:
 Edit dse.ldif to turn off syntax checking:
 
 # vi /etc/dirsrv/slapd-<instance>/dse.ldif
 
   nsslapd-syntaxcheck: off
  • Edit the TKS CS.cfg file (e. g. - /etc/pki/pki-tomcat/tks/CS.cfg), adding values similar to the following and replacing <hostname> and <TPS secure clientauth port> with the appropriate values:
 # vi /etc/pki/pki-tomcat/tks/CS.cfg
 
   tps.0.host=<hostname>
   tps.0.nickname=sharedSecret
   tps.0.port=<TPS secure clientauth port>
   tps.0.userid=TPS-<hostname>-<TPS secure clientauth port>
   tps.list=0
  • Restart the DS instance:
 # systemctl start dirsrv.target
  • Restart the CA, optional DRM, and TKS instances (see NOTE below):
 # systemctl start pki-tomcatd@pki-tomcat.service
 
 NOTE:  This example assumes that the CA instance and the optional DRM instance are both located inside a common PKI instance which contains the TKS (e. g. - /var/lib/pki/pki-tomcat).
        If the deployment being used hosts its CA instance and/or optional DRM instance in containers separate from the TKS, these too should be restarted.
  • Restart the TPS instance:
 # systemctl start pki-tpsd@pki-tps
  • Create an ldif file (e. g. - sample.ldif) similar to the following, replacing <uid>, <domain>, and <password> with the appropriate values:
 # vi sample.ldif
 
   dn: uid=<uid>,ou=People,dc=example,dc=com
   objectClass: person
   objectClass: organizationalPerson
   objectClass: inetorgperson
   objectClass: top
   objectClass: extensibleobject
   cn: <uid>
   sn: <uid>
   uid: <uid>
   givenName: <uid>
   mail: <uid>@<domain>
   firstname: <uid>
   edipi: 123456789
   pcc: AA
   exec-edipi: 999999999
   exec-pcc: BB
   exec-mail: <uid>@<domain>
   userPassword: <password>
  • Execute an ldapadd command similar to the following to add this entry (e. g. - located in sample.ldif) to the DS instance, replacing <password> with the Directory Manager password:
 # ldapadd -x -D "cn=Directory Manager" -w <password> -h localhost -f sample.ldif
  • Create a sample tpsclient format test file (e. g. - format.tst) similar to the following, replacing <hostname>, <TPS unsecure port>, <uid>, and <password> with the appropriate values:
 # vi format.tst
 
   op=var_set name=ra_host value=<hostname>
   op=var_set name=ra_port value=<TPS unsecure port>
   op=var_set name=ra_uri value=/nk_service
   op=token_set cuid=40906145C76224192D2B msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
   op=token_set auth_key=404142434445464748494a4b4c4d4e4f
   op=token_set mac_key=404142434445464748494a4b4c4d4e4f
   op=token_set kek_key=404142434445464748494a4b4c4d4e4f
   op=ra_format uid=<uid> pwd=<password> new_pin=<password> num_threads=1
   op=exit
  • Create a sample tpsclient enrollment test file (e. g. - enroll.tst) similar to the following, replacing <hostname>, <TPS unsecure port>, <uid>, and <password> with the appropriate values:
 # vi enroll.tst
 
   op=var_set name=ra_host value=<hostname>
   op=var_set name=ra_port value=<TPS unsecure port>
   op=var_set name=ra_uri value=/nk_service
   #op=var_set name=test_enable value=true
   #op=var_set name=test_apdu_ea_return_enable value=true
   #op=var_set name=test_apdu_ea_return value=9100
   op=token_set cuid=4090002901010000C05F  msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
   op=token_set auth_key=404142434445464748494a4b4c4d4e4f
   op=token_set mac_key=404142434445464748494a4b4c4d4e4f
   op=token_set kek_key=404142434445464748494a4b4c4d4e4f
   op=ra_enroll uid=<uid> pwd=<password> new_pin=<password> num_threads=1
   op=exit
  • Run a tpsclient format test using the sample format file (e. g. - format.tst):
 # tpsclient < format.tst
 
 which should finish successfully with something similar to this:
 
     .
     .
     .
     Output> Thread (0) status='1' time='1702 msec'
     Result> Success - Operation 'ra_format' Success (1703 msec)
     Command>op=exit
  • Run a tpsclient enrollment test using the sample enrollment file (e. g. - enroll.tst):
 # tpsclient < enroll.tst
 
 which should finish successfully with something similar to this:
 
     .
     .
     .
     Output> Thread (0) status='1' time='6042 msec'
     Result> Success - Operation 'ra_enroll' Success (6043 msec)
     Command>op=exit
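
As an added example (not part of this wiki page or of the Dogtag project itself), the POSIX shell functions below render a tpsclient test script of the same shape as format.tst/enroll.tst from parameters, run it, and check the transcript for the "Result> Success - Operation '...' Success" line shown above, so the last two steps can be executed unattended and scripted as a pass/fail check. The function names, the tpsclient-on-PATH assumption, and the sample host, port, uid and password in the usage comments are assumptions; the cuid, msn, app_ver and key values are the page's own sample values and are not keys from a real token.

```shell
#!/bin/sh
# Added example, not from the Dogtag page: build a tpsclient test script from
# parameters and check the tpsclient transcript for the success line.
# Assumes tpsclient is on PATH; key/cuid values are the page's sample values.

# write_tps_test OP HOST PORT CUID UID PASSWORD
# Prints a tpsclient script for OP (ra_format or ra_enroll) to stdout.
write_tps_test() {
  op="$1" host="$2" port="$3" cuid="$4" uid="$5" pw="$6"
  # Sample auth/mac/kek key value taken from the page's format.tst (test value)
  key=404142434445464748494a4b4c4d4e4f
  cat <<EOF
op=var_set name=ra_host value=$host
op=var_set name=ra_port value=$port
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=$cuid msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=$key
op=token_set mac_key=$key
op=token_set kek_key=$key
op=$op uid=$uid pwd=$pw new_pin=$pw num_threads=1
op=exit
EOF
}

# tps_result_ok OP   (tpsclient transcript on stdin)
# Returns 0 only when the transcript carries the success line for exactly OP,
# so a transcript from a different operation is not mistaken for a pass.
tps_result_ok() {
  grep -q "Result> Success - Operation '$1' Success"
}

# run_tps_test FILE OP
# Runs tpsclient on FILE, keeps the full transcript in FILE.log for later
# inspection, and returns the status of tps_result_ok for use in scripts.
run_tps_test() {
  tpsclient < "$1" > "$1.log" 2>&1
  tps_result_ok "$2" < "$1.log"
}

# Usage (hypothetical host, port, uid and password):
#   write_tps_test ra_format tps.example.com 7888 40906145C76224192D2B jdoe Secret123 > format.tst
#   run_tps_test format.tst ra_format && echo "format OK"
#   write_tps_test ra_enroll tps.example.com 7888 4090002901010000C05F jdoe Secret123 > enroll.tst
#   run_tps_test enroll.tst ra_enroll && echo "enroll OK"
```

Because tps_result_ok matches on the operation name, a format transcript cannot satisfy the enrollment check and vice versa; the saved FILE.log keeps the full "Output>"/"Result>" lines for the failing case, where the status and timing values are what you will want to compare against the expected output above.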