The session with the device is not open (JaCarta). Working through bugs, or what kind of feedback does JaCarta get?
Good afternoon! For the last two days I had the interesting task of finding a solution to this situation: there is a physical or virtual server with CryptoPRO, a product probably well known to many, installed on it. A JaCarta token is connected to the server and is used to sign documents for the VTB24 remote banking (DBO) system. Everything works locally on Windows 10, but on the Windows Server 2016 and 2012 R2 platforms CryptoPRO does not see the JaCarta key. Let's figure out what the problem is and how to fix it.
Description of the environment
There is a virtual machine on VMware ESXi 6.5 with Windows Server 2012 R2 as the operating system. The server is running CryptoPRO 4.0.9944, the latest version at the moment. A JaCarta dongle is connected from a USB network hub using USB over IP technology. The key appears in the system, but not in CryptoPRO.
Algorithm for solving problems with JaCarta
CryptoPRO very often causes various errors in Windows; a simple example is "The Windows Installer service could not be accessed". This is what the situation looks like when the CryptoPRO utility does not see the certificate in the container.
As you can see in the UTN Manager utility, the key is connected; the system shows it under smart cards as a Microsoft Usbccid (WUDF) device, but CryptoPRO does not detect this container, so you have no way to install the certificate. Connecting the token locally gave exactly the same result. We began to think about what to do.
Possible reasons with container definition
- Firstly, this is a problem with the drivers, for example, in Windows Server 2012 R2, JaCarta should ideally be defined in the list of smart cards as JaCarta Usbccid Smartcard, and not Microsoft Usbccid (WUDF)
- Secondly, if the device is seen as Microsoft Usbccid (WUDF), then the driver version may be outdated, which is why your utilities will not detect a protected USB drive.
- Outdated version of CryptoPRO
How to solve the problem of CryptoPRO not seeing the USB key
We created a new virtual machine and began installing the software sequentially.
Before installing any software that works with USB media containing certificates and private keys, you MUST disconnect the token: if it is inserted locally, unplug it; if it is connected over the network, terminate the session.
- First of all, update the operating system with all available updates, since Microsoft fixes many errors and bugs, including in drivers.
- The second point is, in the case of a physical server, to install all the latest drivers on the motherboard and all peripheral equipment.
- Next, install the Unified JaCarta Client.
- Install the latest version of CryptoPRO
Installing the JaCarta Unified Client (JaCarta PKI)
The JaCarta Unified Client is a utility from Aladdin R.D. for proper work with JaCarta tokens. You can download the latest version of this software product from the official website, or from my cloud if you cannot get it from the manufacturer's website.
Next, unpack the downloaded archive and run the installation file for your Windows architecture; mine is 64-bit. Let's start installing the JaCarta driver. The JaCarta Unified Client is very easy to install (I REMIND you that the token must be disconnected during installation). On the first window of the installation wizard, simply click Next.
Accept the license agreement and click "Next"
In order for the JaCarta token drivers to work correctly for you, you just need to perform a standard installation.
If you choose "Custom installation", be sure to check the following boxes:
- JaCarta Drivers
- Support modules
- Support module for CryptoPRO
After a couple of seconds, Jacarta Unified Client is successfully installed.
Be sure to restart the server or computer so that the system sees the latest drivers.
After installing JaCarta PKI, you need to install CryptoPRO, to do this, go to the official website.
https://www.cryptopro.ru/downloads
Currently, the latest version of CryptoPro CSP is 4.0.9944. Run the installer, leave the "Install root certificates" checkbox and click "Install (Recommended)"
The installation of CryptoPRO will be performed in the background, after which you will see a prompt to restart the browser, but I advise you to reboot completely.
After the reboot, connect your JaCarta USB token. My connection is over the network, from a DIGI device, using USB over IP. In the Anywhere View client my JaCarta USB drive is detected, but as Microsoft Usbccid (WUDF); ideally it should be identified as JaCarta Usbccid Smartcard. Still, check whether it works as it is, since it can work in this state.
When I opened the JaCarta PKI Unified Client utility, no connected token was found, which means something is wrong with the drivers.
Microsoft Usbccid (WUDF) is a standard Microsoft driver that Windows installs by default for various tokens; sometimes it works, but not always. Windows chooses it by default because of its architecture and settings, and I personally do not need it here. What we need to do is remove the Microsoft Usbccid (WUDF) driver and install the drivers for the JaCarta media.
Open Windows Device Manager, find "Smart card readers", click Microsoft Usbccid (WUDF) and select "Properties". Go to the "Drivers" tab and click Uninstall
Agree to remove the Microsoft Usbccid (WUDF) driver.
You will be notified that a system reboot is required for the changes to take effect; we must agree.
After rebooting the system, you can see the installation of the ARDS Jacarta device and drivers.
Open Device Manager; you should see that your device is now identified as JaCarta Usbccid Smartcard, and if you open its properties you will see that the JaCarta smart card now uses driver version 6.1.7601 from ALADDIN R.D. ZAO. This is how it should be.
If you open the Jacarta unified client, you will see your electronic signature, which means that the smart card has been correctly identified.
We open CryptoPRO, and we see that CryptoPRO does not see the certificate in the container, although all the drivers have been identified as needed. There is one more trick.
- In an RDP session you will not see your token, only locally; that is how the token works, or I have not found a way to fix it. You can try the recommendations below for resolving the "Unable to connect to the smart card management service" error.
- You need to uncheck one box in CryptoPRO
BE SURE to uncheck the "Do not use outdated cipher suites" checkbox and reboot.
After these manipulations, CryptoPRO saw my certificate and the jacarta smart card became working, you can sign documents.
You can also see your JaCarta device in Devices and Printers.
If, like me, you have the JaCarta token connected to a virtual machine, you will have to install the certificate through the virtual machine's console and also grant access to that console to the responsible person. If it is a physical server, you will have to grant rights to the management port, which also provides a virtual console.
When you have installed all the drivers for Jacarta tokens, you may see the following error message when connecting via RDP and opening the Jacarta PKI Unified Client utility:
- The smart card service is not running on the local machine. The architecture of the RDP session developed by Microsoft does not provide for the use of key media connected to the remote computer, so in the RDP session the remote computer uses the smart card service of the local computer. It follows from this that starting the smart card service inside an RDP session is not enough for normal operation.
- The smart card management service on the local computer is running, but is not available to the program within an RDP session due to Windows and/or RDP client settings.
How to fix the error "Unable to connect to the smart card management service."
- Start the smart card service on the local machine from which you are initiating the remote access session. Configure it to start automatically when your computer starts.
- Allow the use of local devices and resources during the remote session (particularly smart cards). To do this, in the "Remote Desktop Connection" dialog, select the "Local Resources" tab in the parameters, then in the "Local devices and resources" group, click the "More details..." button, and in the dialog that opens, select "Smart cards" and click "OK", then "Connect".
- Check the saved RDP connection settings. By default they are stored in the Default.rdp file in the "My Documents" folder. Make sure this file contains the line "redirectsmartcards:i:1".
- Make sure that the following Group Policy setting is not enabled on the remote computer you connect to over RDP: [Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow smart card reader redirection]. If it is Enabled, disable it and reboot the computer.
- If you have Windows 7 SP1 or Windows 2008 R2 SP1 installed and you are using RDC 8.1 to connect to computers running Windows 8 or later, install the operating system update https://support.microsoft.com/en-us/kb/2913751
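As an added illustration of the Default.rdp check above (example code written for this page, not from the original article or from Microsoft): a small Python parser for the name:type:value lines of an .rdp file that reports whether redirectsmartcards:i:1 is actually present. The sample file content is constructed; the service-state and Group Policy checks are Windows-side and are not covered by this script.

```python
"""Check an .rdp file for smart card redirection (redirectsmartcards:i:1).

Added example, not code from the article or from Microsoft. It parses the
name:type:value lines that Remote Desktop Connection writes to Default.rdp
and reports whether smart card redirection is explicitly enabled.
SAMPLE_RDP is a constructed sample, not a captured file.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of a Default.rdp file (not a real capture).
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:terminal.example.local
redirectsmartcards:i:1
redirectprinters:i:0
authentication level:i:2
"""

RDP_TYPES = {"i", "s", "b"}  # integer, string, binary (hex string)


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse .rdp lines into {name: (type, value)}.

    A setting line is ``name:type:value``; the value may itself contain
    colons (an IPv6 address in ``full address:s:``), so the line is split
    on the first two colons only. Malformed lines raise ValueError so that
    a typo such as ``redirectsmartcards=1`` is reported instead of being
    silently treated as "setting absent".
    """
    settings: dict[str, tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in RDP_TYPES:
            raise ValueError(f"line {lineno}: not a name:type:value setting: {raw!r}")
        name, typ, value = parts
        if typ == "i" and not value.lstrip("-").isdigit():
            raise ValueError(f"line {lineno}: setting {name!r} is typed 'i' but has value {value!r}")
        settings[name.strip().lower()] = (typ, value)
    return settings


def is_valid_rdp(text: str) -> bool:
    """True when every non-empty line parses as a setting."""
    try:
        parse_rdp(text)
    except ValueError:
        return False
    return True


@dataclass(frozen=True)
class RedirectionStatus:
    confirmed: bool  # the file explicitly contains redirectsmartcards:i:1
    explicit: bool   # the setting is present at all
    detail: str


def smartcard_redirection(text: str) -> RedirectionStatus:
    """Report the redirectsmartcards setting of an .rdp file's contents.

    An absent setting is reported as "not confirmed" rather than guessed:
    the check in the article is that the line is actually present.
    """
    entry = parse_rdp(text).get("redirectsmartcards")
    if entry is None:
        return RedirectionStatus(False, False, "redirectsmartcards not set; add 'redirectsmartcards:i:1'")
    typ, value = entry
    if typ != "i":
        return RedirectionStatus(False, True, f"redirectsmartcards has type '{typ}', expected 'i'")
    if value == "1":
        return RedirectionStatus(True, True, "redirectsmartcards:i:1 present")
    return RedirectionStatus(False, True, f"redirectsmartcards:i:{value} disables smart card redirection")


if __name__ == "__main__":
    status = smartcard_redirection(SAMPLE_RDP)
    print(("OK" if status.confirmed else "FIX") + ": " + status.detail)
```

To run it against a real file, read Default.rdp from the user's Documents folder and pass its contents to smartcard_redirection(); a ValueError points at a line that is not in the name:type:value form and should be looked at rather than ignored.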
This was the troubleshooting for setting up the Jacarta token, CryptoPRO on the terminal server, for signing documents in VTB24 RBS. If you have any comments or corrections, please write them in the comments.
Description of the problem. To work with EGAIS, the JaCarta PKI/GOST/SE media is used. Often one of its sections, the PKI section, becomes blocked, after which further work with EGAIS is impossible.
The reason for the blocking is frequent access of the universal transport module (UTM) to the JaCarta media: after ten unsuccessful authorization attempts, the media locks the section and prevents further work.
There are two ways to solve the problem:
- Contact the certification center that issued the media.
- Unlock the JaCarta media yourself according to the instructions.
Instructions using Microsoft Windows 10 as an example.
Step-by-step instructions on how to unlock a PKI partition
Step 1. Switch to administration mode
In the Start menu, find the JaCarta Unified Client application and open it.
Fig. 1. JaCarta Unified Client
The program workspace will open.
Fig. 2. Switch to administration mode
If the PKI section is locked, the PKI tab will be red.
Fig. 3. Token information
Step 2. Checking the PKI partition blocking
To understand that the PKI section is really blocked, click on the “Full information...” link in the “Token Information” tab.
The “Token Details” will open. In the new window, find the PKI Application Information section. If the status in the “PIN code” line is “Blocked,” then close the window and proceed to the next step in the instructions.
Fig. 4. Token details
Step 3. Unlocking the PKI partition
Go to the "PKI" tab. In the Application Operations panel, select Unblock User PIN....
The “User PIN Unlock” window will open, in which specify:
- The current administrator PIN is 00000000 by default;
- New user PIN - default 11111111;
- Confirmation of the code (meaning the user's PIN code).
Fig. 6. Unlock user PIN code
After specifying PIN codes, click “Run”.
If everything is entered correctly, a notification will appear. Click "OK" to complete.
Fig. 7. Notification of successful unlocking
Go to the "Token Information" tab and click on the "Full Information" link to check the current status of the PKI application. The status should be "Installed".
Fig. 8. Status check
If the status has changed, the unlocking is complete.
Greetings, reader!
After communicating with some actively interested readers, I decided to repeat my "search" experiment, which I did when I wrote the first review materials on the token topic. This time I decided to collect unsuccessful experiences of using tokens, starting with JaCarta errors. I am writing with specifics right away, since I am thinking of making a separate selection for each brand. Let's start with the market leader, Aladdin R.D., and their product JaCarta, the token used specifically for EGAIS.
What this post won't include:
1. I won't give solutions for Jacarta errors because every situation is different.
2. It may also be that the JaCarta token is not the cause of the error; it could be the UTM, etc. Therefore, each case must be analyzed separately.
3. Piling up errors in order to denigrate the product. My task is to give a strictly third-party summary of what JaCarta token users most often encounter in EGAIS.
Selection and systematization of reviews about JaCarta
Last time my research was limited to the official EGAIS forum (http://egais2016.ru/), now I have expanded the range of study of forums to make the material more extensive.
So, the Jakarta token for EGAIS will be analyzed based on reviews from the following sources:
Naturally, most of the results were found on the EGAIS forum.
In total, the search returned 630 messages.
Three large threads were found.
For example, here is a case where 8 JaCarta tokens in a row failed because, I quote:
"Error 0x00000006 in the PKI partition when trying to format. Either JaCarta is simply not detected as a device. Updated the client to version 2.9. We tried it through jacarta format. Not a single method has ever helped."
The problem when the system simply does not see Jacarta is really serious and, perhaps, the most common. Another question is that the reasons for the appearance of this error may be various violations.
Another bug discovered: again JaCarta is not detected, the devices do not see JaCarta. It is funny to note that Aladdin sends reply letters to user complaints, but about a different problem =)))) But they do reply! That is important.
There are often errors during detection and installation, but there may also be problems with UTM distribution kits, which also happens very often. I carefully read all the threads and therefore rest assured that I will not point out errors for Jacarta that do not exist here. Although the question here is very complicated, since when the system does not see Jacarta, this can be a mutual problem.
In one of the already mentioned threads there is such an interesting comment
What should Jacarta token users do now that the ties between Gemalto and Aladdin have been severed?
On the forum egaisa.net
Found 5 discussion threads
Mainly typical errors during initial setup and, once all the settings have been made, erratic operation of JaCarta. Errors after updates, when the system does not find or see JaCarta, are also frequent.
If you read the forums more carefully, it turns out that at the initial stage everyone was sold the JaCarta token for EGAIS without going into details and without telling clients at all that it did not have to be JaCarta... But we have already talked about this more than once, and you can see .
Let's return to the EGAIS forum.
In total, we have 630 answers to the search engine during our entire work. Naturally, there is no point in considering problems that are more than a year old.
For example, one of the most common mistakes
- Errors when trying to generate an RSA certificate
- Synchronization errors with UTM
- Error during update
- Error 610
- Jacarta detection error
Why does JaCarta get bad reviews?
To summarize, the JaCarta token is used by many people, but its stability is poor. I also came across the opinion that this may depend on the "delivery batch", which is very strange, since the software should be the same for everyone. Perhaps it is the result of JaCarta being assembled from many disparate parts, which leads to unstable operation and the failure of the whole organism.
In the next series we’ll talk about Rutoken, smart cards and other CIPF products.
Thanks for staying in touch.
All functions of the PKCS#11 implementation return error codes. The returned error codes are divided into two large groups:
- Functions of the PKCS#11 standard implementation return standard error codes and may also return special error codes (defined by the manufacturer).
- Functions of the PKCS#11 standard extension implementation return special error codes (defined by the manufacturer).
Standard error codes
Due to the implementation features of the rtPKCS11 and rtPKCS11ECP libraries, some standard functions may return a standard PKCS#11 error code that is not included in the list of acceptable ones for this function. This situation is an exception. The standard error codes returned by each function in exceptional situations are listed in the description for each function separately.
Table 2.29 shows a list of error codes of the PKCS#11 standard and their descriptions supported by Rutoken devices. Detailed information on each error code can be found in the standard (English) or annex (Russian).
Table 2.29. Standard error codes
Error code | Description |
CKR_ARGUMENTS_BAD | Invalid argument |
CKR_ATTRIBUTE_READ_ONLY | Cannot set or change attribute value by application |
CKR_ATTRIBUTE_SENSITIVE | The attribute is not readable |
CKR_ATTRIBUTE_TYPE_INVALID | Invalid attribute type |
CKR_ATTRIBUTE_VALUE_INVALID | Invalid attribute value |
CKR_BUFFER_TOO_SMALL | The size of the specified buffer is insufficient to display the results of the function execution |
CKR_CANT_LOCK | The library does not support locking to protect threads; returned only when calling the function C_Initialize |
CKR_CRYPTOKI_ALREADY_INITIALIZED | The library has already been initialized (previous function call C_Initialize was not accompanied by a corresponding function call С_Finalize); returns only when calling the function C_Initialize |
CKR_CRYPTOKI_NOT_INITIALIZED | The function cannot be executed because the library is not initialized; is returned only when calling any function except C_Initialize And С_Finalize |
CKR_DATA_INVALID | Invalid input data for performing a cryptographic operation |
CKR_DATA_LEN_RANGE | The input data is not the correct size to perform a cryptographic operation |
CKR_DEVICE_ERROR | Error when accessing token or slot |
CKR_DEVICE_MEMORY | There is not enough token memory to perform the requested function |
CKR_DEVICE_REMOVED | The token was removed from the slot while the function was executing |
CKR_DOMAIN_PARAMS_INVALID | Incorrect or unsupported domain parameters were passed to the function |
CKR_ENCRYPTED_DATA_INVALID | Incorrectly encrypted data was transferred for decryption operation |
CKR_ENCRYPTED_DATA_LEN_RANGE | Encrypted data of incorrect size was passed for decryption operation |
CKR_FUNCTION_CANCELED | The function was interrupted |
CKR_FUNCTION_FAILED | An error occurred while executing the function |
CKR_FUNCTION_NOT_SUPPORTED | The requested function is not supported by the library |
CKR_FUNCTION_REJECTED | The signature request was rejected by the user |
CKR_GENERAL_ERROR | Critical hardware error |
CKR_HOST_MEMORY | There is not enough memory to run the function on the workstation where the library is installed |
CKR_KEY_FUNCTION_NOT_PERMITTED | The key attributes do not allow the operation to be performed |
CKR_KEY_HANDLE_INVALID | An incorrect key identifier (handle) was passed to the function |
CKR_KEY_NOT_WRAPPABLE | Unable to encrypt key |
CKR_KEY_SIZE_RANGE | Invalid key size |
CKR_KEY_TYPE_INCONSISTENT | The key type does not match this mechanism |
CKR_KEY_UNEXTRACTABLE | The key cannot be encrypted because the CKA_UNEXTRACTABLE attribute is set to CK_TRUE |
CKR_MECHANISM_INVALID | Incorrect mechanism specified to perform cryptographic operation |
CKR_MECHANISM_PARAM_INVALID | Incorrect engine parameters specified for performing a cryptographic operation |
CKR_NEED_TO_CREATE_THREADS | The program does not support internal operating system methods for creating new threads |
CKR_OBJECT_HANDLE_INVALID | An incorrect object identifier (handle) was passed to the function |
CKR_OPERATION_ACTIVE | The operation cannot be performed because the operation is already in progress |
CKR_OPERATION_NOT_INITIALIZED | The operation cannot be performed in this session |
CKR_PIN_EXPIRED | PIN has expired |
CKR_PIN_INCORRECT | The function was passed a PIN code that does not match the one stored on the token |
CKR_PIN_INVALID | PIN value contains invalid characters |
CKR_PIN_LEN_RANGE | Invalid PIN length |
CKR_RANDOM_NO_RNG | This token does not support random number generation |
CKR_SESSION_CLOSED | The session was closed while the function was executing |
CKR_SESSION_COUNT | The limit on the number of open sessions for this token has been reached |
CKR_SESSION_EXISTS | The session with the token is already open and therefore the token cannot be initialized |
CKR_SESSION_HANDLE_INVALID | An incorrect session identifier (handle) was passed to the function |
CKR_SESSION_PARALLEL_NOT_SUPPORTED | This token does not support parallel sessions |
CKR_SESSION_READ_ONLY | The action cannot be performed because this is an R/O session |
CKR_SESSION_READ_WRITE_SO_EXISTS | An R/W session is already open, so it is not possible to open an R/O session |
CKR_SIGNATURE_INVALID | Invalid digital signature value |
CKR_SIGNATURE_LEN_RANGE | The digital signature value is incorrect in length |
CKR_SLOT_ID_INVALID | There is no slot with this ID |
CKR_TEMPLATE_INCOMPLETE | There are not enough attributes to create an object |
CKR_TEMPLATE_INCONSISTENT | The specified attributes contradict each other |
CKR_TOKEN_NOT_PRESENT | Token is missing from slot during function call |
CKR_UNWRAPPING_KEY_HANDLE_INVALID | An incorrect identifier (handle) of the decryption key was passed to the function |
CKR_UNWRAPPING_KEY_SIZE_RANGE | Invalid decryption key size |
CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT | The decryption key type does not match this mechanism |
CKR_USER_ALREADY_LOGGED_IN | The user is already logged in to the token |
CKR_USER_ANOTHER_ALREADY_LOGGED_IN | A user of a different type is already logged in to the token |
CKR_USER_NOT_LOGGED_IN | The function requires the user to be logged in, but no login has been performed |
CKR_USER_PIN_NOT_INITIALIZED | User PIN not initialized |
CKR_USER_TOO_MANY_TYPES | An attempt was made to have more user types logged in at once than the token supports |
CKR_USER_TYPE_INVALID | Invalid user type specified |
CKR_WRAPPED_KEY_INVALID | Incorrect encrypted key specified |
CKR_WRAPPED_KEY_LEN_RANGE | Incorrect encrypted key length specified |
CKR_WRAPPING_KEY_HANDLE_INVALID | An incorrect encryption key identifier (handle) was passed to the function |
CKR_WRAPPING_KEY_SIZE_RANGE | Invalid encryption key size |
CKR_WRAPPING_KEY_TYPE_INCONSISTENT | The encryption key type does not match this mechanism |
Special error codes
Table 2.30 provides a list of all PKCS #11 extended error codes along with their description. Extended error codes can be returned by both standard and extension functions.
Table 2.30. Special PKCS #11 error codes supported by Rutoken devices
Error code | Description |
CKR_CORRUPTED_MAPFILE | This error is returned when the MAP file is corrupted (while reading the MAP file, the MAP file header tag (2 bytes) was found to be invalid) |
CKR_RTPKCS11_DATA_CORRUPTED | This error is returned if a data integrity violation was detected on the token (while reading a file containing a PKCS#11 object, the object header tag (2 bytes) was found to be invalid) |
CKR_WRONG_VERSION_FIELD | This error is returned if the file containing the PKCS#11 object has an invalid version (when reading any file (MAP file or file containing a PKCS#11 object), the header version (4 bytes) was found to be invalid) |
CKR_WRONG_PKCS1_ENCODING | This error is returned if the decrypted message is in an incorrect form |
CKR_RTPKCS11_RSF_DATA_CORRUPTED | This error is returned if an attempt to use the RSF file fails |
The Jacarta PKI/GOST carrier is blocked when multiple attempts are made to enter an incorrect PIN code. In this case, the connection with the FSRAR server is lost, and invoice data does not enter your accounting system. How to quickly unlock the key and restore work with EGAIS?
By default, all new media have the following passwords:
PKI | 11 11 11 11 |
PKI Administrator | 00 00 00 00 |
GOST | 0987654321 |
GOST Administrator | 1234567890 |
To remove the lock, the Jacarta Unified Client must be installed on your computer. If the configuration and installation of EGAIS was carried out by our specialists, then you already have this program.
Run the program and wait until information about the Jacarta PKI/GOST media appears in the Unified Client window.
Removing the GOST lock
The GOST section contains the qualified electronic signature (KEP) certificate issued by the certification center. Be careful: do not delete any components from this section. After deletion you will have to contact the certification center again to have the key issued.
To unlock the GOST PIN code, in the top menu “Application Operations” select the first item “Unblock user PIN code”. A notification will appear on the screen that removing the lock will reset the counter of incorrect input attempts.
Click “OK” and in the newly opened window enter Jacarta administrator pin code GOST 1234567890. After resetting the error counter, enter the standard user PIN code GOST 0987654321.
Important: this procedure will only help reset the counter, but will not change the forgotten password to a new one. If you changed the default GOST password and forgot it, you will have to initialize and record the key again at the certification center.
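The lockout and unblock behaviour described here and in the EGAIS sections above (ten wrong attempts lock the PKI section; the administrator PIN resets the counter and sets a new user PIN, it does not recover the forgotten one) can be modelled with the PKCS#11 return codes from the Rutoken error table. The Python simulation below is an added example and is not code from JaCarta, Aladdin R.D., CryptoPRO or the Rutoken documentation; the SimToken class, the retry limit, the PIN length limits and the default PINs are assumptions for the simulation. The CKR_* numeric values are the standard Cryptoki ones, and CKR_PIN_LOCKED is a standard code that the table above does not list.

```python
"""Simulated PKCS#11-style PIN handling: lockout after repeated wrong PINs
and administrator (Security Officer) unblock.

Added example; not code from JaCarta, Aladdin R.D., CryptoPRO or the
Rutoken documentation. Retry limit, PIN length limits and default PINs
are assumptions for the simulation only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from hmac import compare_digest

# Standard PKCS#11 (Cryptoki) return values.
CKR_OK = 0x00
CKR_PIN_INCORRECT = 0xA0
CKR_PIN_LEN_RANGE = 0xA2
CKR_PIN_LOCKED = 0xA4             # standard code, not in the table above
CKR_USER_ALREADY_LOGGED_IN = 0x100
CKR_USER_NOT_LOGGED_IN = 0x101
CKR_USER_PIN_NOT_INITIALIZED = 0x102
CKR_USER_TYPE_INVALID = 0x103

CKU_SO = 0     # Security Officer: the "administrator" PIN of the JaCarta client
CKU_USER = 1

MIN_PIN_LEN, MAX_PIN_LEN = 4, 16  # assumed limits for the simulation


def ckr_name(code: int) -> str:
    """Map a return value back to its CKR_* name (useful in log messages)."""
    names = {v: k for k, v in globals().items() if k.startswith("CKR_")}
    return names.get(code, f"CKR_0x{code:X}")


@dataclass
class SimToken:
    so_pin: str = "00000000"           # assumed default administrator PIN
    user_pin: str | None = "11111111"  # assumed default user PIN
    max_retries: int = 10              # assumed lockout threshold
    retries_left: int = field(init=False)
    logged_in: int | None = field(init=False, default=None)

    def __post_init__(self) -> None:
        self.retries_left = self.max_retries

    @staticmethod
    def _pin_ok(pin: str, stored: str) -> bool:
        # Constant-time comparison, as token firmware should do.
        return compare_digest(pin.encode(), stored.encode())

    def login(self, user_type: int, pin: str) -> int:
        """C_Login equivalent. Wrong user PINs consume the retry counter."""
        if user_type not in (CKU_SO, CKU_USER):
            return CKR_USER_TYPE_INVALID
        if self.logged_in is not None:
            return CKR_USER_ALREADY_LOGGED_IN
        if not MIN_PIN_LEN <= len(pin) <= MAX_PIN_LEN:
            return CKR_PIN_LEN_RANGE
        if user_type == CKU_SO:
            if not self._pin_ok(pin, self.so_pin):
                return CKR_PIN_INCORRECT
        else:
            if self.user_pin is None:
                return CKR_USER_PIN_NOT_INITIALIZED
            if self.retries_left == 0:
                return CKR_PIN_LOCKED       # stays locked even for the right PIN
            if not self._pin_ok(pin, self.user_pin):
                self.retries_left -= 1
                return CKR_PIN_LOCKED if self.retries_left == 0 else CKR_PIN_INCORRECT
            self.retries_left = self.max_retries  # success resets the counter
        self.logged_in = user_type
        return CKR_OK

    def logout(self) -> int:
        if self.logged_in is None:
            return CKR_USER_NOT_LOGGED_IN
        self.logged_in = None
        return CKR_OK

    def init_pin(self, new_user_pin: str) -> int:
        """C_InitPIN equivalent: only the SO may set a new user PIN.

        This is what the "Unblock User PIN" dialog does: the counter is
        reset and the user PIN is replaced, never recovered.
        """
        if self.logged_in != CKU_SO:
            return CKR_USER_NOT_LOGGED_IN
        if not MIN_PIN_LEN <= len(new_user_pin) <= MAX_PIN_LEN:
            return CKR_PIN_LEN_RANGE
        self.user_pin = new_user_pin
        self.retries_left = self.max_retries
        return CKR_OK


def unblock_user_pin(token: SimToken, admin_pin: str, new_user_pin: str) -> int:
    """The three calls behind the unblock dialog: SO login, InitPIN, logout."""
    rc = token.login(CKU_SO, admin_pin)
    if rc != CKR_OK:
        return rc
    try:
        return token.init_pin(new_user_pin)
    finally:
        token.logout()


if __name__ == "__main__":
    tok = SimToken(max_retries=3)
    for attempt in ("12345678", "12345678", "12345678", "11111111"):
        rc = tok.login(CKU_USER, attempt)
        print(f"login {attempt}: {ckr_name(rc)}, retries left {tok.retries_left}")
    print("unblock:", ckr_name(unblock_user_pin(tok, "00000000", "22222222")))
    print("login with new PIN:", ckr_name(tok.login(CKU_USER, "22222222")))
```

Two points the simulation makes visible: once the counter reaches zero the correct PIN is rejected with CKR_PIN_LOCKED just like a wrong one, which is why a UTM that keeps retrying a stale PIN never recovers on its own; and the unblock step requires the administrator PIN and replaces the user PIN, so a forgotten user PIN on the GOST section cannot be read back, only reset.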
Unblocking PKI
The PKI container contains an RSA key, which is generated in your personal account on the website egais.ru. If you lose your PIN code, this section can be initialized (completely cleared), since you can re-record the key yourself and for free, without contacting a certification center.