000025424 - A key recovery session only reads 1 card out of a 2 of 3 OCS, then stops

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025424
Applies To: Keon Key Recovery Module 6.5
Sun Solaris 2.8
Microsoft Windows 2000
Issue: A key recovery session only reads 1 card out of a 2 of 3 OCS, then stops.
Cause: This is by design. Care should be taken when configuring a system to allow key recovery: the system has a number of checks built in to minimize the risk of accidental or single-operator misuse, and a session that presents the same KRO credential twice, or whose second operator arrives after the OCS timeout, will not be counted as a second card.
Resolution: Take the example of a 2 of 3 administrator system (any two key recovery administrators out of a set of three must be present). Normally you use two different PCs, with the user of each PC authenticating with a different KRO certificate (some browsers also allow two independent instances on one PC; see the scenarios below).

The first of your KRO operators goes to Screen #1, connects to the Web page (https://machine:444/xpkrs/recover.html), inserts their smartcard in the nCipher system and authenticates. Having done this, they get the initial KRO administrator screen.

At the second screen, where a second KRO vettor certificate has been requested and downloaded, a second person connects to the same Web page (https://machine:444/xpkrs/recover.html). They get a slightly different result: the actual screen needed to recover the specific key.

When the system is initially configured, a timeout for the OCS set is configured; the two KRO operators therefore need to have authenticated on their separate screens within that time interval, otherwise the first authentication no longer counts and the quorum is not reached.

You also need two distinct KRO certificates (keypairs). You cannot simply copy the PKCS#12 file of one KRO administrator keypair between two browsers: the system identifies each operator by the certificate presented during the SSL handshake and will recognize that the same keypair has been used, so the second connection is not counted as a second operator.

Some browser versions allow everything to be done on one physical PC, provided the system can recognize that the two browser applications are independent SSL sessions presenting different client certificates.

Scenario 1 - correct method:

- With Internet Explorer 6.0 on Windows 2000, you may launch two separate copies of IE and connect both to the KKRM Web page (xpkrs/recover.html), where two different KRO keypairs exist on the PC. As you connect with each browser session, ensure that a different KRO certificate is selected for each session.

Scenario 2 - incorrect method:

- If you launch one copy of Internet Explorer, connect to the Web page, and then use "File | New Window", the second window inherits the SSL credentials of the first. Both windows therefore connect with the same certificate, the server counts only one operator, and the recovery does not proceed.
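The quorum checks described above (k of n distinct KRO certificates, rejection of a reused keypair, and the OCS timeout window) can be modelled in a few lines. The following is an added illustrative example written for this article; it is not Keon KRM code and does not reproduce RSA's implementation. The class and method names, the screen names it returns, identifying a certificate by the SHA-256 of its DER bytes, and the placeholder "certificate" byte strings are all assumptions made for the example.

```python
"""Model of the k-of-n checks a key-recovery front end performs.

Added example, not Keon KRM code: names, return values and the way a
certificate is identified (SHA-256 of its DER bytes) are assumptions.
"""
import hashlib
from typing import Callable, Dict, List, Optional

# Constructed placeholders standing in for the DER-encoded KRO certificates;
# real certificates would be the client certs presented in the TLS handshake.
CERT_A = b"constructed-placeholder-DER-for-KRO-admin-1"
CERT_B = b"constructed-placeholder-DER-for-KRO-admin-2"
CERT_C = b"constructed-placeholder-DER-for-KRO-admin-3"


def fingerprint(cert_der: bytes) -> str:
    """Identify a client certificate by the SHA-256 of its DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


class QuorumError(Exception):
    """A presented certificate cannot be counted toward the quorum."""


class KeyRecoveryQuorum:
    """Counts distinct KRO certificates authenticated within the OCS timeout."""

    def __init__(self, kro_certs: List[bytes], required: int,
                 timeout_seconds: float, clock: Callable[[], float]):
        self.allowed = {fingerprint(c) for c in kro_certs}
        if len(self.allowed) != len(kro_certs):
            raise ValueError("KRO certificate set contains a duplicated keypair")
        if not 1 <= required <= len(self.allowed):
            raise ValueError("required must be between 1 and the number of KRO certs")
        self.required = required
        self.timeout = timeout_seconds
        self.clock = clock
        self._started: Optional[float] = None   # start of the current OCS window
        self._seen: Dict[str, float] = {}       # fingerprint -> time authenticated

    def _expire_if_needed(self) -> None:
        """Discard earlier authentications once the OCS timeout has elapsed."""
        if self._started is not None and self.clock() - self._started > self.timeout:
            self._started = None
            self._seen.clear()

    def present(self, client_cert_der: bytes) -> str:
        """Record one authenticated TLS session and return the screen it gets.

        'initial' - counted, but more operators are still needed
        'recover' - quorum met, this session gets the key-recovery screen
        """
        self._expire_if_needed()
        fp = fingerprint(client_cert_der)
        if fp not in self.allowed:
            raise QuorumError("certificate is not a configured KRO certificate")
        if fp in self._seen:
            # Scenario 2 above: a window that inherits the first session's SSL
            # credentials presents the same certificate a second time.
            raise QuorumError("this KRO keypair has already been used in this session")
        now = self.clock()
        if self._started is None:
            self._started = now
        self._seen[fp] = now
        return "recover" if len(self._seen) >= self.required else "initial"

    def distinct_operators(self) -> int:
        """Number of distinct KRO certificates counted in the current window."""
        self._expire_if_needed()
        return len(self._seen)


def demo() -> List[str]:
    """Walk the correct and incorrect scenarios; returns what each session saw."""
    clock = [0.0]   # fake clock so the timeout is deterministic
    q = KeyRecoveryQuorum([CERT_A, CERT_B, CERT_C], required=2,
                          timeout_seconds=300.0, clock=lambda: clock[0])
    out = [q.present(CERT_A)]          # first operator: initial admin screen
    try:
        q.present(CERT_A)              # same keypair again ("File | New Window")
    except QuorumError as e:
        out.append("rejected: " + str(e))
    clock[0] = 60.0
    out.append(q.present(CERT_B))      # second distinct operator within timeout
    return out


if __name__ == "__main__":
    print(demo())
```

The model deliberately starts a fresh window when the first authentication has expired: a second operator who arrives after the timeout becomes the new first operator and sees the initial screen, which is the behaviour the article describes when the two KRO administrators do not authenticate within the configured interval.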
Legacy Article ID: a16399