provisioner_debug - nsacyber/HIRS GitHub Wiki

Several issues can arise in the hirs-provisioner application while running 'sudo tpm_provision -p'. HIRS prints the error message to the command line and also logs it in the provisioner log file (/var/log/hirs/provisioner/HIRS_Provisioner.log).

Error/Debug procedures

  1. Error connect context 12305
  2. Cannot download Truststore
  3. Handshake failure

Error Connect Context 12305 (TPM 1.2 devices only)

Background: The HIRS Provisioner communicates with the TPM via the tcsd service (the TrouSerS TCS daemon). tcsd needs the TPM to be enabled and activated in the BIOS/UEFI before it can communicate with the TPM.

Provisioner Error Output: Exception in thread "main" hirs.tpm.tss.command.CommandException: Encountered Error Connect Context 12305

Error code 12305 is 0x3011, which the TSS specification defines as TSS_E_COMM_FAILURE at the TSP layer: the TSS library used by the provisioner could not open a connection to tcsd.

Solution: Check that tcsd is running. The Linux tcsd service (which runs the TPM's Trusted Software Stack) must be running in order to communicate with the TPM. To check that the tcsd service is running:

  • Centos 6: service tcsd status
  • Centos 7: systemctl status tcsd

Check from a command line that the TPM was enabled and activated in the BIOS/UEFI (each file reads 1 if the BIOS/UEFI setting is set; 0 means the TPM must be enabled/activated in the BIOS/UEFI setup):

  • Centos 6:
    • cat /sys/class/misc/tpm0/device/enabled
    • cat /sys/class/misc/tpm0/device/active
  • Centos 7:
    • cat /sys/class/tpm/tpm0/device/enabled
    • cat /sys/class/tpm/tpm0/device/active

Check that the PCR values can be read:

  • Centos 7: cat /sys/class/tpm/tpm0/device/pcrs (should display a list of 24 PCR values, PCR-00 through PCR-23)

Check that the tpm_module package has been installed:

  • sudo yum list installed | grep tpm_module
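As an added example (not part of the HIRS wiki or the HIRS code), the following POSIX shell script bundles the tcsd, enabled/active and PCR checks above into one pre-flight run. It assumes the sysfs paths listed above (CentOS 7 layout first, CentOS 6 layout second) and takes the sysfs root as an argument so it can also be pointed at the constructed tree built by make_fake_sysfs; the PCR values in that tree are made up.

```shell
#!/bin/sh
# Pre-flight checks for the "Error Connect Context 12305" case on a TPM 1.2 host.
# Added example, not HIRS code. Each check takes the sysfs root as an argument
# (default /sys) so the same functions can be run against a constructed tree.

# Returns 0 if tcsd is active; tries systemd (CentOS 7) first, then SysV (CentOS 6).
tcsd_running() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet tcsd
    else
        service tcsd status >/dev/null 2>&1
    fi
}

# Prints the tpm0 device directory: CentOS 7 layout first, then CentOS 6.
# Fails if neither exists (no TPM driver loaded, or TPM disabled in firmware).
tpm_device_dir() {
    sysroot="${1:-/sys}"
    for d in "$sysroot/class/tpm/tpm0/device" "$sysroot/class/misc/tpm0/device"; do
        if [ -d "$d" ]; then echo "$d"; return 0; fi
    done
    return 1
}

# Reads a one-value sysfs attribute with whitespace stripped; prints nothing if unreadable.
read_attr() {
    [ -r "$1" ] && tr -d '[:space:]' < "$1"
}

# Returns 0 when the BIOS/UEFI has both enabled and activated the TPM (both attributes read 1).
tpm_enabled_active() {
    dev="$(tpm_device_dir "$1")" || return 1
    [ "$(read_attr "$dev/enabled")" = "1" ] && [ "$(read_attr "$dev/active")" = "1" ]
}

# Prints the number of "PCR-NN: ..." lines in the pcrs attribute.
# A healthy TPM 1.2 reports 24 (PCR-00 through PCR-23).
pcr_count() {
    dev="$(tpm_device_dir "$1")" || { echo 0; return 0; }
    if [ -r "$dev/pcrs" ]; then
        grep -c '^PCR-[0-9][0-9]: ' "$dev/pcrs" || true
    else
        echo 0
    fi
}

# Builds a constructed CentOS 7 style sysfs tree with made-up PCR values so the
# checks above can be exercised on a machine without a TPM.
make_fake_sysfs() {   # $1 root, $2 enabled value, $3 active value, $4 number of PCR lines
    fake="$1/class/tpm/tpm0/device"
    mkdir -p "$fake"
    echo "$2" > "$fake/enabled"
    echo "$3" > "$fake/active"
    : > "$fake/pcrs"
    i=0
    while [ "$i" -lt "$4" ]; do
        # 20 bytes per PCR (SHA-1), in the format the TPM 1.2 driver prints
        printf 'PCR-%02d: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13\n' "$i" >> "$fake/pcrs"
        i=$((i + 1))
    done
}

# Runs all checks against the given sysfs root (default /sys) and prints a verdict for each.
run_checks() {
    root="${1:-/sys}"
    if tcsd_running; then
        echo "tcsd: running"
    else
        echo "tcsd: NOT running -> start it (service tcsd start / systemctl start tcsd)"
    fi
    if tpm_enabled_active "$root"; then
        echo "TPM: enabled and active"
    else
        echo "TPM: not enabled/active -> enable and activate it in BIOS/UEFI setup"
    fi
    n="$(pcr_count "$root")"
    if [ "$n" -eq 24 ]; then
        echo "PCRs: 24 readable"
    else
        echo "PCRs: $n readable (expected 24)"
    fi
}

run_checks "$@"
```

Run it with no arguments on the provisioner host to check the live system; run it with the path of a tree built by make_fake_sysfs to see what each failure mode looks like before you need it.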

Cannot download Truststore

Background: The Provisioner needs the certificate of the AttestationCA to establish a TLS connection to it. It downloads a "Truststore" (TrustStore.jks) that contains that certificate for use with TLS. If the Truststore cannot be downloaded, provisioning cannot continue.

Provisioner Error Output: hirs install cannot download Truststore

Solution: If the hirs client fails the install command and outputs an error indicating that TrustStore.jks cannot be downloaded:

  • Ensure Tomcat is running on the HIRS server and that HIRS_PrivacyCA has been deployed (e.g. the HIRS_PrivacyCA directory exists under the Tomcat webapps directory and the files were expanded under it).
  • Check all firewalls, including host firewalls (e.g. iptables or firewalld), to see if the PrivacyCA port (8443) is being blocked.
    • Use traceroute, netcat, or another test to see whether the port is being blocked from a client, e.g. traceroute -p 8443 AttestationCAaddress. Note that traceroute sends UDP probes by default, so -p alone does not test TCP port 8443; nc -zv AttestationCAaddress 8443 (or traceroute -T -p 8443 AttestationCAaddress) checks the TCP port itself.
    • Or download the Truststore manually: wget https://AttestationCAaddress:port/HIRS_AttestationCA/client-files/TrustStore.jks --no-check-certificate --secure-protocol=TLSV1. The --no-check-certificate flag is acceptable here only because this is a connectivity test; inspect what you downloaded (keytool -list -keystore TrustStore.jks) before letting anything trust it.

Handshake failure

Background: HIRS uses server-side TLS to provide confidentiality during the TPM provisioning process. Handshake failures occur during TLS session setup, typically because the client and server cannot agree on a protocol version or cipher suite.

Provisioner Error Output (handshake_failure): Exception in thread "main" org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://hirserver.dod.mil:8443/HIRS_PrivacyCA/public-key":Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Solution: On older Java releases the default ("limited") JCE policy caps symmetric keys at 128 bits, so a server that offers only 256-bit cipher suites leaves the client with nothing to negotiate and the server replies with handshake_failure. Fix this by downloading the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files zip from Oracle for the Java version you are running, then copying the local_policy.jar and US_export_policy.jar it contains into <java home>/jre/lib/security/, replacing the existing ones. Java 8u161 and later ship with the unlimited policy enabled by default (crypto.policy=unlimited in lib/security/java.security), so this step applies only to older JREs; confirm which JRE the provisioner actually runs under before changing anything.
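As an added example (not HIRS code), the following shell script reports which JCE policy the provisioner's JRE is running under, so you can tell before provisioning whether the handshake_failure fix above is needed. It reads the crypto.policy property that java.security exposes from Java 8u151 onward and, for older JREs, the policy text inside local_policy.jar (CryptoAllPermission means unlimited). The make_fake_jre helper and the java.security fragment it writes are constructed for offline testing.

```shell
#!/bin/sh
# Report the JCE jurisdiction policy of a JRE. Added example, not HIRS code.
# jce_policy_state takes the JRE directory (the one containing lib/security).

# Prints one of: unlimited, limited, unknown
jce_policy_state() {
    sec="$1/lib/security"
    # Java 8u151+: an uncommented crypto.policy line in java.security is authoritative.
    if [ -r "$sec/java.security" ]; then
        prop="$(sed -n 's/^[[:space:]]*crypto\.policy[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$sec/java.security" | tail -n 1)"
        case "$prop" in
            unlimited|limited) echo "$prop"; return 0 ;;
        esac
    fi
    # Older JREs: the policy lives in local_policy.jar as default_local.policy.
    # The unlimited jar grants CryptoAllPermission; the limited jar grants
    # per-algorithm CryptoPermission entries (e.g. "*", 128).
    if [ -r "$sec/local_policy.jar" ] && command -v unzip >/dev/null 2>&1; then
        if unzip -p "$sec/local_policy.jar" default_local.policy 2>/dev/null | grep -q 'CryptoAllPermission'; then
            echo unlimited; return 0
        elif unzip -p "$sec/local_policy.jar" default_local.policy 2>/dev/null | grep -q 'CryptoPermission'; then
            echo limited; return 0
        fi
    fi
    echo unknown
}

# Builds a constructed JRE skeleton containing only a java.security fragment.
# $1 = directory, $2 = a line to append (e.g. 'crypto.policy=unlimited'), may be empty.
make_fake_jre() {
    mkdir -p "$1/lib/security"
    {
        echo '# constructed java.security fragment for the example'
        echo 'securerandom.source=file:/dev/random'
        if [ -n "$2" ]; then echo "$2"; fi
    } > "$1/lib/security/java.security"
}

# Locates the JRE behind the java binary on PATH (following symlinks) and reports its policy.
report_provisioner_jre() {
    java_bin="$(command -v java 2>/dev/null)" || { echo "java not found on PATH"; return 0; }
    jre="$(dirname "$(dirname "$(readlink -f "$java_bin")")")"
    state="$(jce_policy_state "$jre")"
    echo "JRE: $jre"
    echo "JCE policy: $state"
    case "$state" in
        limited) echo "-> install the Unlimited Strength JCE policy jars into $jre/lib/security/" ;;
        unknown) echo "-> could not determine the policy; inspect $jre/lib/security manually" ;;
    esac
}

report_provisioner_jre
```

If the provisioner is started with a JAVA_HOME that differs from the java on PATH, call jce_policy_state on that directory instead, since the policy that matters is the one in the JRE that actually runs the provisioner.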
