Good afternoon! For the last two days I have been working on an interesting task: there is a physical or virtual server with the well-known CryptoPRO installed, and a JaCarta token connected to it that is used to sign documents in the VTB24 DBO system. Locally, on Windows 10, everything works, but on Windows Server 2016 and 2012 R2 CryptoPRO does not see the JaCarta key. Let's figure out what the problem is and how to fix it.
Description of the environment
There is a virtual machine on VMware ESXi 6.5 with Windows Server 2012 R2 as the operating system. The server runs CryptoPRO 4.0.9944, the latest version at the moment. A JaCarta key is connected from a network USB hub using USB over IP. The system sees the key, but CryptoPRO does not.
Algorithm for solving problems with JaCarta
CryptoPRO very often causes various errors in Windows; a simple example is "Windows Installer service could not be accessed". This is how it looks when the CryptoPRO utility does not see the certificate in the container.
As you can see in the UTN Manager utility, the key is connected and the system shows it under smart cards as a Microsoft Usbccid (WUDF) device, but CryptoPRO does not detect this container, so you cannot install the certificate. I connected the token locally as well, and everything was the same. I began to think about what to do.
Possible causes of the container not being detected
- Firstly, a driver issue: in Windows Server 2012 R2, for example, JaCarta should ideally appear in the smart card list as JaCarta Usbccid Smartcard, not as Microsoft Usbccid (WUDF).
- Secondly, even if the device is seen as Microsoft Usbccid (WUDF), the driver version may be outdated, which is why your utilities do not detect the protected USB drive.
- An outdated version of CryptoPRO.
How to solve the problem that the cryptopro does not see the USB key?
We created a new virtual machine and installed the software in sequence.
Before installing any software that works with USB media containing certificates and private keys, you MUST disconnect the token: if it is plugged in locally, unplug it; if it is connected over the network, break the session.
- First of all, update the operating system with all available updates, as Microsoft fixes many errors and bugs, including in drivers.
- Second, in the case of a physical server, install the latest drivers for the motherboard and all peripheral equipment.
- Next, install the JaCarta Unified Client.
- Install the latest version of CryptoPRO.
Installing the JaCarta Unified Client (PKI)
The JaCarta Unified Client is a special utility from Aladdin for working correctly with JaCarta tokens. You can download the latest version from the official website, or from my cloud if the manufacturer's website does not work out.
Next, unpack the resulting archive and run the installer for your Windows architecture; mine is 64-bit. Let's start installing the JaCarta driver. The JaCarta Unified Client is very easy to install (REMINDER: your token must be disconnected at the time of installation). On the first window of the installation wizard, just click Next.
Accept the license agreement and click "Next"
In order for JaCarta token drivers to work correctly for you, it is enough to perform a standard installation.
If you choose "Custom installation", then be sure to check the boxes:
- Drivers
- Support modules
- Support module for CryptoPRO
After a couple of seconds, the Jacarta Unified Client is successfully installed.
Be sure to restart the server or computer so that the system sees the latest drivers.
After installing JaCarta PKI, you need to install CryptoPRO, for this go to the official website.
https://www.cryptopro.ru/downloads
At the moment, the latest version of CryptoPro CSP is 4.0.9944. Run the installer, check "Install root certificates" and click "Install (Recommended)"
The CryptoPRO installation runs in the background, after which you will see a prompt to restart the browser, but I advise a full reboot.
After the reboot, connect your JaCarta USB token. I have a network connection from a DIGI device, via . In the Anywhere View client my JaCarta USB drive is detected successfully, but as Microsoft Usbccid (WUDF); ideally it should be detected as JaCarta Usbccid Smartcard. Check anyway, since it can work as is.
When I opened the JaCarta PKI Unified Client utility, the connected token was not found, which means something is wrong with the drivers.
Microsoft Usbccid (WUDF) is a standard Microsoft driver that is installed by default for various tokens; sometimes everything works with it, but not always. Windows installs it by default according to its own architecture and settings, and I personally do not need that right now. What we need to do is uninstall the Microsoft Usbccid (WUDF) driver and install the drivers for the JaCarta media.
Open Windows Device Manager, find "Smart card readers", click Microsoft Usbccid (WUDF) and select "Properties". On the Driver tab, click Uninstall.
Agree to remove the Microsoft Usbccid (WUDF) driver.
You will be notified that for the changes to take effect, you need to restart the system, be sure to agree.
After the system reboots, you will see the ARDS JaCarta device and its drivers being installed.
Open Device Manager; your device should now be identified as JaCarta Usbccid Smartcard, and if you open its properties you will see that the JaCarta smart card now uses driver version 6.1.7601 from Aladdin R.D. ZAO, as it should.
If you open the JaCarta Unified Client, you will see your electronic signature, which means the smart card has been correctly identified.
We open CryptoPRO and see that it still does not see the certificate in the container, although all the drivers are now detected as needed. There is one more peculiarity.
- In an RDP session you will not see your token, only locally; this is how the token works, or I did not find how to fix it. You can try the suggestions below for resolving the error "Unable to connect to the smart card management service".
- You need to uncheck one checkbox in CryptoPRO.
You MUST uncheck "Do not use outdated cipher suites" and reboot.
After these manipulations CryptoPRO saw my certificate, the JaCarta smart card started working, and you can sign documents.
You can also see your JaCarta device in Devices and Printers.
If, like me, you have the JaCarta token attached to a virtual machine, you will have to install the certificate through the virtual machine's console and grant rights to it to the responsible person. If it is a physical server, you will have to grant rights to the management port, which also provides a virtual console.
When you have installed all the drivers for Jacarta tokens, you may see the following error message when connecting via RDP and opening the Jacarta PKI Unified Client utility:
- The smart card service is not running on the local machine. The RDP session architecture designed by Microsoft does not provide for using key media connected to the remote computer; instead, inside an RDP session the remote computer uses the local computer's smart card service. It follows that starting the smart card service inside the RDP session is not enough for normal operation.
- The smart card management service on the local computer is running, but is not available to the program inside the RDP session because of Windows and/or RDP client settings.
How to fix the "Unable to connect to smart card management service" error
- Start the smart card service on the local machine from which you initiate the remote access session, and set it to start automatically when the computer starts.
- Allow the use of local devices and resources during the remote session (in particular, smart cards). To do this, in the "Remote Desktop Connection" dialog open the "Local Resources" tab, then in the "Local devices and resources" group click the "Details..." button, select "Smart cards" in the dialog that opens, click "OK", then "Connect".
- Make sure the RDP connection settings are saved. By default they are saved in the Default.rdp file in the "My Documents" directory. Make sure this file contains the line "redirectsmartcards:i:1".
- Make sure that the following group policy is not enabled on the remote computer you are connecting to via RDP: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow smart card reader redirection. If it is Enabled, disable it and restart the computer.
- If you have Windows 7 SP1 or Windows Server 2008 R2 SP1 and use RDC 8.1 to connect to computers running Windows 8 and above, install the operating system update https://support.microsoft.com/en-us/kb/2913751
That was the troubleshooting for setting up a JaCarta token and CryptoPRO on a terminal server for signing documents in VTB24 DBO. If you have comments or corrections, write them in the comments.
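The checks above can be scripted. The following PowerShell script is an added example, not part of the original post: it reports which driver each smart card reader is bound to (the Microsoft Usbccid (WUDF) versus vendor driver problem described earlier), the state of the smart card service, the redirectsmartcards line in Default.rdp, and the redirection group policy. It assumes Windows PowerShell 3.0 or later, and that the policy is backed by the registry value fEnableSmartCard under the Terminal Services policy key (my assumption, not stated on the page); run it on the RDP client for the client-side checks and on the session host for the policy and driver checks.

```powershell
# Read-only diagnostics for the two failure modes described in this post:
# (1) the reader bound to the generic Microsoft Usbccid (WUDF) driver instead
#     of the vendor driver, and (2) smart card redirection missing in RDP.
# Assumptions (not from the post): Windows PowerShell 3.0 or later; the policy
# "Do not allow smart card reader redirection" is stored in the registry value
# fEnableSmartCard under the Terminal Services policy key (0 = policy Enabled).

function Test-SmartCardReaderDriver {
    # Run on the machine the token is attached to. The post expects the JaCarta
    # reader to report an Aladdin driver, not a Microsoft one.
    $readers = Get-CimInstance Win32_PnPSignedDriver |
               Where-Object { $_.DeviceClass -eq 'SmartCardReader' }
    if (-not $readers) { Write-Warning 'No smart card reader is visible to Windows.'; return }
    foreach ($r in $readers) {
        $state = if ($r.DriverProviderName -match 'Microsoft') {
            'GENERIC driver: uninstall it in Device Manager and reboot'
        } else { 'vendor driver' }
        '{0} | {1} {2} | {3}' -f $r.DeviceName, $r.DriverProviderName, $r.DriverVersion, $state
    }
}

function Test-SmartCardService {
    # SCardSvr must run, with automatic start, on the machine that physically
    # holds the token (the RDP client side in the post's scenario).
    $svc = Get-CimInstance Win32_Service -Filter "Name='SCardSvr'"
    if ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto') {
        'SCardSvr: Running / Automatic'
    } else {
        Write-Warning ('SCardSvr is {0} / {1}; set it to Automatic and start it' -f $svc.State, $svc.StartMode)
    }
}

function Test-RdpSmartCardRedirect {
    # RDP client side: the saved Default.rdp must contain redirectsmartcards:i:1.
    $rdp = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
    if (-not (Test-Path $rdp)) { Write-Warning "$rdp not found; save the connection settings first"; return }
    $line = Get-Content $rdp | Where-Object { $_ -match '^redirectsmartcards:i:' } | Select-Object -First 1
    if ($line -eq 'redirectsmartcards:i:1') { 'Default.rdp: smart card redirection enabled' }
    else { Write-Warning "Default.rdp: expected 'redirectsmartcards:i:1', found '$line'" }
}

function Test-RdpSmartCardPolicy {
    # Session host side: the group policy from the post, when Enabled, blocks
    # smart card redirection regardless of the client settings.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $val = (Get-ItemProperty -Path $key -Name fEnableSmartCard -ErrorAction SilentlyContinue).fEnableSmartCard
    if ($null -eq $val) { 'Smart card redirection policy: not configured (redirection allowed)' }
    elseif ($val -eq 0) { Write-Warning 'Policy "Do not allow smart card reader redirection" is Enabled: disable it and reboot' }
    else { 'Smart card redirection policy: explicitly allowed' }
}

Test-SmartCardReaderDriver
Test-SmartCardService
Test-RdpSmartCardRedirect
Test-RdpSmartCardPolicy
```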
The JaCarta PKI/GOST token gets locked after several attempts to enter a wrong PIN code. In this case the connection with the FSRAR server is lost and invoice data stops arriving in your accounting system. How do you quickly unlock the key and restore work with EGAIS?
By default, all new tokens have the following PIN codes:
Application | Default PIN |
PKI (user) | 11111111 |
PKI administrator | 00000000 |
GOST (user) | 0987654321 |
GOST administrator | 1234567890 |
To unlock the token, the JaCarta Unified Client program must be installed. If EGAIS was set up and installed by our specialists, you already have this program.
Run the program and wait until information about the JaCarta PKI/GOST token appears in the Unified Client window.
Unblock GOST
The GOST section contains a QEP certificate issued by a certification authority. Be careful: do not delete any components from this section. After deletion you will have to apply to the certification authority again to issue the key.
To unlock the GOST PIN code, in the top menu "Application operations" select the first item, "Unlock user PIN code". A notification will appear that unlocking resets the counter of incorrect entry attempts.
Click "OK" and in the window that opens enter the JaCarta GOST administrator PIN code, 1234567890. After the error counter is reset, enter the standard GOST user PIN code, 0987654321.
Important: this procedure only resets the counter; it does not change a forgotten password to a new one. If you changed the default GOST password and forgot it, you will have to initialize and re-issue the key at the certification center.
Unblock PKI
The PKI container contains an RSA key, which is generated in your account on the egais.ru website. If the PIN code is lost, this section can be initialized (completely cleared), since you can re-issue the key yourself for free, without contacting a certification authority.
All functions in the implementation of the PKCS#11 standard return error codes, which fall into two large groups:
- standard error codes, defined by the PKCS#11 standard;
- special error codes (manufacturer-defined), which can be returned both by standard functions and by functions of the PKCS#11 extension.
Standard error codes
Because of the peculiarities of the rtPKCS11 and rtPKCS11ECP implementation, some standard functions can return a standard PKCS#11 error code that is not in the list of valid codes for that function. This situation is an exception. The standard error codes that each function returns in exceptional situations are listed separately in the description of that function.
Table 2.29 lists the standard PKCS#11 error codes supported by Rutoken devices, with their descriptions. Detailed information on each error code can be found in the standard (English) or in the appendix (Russian).
Table 2.29. Standard error codes
Error code | Description |
CKR_ARGUMENTS_BAD | Invalid argument |
CKR_ATTRIBUTE_READ_ONLY | Unable to set or change attribute value by application |
CKR_ATTRIBUTE_SENSITIVE | Attribute not readable |
CKR_ATTRIBUTE_TYPE_INVALID | Incorrect attribute type |
CKR_ATTRIBUTE_VALUE_INVALID | Incorrect attribute value |
CKR_BUFFER_TOO_SMALL | The size of the specified buffer is insufficient to display the results of the function execution |
CKR_CANT_LOCK | The library does not support the type of locking requested to protect threads; returned only by C_Initialize |
CKR_CRYPTOKI_ALREADY_INITIALIZED | The library has already been initialized (the previous function call C_Initialize was not followed by a corresponding function call C_Finalize); returned only when the function is called C_Initialize |
CKR_CRYPTOKI_NOT_INITIALIZED | The function cannot be executed because the library has not been initialized; is returned only when any function is called, except C_Initialize And C_Finalize |
CKR_DATA_INVALID | Incorrect input data for performing a cryptographic operation |
CKR_DATA_LEN_RANGE | The input data is not the correct size to perform a cryptographic operation |
CKR_DEVICE_ERROR | Error when accessing token or slot |
CKR_DEVICE_MEMORY | Not enough token memory to perform the requested function |
CKR_DEVICE_REMOVED | The token was removed from the slot while the function was executing |
CKR_DOMAIN_PARAMS_INVALID | Incorrect or unsupported domain parameters passed to function |
CKR_ENCRYPTED_DATA_INVALID | Incorrectly encrypted data was sent for the decryption operation |
CKR_ENCRYPTED_DATA_LEN_RANGE | Encrypted data of incorrect size passed for decryption operation |
CKR_FUNCTION_CANCELED | The function was interrupted |
CKR_FUNCTION_FAILED | An error occurred while executing a function |
CKR_FUNCTION_NOT_SUPPORTED | The requested function is not supported by the library |
CKR_FUNCTION_REJECTED | The signing request was rejected by the user |
CKR_GENERAL_ERROR | Critical hardware related error |
CKR_HOST_MEMORY | There is not enough memory to execute the function on the workstation where the library is installed |
CKR_KEY_FUNCTION_NOT_PERMITTED | Key attributes do not allow operation |
CKR_KEY_HANDLE_INVALID | An invalid key identifier (handle) was passed to the function |
CKR_KEY_NOT_WRAPPABLE | Unable to encrypt key |
CKR_KEY_SIZE_RANGE | Invalid key size |
CKR_KEY_TYPE_INCONSISTENT | Key type does not match this mechanism |
CKR_KEY_UNEXTRACTABLE | The key cannot be encrypted because the CKA_UNEXTRACTABLE attribute is set to CK_TRUE |
CKR_MECHANISM_INVALID | Incorrect mechanism specified to perform a cryptographic operation |
CKR_MECHANISM_PARAM_INVALID | Incorrect engine parameters specified to perform a cryptographic operation |
CKR_NEED_TO_CREATE_THREADS | The program does not support internal operating system methods for creating new threads |
CKR_OBJECT_HANDLE_INVALID | Incorrect object identifier (handle) passed to function |
CKR_OPERATION_ACTIVE | The operation cannot be performed because the operation is already in progress |
CKR_OPERATION_NOT_INITIALIZED | Unable to perform operation in this session |
CKR_PIN_EXPIRED | PIN expired |
CKR_PIN_INCORRECT | The PIN code passed to the function does not match the one stored on the token |
CKR_PIN_INVALID | PIN value contains invalid characters |
CKR_PIN_LEN_RANGE | Invalid PIN length |
CKR_RANDOM_NO_RNG | This token does not support random number generation |
CKR_SESSION_CLOSED | The session was closed while the function was executing |
CKR_SESSION_COUNT | The maximum number of open sessions for this token has been reached |
CKR_SESSION_EXISTS | The session with the token is already open and therefore the token cannot be initialized |
CKR_SESSION_HANDLE_INVALID | Invalid session ID (handle) passed to function |
CKR_SESSION_PARALLEL_NOT_SUPPORTED | This token does not support parallel sessions |
CKR_SESSION_READ_ONLY | Unable to perform action because it is an R/O session |
CKR_SESSION_READ_WRITE_SO_EXISTS | An R/W session is already open, so it is not possible to open an R/O session |
CKR_SIGNATURE_INVALID | Invalid EDS value |
CKR_SIGNATURE_LEN_RANGE | EDS value is incorrect in length |
CKR_SLOT_ID_INVALID | Slot with given ID does not exist |
CKR_TEMPLATE_INCOMPLETE | Not enough attributes to create an object |
CKR_TEMPLATE_INCONSISTENT | The given attributes contradict each other |
CKR_TOKEN_NOT_PRESENT | Token not in slot during function call |
CKR_UNWRAPPING_KEY_HANDLE_INVALID | An incorrect identifier (handle) of the decryption key was passed to the function |
CKR_UNWRAPPING_KEY_SIZE_RANGE | Invalid decryption key size |
CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT | Decryption key type does not match this mechanism |
CKR_USER_ALREADY_LOGGED_IN | The user is already logged in to the token |
CKR_USER_ANOTHER_ALREADY_LOGGED_IN | Another user is already logged in, so this user cannot log in |
CKR_USER_NOT_LOGGED_IN | The requested action cannot be performed unless the user is logged in |
CKR_USER_PIN_NOT_INITIALIZED | User PIN not initialized |
CKR_USER_TOO_MANY_TYPES | An attempt was made to have more distinct user types logged in simultaneously than the token or library permits |
CKR_USER_TYPE_INVALID | Invalid user type specified |
CKR_WRAPPED_KEY_INVALID | Invalid encrypted key specified |
CKR_WRAPPED_KEY_LEN_RANGE | Encrypted key length specified incorrectly |
CKR_WRAPPING_KEY_HANDLE_INVALID | An incorrect identifier (handle) of the encryption key was passed to the function |
CKR_WRAPPING_KEY_SIZE_RANGE | Invalid encryption key size |
CKR_WRAPPING_KEY_TYPE_INCONSISTENT | Encryption key type does not match this mechanism |
Special error codes
Table 2.30 lists all PKCS#11 extended error codes along with their descriptions. Extended error codes can be returned both by standard functions and by extension functions.
Table 2.30. Special (extended) PKCS#11 error codes supported by Rutoken devices
Error code | Description |
CKR_CORRUPTED_MAPFILE | This error is returned when the MAP file is corrupted (when reading the MAP file, the MAP file header tag (2 bytes) was found to be invalid) |
CKR_RTPKCS11_DATA_CORRUPTED | This error is returned if a data integrity violation was detected on the token (when reading a file containing a PKCS#11 object, the object's header tag (2 bytes) was found to be invalid) |
CKR_WRONG_VERSION_FIELD | This error is returned if the file containing the PKCS#11 object has an invalid version (when reading any file (MAP file or file containing the PKCS#11 object), the header version (4 bytes) was found to be invalid) |
CKR_WRONG_PKCS1_ENCODING | This error is returned if the decrypted message is not in the correct form. |
CKR_RTPKCS11_RSF_DATA_CORRUPTED | This error is returned if an attempt to use the RSF file fails. |
Description of the problem. To work with EGAIS, a JaCarta PKI/GOST/SE token is used. Often one of its partitions, the PKI partition, gets locked. In this case further work with EGAIS is impossible.
The reason for the lock is frequent access to the JaCarta token by the universal transport module. After ten unsuccessful authorization attempts, the token locks the partition and prevents further work.
There are two ways to solve the problem:
- Contact the certification authority that issued the media.
- Unlock the JaCarta media on your own according to the instructions.
The instructions use Microsoft Windows 10 as the example.
Step-by-step instructions on how to unlock the PKI partition
Step 1: Switching to administration mode
From the Start menu, find the JaCarta Unified Client app and open it.
Fig. 1. JaCarta Unified Client
The program's workspace will open.
Fig. 2. Switching to administration mode
If the PKI partition is locked, the PKI tab will be red.
Fig. 3. Information about the token
Step 2: Checking the PKI lock on the partition
To confirm that the PKI partition is really locked, click the "Full information..." link on the "Token information" tab.
The "Detailed information about the token" window will open. In it, find the "PKI Application Information" section. If the status in the "PIN code" line is "Blocked", close the window and proceed to the next step.
Fig. 4. Detailed information about the token
Step 3: Unlocking the PKI partition
Go to the "PKI" tab. In the Application Actions panel, select the Unlock User PIN... option.
The "User PIN Unlock" window will open, in which you can specify:
- The current administrator PIN is 00000000 by default;
- The new user PIN is 11111111 by default;
- Confirmation of the code (meaning the user's PIN code).
Fig. 6. User PIN Unlock
After specifying the PIN codes, click "Run".
If everything is entered correctly, a notification will appear. Click "OK" to complete.
Fig. 7. Notification of successful unlock
Go to the "Token Information" tab and click on the "Full Information" link to check the current status of the PKI application. The status should be "Installed".
Fig. 8. Status check
If the status has changed, the unlock is complete.