Issues On T3-1 System Using SCF With DSEE 6.3.1 (Doc ID 1458852.1)

Last updated on SEPTEMBER 16, 2016

Applies to:

Oracle Directory Server Enterprise Edition - Version 6.3.1 SP1 DPS6.3.1.1 and later
Information in this document applies to any platform.

Symptoms

T5220 with DS 6.3.1_JJ_6712614 and ciphers RSA offloaded to SCF/ncp0 (*) and ciphers RC2:RC4:RC5:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES offloaded to SCF/n2cp (*) works fine, e.g.
dsconf and ldapsearch -Z comes back with expected results


T3-1 with DS 6.3.1_JJ_6712614 and ciphers RSA offloaded to SCF/ncp0 and ciphers RC2:RC4:RC5:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES offloaded to SCF/n2cp doesn't work, e.g. dsconf and ldapsearch -Z doesn't work.

The following message appears when the not working configuration is active:
------------------------------------------------------------------------------------------------
bash-3.00# /opt/SUNWdsee/ds6/bin/dsconf info
Unable to bind securely on "localhost:389".
"localhost:389" and "dsconf" could not negotiate the desired level of security.
Details: Received fatal alert: decrypt_error
The "info" operation failed on "localhost:389".

 

*Core problem*:

If only ciphers RSA offloaded to SCF/ncp0 and RC4:SSL:TLS:AES are offloaded to SCF/n2cp then dsconf and ldapsearch -Z work.
So, the key question is: What is the difference between RC2:RC5:DES:DH:SHA1:MD5:MD2 within SCF on T3-1 and SCF on T5220 ?

 

(*) Notes.-

SCF = Sun Crypto Framework

ncp are drivers for the cryptographic accelerator.  For example, the Sun Crypto Accelerator 6000 board (mca), the ncp driver for the cryptographic accelerator on the UltraSPARC T1 and T2 processors (ncp), and the n2cp driver for the UltraSPARC T2 processors (n2cp) plug hardware mechanisms into the framework. For more information see: http://docs.oracle.com/cd/E19253-01/816-4557/scftask-13/index.html

 

For more info about Sparc T3 and T5220 Systems read:

http://www.oracle.com/us/corporate/press/173536

http://docs.oracle.com/cd/E20689_01/index.html

https://blogs.oracle.com/deniss/entry/t5120_and_t5220_system_overview

Changes

 

*Cause
Explain what caused the issue.
This due to bug 7129244 - SSL connections fail with SSL alert number 40 when CKM_SHA_1, CKM_MD5 are offloaded to n2cp on T3 HW
 

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms