ODSEE - Issues On T3-1 System Using SCF
(Doc ID 1458852.1)
Last updated on APRIL 18, 2022
Applies to:
Oracle Directory Server Enterprise Edition - Version 6.3.1 SP1 DPS6.3.1.1 and laterInformation in this document applies to any platform.
Symptoms
T5220 with DS 6.3.1_JJ_6712614 and ciphers RSA offloaded to SCF/ncp0 (*) and ciphers RC2:RC4:RC5:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES offloaded to SCF/n2cp (*) works fine, e.g.
dsconf and ldapsearch -Z comes back with expected results
T3-1 with DS 6.3.1_JJ_6712614 and ciphers RSA offloaded to SCF/ncp0 and ciphers RC2:RC4:RC5:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES offloaded to SCF/n2cp doesn't work, e.g. dsconf and ldapsearch -Z do not work.
The following message appears when the not working configuration is active:
------------------------------------------------------------------------------------------------
# /<DS_INSTALL_PATH>/ds6/bin/dsconf info
Unable to bind securely on "<HOSTNAME>:<PORT>".
"<HOSTNAME>:<PORT>" and "dsconf" could not negotiate the desired level of security.
Details: Received fatal alert: decrypt_error
The "info" operation failed on "<HOSTNAME>:<PORT>".
*Core problem*:
If only ciphers RSA offloaded to SCF/ncp0 and RC4:SSL:TLS:AES are offloaded to SCF/n2cp then dsconf and ldapsearch -Z work.
So, the key question is: What is the difference between RC2:RC5:DES:DH:SHA1:MD5:MD2 within SCF on T3-1 and SCF on T5220 ?
(*) Notes.-
SCF = Sun Crypto Framework
ncp are drivers for the cryptographic accelerator. For example, the Sun Crypto Accelerator 6000 board (mca), the ncp driver for the cryptographic accelerator on the UltraSPARC T1 and T2 processors (ncp), and the n2cp driver for the UltraSPARC T2 processors (n2cp) plug hardware mechanisms into the framework.
For more information reference:
How to List Hardware Providers
For more info about Sparc T3 and T5220 Systems read:
http://docs.oracle.com/cd/E20689_01/index.html
Changes
*Cause
Explain what caused the issue.
This due to bug 7129244 - SSL connections fail with SSL alert number 40 when CKM_SHA_1, CKM_MD5 are offloaded to n2cp on T3 HW
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Changes |
| Cause |
| Solution |