Last updated on AUGUST 17, 2016
Applies to:
Solaris SPARC Operating System - Version 10 5/09 U7 and laterInformation in this document applies to any platform.
Goal
After patching in global zone, customer observered the error message below in non-global zone:
Feb 21 11:34:57 kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corpora
tion, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:34:57 java[18697]: [ID 978904 user.error] libpkcs11: /usr/lib/security/pkcs11_kernel.so unexpected fa
ilure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:34:57 kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corpora
tion, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:34:57 java[18697]: [ID 360237 user.error] libpkcs11: /usr/lib/security/pkcs11_softtoken.so unexpected
failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:52:05 kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corpora
tion, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:52:05 java[28927]: [ID 978904 user.error] libpkcs11: /usr/lib/security/pkcs11_kernel.so unexpected fa
ilure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:52:05 kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corpora
tion, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:52:05 java[28927]: [ID 360237 user.error] libpkcs11: /usr/lib/security/pkcs11_softtoken.so unexpected
failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in
You will also see messages like this
May 5 08:44:25 kcfd[1111]: [ID 543274 user.error] kcfd: unable to open certificate file /etc/crypto/certs/SolarisCA: No such file or directory
May 5 08:44:25 zonename1 last message repeated 91 times" zonename1 last message repeated 91 times"
These messages indicate the kcfd daemon running inside the non-global zone is unable to find the required Solaris certificates.
These missing certificates are part of the SUNWcsr (core Solaris root) package and are therefore mandatory and always there. The files itself
are in /etc/certs/ and /etc/crypto/certs/. So it means one of these directories is not completely installed inside the non-global zone.
Solution
Sign In with your My Oracle Support account |
|
Don't have a My Oracle Support account? Click to get started |
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms