My Oracle Support Banner

Kcfd / Crypto certificate files are missing in NGZ after patching (Doc ID 1634157.1)

Last updated on APRIL 24, 2020

Applies to:

Solaris Operating System - Version 10 5/09 U7 and later
Information in this document applies to any platform.

Goal

After patching in global zone, customer observered the error message below in non-global zone:

Feb 21 11:34:57  kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corpora
tion, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:34:57  java[18697]: [ID 978904 user.error] libpkcs11: /usr/lib/security/pkcs11_kernel.so unexpected fa
ilure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:34:57  kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corpora
tion, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:34:57  java[18697]: [ID 360237 user.error] libpkcs11: /usr/lib/security/pkcs11_softtoken.so unexpected
failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:52:05  kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corpora
tion, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:52:05  java[28927]: [ID 978904 user.error] libpkcs11: /usr/lib/security/pkcs11_kernel.so unexpected fa
ilure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:52:05  kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corpora
tion, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:52:05  java[28927]: [ID 360237 user.error] libpkcs11: /usr/lib/security/pkcs11_softtoken.so unexpected
failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in

You will also see messages like this


May  5 08:44:25 kcfd[1111]: [ID 543274 user.error] kcfd: unable to open certificate file /etc/crypto/certs/SolarisCA: No such file or directory
May  5 08:44:25 zonename1  last message repeated 91 times" zonename1  last message repeated 91 times"

 

These messages indicate the kcfd daemon running inside the non-global zone is unable to find the required Solaris certificates.

These missing certificates are part of the SUNWcsr (core Solaris root) package and are therefore mandatory and always there. The files itself
are in /etc/certs/ and /etc/crypto/certs/. So it means one of these directories is not completely installed inside the non-global zone. 

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
Goal
Solution


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.