Kcfd / Crypto certificate files are missing in NGZ after patching (Doc ID 1634157.1)

Last updated on AUGUST 17, 2016

Applies to:

Solaris SPARC Operating System - Version 10 5/09 U7 and later
Information in this document applies to any platform.

Goal

After patching in the global zone, the customer observed the error messages below in a non-global zone:

Feb 21 11:34:57  kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:34:57  java[18697]: [ID 978904 user.error] libpkcs11: /usr/lib/security/pkcs11_kernel.so unexpected failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:34:57  kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:34:57  java[18697]: [ID 360237 user.error] libpkcs11: /usr/lib/security/pkcs11_softtoken.so unexpected failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:52:05  kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:52:05  java[28927]: [ID 978904 user.error] libpkcs11: /usr/lib/security/pkcs11_kernel.so unexpected failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:52:05  kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:52:05  java[28927]: [ID 360237 user.error] libpkcs11: /usr/lib/security/pkcs11_softtoken.so unexpected failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in

You will also see messages like this:

May  5 08:44:25 kcfd[1111]: [ID 543274 user.error] kcfd: unable to open certificate file /etc/crypto/certs/SolarisCA: No such file or directory
May  5 08:44:25 zonename1  last message repeated 91 times

These messages indicate the kcfd daemon running inside the non-global zone is unable to find the required Solaris certificates.

These missing certificates are part of the SUNWcsr (core Solaris root) package and are therefore mandatory and always there. The files themselves are in /etc/certs/ and /etc/crypto/certs/, so one of these directories is not completely installed inside the non-global zone.
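
A check for the condition described above, as an added example that is not part of the Oracle document: run from the global zone, it lists certificate files present under the global zone's /etc/certs and /etc/crypto/certs that are missing or empty under a non-global zone's root. The function name and the zone root path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: compare the certificate directories that kcfd reads
# between the global zone and a non-global zone root file system.
#
# Usage from the global zone (zone root path is a hypothetical example):
#   missing_certs / /zones/zonename1/root

# Directories named in the document, relative to a root file system.
CERT_DIRS="etc/certs etc/crypto/certs"

# missing_certs GLOBAL_ROOT ZONE_ROOT
# Prints one path (relative to the root) for every certificate file that
# exists under GLOBAL_ROOT but is absent or zero-length under ZONE_ROOT.
# Returns 0 when nothing is missing, 1 otherwise.
missing_certs() {
    global_root=$1
    zone_root=$2
    rc=0
    for dir in $CERT_DIRS; do
        # A whole directory missing in the zone is reported once.
        if [ ! -d "$zone_root/$dir" ]; then
            echo "$dir/ (directory missing)"
            rc=1
            continue
        fi
        # Nothing to compare against if the reference directory is absent.
        [ -d "$global_root/$dir" ] || continue
        for src in "$global_root/$dir"/*; do
            # Skip subdirectories and the unexpanded glob of an empty dir.
            [ -f "$src" ] || continue
            name=${src##*/}
            # -s is false for a missing file and for an empty one.
            if [ ! -s "$zone_root/$dir/$name" ]; then
                echo "$dir/$name"
                rc=1
            fi
        done
    done
    return $rc
}
```

A non-empty result names the files kcfd cannot open in that zone, matching the "unable to open certificate file" messages above.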

Solution
