Kcfd / Crypto certificate files are missing in NGZ after patching
(Doc ID 1634157.1)
Last updated on APRIL 24, 2020
Applies to:
Solaris Operating System - Version 10 5/09 U7 and later
Information in this document applies to any platform.
Goal
After patching in the global zone, the customer observed the error messages below in a non-global zone:
Feb 21 11:34:57 kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:34:57 java[18697]: [ID 978904 user.error] libpkcs11: /usr/lib/security/pkcs11_kernel.so unexpected failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:34:57 kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:34:57 java[18697]: [ID 360237 user.error] libpkcs11: /usr/lib/security/pkcs11_softtoken.so unexpected failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:52:05 kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:52:05 java[28927]: [ID 978904 user.error] libpkcs11: /usr/lib/security/pkcs11_kernel.so unexpected failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in.
Feb 21 11:52:05 kcfd[10790]: [ID 991991 user.error] kcfd: unable to find a certificate for DN: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Cryptographic Framework, CN=Solaris 10
Feb 21 11:52:05 java[28927]: [ID 360237 user.error] libpkcs11: /usr/lib/security/pkcs11_softtoken.so unexpected failure in ELF signature verification. See cryptoadm(1M). Skipping this plug-in
You will also see messages like this:
May 5 08:44:25 kcfd[1111]: [ID 543274 user.error] kcfd: unable to open certificate file /etc/crypto/certs/SolarisCA: No such file or directory
May 5 08:44:25 zonename1 last message repeated 91 times
These messages indicate the kcfd daemon running inside the non-global zone is unable to find the required Solaris certificates.
These missing certificates are part of the SUNWcsr (core Solaris root) package and are therefore mandatory and always there. The files themselves are in /etc/certs/ and /etc/crypto/certs/, so the messages mean that one of these directories is not completely installed inside the non-global zone.
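One way to triage these messages and check the two directories, as an added example that is not part of the Oracle note: `kcfd_triage` groups the three message types quoted above, and `check_cert_dirs` reports whether /etc/certs and /etc/crypto/certs exist and are populated under a given root. The function names and the `AWK` variable are assumptions made for this example, and it assumes a POSIX shell (on Solaris 10, for instance ksh).

```shell
# Added example, not Oracle code; function names are hypothetical.
# On Solaris 10 set AWK=nawk: the legacy /usr/bin/awk lacks sub() and functions.

# Summarise syslog lines on stdin as "<kind> <count> <detail>". A syslog
# "last message repeated N times" line adds N to the finding just before it.
kcfd_triage() {
    "${AWK:-awk}" '
    function hit(kind, detail) { last = kind "\t" detail; n[last]++ }
    /kcfd: unable to open certificate file / {
        s = $0; sub(/.*certificate file /, "", s); sub(/: No such file.*/, "", s)
        hit("missing_cert_file", s); next
    }
    /kcfd: unable to find a certificate for DN: / {
        s = $0; sub(/.*certificate for DN: /, "", s); hit("no_cert_for_dn", s); next
    }
    /libpkcs11: .* failure in ELF signature verification/ {
        s = $0; sub(/.*libpkcs11: /, "", s); sub(/ unexpected failure.*/, "", s)
        hit("plugin_skipped", s); next
    }
    /last message repeated [0-9]+ times/ {
        s = $0; sub(/.*repeated /, "", s); sub(/ times.*/, "", s)
        if (last != "") n[last] += s
        next
    }
    { last = "" }
    END { for (k in n) { split(k, p, "\t"); print p[1], n[k], p[2] } }
    ' | sort
}

# Report whether the two directories named in the note exist and are non-empty
# under ROOT (assumption: ROOT is the zone root path; "" means this system).
check_cert_dirs() {
    root=$1; rc=0
    for d in /etc/certs /etc/crypto/certs; do
        if [ ! -d "$root$d" ]; then echo "MISSING $d"; rc=1
        elif [ -z "$(ls -A "$root$d")" ]; then echo "EMPTY $d"; rc=1
        else echo "OK $d"; fi
    done
    return $rc
}

# Sample input: the two "unable to open certificate file" lines quoted above.
sample_log() {
    cat <<'EOF'
May 5 08:44:25 kcfd[1111]: [ID 543274 user.error] kcfd: unable to open certificate file /etc/crypto/certs/SolarisCA: No such file or directory
May 5 08:44:25 zonename1 last message repeated 91 times
EOF
}
sample_log | kcfd_triage
```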
Solution