Hi,

this is a known bug in Solaris 10. See CR 6759852 for details (the CR
was closed though as Nevada is not affected).

You can use the workaround from the quoted CR to fix the issue here.

Bye,
  Wolfgang.

chunhuan.s...@sun.com wrote:
> Hi experts,
> 
> I would like to consult you about an issue regarding pkcs11_softtoken.so
> in the global zone and a non-global zone on Solaris 10.
> 
> The output of cryptoadm differs between the global zone and
> the non-global zone.
> 
> For example, there was the following output in the non-global zone
> and the global zone.
> 
> --------------------------------------------
> yukinoko# uname -a
> SunOS yukinoko 5.10 Generic_118833-36 sun4u sparc SUNW,A70
> 
> yukinoko# zlogin zone1
> [Connected to zone 'zone1' pts/5]
> Last login: Tue Mar 17 21:19:53 on pts/5
> Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
> #
> # cryptoadm list
> 
> User-level providers:
> Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
> Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so <<===!!!
> 
> Kernel software providers:
>         swrand
>         rsa
>         md5
>         sha2
>         sha1
>         blowfish
>         arcfour
>         aes
>         des
> 
> Kernel hardware providers:
> # ^D
> [Connection to zone 'zone1' pts/5 closed]
> 
> yukinoko# cryptoadm list
> 
> User-level providers:
> provider: /usr/lib/security/$ISA/pkcs11_kernel.so
> provider: /usr/lib/security/$ISA/pkcs11_softtoken.so <<===!!!
> 
> Kernel software providers:
>         des
>         aes
>         arcfour
>         blowfish
>         sha1
>         sha2
>         md5
>         rsa
>         swrand
> 
> Kernel hardware providers:
> --------------------------------------------
> --------------------------------------------
> # uname -a
> SunOS m5000-0 5.10 Generic_137137-09 sun4u sparc SUNW,SPARC-Enterprise
> 
> # cryptoadm list
> 
> User-level providers:
> Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
> Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so <<===!!!
> 
> Kernel software providers:
>         des
>         aes256
>         arcfour2048
>         blowfish448
>         sha1
>         sha2
>         md5
>         rsa
>         swrand
> 
> Kernel hardware providers:
> # zlogin testzone
> [Connected to zone 'testzone' pts/2]
> Last login: Thu Feb 19 18:51:47 on console
> Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
> #
> # cryptoadm list
> 
> User-level providers:
> Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
> Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so <<===!!!
> 
> Kernel software providers:
>         swrand
>         rsa
>         md5
>         sha2
>         sha1
>         blowfish448
>         arcfour2048
>         aes256
>         des
> 
> Kernel hardware providers:
> --------------------------------------------
> 
> The cu said they installed patch 127127-11 but did not
> install 139498-04
> 
> Document ID:    127127-11 (applied)
> Title:  SunOS 5.10: kernel patch
> 
> Document ID:    139498-04 (didn't apply)
> Title:  SunOS 5.10: libpkcs11.so patch
> 
> The cu would like to know:
> 
> 1) On a non-global zone, why is pkcs11_softtoken.so used as the default?
> Is it by design?
> 
> 2) On a non-global zone, if pkcs11_softtoken.so is changed to
> pkcs11_softtoken_extra.so, is there any impact on the system?
> 
> 3) On a non-global zone, if we want to use 128-bit keylength, is the following
> method correct or not?
> 
> # cryptoadm install provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so
> 
> # cryptoadm uninstall provider=/usr/lib/security/\$ISA/pkcs11_softtoken.so
> 
> The man page for pkcs11_softtoken has the following information:
> 
> === man pkcs11_softtoken ===
>      The pkcs11_softtoken.so object contains only implementations
>      of  symmetric  key  algorithms  of  up to 128-bit keylength.
>      pkcs11_softtoken_extra.so,  if  available,   might   contain
>      longer key lengths.
> === man pkcs11_softtoken ===
> 
> Thank you very much.
> Best Regards
> chunhuan
> _______________________________________________
> zones-discuss mailing list
> zones-discuss@opensolaris.org
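
Added example, not part of the original thread or of any Sun tooling: a small shell check that reads `cryptoadm list` output from the global zone and from a non-global zone and reports when the zone lists only pkcs11_softtoken.so while the global zone lists pkcs11_softtoken_extra.so. The function names and sample strings are assumptions made for illustration.

```shell
# Added example. Needs a POSIX awk (on Solaris 10: nawk or /usr/xpg4/bin/awk).
AWK=${AWK:-awk}

# Read `cryptoadm list` output on stdin and print which softtoken library the
# user-level section names: extra, base, both or none.
softtoken_variant() {
    "$AWK" '
        /^User-level providers:/ { in_user = 1; next }
        /^Kernel (software|hardware) providers:/ { in_user = 0 }
        # The thread shows both "Provider:" and "provider:" spellings.
        in_user && tolower($1) == "provider:" {
            n = split($2, parts, "/")
            if (parts[n] == "pkcs11_softtoken_extra.so") extra = 1
            else if (parts[n] == "pkcs11_softtoken.so") base = 1
        }
        END {
            if (extra && base) print "both"
            else if (extra) print "extra"
            else if (base) print "base"
            else print "none"
        }'
}

# $1 = global-zone output, $2 = non-global-zone output. Returns 1 when the
# global zone has the _extra library but the zone only has the base one.
check_zone() {
    g=$(printf '%s\n' "$1" | softtoken_variant)
    z=$(printf '%s\n' "$2" | softtoken_variant)
    if [ "$g" = "extra" ] && [ "$z" = "base" ]; then
        echo "MISMATCH global=$g zone=$z"
        return 1
    fi
    echo "OK global=$g zone=$z"
}

# Constructed samples, trimmed from the output quoted in the thread.
GLOBAL_SAMPLE='User-level providers:
provider: /usr/lib/security/$ISA/pkcs11_kernel.so
provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so

Kernel software providers:
        aes256'
ZONE_SAMPLE='User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so

Kernel software providers:
        aes256'
check_zone "$GLOBAL_SAMPLE" "$ZONE_SAMPLE" || true
```

On a live system the two arguments would be the captured output of `cryptoadm list` run in the global zone and inside the zone.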