Darren Reed wrote:
> On  3/08/09 06:08 PM, Scott Rotondo wrote:
>> Darren Reed wrote:
>>> On  3/08/09 06:03 PM, Scott Rotondo wrote:
>>>> Darren Reed wrote:
>>>>> Every now and then, I bfu a system and thereafter receive lots
>>>>> of crypto messages on the console. In this case, the path to
>>>>> trouble was "jumpstart install, bfu, create zone, boot zone"
>>>>> (shared is a zone with a shared IP instance.) What did I do
>>>>> to deserve this?
>>>>>
>>>>> Is there some master switch I can throw once and for all and
>>>>> turn these messages off?
>>>>>
>>>>> Darren
>>>>
>>>> You're building without usr/closed, I presume. I think your only 
>>>> good alternative is to install the closed bins after you bfu.
>>>
>>> Building with usr/closed - it is not possible to build without it.
>>>
>>> Darren
>>>
>>
>> Then it's not clear to me why you're getting the errors you are. Does 
>> elfsign verify show that the crypto modules are really not signed 
>> (with any key/cert pair)?
> 
> Is this what you mean?
> # elfsign verify pkcs11_softtoken.so
> elfsign: verification of pkcs11_softtoken.so failed.
> # elfsign list -f signer -e pkcs11_softtoken.so
> O=Sun Microsystems Inc, OU=Corporate Object Signing, OU=Solaris 
> Cryptographic Framework, CN=Solaris INTERNAL DEVELOPMENT USE ONLY
> # elfsign list -f subject -e pkcs11_softtoken.so
> # elfsign list -f issuer -e pkcs11_softtoken.so
> # elfsign list -f format -e pkcs11_softtoken.so
> rsa_sha1
> # elfsign list -f time -e pkcs11_softtoken.so
> Mon Aug 03 17:25:42 2009
> 
> Darren
> 

Yes, that's what I mean. So the files are signed, but you don't have the 
corresponding certificate installed. Get it from 
$CLOSED/cmd/cmd-crypto/etc/certs. Normally, bfu does this for you 
automatically.

        Scott


-- 
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
