> From: Darren Reed <Darren.Reed at sun.com>
> On 3/08/09 06:31 PM, Scott Rotondo wrote:
> > Darren Reed wrote:
> >> On 3/08/09 06:08 PM, Scott Rotondo wrote:
> >>> Darren Reed wrote:
> >>>> On 3/08/09 06:03 PM, Scott Rotondo wrote:
> >>>>> Darren Reed wrote:
> >>>>>> Every now and then, I bfu a system and thereafter receive lots
> >>>>>> of crypto messages on the console. In this case, the path to
> >>>>>> trouble was "jumpstart install, bfu, create zone, boot zone"
> >>>>>> (shared is a zone with a shared IP instance.) What did I do
> >>>>>> to deserve this?
> >>>>>>
> >>>>>> Is there some master switch I can throw once and for all and
> >>>>>> turn these messages off?
> >>>>>>
> >>>>>> Darren
> >>>>>
> >>>>> You're building without usr/closed, I presume. I think your only
> >>>>> good alternative is to install the closed bins after you bfu.
> >>>>
> >>>> Building with usr/closed - it is not possible to build without it.
> >>>>
> >>>> Darren
> >>>
> >>> Then it's not clear to me why you're getting the errors you are.
> >>> Does elfsign verify show that the crypto modules are really not
> >>> signed (with any key/cert pair)?
> >>
> >> Is this what you mean?
> >> # elfsign verify pkcs11_softtoken.so
> >> elfsign: verification of pkcs11_softtoken.so failed.
> >> # elfsign list -f signer -e pkcs11_softtoken.so
> >> O=Sun Microsystems Inc, OU=Corporate Object Signing, OU=Solaris
> >> Cryptographic Framework, CN=Solaris INTERNAL DEVELOPMENT USE ONLY
> >> # elfsign list -f subject -e pkcs11_softtoken.so
> >> # elfsign list -f issuer -e pkcs11_softtoken.so
> >> # elfsign list -f format -e pkcs11_softtoken.so
> >> rsa_sha1
> >> # elfsign list -f time -e pkcs11_softtoken.so
> >> Mon Aug 03 17:25:42 2009
> >>
> > Yes, that's what I mean. So the files are signed, but you don't have
> > the corresponding certificate installed. Get it from
> > $CLOSED/cmd/cmd-crypto/etc/certs. Normally, bfu does this for you
> > automatically.
> >
> In this case, the problem is with a zone that was created after bfu'ing.
> Shouldn't be a problem, should it?

Ah! The BFU update populated the required certificate into the global zone, but the associated packaging information for SUNWcryptoint wasn't generated. As a result, zone creation has no indication that the certificate should be propagated into your local zone.

-JZ
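
A check for the condition diagnosed in this thread, as an added example that is not part of the original messages: it reports certificates present in the global zone's `/etc/crypto/certs` (the directory `elfsign verify` searches by default) that are missing or different in each non-global zone. It assumes the `zoneadm list -cp` record layout `zoneid:zonename:state:zonepath:...` and zone roots at `zonepath/root`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find signing certificates that the
# global zone has but a non-global zone lacks.

# elfsign's default certificate directory, relative to a zone root.
CERT_DIR=etc/crypto/certs

# zone_roots: read `zoneadm list -cp` records on stdin and print
# "zonename zonepath/root" for each non-global zone that has a root
# filesystem (assumed states: installed, ready, running).
zone_roots() {
    awk -F: '$2 != "global" &&
             ($3 == "installed" || $3 == "ready" || $3 == "running") {
        print $2, $4 "/root"
    }'
}

# missing_certs GLOBAL_ROOT ZONE_ROOT: print the name of every certificate
# under GLOBAL_ROOT that is absent from, or not byte-identical in, ZONE_ROOT.
missing_certs() {
    global_root=$1
    zone_root=$2
    for cert in "$global_root/$CERT_DIR"/*; do
        [ -f "$cert" ] || continue
        name=${cert##*/}
        if ! cmp -s "$cert" "$zone_root/$CERT_DIR/$name" 2>/dev/null; then
            echo "$name"
        fi
    done
}

# audit GLOBAL_ROOT: zoneadm records on stdin; print "zone: cert" per gap.
audit() {
    zone_roots | while read -r zone root; do
        missing_certs "$1" "$root" | sed "s|^|$zone: |"
    done
}

# On a live system (assumption: run as root in the global zone):
#   zoneadm list -cp | audit ""
```

Any line of output names a zone in which `elfsign verify` has no matching certificate in its default directory for objects signed with that certificate.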