Bug 112542 - LTC5697-pkcsslotd daemon fails to start
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssl
Version: 3.0
Hardware: s390x Linux
Priority: medium, Severity: medium
Assigned To: Phil Knirsch
Mike McLean
Blocks: 107563
Reported: 2003-12-22 11:45 EST by IBM Bug Proxy
Modified: 2015-03-04 20:13 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-05-11 21:24:58 EDT

Attachments
pkcsslotd.rh (1.81 KB, text/plain)
2004-01-09 16:34 EST, IBM Bug Proxy
pkcsslotd.kent (1.92 KB, text/plain)
2004-01-12 18:35 EST, IBM Bug Proxy
pkcsslotd (1.92 KB, text/plain)
2004-02-23 15:51 EST, IBM Bug Proxy
Description IBM Bug Proxy 2003-12-22 11:45:17 EST
The following has been reported by IBM LTC:
pkcsslotd daemon fails to start
Hardware Environment: z990 - native lpar

Software Environment: RHEL 3 Update1

Steps to Reproduce:
Testing requirements for the PCI Cryptographic Processor

1. Enable z90crypt by issuing modprobe z90crypt.  I'm able to view my
defined cryptographic domain (14):
# cat /proc/driver/z90crypt

z90crypt version: 1.1.2
Cryptographic domain: 14
Total device count: 4
PCICA count: 2
PCICC count: 2
requestq count: 0
pendingq count: 0
Total open handles: 0

Mask of online devices: 1 means PCICA, 2 means PCICC
    1100220000000000 0000000000000000 0000000000000000 0000000000000000


Mask of waiting work element counts
    0000000000000000 0000000000000000 0000000000000000 0000000000000000

2.  Next, we try to start the pkcsslotd slot daemon and get the
following error:
# /usr/sbin/pkcsslotd start

Cannot open file /etc/pkcs11/pk_config_data
  ERROR log.o[975.1075221920]: Failed to read slot database.

3.  The directory and file do not exist.

Actual Results:  Failed to start pkcsslotd slot daemon.

Expected Results:  The required daemon is needed to start in order to
setup token.

Additional Information:
Comment 2 Bob Johnson 2003-12-22 14:16:32 EST
IBM, is it as simple as the directory and file do not exist at this
stage ?
Comment 3 Bob Johnson 2004-01-05 10:01:47 EST
Should not need to do the modprobe as the driver is in the kernel for
the Beta of Update 1.  Is this also reproducible on a z900 ?
Comment 5 IBM Bug Proxy 2004-01-05 13:41:58 EST
------ Additional Comments From chanphil@us.ibm.com  2004-01-05 13:28 -------
If I do not issue the modprobe, the file and information 
in /proc/driver/z90crypt do not exist.  This is how we determine the status of 
the crypto card.  If not for modprobe, is there another way to enable the 
crypto support?

The driver is hardware independent, and should be reproducible on both the z900 
and z990. 
Comment 7 Phil Knirsch 2004-01-07 09:29:37 EST
I've been looking at the bug today.

The problem seems to be a missing config file which needs to be
manually created by the user in

  /etc/pkcs11/pk_config_data

openCryptoki is by default configured not to use the ODM, so the file
needs to exist and be set up by the user as it is not part of the
openCryptoki software itself.

So in summary it is a setup problem rather than a package problem AFAIKT.

Read ya, Phil
Comment 9 IBM Bug Proxy 2004-01-08 11:46:54 EST
------ Additional Comments From chanphil@us.ibm.com  2004-01-08 11:34 -------
Hi,

I'm a bit confused as to how PKCS11 support is delivered here.  From my 
understanding of openCryptoki-2.x on developerworks, I see that there should be 
a minimum of two rpms:

openCryptoki-2.1.3-0.s390.rpm
openCryptoki-32bit-2.1.3-0.s390.rpm

In Update1, there is only one - openCryptoki-2.1.3-1.  Based on other 
distributors such as SuSE, they do provide both.  The additional package 
provides a startup script, that gathers and creates the directory /etc/pkcs11, 
the pk_config_data file, then starts the pkcsslotd slot daemon.  Is the 
openCryptoki package that RedHat provides from developerworks?

Using this startup script as a guideline (since there isn't any documentation), 
here is the new problem we encountered:

1) Generate the configuration information(creates pk_config_data)
	/usr/lib/pkcs11/methods/pkcs11_startup start
2) Start pkcsslotd slot daemon
	/usr/sbin/pkcsslotd
3) Begin setting up the token, by first querying it
	/usr/lib/pkcs11/methods/pkcsconf -t
	Error initializing the PKCS11 library: 0x2

Taking a closer look at pk_config_data:
TRUE|0|Linux 2.4.21-6.EL Linux (Soft)|Linux 2.4.21-6.EL|TRUE|FALSE|FALSE|0|0|1|1|NONE|/usr/lib/pkcs11/stdll/PKCS11_SW.so|ST_Initialize

What does 'SW' in library /usr/lib/pkcs11/stdll/PKCS11_SW.so stand for?  We've 
always used PKCS11_ICA.so which is the IBM Cryptographic Accelerator.

-Phil Chan 
Comment 10 IBM Bug Proxy 2004-01-08 14:47:06 EST
------ Additional Comments From yoder1@us.ibm.com  2004-01-08 14:33 -------
I'm not sure how Redhat has done the packaging, but PKCS11_SW.so should not 
exist on zSeries.  PKCS11_SW.so is the software token, which is only included in 
RPM's on xSeries and is only used for testing (it just calls openssl). 
 
The 3 steps in comment #9 above *should* work, but the pk_config_data 
shown is definitely wrong for zSeries, there should only be one STDLL, 
PKCS11_ICA.so. 
Comment 11 Phil Knirsch 2004-01-09 05:11:46 EST
The packaging of the openCryptoki software has been done as for all our
other multiarch packages. There is a separate s390 and s390x package.
The s390 package provides the software components for 31bit whereas
the s390x package contains the remaining 64bit components.

As there was no documentation about the openCryptoki package available
to us either at the time the software was simply compiled and packaged
"as is". The PKCS11_SW.so was provided during the build of the
software and thus included in the final package as well.

It would be very good if the openCryptoki would contain more
documentation about the software itself and the setup. That way a
proper compilation and installation of the software could be achieved
much more easily.

Also the requirements and dependencies of openCryptoki would be an
important item to include in the documentation.

If other distributions include initscripts in their packages I'd also
like to ask to include them in the openCryptoki tarball itself. That
will make it much easier to handle updates among other things.

Thanks,

Read ya, Phil
Comment 12 IBM Bug Proxy 2004-01-09 11:12:13 EST
------ Additional Comments From yoder1@us.ibm.com  2004-01-09 11:01 -------
Yes, documentation is definitely one place where openCryptoki is in need of 
updates.  I'm working now on general updates to openCryptoki, so this will be 
added soon.  Check out the files section of the openCryptoki.spec file in the 
rpm directory of the tarball to see which files we package per arch..  As for now 
there is no init script, I'll try to include Suse's in the next release.  Please let 
me know if there are any more issues wrt this bug... 
Comment 13 IBM Bug Proxy 2004-01-09 15:09:05 EST
------ Additional Comments From yoder1@us.ibm.com  2004-01-09 14:54 -------
Hi, I can create an init script and post it here if that'd be a help. I'll do so 
unless told otherwise.... 
Comment 14 IBM Bug Proxy 2004-01-09 16:34:45 EST
Created attachment 96870 [details]
pkcsslotd.rh
Comment 15 IBM Bug Proxy 2004-01-09 16:35:00 EST
------ Additional Comments From yoder1@us.ibm.com  2004-01-09 16:22 -------
 
Prototype init script for RHEL on zSeries for pkcsslotd.

Since I've never written an init script and have no zSeries machine to test
this on, this script will need testing.  Someone with access to a Redhat
zSeries box please assist with FVT on this script.  After it can be verified to
work, please pass to redhat.  Feel free to contact me directly at (512)
838-8397 for any assistance needed. 
Comment 20 Bob Johnson 2004-01-12 13:47:14 EST
From: 	Mark Wisner <markwiz@us.ibm.com>
To: 	bjohnson@redhat.com
Subject: 	crypto docs
Date: 	Mon, 12 Jan 2004 13:33:09 -0500

	Bob, here is the link to the Crypto docs. It should have the
information you requested. I also asked Kent to answer the "How do we
integrate/use" the script question. He should put his answer into the bug.

Mark K. Wisner
Advisory Software Engineer
IBM Linux Technology Center
3039 Cornwallis Rd
RTP, NC 27709
Tel. 919-254-7191
Fax 919-543-7575

---------------------- Forwarded by Mark Wisner/Raleigh/IBM on 01/12/2004 01:28 PM ---------------------------

From: Ingolf Salm@IBMDE on 01/12/2004 12:50 PM
To: Mark Wisner/Raleigh/IBM@IBMUS
cc: Volker Tosta/Germany/IBM@IBMDE@IBMDE
From: Ingolf Salm/Germany/IBM@IBMDE
Subject: crypto docs

Mark,
As discussed: the crypto documentation is available on our web
sites: at our developerworks pages RH can find our device driver book:
http://www10.software.ibm.com/developerworks/opensource/linux390/docu/lx24jun03dd02.pdf
it describes the crypto device driver specifics in chapter "Generic
Cryptographic device driver". This chapter holds a pointer to the
opencryptoki howto, which also describes the opencryptoki
configuration requirements:

http://www-124.ibm.com/developerworks/oss/opencryptoki/

Best regards, / Mit freundlichen Gruessen,
Ingolf Salm
zSeries Design (Linux, VSE/ESA)
Senior Technical Staff Member, IBM Lab Boeblingen, Germany
e-mail: salm@de.ibm.com, phone: +49-(0)7031-16-3678
Comment 21 IBM Bug Proxy 2004-01-12 18:35:08 EST
Created attachment 96913 [details]
pkcsslotd.kent
Comment 22 IBM Bug Proxy 2004-01-12 18:35:22 EST
------ Additional Comments From chanphil@us.ibm.com  2004-01-12 18:17 -------
 
Modified working pkcsslotd script

The attached script has been verified and works fine on zSeries.  Kent, there's
a message that appears when running the script which I've forwarded to you to
have a look at. 
Comment 23 IBM Bug Proxy 2004-01-13 10:05:34 EST
----- Additional Comments From yoder1@us.ibm.com  2004-01-13 09:32 -------
The script should be dropped into /etc/init.d and can be added to any multi-user runlevel.  It 
should run as any other init script, with start/restart/stop, etc.   
 
The message that's output the first time pkcs11_startup is run is a known bug, which has no 
effect and will be fixed in an upcoming release of openCryptoki. 
 
As for the packaging, please be sure that the packaging for zSeries is as follows: 
 
openCryptoki-2.1.3-0.s390.rpm 
  /usr/sbin/pkcsslotd 
  /usr/lib/pkcs11/methods/pkcs11_startup 
  /usr/lib/pkcs11/methods/pkcsconf 
  /usr/lib/pkcs11/methods/pkcs_slot 
 
openCryptoki-32bit-2.1.3-0.s390.rpm 
  /usr/lib/pkcs11/PKCS11_API.so 
  /usr/lib/pkcs11/stdll/PKCS11_ICA.so 
 
openCryptoki-64bit-2.1.3-0.s390x.rpm 
/usr/lib/pkcs11/PKCS11_API.so64 
/usr/lib/pkcs11/stdll/PKCS11_ICA.so64 
Comment 24 Phil Knirsch 2004-01-13 10:29:38 EST
OK, great!

Thank you for all the information and the initscript. I will make sure
the next packages contain the initscript and the file list and
packages contain the listed files.

Read ya, Phil
Comment 25 IBM Bug Proxy 2004-01-13 10:51:45 EST
----- Additional Comments From yoder1@us.ibm.com  2004-01-13 10:41 -------
One thing I forgot to mention -- pkcsslotd will not start until root has been added to the  
pkcs11 group.  The pkcs11 group will be created by the pkcs11_startup script, but root is not  
automatically added; that must be done by the administrator. 
Comment 27 Phil Knirsch 2004-02-18 11:48:12 EST
New packages for testing are available from here:

http://people.redhat.com/pknirsch/

There are new openCryptoki as well as new openssl packages there.

Please test these packages and report back any problems you find with
them in this bugzilla entry.

Thanks,

Read ya, Phil
Comment 28 IBM Bug Proxy 2004-02-23 15:51:23 EST
Created attachment 97961 [details]
pkcsslotd
Comment 29 IBM Bug Proxy 2004-02-23 15:51:39 EST
------ Additional Comments From chanphil@us.ibm.com  2004-02-23 14:48 -------
 
Working pkcsslotd

We have downloaded and installed the new openCryptoki-2.1.3-6.s390.rpm from the
site above to our RHEL 3 U1 system.  Here are our concerns:

1)  The /etc/init.d/pkcsslotd script you have included with the packages seems
to be the original (broken version).  Please use the copy I am attaching now and
repackage.

2)  Also, please add the executable attribute to /etc/init.d/pkcsslotd, as it
only has 544 permission. 
Comment 30 Phil Knirsch 2004-02-26 12:22:20 EST
Will build fixed and updated versions of openCryptoki today and put
the new packages on the people.redhat.com page again.

Please verify that these packages fix the above mentioned concerns.

Thanks,

Read ya, Phil
Comment 32 Brock Organ 2004-03-03 14:38:38 EST
latest internal packages (openCryptoki(0:2.1.3-9).s390 &
openCryptoki(0:2.1.3-9).s390x) have /etc/rc.d/init.d/pkcsslotd issues ...
Comment 33 IBM Bug Proxy 2004-03-08 18:43:57 EST
----- Additional Comments From chanphil@us.ibm.com  2004-03-08 18:41 -------
We downloaded and installed the new openCryptoki-2.1.3-10 rpms which became 
available on March 5th.

We verified script pkcsslotd.  It is fixed, and the pkcsslotd slot daemon is 
able to start.  
Next, we encounter a new problem when trying to display the token information 
using the following command:

[root@METLNX27 root]# /usr/lib/pkcs11/methods/pkcsconf -t
C_GetSlotCount returned 0 slots. Check that your tokens are installed correctly.

We found that 'pkcsconf' had worked in the original openCryptoki-2.1.3-1 
package. At some point afterward, changes were made which must have broken it. 
Comment 34 Florian La Roche 2004-03-09 02:43:13 EST
Should the initscript be at all part of the openCryptoki rpm or should
we leave this also to the configuration of local machines to setup
a startup script themselves?

Seems the initscript is still under flux and might have to wait
for RHEL3U3 to include.

greetings,

Florian La Roche
Comment 35 IBM Bug Proxy 2004-03-09 09:49:00 EST
----- Additional Comments From yoder1@us.ibm.com  2004-03-09 09:46 -------
The init script should be part of the openCryptoki rpm... at least that's how
it's been done elsewhere. 
Comment 36 Phil Knirsch 2004-03-09 10:06:19 EST
Hi!

Glen, have you run /usr/lib/pkcs11/methods/pkcs11_startup prior to
starting up the pkcsslotd via the initscript? According to the HOWTO
of the openCryptoki package this needs to be done at least once.

What I've done is this:

modprobe z90crypt
/usr/lib/pkcs11/methods/pkcs11_startup
service pkcsslotd start

and that worked fine for me. I still get an error from
/usr/lib/pkcs11/methods/pkcsconf -t, too, but a different one than you
get, though I suspect it might be our configuration here.

If you could verify if these steps help to make it work for you I'd
greatly appreciate it.

Read ya, Phil
Comment 37 IBM Bug Proxy 2004-03-09 10:19:06 EST
----- Additional Comments From yoder1@us.ibm.com  2004-03-09 10:16 -------
Sorry, I skipped over the pkcsslotd problem..  I downloaded the s390/x rpms in
the  pknirsch directory today and don't see any problems with them.  I have no
s390 access though, which I would need to debug.

I can say that this problem will happen if no hardware crypto is available
(driver not loaded, driver returned error, etc.), or if there are unresolved
symbols in the PKCS11_ICA.so that is being loaded.  Unresolved symbols are
unlikely in this case, since PKCS11_ICA.so only depends on libica, which I assume
is installed. 
Comment 38 IBM Bug Proxy 2004-03-09 10:27:12 EST
----- Additional Comments From yoder1@us.ibm.com  2004-03-09 10:25 -------
It looks to me like if the script is working correctly,
/usr/lib/pkcs11/methods/pkcs11_startup will be called by the script automatically
before running the pkcsslotd, but the modprobe z90crypt is definitely needed..

Kent 
Comment 39 Phil Knirsch 2004-03-09 10:39:53 EST
OK. So it should be either documented that the modprobe has to be done
in /etc/rc.d/rc.local or that it has to be added to the initscript.

If the rest of the package looks good I'd be very happy. :-)

Read ya, Phil
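
The prerequisites named in the comments above (z90crypt loaded, /etc/pkcs11/pk_config_data present and pointing at PKCS11_ICA rather than the software token, root in the pkcs11 group) can be checked before pkcsslotd is started. The script below is an added example, not part of this bug thread or of openCryptoki: the function names are hypothetical, the position of the STDLL field is inferred from the single line quoted in comment 9, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: preflight checks for the pkcsslotd prerequisites in this thread.
# Function names are hypothetical. Paths are arguments so the checks can run
# against copies; the defaults are the paths quoted in the bug report.

# Print the STDLL path from each line of a pk_config_data file. Assumption: it
# is the second-to-last '|'-separated field, as in the line quoted in comment 9.
stdll_paths() { awk -F'|' 'NF >= 2 { print $(NF-1) }' "$1"; }

# Succeed only if the slot database exists and names nothing but PKCS11_ICA.
check_config() {
    cfg=${1:-/etc/pkcs11/pk_config_data}
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg; run pkcs11_startup"; return 1; }
    paths=$(stdll_paths "$cfg")
    [ -n "$paths" ] || { echo "FAIL: $cfg defines no slots"; return 1; }
    bad=$(printf '%s\n' "$paths" | grep -Ev '/PKCS11_ICA\.so(64)?$' || true)
    [ -z "$bad" ] || { echo "FAIL: unexpected STDLL $bad"; return 1; }
    echo "OK: slot database uses PKCS11_ICA only"
}

# Succeed if the z90crypt status file exists and reports at least one device.
check_driver() {
    status=${1:-/proc/driver/z90crypt}
    [ -r "$status" ] || { echo "FAIL: $status missing; modprobe z90crypt"; return 1; }
    count=$(awk -F': *' '/^Total device count/ { print $2 }' "$status")
    [ "${count:-0}" -gt 0 ] || { echo "FAIL: no crypto devices reported"; return 1; }
    echo "OK: $count crypto device(s) reported"
}

# Succeed if user $1 is a listed member of group $2 in group file $3.
check_group_member() {
    if awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "${3:-/etc/group}"
    then echo "OK: $1 is in group $2"
    else echo "FAIL: $1 is not in group $2"; return 1
    fi
}

# Constructed sample files for a dry run (the config line is the one from comment 9).
make_samples() {
    echo 'TRUE|0|Linux 2.4.21-6.EL Linux (Soft)|Linux 2.4.21-6.EL|TRUE|FALSE|FALSE|0|0|1|1|NONE|/usr/lib/pkcs11/stdll/PKCS11_SW.so|ST_Initialize' > "$1/config.sw"
    sed 's/PKCS11_SW/PKCS11_ICA/' "$1/config.sw" > "$1/config.ica"
    echo 'pkcs11:x:500:' > "$1/group.before"
    echo 'pkcs11:x:500:root' > "$1/group.after"
    printf 'z90crypt version: 1.1.2\nTotal device count: 4\n' > "$1/z90crypt"
}

demo() {
    d=$(mktemp -d) && make_samples "$d"
    check_driver "$d/z90crypt"
    check_config "$d/config.sw" || true                        # FAIL: software token
    check_config "$d/config.ica"
    check_group_member root pkcs11 "$d/group.before" || true   # FAIL: not a member
    check_group_member root pkcs11 "$d/group.after"
    rm -rf "$d"
}
demo
```

On a real system the three check functions can be called without file arguments to use the default paths.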
Comment 43 Brock Organ 2004-03-25 14:45:36 EST
testing with internal package openCryptoki-2.1.3-11, I am able to
initialize a token and set the user PIN, and the only manual step
still required was changing /etc/group:

# diff -u /etc/group.orig /etc/group
--- /etc/group.orig     2004-03-25 10:47:00.000000000 -0500
+++ /etc/group  2004-03-25 10:44:59.000000000 -0500
@@ -53,4 +53,4 @@
 quaggavty:x:101:
 quagga:x:92:
 radvd:x:75:
-pkcs11:x:500:
+pkcs11:x:500:root
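Review bot: the `+pkcs11:x:500:root` line is a hand edit to /etc/group, and the group it touches sits at GID 500 while the service groups in the context lines (quagga 92, radvd 75, quaggavty 101) use low system GIDs. Suggest that the package or pkcs11_startup create pkcs11 as a system group, and that the membership be added with a group-management command such as `gpasswd -a root pkcs11` rather than by editing the file, so the change is repeatable and /etc/gshadow stays consistent.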
# 

Are there any other issues in this bug that are still open?
Comment 45 IBM Bug Proxy 2004-03-31 18:50:49 EST
----- Additional Comments From chanphil@us.ibm.com  2004-03-31 18:52 -------
We have tested openCryptoki-2.1.3-11 provided by Update 2.  All works well, 
except for starting the slot daemon pkcsslotd for the first time.  It will 
throw a message "chgrp: invalid group name 'g+rw'", but the daemon starts.  
Another bug has been opened to address this - LTIC bug 7125 - RH119363. Bug 
5697 can now be closed.

Thanks,
Phil 
Comment 46 Florian La Roche 2004-04-12 12:50:23 EDT
Thanks a lot for all the testing done for the mainframe crypto parts.
A fixed openCryptoki rpm has also been pushed out to the
Red Hat Network beta channel. 2.1.5-1

Setting this to modified to signal completion of all requested parts
for RHEL3U2.

greetings,

Florian La Roche
Comment 47 John Flanagan 2004-05-11 21:24:58 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-216.html
Comment 48 IBM Bug Proxy 2005-08-22 02:07:15 EDT
------- Additional Comments From amitarora@in.ibm.com  2005-08-22 02:01 EDT -------
(In reply to comment #31)
> We have tested openCryptoki-2.1.3-11 provided by Update 2.  All works well, 
> except for starting the slot daemon pkcsslotd for the first time.  It will 
> throw a message "chgrp: invalid group name 'g+rw'", but the daemon starts.  
> Another bug has been opened to address this - LTIC bug 7125 - RH119363. Bug 
> 5697 can now be closed.
> Thanks,
> Phil 

Marking this bug as resolved as per the comment above. 
Comment 49 IBM Bug Proxy 2005-08-22 02:12:10 EDT
changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ACCEPTED                    |CLOSED
             Impact|------                      |Functionality




------- Additional Comments From amitarora@in.ibm.com  2005-08-22 02:05 EDT -------
Closing ... 
