Trouble shooting

When you run into troubles while working with openCryptoki, the information provided in this topic may help you to resolve your problem.

To react on error messages related to openCryptoki, perform a series of checks:

  1. Walk through a check list
  2. Checking the syslog messages
  3. Apply tracing
  4. Final check

In addition, you may find helpful information in the following topics:

Walk through a check list

  1. Is the current user authorized in the pkcs11 group?

    The pkcs11 group must be defined in file /etc/group of the system. An entry in this file, like for example: pkcs11:x:989:root, indicates that the root user is a member of the pkcs11 group. To add a user to this group, issue the following command: usermod -aG pkcs11 <user>.

    Every user of openCryptoki must be a member of this pkcs11 group. For more information, read General access control.

  2. Is the slot manager daemon pkcsslotd up and running?

    The pkcsslotd daemon must be active in the system to coordinate token accesses from multiple processes. For more information, read Slot manager.

  3. Is the host library of the token installed that you want to exploit?

    • For the CCA token, the host library and its default distribution location is /usr/lib64/libcsulcca.so.<v>.<r>.<m>.
    • For the ICA token, the library and its default distribution location is /usr/lib64/libica.so.<v>.<r>.<m>.
    • For the EP11 token, the library and its default distribution location is /usr/lib64/libep11.so.<v>.<r>.<m>.
    • For the Soft token, the library and its default distribution location is /usr/lib64/libcrypto.so.<v>.<r>.<m>.
  4. Are the required cryptographic coprocessors available and online?

    Use the lszcrypt command to display a list of available cryptographic devices and their online status.

    # lszcrypt
    
    CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS
    ----------------------------------------------
    08          CEX7C CCA-Coproc  online     10484
    08.0031     CEX7C CCA-Coproc  online     10484
    09          CEX7C CCA-Coproc  online        34
    09.0031     CEX7C CCA-Coproc  online        34
    0a          CEX7P EP11-Coproc online     24766
    0a.0031     CEX7P EP11-Coproc online     24766
    0b          CEX7P EP11-Coproc online     15420
    0b.0031     CEX7P EP11-Coproc online     15420
    
     
  5. Are the slot definitions correctly specified in the openCryptoki configuration file (/etc/opencryptoki/opencryptoki.conf)?

    A list of all available tokens is required before you can use openCryptoki. This list is provided by the global configuration file called opencryptoki.conf. For more information, read Adjusting the openCryptoki configuration file.

Checking the syslog messages

openCryptoki issues the following syslog messages (alphabetically sorted). Numbers (placeholder x) and names like for example <file>, will be replaced in the real output. Check the messages and correct the mentioned error.


C_Initialize: Invalid number of functions passed in argument structure.
C_Initialize: Application specified that OS locking is invalid. 
              PKCS11 Module requires OS locking.
C_Initialize: Module failed to attach to shared memory. Verify that the slot management daemon 
              is running, errno=x
C_Initialize: Module failed to create a socket. 
              Verify that the slot management daemon is running.
C_Initialize: Module failed to retrieve slot infos from slot deamon.
C_Initialize: Application specified that library can't create OS threads. PKCS11 Module 
              requires to create threads when event support is enabled.

Cannot read size
Cannot read boolean
Cannot malloc x bytes to read in token object <file> (ignoring it)
Cannot read token object <file> (ignoring it)
Cannot restore token object <file> (ignoring it)
Cannot read header

chmod(<file>): <strerror>

connect_socket: failed to find socket file, errno=x
connect_socket: pkcs11 group does not exist, errno=x
connect_socket: incorrect permissions on socket file
connect_socket: failed to create socket, errno=x
connect_socket: failed to connect to slotmanager daemon, errno=x

Could not open <lockfilename>

<dlerror>

Directory(<dir>) missing: <strerror>

DL_Load: dlopen() failed for [<dll_location>]; dlerror = <dlerror>

ep11_load_host_lib: Error loading shared library <file>' [<strerror>]
ep11_load_host_lib: Error loading shared library 'libep11.so[.3|.2|.1]' [<strerror>]
ep11_login_handler: Error: VHSM-Pin blob of adapter <apqn> is not equal to other adapters 
                    for same session
ep11_login_handler: Error: Pin blob of adapter <apqn> is not equal to other adapters 
                    for same session
ep11_resolve_lib_sym: Error: <dlerror>

ep11tok_load_libica: Error loading shared library '<file>' [<strerror>]
ep11tok_load_libica: Failed to initialize the target lock
ep11tok_load_libica: Error: EP 11 library initialization failed
ep11tok_load_libica: Failed to get the EP11 library version rc=x
ep11tok_load_libica: Failed to get the target info rc=x
ep11tok_load_libica: Error: CKR_IBM_WK_NOT_INITIALIZED occurred, no master key set ?
ep11tok_load_libica: Error: CKR_FUNCTION_CANCELED occurred, control point 13 
                     (generate or derive symmetric keys including DSA parameters) disabled ?
ep11tok_load_libica: Warning: Could not get mk_vp, protected key support not available.
ep11tok_login_session: Error: A VHSM-PIN is required for VHSM_MODE.
ep11tok_handle_apqn_event: Failed to get the target info rc=x


fchmod(<file>): <strerror>
fchown(<file>): <strerror>
fchown(<file>,-1,pkcs11) failed: <strerror>. Tracing is disabled.

getgrnam() failed: <strerror>
getgrnam(pkcs11) failed: <strerror>. Tracing is disabled.
getgrnam(): <strerror>
getpwuid(): <strerror>

init_socket_data: read error on daemon socket, errno=x
init_socket_data: read returned with eof but we still expect x bytes from daemon

Invalid strength configuration in policy!

lock directory path too long
lock file path too long

mkdir(<file>): <strerror>

OPENCRYPTOKI_TRACE_LEVEL '<string>' is invalid. Tracing disabled.

open(<file>) failed: <strerror>. Tracing disabled.
open(<file>): <strerror>

Parsing policy configuration failed!

POLICY: Could not retrieve "pkcs11" group!
POLICY: Could not stat configuration file <file>: <strerror>
POLICY: Configuration file <file> should be owned by "root"
POLICY: Configuration file <file> should have group "pkcs11"!
POLICY: Configuration file <file> has wrong permissions!
POLICY: Unknown curve "<curve>" in line <line>
POLICY: allowedmechs has wrong type!
POLICY: allowedcurves has wrong type!
POLICY: allowedmgfs has wrong type!
POLICY: allowedkdfs has wrong type!
POLICY: allowedprfs has wrong type!
POLICY: Failed to open <file>: <strerror>
POLICY: Could not allocate policy private data!
POLICY: Strength definition <file> failed to parse!
POLICY: Failed to open <file>: <strerror>
POLICY: Policy definition <file> failed to parse!

POLICY VIOLATION: CKM_AES_KEY_GEN needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_AES_KEY_WRAP needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_AES_GCM needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_PKCS5_PBKD2 needed by Token-Store for slot <slot>
POLICY VIOLATION: CKP_PKCS5_PBKD2_HMAC_SHA512 needed by Token-Store for slot <slot>
POLICY VIOLATION: Token-Store encryption method not allowed for slot <slot>!
POLICY VIOLATION: Token-Store requires SHA1 for slot <slot>!
POLICY VIOLATION: Token-Store requires MD5 for slot <slot>!
POLICY VIOLATION: CKM_DES3_KEY_GEN needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_AES_KEY_GEN needed by Token-Store for slot <slot>
POLICY VIOLATION: Unknown Token-Store encryption method for slot <slot>!
POLICY VIOLATION: CKM_AES_KEY_GEN needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_AES_CBC needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_PKCS5_PBKD2 needed by Token-Store for slot <slot>
POLICY VIOLATION: CKP_PKCS5_PBKD2_HMAC_SHA256 needed by Token-Store for slot <slot>
POLICY VIOLATION: Token-Store encryption key too weak for slot <slot>!

read_adapter_config_file: Error: EP 11 config file ''<file>' not found
read_adapter_config_file: Error: EP 11 config file '<file>' is too large
read_adapter_config_file: Error: Expected APQN_ALLOWLIST, APQN_ANY, LOGLEVEL, FORCE_SENSITIVE, 
                          CPFILTER, STRICT_MODE, VHSM_MODE, OPTIMIZE_SINGLE_PART_OPERATIONS, 
                          PKEY_MODE, DIGEST_LIBICA, or USE_PRANDOM keyword, found '<token> 
                          in config file '<file>'
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>', 
                          expected 'END' or adapter number
read_adapter_config_file: Error: Expected valid adapter number, found '<token>' 
                          in config file '<file>'
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>, 
                          expected domain number (2nd number)
read_adapter_config_file: Error: Expected valid domain number (2nd number), found '<token>' 
                          in config file <file>
read_adapter_config_file: Error: Too many APQNs in config file '<file>'
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>', 
                          expected LOGLEVEL value
read_adapter_config_file: Error: Invalid LOGLEVEL value '<token>' in config file <file>
read_adapter_config_file: Warning: LOGLEVEL setting is not supported any more. Use opencryptoki 
                          logging/tracing facilities instead.
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>', 
                          expected CP-Filter file name
read_adapter_config_file: Error: CP-Filter config file name '<file>' is too long in 
                          config file '<file>'
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>, 
                          expected libica path, 'DEFAULT', or 'OFF'
read_adapter_config_file: Error: libica path '<token>' is too long in config file '<file>'
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>', 
                          expected pkey_mode 0 .. 3
read_adapter_config_file: Error: unsupported pkey mode '<token> in config file '<file>'
read_adapter_config_file: Error: At least one APQN mode needs to be present in config file 
                          '<file>': APQN_ALLOWLIST or APQN_ANY
read_adapter_config_file: Error: Only one APQN mode can be present in config file '<file>': 
                          APQN_ALLOWLIST or APQN_ANY
read_adapter_config_file: Error: At least one APQN needs to be defined in config file '<file>'
read_cp_filter_config_file: Warning: EP 11 CP-filter config file '<file>' does not exist, 
                            no filtering will be used
read_cp_filter_config_file: Error: Expected valid control point name or number, 
                            found '<ftoken>' in CP-filter config file '<file>'
read_cp_filter_config_file: Error: Expected valid mechanism name or number, found '<token>' 
                            in CP-filter config file '<file>'
read_cp_filter_config_file: Error: Out of memory while parsing CP-filter config file '<file>'

SHM segment has wrong gid/mode combination (expected: x/0x; got: x/0x)

start_event_thread: pthread_create failed, errno=x

token_specific_init: Error loading library: 'libcsulcca.so' [<dlerror>]

Trace level x is out of range. Tracing disabled.

Token object <file> appears corrupted (ignoring it)

Tspi_Key_GetPubKey failed: rc=x

Username(<name>) too long

Warning: CCA symmetric master key is not yet loaded
Warning: CCA asymmetric master key is not yet loaded 
Warning: Your TPM is not configured to allow reading the public SRK by anyone but the owner. 
         Use tpm_restrictsrk -a to allow reading the public SRK
Warning: Adapter <apqn1> has different control points than adapter <apqn2>, using minimum
Warning: Adapter <apqn1> has a different number of control points than adapter <apqn2>, 
         using maximum
Warning: Adapter <apqn1> has a different API versionversion than the previous CEXxP adapters: x
Warning: Adapter <apqn1> has a different firmware version than the previous CEXxP adapters: x.x
 

Apply tracing

If you successfully checked all issues as described in the previous sections, you may start to exploit the openCryptoki tracing capabilities. If a log level > 0 is activated by setting the environment variable OPENCRYPTOKI_TRACE_LEVEL, then log entries are written to file /var/log/opencryptoki/trace.<process_id>. Application programmers may apply the higher tracing log levels 4 and 5.

For detailed information, read Logging and tracing in openCryptoki.

Final check

Finally, if your openCryptoki environment is successfully set up, you can check your settings using the pkcsconf utility as described in Managing tokens - pkcsconf utility.

Re-initialize a token

In case you need to clean a token and initialize it freshly (for example, because you forgot the SO PIN, or the SO PIN got locked), you can either use the reset sub-command from the pkcstok_admin utility or manually perform the following actions:

  1. Remove all the files in the token directory (for example, /var/lib/opencryptoki/<token>/), that is, MK_SO, MK_USER, NVTOK.DAT, as well as all files inside TOK_OBJ (but do not remove the TOK_OBJ directory itself).
  2. Remove the shared memory segment under /dev/shm for that token using the command:
    rm /dev/shm/var.lib.opencryptoki.<token>
  3. Freshly initialize the token using the command pkcsconf -I.
  4. Set the SO PIN and the User PIN.
Attention: You will loose all token objects, and you need to setup the PINs freshly.

Live guest relocation

Do not use openCryptoki versions earlier than 3.24 if the Linux® system may be subject to live guest relocation or migration. This restriction is removed with openCryptoki version 3.24.

Versions of openCryptoki earlier than 3.24 can not support a live guest relocation and operations may fail if such an action is performed.

The reason for this is the use of protected keys which become invalid during such a relocation and will result in a verification pattern mismatch. The code of openCryptoki starting with version 3.24 is instrumented to react to this error by re-establishing the protected key from the key material it was derived from.

Because protected keys are only supported by CCA and EP11 tokens, other tokens are not affected.