Trouble shooting
When you run into troubles while working with openCryptoki, the information provided in this topic may help you to resolve your problem.
To react on error messages related to openCryptoki, perform a series of checks:
In addition, you may find helpful information in the following topics:
Walk through a check list
-
Is the current user authorized in the pkcs11 group?
The pkcs11 group must be defined in file /etc/group of the system. An entry in this file, like for example:
pkcs11:x:989:root, indicates that the root user is a member of the pkcs11 group. To add a user to this group, issue the following command:usermod -aG pkcs11 <user>.Every user of openCryptoki must be a member of this pkcs11 group. For more information, read General access control.
-
Is the slot manager daemon pkcsslotd up and running?
The pkcsslotd daemon must be active in the system to coordinate token accesses from multiple processes. For more information, read Slot manager.
-
Is the host library of the token installed that you want to exploit?
- For the CCA token, the host library and its default distribution location is /usr/lib64/libcsulcca.so.<v>.<r>.<m>.
- For the ICA token, the library and its default distribution location is /usr/lib64/libica.so.<v>.<r>.<m>.
- For the EP11 token, the library and its default distribution location is /usr/lib64/libep11.so.<v>.<r>.<m>.
- For the Soft token, the library and its default distribution location is /usr/lib64/libcrypto.so.<v>.<r>.<m>.
-
Are the required cryptographic coprocessors available and online?
Use the lszcrypt command to display a list of available cryptographic devices and their online status.
# lszcrypt CARD.DOMAIN TYPE MODE STATUS REQUESTS ---------------------------------------------- 08 CEX7C CCA-Coproc online 10484 08.0031 CEX7C CCA-Coproc online 10484 09 CEX7C CCA-Coproc online 34 09.0031 CEX7C CCA-Coproc online 34 0a CEX7P EP11-Coproc online 24766 0a.0031 CEX7P EP11-Coproc online 24766 0b CEX7P EP11-Coproc online 15420 0b.0031 CEX7P EP11-Coproc online 15420
-
Are the slot definitions correctly specified in the openCryptoki configuration file (/etc/opencryptoki/opencryptoki.conf)?
A list of all available tokens is required before you can use openCryptoki. This list is provided by the global configuration file called opencryptoki.conf. For more information, read Adjusting the openCryptoki configuration file.
Checking the syslog messages
openCryptoki issues the following syslog messages (alphabetically sorted). Numbers (placeholder x) and names like for example <file>, will be replaced in the real output. Check the messages and correct the mentioned error.
C_Initialize: Invalid number of functions passed in argument structure.
C_Initialize: Application specified that OS locking is invalid.
PKCS11 Module requires OS locking.
C_Initialize: Module failed to attach to shared memory. Verify that the slot management daemon
is running, errno=x
C_Initialize: Module failed to create a socket.
Verify that the slot management daemon is running.
C_Initialize: Module failed to retrieve slot infos from slot deamon.
C_Initialize: Application specified that library can't create OS threads. PKCS11 Module
requires to create threads when event support is enabled.
Cannot read size
Cannot read boolean
Cannot malloc x bytes to read in token object <file> (ignoring it)
Cannot read token object <file> (ignoring it)
Cannot restore token object <file> (ignoring it)
Cannot read header
chmod(<file>): <strerror>
connect_socket: failed to find socket file, errno=x
connect_socket: pkcs11 group does not exist, errno=x
connect_socket: incorrect permissions on socket file
connect_socket: failed to create socket, errno=x
connect_socket: failed to connect to slotmanager daemon, errno=x
Could not open <lockfilename>
<dlerror>
Directory(<dir>) missing: <strerror>
DL_Load: dlopen() failed for [<dll_location>]; dlerror = <dlerror>
ep11_load_host_lib: Error loading shared library <file>' [<strerror>]
ep11_load_host_lib: Error loading shared library 'libep11.so[.3|.2|.1]' [<strerror>]
ep11_login_handler: Error: VHSM-Pin blob of adapter <apqn> is not equal to other adapters
for same session
ep11_login_handler: Error: Pin blob of adapter <apqn> is not equal to other adapters
for same session
ep11_resolve_lib_sym: Error: <dlerror>
ep11tok_load_libica: Error loading shared library '<file>' [<strerror>]
ep11tok_load_libica: Failed to initialize the target lock
ep11tok_load_libica: Error: EP 11 library initialization failed
ep11tok_load_libica: Failed to get the EP11 library version rc=x
ep11tok_load_libica: Failed to get the target info rc=x
ep11tok_load_libica: Error: CKR_IBM_WK_NOT_INITIALIZED occurred, no master key set ?
ep11tok_load_libica: Error: CKR_FUNCTION_CANCELED occurred, control point 13
(generate or derive symmetric keys including DSA parameters) disabled ?
ep11tok_load_libica: Warning: Could not get mk_vp, protected key support not available.
ep11tok_login_session: Error: A VHSM-PIN is required for VHSM_MODE.
ep11tok_handle_apqn_event: Failed to get the target info rc=x
fchmod(<file>): <strerror>
fchown(<file>): <strerror>
fchown(<file>,-1,pkcs11) failed: <strerror>. Tracing is disabled.
getgrnam() failed: <strerror>
getgrnam(pkcs11) failed: <strerror>. Tracing is disabled.
getgrnam(): <strerror>
getpwuid(): <strerror>
init_socket_data: read error on daemon socket, errno=x
init_socket_data: read returned with eof but we still expect x bytes from daemon
Invalid strength configuration in policy!
lock directory path too long
lock file path too long
mkdir(<file>): <strerror>
OPENCRYPTOKI_TRACE_LEVEL '<string>' is invalid. Tracing disabled.
open(<file>) failed: <strerror>. Tracing disabled.
open(<file>): <strerror>
Parsing policy configuration failed!
POLICY: Could not retrieve "pkcs11" group!
POLICY: Could not stat configuration file <file>: <strerror>
POLICY: Configuration file <file> should be owned by "root"
POLICY: Configuration file <file> should have group "pkcs11"!
POLICY: Configuration file <file> has wrong permissions!
POLICY: Unknown curve "<curve>" in line <line>
POLICY: allowedmechs has wrong type!
POLICY: allowedcurves has wrong type!
POLICY: allowedmgfs has wrong type!
POLICY: allowedkdfs has wrong type!
POLICY: allowedprfs has wrong type!
POLICY: Failed to open <file>: <strerror>
POLICY: Could not allocate policy private data!
POLICY: Strength definition <file> failed to parse!
POLICY: Failed to open <file>: <strerror>
POLICY: Policy definition <file> failed to parse!
POLICY VIOLATION: CKM_AES_KEY_GEN needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_AES_KEY_WRAP needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_AES_GCM needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_PKCS5_PBKD2 needed by Token-Store for slot <slot>
POLICY VIOLATION: CKP_PKCS5_PBKD2_HMAC_SHA512 needed by Token-Store for slot <slot>
POLICY VIOLATION: Token-Store encryption method not allowed for slot <slot>!
POLICY VIOLATION: Token-Store requires SHA1 for slot <slot>!
POLICY VIOLATION: Token-Store requires MD5 for slot <slot>!
POLICY VIOLATION: CKM_DES3_KEY_GEN needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_AES_KEY_GEN needed by Token-Store for slot <slot>
POLICY VIOLATION: Unknown Token-Store encryption method for slot <slot>!
POLICY VIOLATION: CKM_AES_KEY_GEN needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_AES_CBC needed by Token-Store for slot <slot>
POLICY VIOLATION: CKM_PKCS5_PBKD2 needed by Token-Store for slot <slot>
POLICY VIOLATION: CKP_PKCS5_PBKD2_HMAC_SHA256 needed by Token-Store for slot <slot>
POLICY VIOLATION: Token-Store encryption key too weak for slot <slot>!
read_adapter_config_file: Error: EP 11 config file ''<file>' not found
read_adapter_config_file: Error: EP 11 config file '<file>' is too large
read_adapter_config_file: Error: Expected APQN_ALLOWLIST, APQN_ANY, LOGLEVEL, FORCE_SENSITIVE,
CPFILTER, STRICT_MODE, VHSM_MODE, OPTIMIZE_SINGLE_PART_OPERATIONS,
PKEY_MODE, DIGEST_LIBICA, or USE_PRANDOM keyword, found '<token>
in config file '<file>'
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>',
expected 'END' or adapter number
read_adapter_config_file: Error: Expected valid adapter number, found '<token>'
in config file '<file>'
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>,
expected domain number (2nd number)
read_adapter_config_file: Error: Expected valid domain number (2nd number), found '<token>'
in config file <file>
read_adapter_config_file: Error: Too many APQNs in config file '<file>'
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>',
expected LOGLEVEL value
read_adapter_config_file: Error: Invalid LOGLEVEL value '<token>' in config file <file>
read_adapter_config_file: Warning: LOGLEVEL setting is not supported any more. Use opencryptoki
logging/tracing facilities instead.
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>',
expected CP-Filter file name
read_adapter_config_file: Error: CP-Filter config file name '<file>' is too long in
config file '<file>'
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>,
expected libica path, 'DEFAULT', or 'OFF'
read_adapter_config_file: Error: libica path '<token>' is too long in config file '<file>'
read_adapter_config_file: Error: Unexpected end of file found in config file '<file>',
expected pkey_mode 0 .. 3
read_adapter_config_file: Error: unsupported pkey mode '<token> in config file '<file>'
read_adapter_config_file: Error: At least one APQN mode needs to be present in config file
'<file>': APQN_ALLOWLIST or APQN_ANY
read_adapter_config_file: Error: Only one APQN mode can be present in config file '<file>':
APQN_ALLOWLIST or APQN_ANY
read_adapter_config_file: Error: At least one APQN needs to be defined in config file '<file>'
read_cp_filter_config_file: Warning: EP 11 CP-filter config file '<file>' does not exist,
no filtering will be used
read_cp_filter_config_file: Error: Expected valid control point name or number,
found '<ftoken>' in CP-filter config file '<file>'
read_cp_filter_config_file: Error: Expected valid mechanism name or number, found '<token>'
in CP-filter config file '<file>'
read_cp_filter_config_file: Error: Out of memory while parsing CP-filter config file '<file>'
SHM segment has wrong gid/mode combination (expected: x/0x; got: x/0x)
start_event_thread: pthread_create failed, errno=x
token_specific_init: Error loading library: 'libcsulcca.so' [<dlerror>]
Trace level x is out of range. Tracing disabled.
Token object <file> appears corrupted (ignoring it)
Tspi_Key_GetPubKey failed: rc=x
Username(<name>) too long
Warning: CCA symmetric master key is not yet loaded
Warning: CCA asymmetric master key is not yet loaded
Warning: Your TPM is not configured to allow reading the public SRK by anyone but the owner.
Use tpm_restrictsrk -a to allow reading the public SRK
Warning: Adapter <apqn1> has different control points than adapter <apqn2>, using minimum
Warning: Adapter <apqn1> has a different number of control points than adapter <apqn2>,
using maximum
Warning: Adapter <apqn1> has a different API versionversion than the previous CEXxP adapters: x
Warning: Adapter <apqn1> has a different firmware version than the previous CEXxP adapters: x.x
Apply tracing
If you successfully checked all issues as described in the previous sections, you may start to exploit the openCryptoki tracing capabilities. If a log level > 0 is activated by setting the environment variable OPENCRYPTOKI_TRACE_LEVEL, then log entries are written to file /var/log/opencryptoki/trace.<process_id>. Application programmers may apply the higher tracing log levels 4 and 5.
For detailed information, read Logging and tracing in openCryptoki.
Final check
Finally, if your openCryptoki environment is successfully set up, you can check your settings using the pkcsconf utility as described in Managing tokens - pkcsconf utility.
Re-initialize a token
In case you need to clean a token and initialize it freshly (for example, because you forgot the SO PIN, or the SO PIN got locked), you can either use the reset sub-command from the pkcstok_admin utility or manually perform the following actions:
- Remove all the files in the token directory (for example, /var/lib/opencryptoki/<token>/), that is, MK_SO, MK_USER, NVTOK.DAT, as well as all files inside TOK_OBJ (but do not remove the TOK_OBJ directory itself).
- Remove the shared memory segment under /dev/shm for that token using the command:
rm /dev/shm/var.lib.opencryptoki.<token>
- Freshly initialize the token using the command pkcsconf -I.
- Set the SO PIN and the User PIN.
Live guest relocation
Do not use openCryptoki versions earlier than 3.24 if the Linux® system may be subject to live guest relocation or migration. This restriction is removed with openCryptoki version 3.24.
Versions of openCryptoki earlier than 3.24 can not support a live guest relocation and operations may fail if such an action is performed.
The reason for this is the use of protected keys which become invalid during such a relocation and will result in a verification pattern mismatch. The code of openCryptoki starting with version 3.24 is instrumented to react to this error by re-establishing the protected key from the key material it was derived from.
Because protected keys are only supported by CCA and EP11 tokens, other tokens are not affected.