Applying openCryptoki 2.4-0.11.1 Breaks Crypto Group Access

  • 7011884
  • 05-Mar-2013
  • 21-Mar-2013

Environment

SUSE Linux Enterprise Server 11 Service Pack 2

Situation

Applying the openCryptoki 2.4-0.11.1 patch results in the following error when trying to access the crypto engine:

Error initializing the PKCS11 library: 0x6 (CKR_FUNCTION_FAILED)

Resolution

The issue has been reported to engineering, but the following workaround will remedy the issue:

Workaround
In a terminal logged in as root, browse to the /var/lock folder and change the permissions on the opencryptoki folder from 700 to 770. This grants the group read/write/execute permissions on the folder, which the group needs for openCryptoki to work.

    1. cd /var/lock
    2. chmod 770 opencryptoki

In the long listing output, the file permissions should look like:

    drwxrwx--- 2 root pkcs11 4096 Nov 14 23:49 opencryptoki/
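
The workaround above as an idempotent check-and-repair script. This is an added example, not code from SUSE or the openCryptoki project; the function names are hypothetical, and it assumes GNU stat (`stat -c`) as found on Linux.

```shell
#!/bin/sh
# Added example: audit and repair the openCryptoki lock directory mode.
# Function names are hypothetical; assumes GNU coreutils stat (-c option).

# Print the octal permission mode of a directory, e.g. 700 or 770.
lock_dir_mode() {
    stat -c '%a' "$1"
}

# Return 0 if the group has full rwx access to the directory.
group_has_access() {
    mode=$(lock_dir_mode "$1") || return 2
    # Interpret the mode as octal and isolate the group permission digit.
    group_digit=$(( (0$mode >> 3) & 7 ))
    [ "$group_digit" -eq 7 ]
}

# Check the lock directory and apply chmod 770 only when it is needed.
# With no argument, the path from this article is used.
fix_lock_dir() {
    dir=${1:-/var/lock/opencryptoki}
    if [ ! -d "$dir" ]; then
        echo "missing: $dir" >&2
        return 2
    fi
    # The article's listing shows group pkcs11; warn if it differs.
    grp=$(stat -c '%G' "$dir")
    [ "$grp" = "pkcs11" ] || echo "warning: $dir group is $grp, not pkcs11" >&2
    if group_has_access "$dir"; then
        echo "ok: $dir mode $(lock_dir_mode "$dir")"
        return 0
    fi
    echo "fixing: $dir mode $(lock_dir_mode "$dir") -> 770"
    chmod 770 "$dir"
}
```

Run `fix_lock_dir` as root after sourcing the script. The mode is set to 770 rather than anything wider so that access stays limited to root and the directory's group.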

Cause

When installed, openCryptoki 2.4-0.11.1 creates a folder /var/lock/opencryptoki.  Upon creation, the default permissions are set to 700:

    drwx------ 2 root pkcs11 4096 Nov 14 23:49 opencryptoki/

which does not allow group access to the directory for pkcs11.  Without group access, root is the only user that can use the crypto engine.

Additional Information

Issue reported to engineering
