Replies: 20 - Last Post: Feb 20, 2008 5:12 AM by: carlsonj
kcfd cpu usage
Posted: Aug 16, 2007 10:49 AM
To: Communities » security » discuss
Is there a baseline amount of cpu usage I can expect from kcfd? On most systems prstat shows 0.0 for kcfd. One of my systems the cpu percentage is 4.2. Not a large amount but it is more than what I see on the other systems.
Thanks.
Re: kcfd cpu usage
Posted: Aug 16, 2007 11:53 AM
in response to: dwconsul
To: Communities » security » discuss
Cc: Projects » crypto » discuss
> Is there a baseline amount of cpu usage I can expect
> from kcfd?
There is no baseline because it varies depending on what is running on the system.
> On most systems prstat shows 0.0 for kcfd.
> One of my systems the cpu percentage is 4.2. Not a
> large amount but it is more than what I see on the
> other systems.
kcfd does the signature verification on a PKCS #11 library whenever a PKCS #11 application runs. This consumes CPU cycles as it is an RSA verify operation. Is the system running any PKCS #11 applications? These can be commands like encrypt(1), digest(1) or apps like SJS web server. You could use a DTrace script to find out if you don't know which process(es) is causing kcfd to do the verification.
-Krishna
Re: kcfd cpu usage
Posted: Aug 16, 2007 2:14 PM
in response to: krishna
To: Communities » security » discuss
Krishna:
Thanks for the info. Is there a system call to watch via dtrace that process(es) would use to cause kcfd to do verification?
Thanks.
Re: kcfd cpu usage
Posted: Aug 16, 2007 2:39 PM
in response to: dwconsul
Dan Weinman wrote:
> Krishna:
>
> Thanks for the info. Is there a system call to watch via dtrace that process(es) would use to cause kcfd to do verification?
>
You can run
# ./opensnoop -f /var/run/kcfd_door
and see which process is causing kcfd activity.
You can get opensnoop from the DTrace tool kit at http://opensolaris.org/os/community/dtrace/dtracetoolkit/
-Krishna
_______________________________________________
security-discuss mailing list
security-discuss at opensolaris dot org
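
One way to turn the opensnoop output from the command above into a per-command summary of who is opening the kcfd door, as an added example that is not part of the original thread. It assumes opensnoop's default column layout (UID PID COMM FD PATH); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise which commands opened the kcfd door file.
# Assumption: opensnoop prints its default columns: UID PID COMM FD PATH.

KCFD_DOOR=/var/run/kcfd_door

# Read opensnoop output on stdin and print "count command pid,pid,..."
# lines, busiest command first. The header, opens of other files and
# failed opens (FD of -1) are ignored.
kcfd_callers() {
    awk -v door="$KCFD_DOOR" '
        $1 == "UID"  { next }            # column header
        NF < 5       { next }            # blank or truncated line
        $NF != door  { next }            # some other file
        $4 < 0       { next }            # the open failed
        {
            count[$3]++
            if (!seen[$3, $2]++)         # list each distinct PID once
                pids[$3] = (pids[$3] == "" ? $2 : pids[$3] "," $2)
        }
        END {
            for (c in count)
                printf "%d %s %s\n", count[c], c, pids[c]
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample of opensnoop output (not captured from a real system).
sample_opensnoop() {
    cat <<'EOF'
  UID    PID COMM          FD PATH
    0   1201 digest         3 /var/run/kcfd_door
  100   1344 webservd       7 /var/run/kcfd_door
    0   1207 digest         3 /var/run/kcfd_door
    0   1207 digest         4 /etc/crypto/pkcs11.conf
  100   1344 webservd      -1 /var/run/kcfd_door
    0   1215 digest         3 /var/run/kcfd_door
EOF
}

# On the affected system, capture for a while and then summarise:
#   ./opensnoop -f /var/run/kcfd_door > /tmp/kcfd.out    (stop with Ctrl-C)
#   kcfd_callers < /tmp/kcfd.out
if [ "${1:-}" = "--demo" ]; then
    sample_opensnoop | kcfd_callers
fi
```

A command that shows up with many distinct PIDs is being started repeatedly, which lines up with the explanation above that kcfd verifies the library whenever a PKCS #11 application runs.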
How could community users download SUNWcry package
Posted: Aug 16, 2007 6:26 PM
in response to: krishna
Hi,
A community user (outside SWAN) needs to download the snv_66 related SUNWcry package, where could he download?
Thanks,
-- Quaker
Valerie Bubb Fe...
Valerie.Fenwick@Sun....
Re: How could community users download SUNWcry package
Posted: Aug 16, 2007 9:53 PM
in response to: quaker
On Fri, 17 Aug 2007, Quaker Fang wrote:
> Hi,
>
> A community user (outside SWAN) needs to download the snv_66 related
> SUNWcry package,
> where could he download?
We don't have those up anywhere for download at this time... there is a project in the works (it's on my plate now) to make that package obsolete. I hope to make some progress on that soon, so community users won't need it.
Valerie
--
Now appearing as "Lady with Baby" and an enchanted "Plate" in "Beauty and the Beast" at SDG http://www.saratogadramagroup.com/ Sept 22 - Oct 13. Tickets: (408) 266-4734 http://blogs.sun.com/bubbva
Re: How could community users download SUNWcry package
Posted: Aug 28, 2007 11:20 AM
in response to: Valerie Bubb Fe...
On 8/16/07, Valerie Bubb Fenwick <Valerie dot Fenwick at sun dot com> wrote:
> On Fri, 17 Aug 2007, Quaker Fang wrote:
> > Hi,
> >
> > A community user (outside SWAN) needs to download the snv_66 related
> > SUNWcry package,
> > where could he download?
> We don't have those up anywhere for download at this time... there
> is a project in the works (it's on my plate now) to make that package obsolete. I hope to make some progress on that soon, so community users won't need it.
> Valerie
> --
Valerie,
In the mean time, is it possible to use the released S8 SUNWcry(*) for snv_*? S10 happily accepted it, the last time I tried - it also resolved patch signature verification problems.
Cheers,
/David
Re: How could community users download SUNWcry package
Posted: Aug 29, 2007 1:29 AM
in response to: davidk
David Kleiner wrote:
> In the mean time, is it possible to use the released S8 SUNWcry(*) for
> snv_*? S10 happily accepted it, the last time I tried - it also
> resolved patch signature verification problems.
No, the contents of SUNWcry in Solaris 8 and Solaris 9 were things that were restricted from export from the US. For Solaris 10 the US export law had changed so that was no longer an issue. However at the time of development there was still an import issue for some countries with symmetric ciphers that have keylength > 128 bit. We reprovisioned the SUNWcry/SUNWcryr packages to mean "import restricted" rather than "US export restricted" (the reason we did this was because of how Solaris is assembled in the RE process).
While the S8 or S9 or even S10 packages may well install on snv they will not work properly. The S8/S9 ones will very likely damage the Kerberos install. The S10 ones on Nevada will break OpenSSL (depending on the application you may see "random" core dumps that are very hard to explain). Installing the S10 ones on Nevada will leave you with a working pkcs11_softtoken but it won't have the bug fixes and features added in Nevada.
-- Darren J Moffat
Re: [crypto-discuss] How could community users download SUNWcry package
Posted: Dec 6, 2007 2:43 AM
in response to: davidk
David Kleiner wrote:
> On 8/16/07, *Valerie Bubb Fenwick* <Valerie dot Fenwick at sun dot com
> <mailto:Valerie dot Fenwick at sun dot com>> wrote:
>
>     On Fri, 17 Aug 2007, Quaker Fang wrote:
>
>     > Hi,
>     >
>     > A community user (outside SWAN) needs to download the snv_66 related
>     > SUNWcry package,
>     > where could he download?
>
>     We don't have those up anywhere for download at this time... there
>     is a project in the works (it's on my plate now) to make that package
>     obsolete. I hope to make some progress on that soon, so community
>     users won't need it.
>
>     Valerie
>     --
>
>
> Valerie,
>
> In the mean time, is it possible to use the released S8 SUNWcry(*) for
> snv_*? S10 happily accepted it, the last time I tried - it also
> resolved patch signature verification problems.
I don't know if this was answered or not but not only can you not use Solaris 8 packages on Nevada you MUST use the ones that *exactly* match the Nevada build you are running. If you don't you are running a very high risk of getting crashes in at least applications using OpenSSL and possibly in some cases a kernel panic too.
-- Darren J Moffat
Valerie Bubb Fe...
Valerie.Fenwick@Sun....
Re: [crypto-discuss] How could community users download SUNWcry package
Posted: Dec 6, 2007 11:20 AM
in response to: darrenm
On Thu, 6 Dec 2007, Darren J Moffat wrote:
> David Kleiner wrote:
>> On 8/16/07, *Valerie Bubb Fenwick* <Valerie dot Fenwick at sun dot com
>> <mailto:Valerie dot Fenwick at sun dot com>> wrote:
>>
>>     On Fri, 17 Aug 2007, Quaker Fang wrote:
>>
>>     > Hi,
>>     >
>>     > A community user (outside SWAN) needs to download the snv_66 related
>>     > SUNWcry package,
>>     > where could he download?
>>
>>     We don't have those up anywhere for download at this time... there
>>     is a project in the works (it's on my plate now) to make that package
>>     obsolete. I hope to make some progress on that soon, so community
>>     users won't need it.
>>
>>     Valerie
>>     --
>>
>>
>> Valerie,
>>
>> In the mean time, is it possible to use the released S8 SUNWcry(*) for
>> snv_*? S10 happily accepted it, the last time I tried - it also
>> resolved patch signature verification problems.
>
> I don't know if this was answered or not but not only can you not use
> Solaris 8 packages on Nevada you MUST use the ones that *exactly* match
> the Nevada build you are running. If you don't you are running a very
> high risk of getting crashes in at least applications using OpenSSL and
> possibly in some cases a kernel panic too.
Hi David & Darren -
I'm not sure if this was ever responded to, I'm sorry about that.
You might be able to install S8 SUNWcry(*) packages on S10, but they won't have the desired effect - they contain completely different binaries than what shipped in the S10 SUNWcry* packages.
But, the best solution for you in the mean time is to get these binaries from the SUNWcry & SUNWcryr packages in the on-closed-bins.*.tar files. (which is a slight misnomer, because these are not actually closed source files, but they are not normally included in the distribution)
Those are available here: http://dlc.sun.com/osol/on/downloads/current/
Valerie
--
Valerie Fenwick, http://blogs.sun.com/bubbva
Solaris Security Technologies, Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025. 650-786-0461
Re: [crypto-discuss] How could community users download SUNWcry package
Posted: Dec 10, 2007 10:11 PM
in response to: Valerie Bubb Fe...
Hi Valerie,
Valerie Bubb Fenwick wrote:
> ... But, the best solution for you in the mean time is to get these
> binaries
> from the SUNWcry & SUNWcryr packages in the on-closed-bins.*.tar files.
> (which is a slight misnomer, because these are not actually closed
> source files, but they are not normally included in the distribution)
>
> Those are available here:
> http://dlc.sun.com/osol/on/downloads/current/
I downloaded the on-closed-bins.*.tar, but I couldn't find the libssl_extra.so.0.9.8 and libcrypto_extra.so.0.9.8 under usr/sfw/lib, did I miss something?
Thanks
-- Quaker
> > Valerie
Valerie Bubb Fe...
Valerie.Fenwick@Sun....
Re: [crypto-discuss] How could community users download SUNWcry package
Posted: Dec 12, 2007 5:30 PM
in response to: quaker
On Tue, 11 Dec 2007, Quaker Fang wrote:
> Hi Valerie,
>
> Valerie Bubb Fenwick wrote:
>
>> ... But, the best solution for you in the mean time is to get these
>> binaries
>> from the SUNWcry & SUNWcryr packages in the on-closed-bins.*.tar files.
>> (which is a slight misnomer, because these are not actually closed
>> source files, but they are not normally included in the distribution)
>>
>> Those are available here:
>> http://dlc.sun.com/osol/on/downloads/current/
>
> I downloaded the on-closed-bins.*.tar, but I couldn't find the
> libssl_extra.so.0.9.8
> and libcrypto_extra.so.0.9.8 under usr/sfw/lib, did I miss something?
Hi Quaker -
Ah, I'm sorry - it looks like it is missing from there. The rest of the bits seem to be there, though. I'll see if I can find out who maintains those packages now that stevel isn't doing it anymore.
Thanks!
Valerie
--
Valerie Fenwick, http://blogs.sun.com/bubbva
Solaris Security Technologies, Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025. 650-786-0461
Re: How could community users download SUNWcry package
Posted: Feb 19, 2008 6:22 AM
in response to: quaker
To: Communities » security » discuss
Hiyall :)
I've just had the exact same problem of downloading the SUNWcry packages. I'm fortunate enough to have a support contract with Sun through my company! So I called up tech support. And it turns out that if you create an account at sunsolve.sun.com you can get it.
Download -> See All >> -> Cryptography & Encryption.
Here you should choose the "Solaris 10 Encryption Kit"! That's the name of the three package iso containing the SUNWcry* packages.
I burned the iso to cd and installed the 3 packages from there. After that I've had no problems at all getting a dhcp ip on my wpi0 interface on a WPA protected wifi.
Thought I should clarify :) Let me know if you have requests / questions ;)
Darren J Moffat
darrenm@opensolaris....
Re: How could community users download SUNWcry package
Posted: Feb 19, 2008 6:29 AM
in response to: saurion
Kim Tingkær wrote:
> Hiyall :)
>
> I've just had the exact same problem of downloading the SUNWcry packages. I'm fortunate enough to have a support contract with Sun through my company! So I called up tech support. And it turns out that if you create an account at sunsolve.sun.com you can get it.
>
> Download -> See All >> -> Cryptography & Encryption.
>
> Here you should choose the "Solaris 10 Encryption Kit"! That's the name of the three package iso containing the SUNWcry* packages.
>
> I burned the iso to cd and installed the 3 packages from there. After that I've had no problems at all getting a dhcp ip on my wpi0 interface on a WPA protected wifi.
>
DO NOT install the S10 packages on Solaris Express or Indiana builds: it WILL break, you WILL get application core dumps and maybe even a kernel panic.
-- Darren J Moffat
Re: How could community users download SUNWcry package
Posted: Feb 19, 2008 6:52 AM
in response to: Darren J Moffat
To: Communities » security » discuss
Hi Darren :)
It is the first time I hear that, and I will take your word for it! But I installed the packages before your response and it seems to work. My laptop crashed 2 times - once yesterday (before the SUNWcry install) and once today after the installation. Both times right when I move the mouse trying to get the desktop from behind the screensaver. Doesn't seem related. But what kind of problem should I expect? Have you seen this breaking before?
And shouldn't someone have mentioned this, as strongly as you do here, earlier in some of the other discussions about dhcp over wpa protected wifi?
Best regards.
Darren J Moffat
darrenm@opensolaris....
Re: How could community users download SUNWcry package
Posted: Feb 19, 2008 7:03 AM
in response to: saurion
Kim Tingkær wrote:
> Hi Darren :)
>
> It is the first time I hear that, and I will take your word for it!
Since I was the one that designed and created the SUNWcry stuff for Solaris 10 (we reused the same package names from earlier releases but for a different purpose).
> But I installed the packages before your response and it seems to work. My laptop crashed 2 times - once yesterday (before the SUNWcry install) and once today after the installation. Both times right when I move the mouse trying to get the desktop from behind the screensaver.
> Doesn't seem related. But what kind of problem should I expect? Have you seen this breaking before?
Applications using OpenSSL may core dump.
The kernel may crash in the aes, blowfish, arcfour providers or in the kcf framework.
Without seeing the actual dumps you got (assuming there was any) I can't say if your symptoms are caused by mismatched SUNWcry.
> And shouldn't someone have mentioned this, as strongly as you do here, earlier in some of the other discussions about dhcp over wpa protected wifi?
I and others have several times.
It is also documented http://opensolaris.org/os/project/crypto/Documentation/sunwcry/
(though under Solaris Updates rather than Nevada).
Hopefully the SUNWcry stuff will be gone soon - it is being actively worked on.
-- Darren J Moffat
Re: How could community users download SUNWcry package
Posted: Feb 19, 2008 10:35 PM
in response to: Darren J Moffat
To: Communities » security » discuss
Hi everyone,
Sorry about all the fuzz! :) I didn't see that document, no wonder people were so quiet about how to get the SUNWcry similar functions to work in nevada.
When I got home from work and started testing on my wpa protected wifi there I didn't get the result I wanted. In fact the situation was exactly the same. It took a reboot to get dladm to connect, and ifconfig wpi0 auto-dhcp didn't get an ip at all. I had to configure it manually.
So the conclusion is that I'll uninstall the packages :) And hope my system is still alive after.
And I'm new to nevada so in time I think I'll learn to use the resource hehe
Re: How could community users download SUNWcry package
Posted: Feb 19, 2008 5:42 PM
in response to: Darren J Moffat
On Tue, Feb 19, 2008 at 02:29:49PM +0000, Darren J Moffat wrote:
> Kim Tingkær wrote:
> > Hiyall :)
> >
> > I've just had the exact same problem of downloading the SUNWcry packages. I'm fortunate enough to have a support contract with Sun through my company! So I called up tech support. And it turns out that if you create an account at sunsolve.sun.com you can get it.
> >
> > Download -> See All >> -> Cryptography & Encryption.
> >
> > Here you should choose the "Solaris 10 Encryption Kit"! That's the name of the three package iso containing the SUNWcry* packages.
> >
> > I burned the iso to cd and installed the 3 packages from there. After that I've had no problems at all getting a dhcp ip on my wpi0 interface on a WPA protected wifi.
> >
>
> DO NOT install the S10 packages on Solaris Express or Indiana builds: it
> WILL break, you WILL get application core dumps and maybe even a kernel
> panic.
I'm surprised the packaging allowed S10 packages that are not forward compat to be installed on Solaris Express. Bug?
-- Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
Re: How could community users download SUNWcry package
Posted: Feb 19, 2008 10:45 PM
in response to: willf
To: Communities » security » discuss
I was wondering, is there no cross compatibility with S10 at all? Or are there restrictions on what base code can be changed in opensolaris so that some cross compatibility remains?
I mean won't it, if opensolaris branches off too far, present a problem porting future software to S10? I kind of understood from the "Project Overview" page that opensolaris somehow is a platform for developing new functionality for S10... Or have I got it all wrong?
Best regards
Re: How could community users download SUNWcry package
Posted: Feb 20, 2008 5:12 AM
in response to: saurion
Kim Tingkær writes:
> I was wondering, is there no cross compatibility with S10 at all? Or are there restrictions on what base code can be changed in opensolaris so that some cross compatibility remains?
The restriction is fairly simple: unless otherwise specified, no core OS package from any part of any release of Solaris or OpenSolaris is supported on any other release of Solaris or OpenSolaris.
This is just a restriction on the core OS packages.
For third party packages, something compiled on an old release of Solaris will install and run on a new release. We support compatibility for third-party applications, not for random hunks of the OS implementation itself.
> I mean won't it, if opensolaris branches off too far, present a problem porting future software to S10? I kind of understood from the "Project Overview" page that opensolaris somehow is a platform for developing new functionality for S10... Or have I got it all wrong?
The issues aren't really related. The issue here is that you can't take a core part of the OS implementation and install it on a different release of the OS and expect that to work.
Applications developed on S10 will work on OpenSolaris-based releases. And something developed on (say) S7 will work on S8, S9, S10, and so on.
As for the web page you're looking at, I think that's a marketing position paper. The idea is that OpenSolaris-based distributions are friendlier for developers, so you should do your work there and then recompile on S10. Binary compatibility actually works in the other direction, though -- applications from old releases work on new ones, not the reverse.
--
James Carlson, Solaris Networking <james dot d dot carlson at sun dot com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
Darren J Moffat
darrenm@opensolaris....
Re: How could community users download SUNWcry package
Posted: Feb 20, 2008 3:55 AM
in response to: willf
Will Fiveash wrote:
> On Tue, Feb 19, 2008 at 02:29:49PM +0000, Darren J Moffat wrote:
>> Kim Tingkær wrote:
>>> Hiyall :)
>>>
>>> I've just had the exact same problem of downloading the SUNWcry packages. I'm fortunate enough to have a support contract with Sun through my company! So I called up tech support. And it turns out that if you create an account at sunsolve.sun.com you can get it.
>>>
>>> Download -> See All >> -> Cryptography & Encryption.
>>>
>>> Here you should choose the "Solaris 10 Encryption Kit"! That's the name of the three package iso containing the SUNWcry* packages.
>>>
>>> I burned the iso to cd and installed the 3 packages from there. After that I've had no problems at all getting a dhcp ip on my wpi0 interface on a WPA protected wifi.
>>>
>> DO NOT install the S10 packages on Solaris Express or Indiana builds: it
>> WILL break, you WILL get application core dumps and maybe even a kernel
>> panic.
>
> I'm surprised the packaging allowed S10 packages that are not forward
> compat to be installed on Solaris Express. Bug?
Not a bug; there is, to my knowledge, no such concept in the SVR4 packaging - at least the way we use it for Solaris - that would actually catch this.
Given SVR4 is not the future and the opensolaris.org pkg project is, I don't see this changing.
-- Darren J Moffat