Saturday, August 25, 2012

AIX: cfgmgr returns "cfgpkcs11 -l pkcs11 0514-040 Error initializing a device into the kernel" after cloning AIX from a mksysb over NIM

When cloning AIX 6.1 TL7 SP4 from a mksysb, the following error message appears during the first boot and the boot process takes too long:

    0 Method error (/usr/lib/methods/cfgpkcs11 -l pkcs11 ):
    0      0514-040 Error initializing a device into the kernel.

Running cfgmgr returns the same error:

    cfgmgr
    Method error (/usr/lib/methods/cfgpkcs11 -l pkcs11 ):
              0514-040 Error initializing a device into the kernel.

Running cfgmgr in verbose mode shows more detail:

    cfgmgr -v
    ----------------
    attempting to configure device 'pkcs11'
    Time: 1 LEDS: 0x7fff
    invoking /usr/lib/methods/cfgpkcs11 -l pkcs11 Number of running methods: 1
    ----------------
    Completed method for: pkcs11, Elapsed time = 3 return code = 40
    ****************** no stdout ***********
    ****************** stderr ***********
    cfgpkcs11: configure driver
    cfgpkcs11: retrieving CuAt and PdAt attributes
    cfgpkcs11: Failed to query Y4 device, driver is NOT loaded (pci/y4cryptdd)
    cfgpkcs11: errno = 109
    cfgpkcs11: kernel module id = 50c73000
    cfgpkcs11: Calling genmajor()
    cfgpkcs11: Returned major number: 42
    cfgpkcs11: Calling getminor()
    cfgpkcs11: Calling genminor()
    cfgpkcs11: Returned from genminor()
    cfgpkcs11: minor number: 0
    cfgpkcs11: Calling mk_sp_file()
    cfgpkcs11: Returned from mk_sp_file()
    cfgpkcs11: Pass DDS to driver via sysconfig()
    cfgpkcs11: configuring device, errno =22

Listing the devices in the Defined state shows the pkcs11 device:

    asrv01lpar12:/ # lsdev -Cc adapter | grep Defined
    pkcs11 Defined         PKCS#11 Device

These steps resolve the problem with cfgmgr:

    cfgmgr
    Method error (/usr/lib/methods/cfgpkcs11 -l pkcs11 ):
           0514-040 Error initializing a device into the kernel.
    rmdev -l pkcs11
      pkcs11 Defined
    mv /var/security/pkcs11/meta /tmp/pkcs11_meta
    ll /var/security/pkcs11/tokens
    total 0
    dr-x------    2 root     system          256 Jan 28 2012  .
    dr-x------    3 root     system          256 Aug 14 19:55 ..
    mkdev -l pkcs11
    pkcs11 Available
    cfgmgr

Conclusion:

This seems to be a bug in AIX: the file /var/security/pkcs11/meta is host-specific once pkcs11 has been initialized, so it should not be restored during a mksysb restore when the option to recover devices is set to no.
The meta file from one host is totally invalid on other hosts.
The meta file should not exist in a NEW complete system installation.
It is created when the pkcs11 device driver is loaded and configured for the very first time on that host.

Solution:

To ensure that a NIM mksysb image works on the hosts being installed, we need to exclude /var/security/pkcs11/meta and /var/security/pkcs11/tokens when creating the mksysb image for NIM installation.
However, /var/security/pkcs11/meta and /var/security/pkcs11/tokens should be included in the mksysb when it is used for backup purposes only.
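
One way to apply the exclusion, as an added example that is not part of the original post: `mksysb -e` skips files matching the grep patterns listed in /etc/exclude.rootvg, which are matched against paths written as `./dir/file`. The function names are hypothetical, and the second function only emulates that matching with `grep -v -f` so the patterns can be checked against a file list before an image is built.

```shell
#!/bin/sh
# Added example: keep host-specific PKCS#11 state out of a mksysb that will be
# used for cloning. Function names are hypothetical, not AIX commands.

# Patterns in exclude.rootvg syntax (grep patterns, paths start with "./").
PKCS11_PATTERNS='^./var/security/pkcs11/meta
^./var/security/pkcs11/tokens'

# add_pkcs11_excludes [FILE]
# Append each pattern to the exclude file unless that exact line is already
# present, so running it repeatedly never duplicates entries.
add_pkcs11_excludes() {
    excl_file=${1:-/etc/exclude.rootvg}
    touch "$excl_file" || return 1
    printf '%s\n' "$PKCS11_PATTERNS" | while IFS= read -r pat; do
        grep -qxF -e "$pat" "$excl_file" || printf '%s\n' "$pat" >> "$excl_file"
    done
}

# leaked_pkcs11_paths [FILE] < file-list
# Reads a list of paths ("./var/...", one per line) on stdin, drops everything
# the exclude file matches (assumption: same effect as mksysb -e), and prints
# any PKCS#11 state paths that would still end up in the image.
# Returns 0 when nothing leaks, 1 otherwise.
leaked_pkcs11_paths() {
    excl_file=${1:-/etc/exclude.rootvg}
    leaked=$(grep -v -f "$excl_file" |
        grep -E '^\./var/security/pkcs11/(meta|tokens)(/|$)') || true
    [ -z "$leaked" ] && return 0
    printf '%s\n' "$leaked"
    return 1
}

# On the source LPAR (AIX), for an image intended for cloning:
#   add_pkcs11_excludes && mksysb -e -i <image file>
# For a backup-only mksysb, run mksysb without -e so the files are kept.
```

The `-e` flag is what makes the difference between the two kinds of image described above: the same exclude file can stay in place while backup-only images are taken without it.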

