On 15.8.2016 12:14, Guido Schmitz wrote:
> On 12.08.2016 13:58, Petr Spacek wrote:
>> On 12.8.2016 13:26, Guido Schmitz wrote:
>>> Hi!
>>>
>>> I want to migrate my existing DNS setup to FreeIPA. As this existing
>>> setup already uses DNSSEC, I want to import my current DNSSEC keys into
>>> FreeIPA to have a smooth transition over to IPA's DNS. (The authoritative
>>> DNS servers for the zones are set up as slaves that get the zone via
>>> AXFR and can seamlessly switch to AXFR from IPA.)
>>>
>>> In my test migration, I have created the DNS zone I want to migrate in
>>> FreeIPA and have enabled DNSSEC.
>>>
>>> As far as I understand IPA's implementation of DNSSEC, OpenDNSSEC takes
>>> care of key management and key rollover [1]. Hence, I have imported my
>>> existing DNSSEC keys to OpenDNSSEC according to OpenDNSSEC's HOWTO [2]
>>> and OpenDNSSEC correctly shows the imported keys along with the DNSSEC
>>> keys generated by IPA.
>>>
>>> I thought that ipa-dnskeysyncd would take care of syncing the keys from
>>> OpenDNSSEC to 389 LDAP, but this does not happen: in 389 LDAP, only the
>>> keys initially created by IPA (while enabling DNSSEC for this zone)
>>> exist and hence only these keys are used to sign the zone.
>>>
>>> Do I need to manually insert my existing DNSSEC keys into the LDAP or
>>> take some other additional steps?
>>
>> Hello!
>>
>> In theory ipa-dnskeysyncd should take care of it. The important step is to
>> ensure that all the imported keys have the CKA_EXTRACTABLE PKCS#11 flag (in
>> SoftHSM) set to TRUE, otherwise the synchronization will not work.
>
> That seems to be my problem: the CKA_EXTRACTABLE flag is not set on the
> imported keys. I do not have any clue on how to set this flag.
>
> I have used the following command to import the keys:
>
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
> --import ksk.pem --slot 0 --pin *PIN* --label ipaDNSSEC --id *ID*
>
> softhsm2-util does not seem to have any parameter to set the
> CKA_EXTRACTABLE flag.
>
> Are there other ways to import keys into the SoftHSM that allow setting
> this flag?

Any tool which can do key import from a file into a PKCS#11 token should
work, in theory.

If you do not find any such tool, it will be easiest to patch softhsm2-util
to set the flag to TRUE on import. I'm attaching a quick and dirty patch
which should do the job (for softhsm compiled against OpenSSL).

1. Get the sources:
$ git clone https://github.com/opendnssec/SoftHSMv2.git

2. Apply the patch:
git am 0001-HACK-for-OpenSSL-version-import-all-keys-with-CKA_EX.patch

3. Use the how-to https://github.com/opendnssec/SoftHSMv2/#installation to
compile the tool.

4. You do not need to install the library into system paths; just execute
the softhsm2-util binary from the build directory to do the import and use
the standard library as before.

I hope it will help. Please let me know your findings so I can submit an
improved patch upstream (if we were successful).

> Or is there a possibility to modify the flag later (although
> this would be contrary to the idea of an "HSM")?

It is not possible to change it after object creation for the reasons
stated above.

Petr^2 Spacek

>
> -Guido
>
>
>> Please note that we never tested this, so the following text is just
>> untested theory:
>>
>> Start with the usual DNSSEC debugging for FreeIPA:
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>
>> Besides all other things, I would double-check that (on the FreeIPA DNSSEC
>> key master server):
>> 1) ods-ksmutil key list --verbose
>> shows the imported keys in state active or publish
>>
>> 2) Command
>> python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py
>> shows that keys are CKA_EXTRACTABLE.
>>
>> 3) If all of the above seems to be okay, check logs for the ipa-dnskeysyncd
>> and ipa-ods-exporter services:
>> journalctl -u ipa-dnskeysyncd -u ipa-ods-exporter
>>
>> ipa-ods-exporter is the piece doing the dirty export work.
>>
>> I hope it helps.
>>
>> Petr^2 Spacek
>>
>>
>>> Cheers,
>>> -Guido
>>>
>>> [1] https://www.freeipa.org/page/V4/DNSSEC_Support#Implementation
>>> [2] https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC
From aaf7a47f2d45d8b4f170a386a48898dae26e71b7 Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Mon, 15 Aug 2016 13:41:38 +0200 Subject: [PATCH] HACK for OpenSSL version: import all keys with CKA_EXTRACTABLE = TRUE --- src/bin/util/softhsm2-util-ossl.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/bin/util/softhsm2-util-ossl.cpp b/src/bin/util/softhsm2-util-ossl.cpp index eaec9ce..8e06e9f 100644 --- a/src/bin/util/softhsm2-util-ossl.cpp +++ b/src/bin/util/softhsm2-util-ossl.cpp @@ -260,7 +260,7 @@ int crypto_save_rsa { CKA_SENSITIVE, &ckTrue, sizeof(ckTrue) }, { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, { CKA_PRIVATE, &ckTrue, sizeof(ckTrue) }, - { CKA_EXTRACTABLE, &ckFalse, sizeof(ckFalse) }, + { CKA_EXTRACTABLE, &ckFalse, sizeof(ckTrue) }, { CKA_PUBLIC_EXPONENT, keyMat->bigE, keyMat->sizeE }, { CKA_MODULUS, keyMat->bigN, keyMat->sizeN }, { CKA_PRIVATE_EXPONENT, keyMat->bigD, keyMat->sizeD }, @@ -421,7 +421,7 @@ int crypto_save_dsa { CKA_SENSITIVE, &ckTrue, sizeof(ckTrue) }, { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, { CKA_PRIVATE, &ckTrue, sizeof(ckTrue) }, - { CKA_EXTRACTABLE, &ckFalse, sizeof(ckFalse) }, + { CKA_EXTRACTABLE, &ckFalse, sizeof(ckTrue) }, { CKA_PRIME, keyMat->bigP, keyMat->sizeP }, { CKA_SUBPRIME, keyMat->bigQ, keyMat->sizeQ }, { CKA_BASE, keyMat->bigG, keyMat->sizeG }, @@ -556,7 +556,7 @@ int crypto_save_ecdsa { CKA_SENSITIVE, &ckTrue, sizeof(ckTrue) }, { CKA_TOKEN, &ckTrue, sizeof(ckTrue) }, { CKA_PRIVATE, &ckTrue, sizeof(ckTrue) }, - { CKA_EXTRACTABLE, &ckFalse, sizeof(ckFalse) }, + { CKA_EXTRACTABLE, &ckFalse, sizeof(ckTrue) }, { CKA_EC_PARAMS, keyMat->derParams, keyMat->sizeParams }, { CKA_VALUE, keyMat->bigD, keyMat->sizeD } }; -- 2.7.4
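Review bot: In all three hunks (crypto_save_rsa, crypto_save_dsa and crypto_save_ecdsa) the CKA_EXTRACTABLE entry still passes `&ckFalse`; only the length was changed from `sizeof(ckFalse)` to `sizeof(ckTrue)`, and since both are CK_BBOOL those lengths are equal, so the patch is a no-op and keys are still imported with CKA_EXTRACTABLE = FALSE, contrary to the subject line. Each of the three `+` lines should read `{ CKA_EXTRACTABLE, &ckTrue, sizeof(ckTrue) },`. Before the "improved patch" goes upstream, the hard-coded TRUE should become an opt-in command-line switch rather than the new default for every import, and the change needs to be mirrored in the Botan build of the utility, since this patch covers only the OpenSSL variant as its subject says.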
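The attached patch edits only the length field of the CKA_EXTRACTABLE template entry and leaves `pValue` pointing at `ckFalse`. The following is an added example, not SoftHSM or FreeIPA code, that models the PKCS#11 attribute template softhsm2-util builds before `C_CreateObject` and adds a small lookup helper so the value each variant would actually write to the token can be checked. The `CK_*` typedefs and constants are local copies of the standard PKCS#11 definitions (only the attributes used here are defined), and `templateBool`, `extractableAsPatched` and `extractableIntended` are names chosen for this example.

```cpp
// Added example (not SoftHSM or FreeIPA code): minimal model of the PKCS#11
// attribute template built on key import, plus a checker for what a boolean
// attribute such as CKA_EXTRACTABLE resolves to. The CK_* definitions mirror
// the standard pkcs11.h values so the file builds without the header.
#include <cstddef>
#include <cstdio>

typedef unsigned long CK_ULONG;
typedef unsigned long CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
static const CK_BBOOL CK_TRUE  = 1;
static const CK_BBOOL CK_FALSE = 0;
static const CK_ATTRIBUTE_TYPE CKA_CLASS       = 0x000UL;
static const CK_ATTRIBUTE_TYPE CKA_TOKEN       = 0x001UL;
static const CK_ATTRIBUTE_TYPE CKA_PRIVATE     = 0x002UL;
static const CK_ATTRIBUTE_TYPE CKA_SENSITIVE   = 0x103UL;
static const CK_ATTRIBUTE_TYPE CKA_EXTRACTABLE = 0x162UL;
static const CK_ULONG CKO_PRIVATE_KEY = 0x3UL;

struct CK_ATTRIBUTE {
    CK_ATTRIBUTE_TYPE type;
    void             *pValue;
    CK_ULONG          ulValueLen;
};

// What a boolean attribute in a template resolves to.
enum BoolAttr { ATTR_MISSING = -1, ATTR_BAD_LEN = -2, ATTR_FALSE = 0, ATTR_TRUE = 1 };

// Look up a CK_BBOOL attribute. A token reads ulValueLen bytes from pValue,
// so a length other than sizeof(CK_BBOOL) is reported instead of trusted.
BoolAttr templateBool(const CK_ATTRIBUTE *tmpl, CK_ULONG count, CK_ATTRIBUTE_TYPE type)
{
    for (CK_ULONG i = 0; i < count; i++) {
        if (tmpl[i].type != type)
            continue;
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != sizeof(CK_BBOOL))
            return ATTR_BAD_LEN;
        return *static_cast<const CK_BBOOL *>(tmpl[i].pValue) ? ATTR_TRUE : ATTR_FALSE;
    }
    return ATTR_MISSING;
}

static CK_BBOOL ckTrue  = CK_TRUE;
static CK_BBOOL ckFalse = CK_FALSE;
static CK_ULONG privateKeyClass = CKO_PRIVATE_KEY;

// Template as the posted patch leaves it: the length argument became
// sizeof(ckTrue), but pValue still points at ckFalse, so the value written
// to the token does not change.
BoolAttr extractableAsPatched()
{
    CK_ATTRIBUTE tmpl[] = {
        { CKA_CLASS,       &privateKeyClass, sizeof(privateKeyClass) },
        { CKA_SENSITIVE,   &ckTrue,  sizeof(ckTrue) },
        { CKA_TOKEN,       &ckTrue,  sizeof(ckTrue) },
        { CKA_PRIVATE,     &ckTrue,  sizeof(ckTrue) },
        { CKA_EXTRACTABLE, &ckFalse, sizeof(ckTrue) },
    };
    return templateBool(tmpl, sizeof(tmpl) / sizeof(tmpl[0]), CKA_EXTRACTABLE);
}

// Template matching the patch's subject line: pointer and length both refer
// to ckTrue, so the imported key may later be wrapped out of the token.
BoolAttr extractableIntended()
{
    CK_ATTRIBUTE tmpl[] = {
        { CKA_CLASS,       &privateKeyClass, sizeof(privateKeyClass) },
        { CKA_SENSITIVE,   &ckTrue, sizeof(ckTrue) },
        { CKA_TOKEN,       &ckTrue, sizeof(ckTrue) },
        { CKA_PRIVATE,     &ckTrue, sizeof(ckTrue) },
        { CKA_EXTRACTABLE, &ckTrue, sizeof(ckTrue) },
    };
    return templateBool(tmpl, sizeof(tmpl) / sizeof(tmpl[0]), CKA_EXTRACTABLE);
}

int main()
{
    std::printf("as patched: CKA_EXTRACTABLE = %d\n", extractableAsPatched());
    std::printf("intended  : CKA_EXTRACTABLE = %d\n", extractableIntended());
    return 0;
}
```

Setting CKA_EXTRACTABLE = TRUE does not expose the key in plaintext: with CKA_SENSITIVE = TRUE, as in both templates, the token still refuses to return the private components through C_GetAttributeValue, and extractable only permits export via C_WrapKey under another key. PKCS#11 lets CKA_EXTRACTABLE change from TRUE to FALSE but never back, so the value has to be right at import time, which is why the thread ends up patching the import tool rather than adjusting the objects afterwards.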