On 15.8.2016 12:14, Guido Schmitz wrote:
> On 12.08.2016 13:58, Petr Spacek wrote:
>> On 12.8.2016 13:26, Guido Schmitz wrote:
>>> Hi!
>>>
>>> I want to migrate my existing DNS setup to FreeIPA. As this existing
>>> setup already uses DNSSEC, I want to import my current DNSSEC keys into
>>> FreeIPA to have a smooth transition over to IPA's DNS. (The authoritative
>>> DNS servers for the zones are set up as slaves that get the zone via
>>> AXFR and can seamlessly switch to AXFR from IPA.)
>>>
>>> In my test migration, I have created the DNS zone I want to migrate in
>>> FreeIPA and have enabled DNSSEC.
>>>
>>> As far as I understand IPA's implementation of DNSSEC, OpenDNSSEC takes
>>> care of key management and key rollover [1]. Hence, I have imported my
>>> existing DNSSEC keys to OpenDNSSEC according to OpenDNSSEC's HOWTO [2]
>>> and OpenDNSSEC correctly shows the imported keys along with the DNSSEC
>>> keys generated by IPA.
>>>
>>> I thought that ipa-dnskeysyncd would take care of syncing the keys from
>>> OpenDNSSEC to 389 LDAP, but this does not happen: In 389 LDAP, only the
>>> keys initially created by IPA (while enabling DNSSEC for this zone)
>>> exist and hence, only these keys are used to sign the zone.
>>>
>>> Do I need to manually insert my existing DNSSEC keys into the LDAP or
>>> take some other additional steps?
>>
>> Hello!
>>
>> In theory ipa-dnskeysyncd should take care of it. The important step is to
>> ensure that all the imported keys have CKA_EXTRACTABLE PKCS#11 flag (in
>> SoftHSM) set to TRUE otherwise the synchronization will not work.
> 
> That seems to be my problem: The CKA_EXTRACTABLE flag is not set on the
> imported keys. I do not have any clue on how to set this flag.
> 
> I have used the following command to import the keys:
> 
> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
> --import ksk.pem --slot 0 --pin *PIN* --label ipaDNSSEC --id *ID*
> 
> softhsm2-util does not seem to have any parameter to set the
> CKA_EXTRACTABLE flag.
> 
> Are there other ways to import keys into the SoftHSM that allow setting
> this flag?

Any tool which can import a key from a file into a PKCS#11 token should work, in
theory.

If you do not find any such tool, it will be easiest to patch softhsm2-util to
set the flag to TRUE on import. I'm attaching a quick and dirty patch which
should do the job (for softhsm compiled against OpenSSL).

1. Get the sources:
$ git clone https://github.com/opendnssec/SoftHSMv2.git

2. Apply the patch:
$ git am 0001-HACK-for-OpenSSL-version-import-all-keys-with-CKA_EX.patch

3. Use how-to
https://github.com/opendnssec/SoftHSMv2/#installation
to compile the tool.

4. You do not need to install the library into system paths; just execute the
softhsm2-util binary from the build directory to do the import and use the
standard library as before.

I hope it will help. Please let me know your findings so I can submit an
improved patch upstream (if we were successful).

> Or is there a possibility to modify the flag later (although
> this would be contrary to the idea of an "HSM")?

It is not possible to change it after object creation for the reasons stated
above.

Petr^2 Spacek

> 
> 
> -Guido
> 
> 
> 
>>
>> Please note that we never tested this so the following text is just untested
>> theory:
>>
>> Start with usual DNSSEC debugging for FreeIPA:
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>
>> Besides all other things, I would double-check that (on FreeIPA DNSSEC key
>> master server):
>> 1) ods-ksmutil key list --verbose
>> shows the imported keys in state active or publish
>>
>> 2) Command
>> python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py
>> shows that keys are CKA_EXTRACTABLE.
>>
>> 3) If all of the above seems to be okay, check logs for ipa-dnskeysyncd and
>> ipa-ods-exporter services:
>> journalctl -u ipa-dnskeysyncd -u ipa-ods-exporter
>>
>> ipa-ods-exporter is the piece doing the dirty export work.
>>
>> I hope it helps.
>>
>> Petr^2 Spacek
>>
>>
>>>
>>> Cheers,
>>> -Guido
>>>
>>>
>>>
>>> [1] https://www.freeipa.org/page/V4/DNSSEC_Support#Implementation
>>> [2] https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC
From aaf7a47f2d45d8b4f170a386a48898dae26e71b7 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Mon, 15 Aug 2016 13:41:38 +0200
Subject: [PATCH] HACK for OpenSSL version: import all keys with
 CKA_EXTRACTABLE = TRUE

---
 src/bin/util/softhsm2-util-ossl.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/bin/util/softhsm2-util-ossl.cpp b/src/bin/util/softhsm2-util-ossl.cpp
index eaec9ce..8e06e9f 100644
--- a/src/bin/util/softhsm2-util-ossl.cpp
+++ b/src/bin/util/softhsm2-util-ossl.cpp
@@ -260,7 +260,7 @@ int crypto_save_rsa
 		{ CKA_SENSITIVE,        &ckTrue,         sizeof(ckTrue) },
 		{ CKA_TOKEN,            &ckTrue,         sizeof(ckTrue) },
 		{ CKA_PRIVATE,          &ckTrue,         sizeof(ckTrue) },
-		{ CKA_EXTRACTABLE,      &ckFalse,        sizeof(ckFalse) },
+		{ CKA_EXTRACTABLE,      &ckFalse,        sizeof(ckTrue) },
 		{ CKA_PUBLIC_EXPONENT,  keyMat->bigE,    keyMat->sizeE },
 		{ CKA_MODULUS,          keyMat->bigN,    keyMat->sizeN },
 		{ CKA_PRIVATE_EXPONENT, keyMat->bigD,    keyMat->sizeD },
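Review bot: the `+` line in this hunk still passes `&ckFalse` as the value pointer; only the `sizeof` operand changed, and because ckTrue and ckFalse are both CK_BBOOL the length is identical, so CKA_EXTRACTABLE is still written as FALSE and the RSA import behaves exactly as before the patch. The row should read `{ CKA_EXTRACTABLE,      &ckTrue,         sizeof(ckTrue) },`.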
@@ -421,7 +421,7 @@ int crypto_save_dsa
 		{ CKA_SENSITIVE,        &ckTrue,      sizeof(ckTrue) },
 		{ CKA_TOKEN,            &ckTrue,      sizeof(ckTrue) },
 		{ CKA_PRIVATE,          &ckTrue,      sizeof(ckTrue) },
-		{ CKA_EXTRACTABLE,      &ckFalse,     sizeof(ckFalse) },
+		{ CKA_EXTRACTABLE,      &ckFalse,     sizeof(ckTrue) },
 		{ CKA_PRIME,            keyMat->bigP, keyMat->sizeP },
 		{ CKA_SUBPRIME,         keyMat->bigQ, keyMat->sizeQ },
 		{ CKA_BASE,             keyMat->bigG, keyMat->sizeG },
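Review bot: same defect as in crypto_save_rsa: the value pointer in the `+` line remains `&ckFalse`, so the DSA template still marks the imported key non-extractable; change it to `{ CKA_EXTRACTABLE,      &ckTrue,      sizeof(ckTrue) },`.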
@@ -556,7 +556,7 @@ int crypto_save_ecdsa
 		{ CKA_SENSITIVE,      &ckTrue,           sizeof(ckTrue) },
 		{ CKA_TOKEN,          &ckTrue,           sizeof(ckTrue) },
 		{ CKA_PRIVATE,        &ckTrue,           sizeof(ckTrue) },
-		{ CKA_EXTRACTABLE,    &ckFalse,          sizeof(ckFalse) },
+		{ CKA_EXTRACTABLE,    &ckFalse,          sizeof(ckTrue) },
 		{ CKA_EC_PARAMS,      keyMat->derParams, keyMat->sizeParams },
 		{ CKA_VALUE,          keyMat->bigD,      keyMat->sizeD }
 	};
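Review bot: the ECDSA hunk has the same problem as the two above: `&ckFalse` is still the value pointer, so CKA_EXTRACTABLE stays FALSE for EC keys too. It should be `{ CKA_EXTRACTABLE,    &ckTrue,           sizeof(ckTrue) },`; with all three rows fixed, the patch description ("import all keys with CKA_EXTRACTABLE = TRUE") would match what the code does.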
-- 
2.7.4
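The template change the patch is aiming for, as an added example that is not SoftHSM's or FreeIPA's code: the struct and constants below mirror the standard pkcs11.h definitions (assumed here so the snippet builds without the header), and the helper template_bool reads back which CK_BBOOL a PKCS#11 attribute template really requests for a given attribute. Run, it shows that changing only the sizeof operand while pValue still points at ckFalse leaves CKA_EXTRACTABLE at FALSE, and what the corrected row looks like.

```c
/* Added example (not SoftHSM code): inspect what CKA_EXTRACTABLE a
 * softhsm2-util style attribute template actually requests.  The typedefs
 * and CKA_* values mirror the standard pkcs11.h definitions (assumed here
 * so the example compiles without the PKCS#11 header). */
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG      CK_ATTRIBUTE_TYPE;
typedef void         *CK_VOID_PTR;

#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_TOKEN        0x00000001UL
#define CKA_PRIVATE      0x00000002UL
#define CKA_SENSITIVE    0x00000103UL
#define CKA_EXTRACTABLE  0x00000162UL

/* A PKCS#11 attribute: the type, a pointer to the value, and its length. */
typedef struct {
    CK_ATTRIBUTE_TYPE type;
    CK_VOID_PTR       pValue;
    CK_ULONG          ulValueLen;
} CK_ATTRIBUTE;

static CK_BBOOL ckTrue  = CK_TRUE;
static CK_BBOOL ckFalse = CK_FALSE;

/* Return the CK_BBOOL stored for `type` in the template (0 or 1), or -1 if
 * the attribute is absent or its length is not that of a CK_BBOOL. */
int template_bool(const CK_ATTRIBUTE *tmpl, size_t n, CK_ATTRIBUTE_TYPE type)
{
    for (size_t i = 0; i < n; i++) {
        if (tmpl[i].type != type)
            continue;
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != sizeof(CK_BBOOL))
            return -1;
        /* The token reads the value through pValue, not from the sizeof. */
        return *(const CK_BBOOL *)tmpl[i].pValue;
    }
    return -1;
}

/* The row as it appears in the posted patch: only the size expression was
 * edited, pValue still points at ckFalse. */
int patched_template_extractable(void)
{
    CK_ATTRIBUTE tmpl[] = {
        { CKA_SENSITIVE,   &ckTrue,  sizeof(ckTrue) },
        { CKA_TOKEN,       &ckTrue,  sizeof(ckTrue) },
        { CKA_PRIVATE,     &ckTrue,  sizeof(ckTrue) },
        { CKA_EXTRACTABLE, &ckFalse, sizeof(ckTrue) },   /* still FALSE */
    };
    return template_bool(tmpl, sizeof tmpl / sizeof tmpl[0], CKA_EXTRACTABLE);
}

/* The row the patch description intends: pValue points at ckTrue. */
int intended_template_extractable(void)
{
    CK_ATTRIBUTE tmpl[] = {
        { CKA_SENSITIVE,   &ckTrue, sizeof(ckTrue) },
        { CKA_TOKEN,       &ckTrue, sizeof(ckTrue) },
        { CKA_PRIVATE,     &ckTrue, sizeof(ckTrue) },
        { CKA_EXTRACTABLE, &ckTrue, sizeof(ckTrue) },    /* TRUE as intended */
    };
    return template_bool(tmpl, sizeof tmpl / sizeof tmpl[0], CKA_EXTRACTABLE);
}

int main(void)
{
    printf("patch as posted:  CKA_EXTRACTABLE = %d\n", patched_template_extractable());
    printf("intended change:  CKA_EXTRACTABLE = %d\n", intended_template_extractable());
    return 0;
}
```

Because CKA_EXTRACTABLE cannot be changed after the object is created (as noted above), the template used at import time is the only place where this value can be set, which is why the value pointer, not just the length, has to be right before the key is imported.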
