You are running the test commands as root, but OpenDNSSEC drops privs to the user opendnssec, as you can see in the logs. Can the user opendnssec access the HSM?

On 1 Apr 2011, at 18:13, "Billy Glynn" <[email protected]> wrote:

> Hi,
>
> I'm having some trouble starting 1.3.0b1 with an AEP Keyper in our test lab.
>
> Any suggestions/thoughts on the below would be great.
>
> Thanks
>
> Billy
>
> --
> from conf.xml
>
> <Repository name="AEPKeyper">
>   <Module>/opt/Keyper/PKCS11Provider/pkcs11.so</Module>
>   <TokenLabel>IEHSM</TokenLabel>
>   <PIN>9876</PIN>
>   <Capacity>1000</Capacity>
>   <RequireBackup/>
> </Repository>
>
>
> # ods-hsmutil test AEPKeyper
> Testing repository: AEPKeyper
>
> Generating 512-bit RSA key...
> answer.GetCall(KEYGEN2) failed; error 1208Failed
> generate key pair: CKR_DEVICE_ERROR
>
> Generating 768-bit RSA key...
> answer.GetCall(KEYGEN2) failed; error 1208Failed
> generate key pair: CKR_DEVICE_ERROR
>
> Generating 1024-bit RSA key... OK
> Extracting key identifier... OK, fd2f2f605750419aa61550d9bb72b39e
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
>
> Generating 1536-bit RSA key... OK
> Extracting key identifier... OK, a5e39022f279d9099c3b2ad4099b04c7
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
>
> Generating 2048-bit RSA key... OK
> Extracting key identifier... OK, 4017b49d237dc41e7a31a7144169f42b
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
>
> Generating 4096-bit RSA key... OK
> Extracting key identifier... OK, a63c9ebe2bc26dcdd16f96f0330fe720
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
>
> Generating 1024 bytes of random data... OK
> Generating 32-bit random data... 979871116
> Generating 64-bit random data... 3108463339320388098
> [root@ie-dnssec-1 opendnssec]# ods-hsmutil info
> Repository: AEPKeyper
> Module: /opt/Keyper/PKCS11Provider/pkcs11.so
> Slot: 0
> Token Label: IEHSM
> Manufacturer: AEP Networks
> Model: Keyper Ent 1126
> Serial: K5905001
> [root@ie-dnssec-1 opendnssec]# ods-control start
> Starting enforcer...
> OpenDNSSEC ods-enforcerd started (version 1.3.0b1), pid 15427
> Starting signer engine...
> Starting signer...
> OpenDNSSEC signer engine version 1.3.0b1
> Could not start signer
>
> Apr 1 16:58:59 ie-dnssec-1 ods-enforcerd: opendnssec starting...
> Apr 1 16:58:59 ie-dnssec-1 ods-enforcerd: opendnssec forked OK...
> Apr 1 16:58:59 ie-dnssec-1 ods-enforcerd: group set to: opendnssec (505)
> Apr 1 16:58:59 ie-dnssec-1 ods-enforcerd: user set to: opendnssec (505)
> Apr 1 16:58:59 ie-dnssec-1 ods-enforcerd: opendnssec started (version
> 1.3.0b1), pid 15427
> Apr 1 16:58:59 ie-dnssec-1 ods-enforcerd: opendnssec Parent exiting...
> Apr 1 16:58:59 ie-dnssec-1 ods-enforcerd: hsm_get_slot_id(): could not
> find token with the name IEHSM
> Apr 1 16:58:59 ie-dnssec-1 ods-signerd: [engine] error initializing
> libhsm (errno 268435457)
> Apr 1 16:58:59 ie-dnssec-1 ods-signerd: [engine] setup failed: HSM error
> Apr 1 16:58:59 ie-dnssec-1 ods-signerd: [engine] signer shutdown
>
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
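
The question raised in the reply above, as an added example (not part of the thread and not OpenDNSSEC code): a mode-bit walk over the `<Module>` path from the quoted conf.xml, compared for root and for uid/gid 505 from the quoted log. The directory layout in `SAMPLE` and the names `allowed` and `first_blocker` are constructed for illustration; ACLs, SELinux and any other files the vendor library opens are not modelled.

```python
import os
from types import SimpleNamespace as S


def allowed(st, uid, gids, want):
    """Classic Unix mode-bit check; want is a mask of r=4, w=2, x=1."""
    if uid == 0:
        return True  # root bypasses read/search bits, so a root-run test proves little
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner triplet
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group triplet
    else:
        bits = st.st_mode           # other triplet
    return bits & want == want


def first_blocker(path, uid, gids, stat_fn=os.stat):
    """Return the first component of path that denies (uid, gids), or None."""
    path = os.path.abspath(path)    # lexical only; symlink targets are not walked
    current = os.sep
    for part in path.strip(os.sep).split(os.sep):
        if not allowed(stat_fn(current), uid, gids, 1):   # search (x) on each directory
            return current
        current = os.path.join(current, part)
    # The daemon must be able to read the module to load it.
    return None if allowed(stat_fn(current), uid, gids, 4) else current


# Constructed sample layout (an assumption, not taken from the thread):
# the vendor directory was left readable by root only.
SAMPLE = {
    "/": S(st_mode=0o755, st_uid=0, st_gid=0),
    "/opt": S(st_mode=0o755, st_uid=0, st_gid=0),
    "/opt/Keyper": S(st_mode=0o700, st_uid=0, st_gid=0),
    "/opt/Keyper/PKCS11Provider": S(st_mode=0o755, st_uid=0, st_gid=0),
    "/opt/Keyper/PKCS11Provider/pkcs11.so": S(st_mode=0o755, st_uid=0, st_gid=0),
}
MODULE = "/opt/Keyper/PKCS11Provider/pkcs11.so"  # <Module> from the quoted conf.xml

if __name__ == "__main__":
    # root (how the tests were run) vs. opendnssec (505), per the quoted log
    for uid, gids in ((0, {0}), (505, {505})):
        print(uid, first_blocker(MODULE, uid, gids, SAMPLE.__getitem__))
```

Called without `stat_fn`, `first_blocker` uses `os.stat` and checks the real filesystem for the given uid and group set.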
