Hi Rick,

Thanks for taking the time and the effort to answer me.
There is some progress.

What I first did was create a second repository called SoftHSM2 in conf.xml, using libsofthsm2.so.
In kasp.xml I changed SoftHSM into SoftHSM2 everywhere.
I used "ods-ksmutil update all", "ods-ksmutil update conf", "ods-ksmutil update kasp". I moved away the libsofthsm.so file, in order to be sure that the old version was not used. Then "ods-ksmutil key list --verbose" complained that it could not find libsofthsm.so.

I rebooted the system, removed the new SoftHSM2 repository in conf.xml and changed the SoftHSM repository to use libsofthsm2.so. In kasp.xml I undid the changes, so all zones now use the SoftHSM repository again. I used "ods-ksmutil update all", "ods-ksmutil update conf", "ods-ksmutil update kasp".
Now "ods-ksmutil key list --verbose" showed reasonable output.

It seems that the configuration is now using SoftHSM 2.0.0.
(I am still confused why the earlier changes did not work, but let's forget about it.)

However, it still does not work.
I can start the enforcer and the signer. The enforcer does not complain.
But in the log file I see many problems with the signer. Here are a few of them:

   2015-12-23T09:27:09.152565+01:00 kvivs20 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
   2015-12-23T09:27:09.152600+01:00 kvivs20 ods-signerd: [hsm] error signing rrset with libhsm
   2015-12-23T09:27:09.152635+01:00 kvivs20 ods-signerd: [rrset] unable to sign RRset[99]: lhsm_sign() failed
   2015-12-23T09:27:09.152671+01:00 kvivs20 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
   2015-12-23T09:27:09.152706+01:00 kvivs20 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
   2015-12-23T09:27:09.152741+01:00 kvivs20 ods-signerd: [hsm] error signing rrset with libhsm
   2015-12-23T09:27:09.152780+01:00 kvivs20 ods-signerd: [rrset] unable to sign RRset[28]: lhsm_sign() failed
   2015-12-23T09:27:09.152817+01:00 kvivs20 ods-signerd: [worker[2]] sign zone KVI.nl failed: 673 RRsets failed
   2015-12-23T09:27:09.152852+01:00 kvivs20 ods-signerd: [worker[2]] CRITICAL: failed to sign zone KVI.nl: General error
   2015-12-23T09:27:09.152887+01:00 kvivs20 ods-signerd: [worker[2]] backoff task [sign] for zone KVI.nl with 60 seconds

I checked that both the enforcer and the signer are running with username root. /var/lib/softhsm and all sub-directories therein are owned by root and have protection set to drwx------. In /var/lib/softhsm/tokens/ is a directory with a very long cryptic name. In this directory are many files owned by root with protection -rw-------. Most of those files come in pairs with long cryptic names ending in .lock and .object. Further there are three files generation, token.lock and token.object.

Do you have any idea what can be done for further diagnosis, or for repair?

Thanks,
Fred.Zwarts.
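As an added illustration of how to read a burst of signer errors like the one above (this is example code, not part of the thread and not OpenDNSSEC's own tooling): a small parser that splits ods-signerd syslog lines into timestamp, host, the signer's own "[component]" tag and the message, then summarises PKCS#11 return codes, messages that arrive without a component tag (those come from code loaded into the signer process, here SoftHSM2's SecureDataManager.cpp), and per-zone failure counts. The assumption that ods-signerd always tags its own messages with a bracketed component is inferred from the quoted lines; the sample log is constructed from them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the ods-signerd lines quoted in the mail above, one entry per line.
SAMPLE_LOG = """\
2015-12-23T09:27:09.152565+01:00 kvivs20 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
2015-12-23T09:27:09.152600+01:00 kvivs20 ods-signerd: [hsm] error signing rrset with libhsm
2015-12-23T09:27:09.152635+01:00 kvivs20 ods-signerd: [rrset] unable to sign RRset[99]: lhsm_sign() failed
2015-12-23T09:27:09.152671+01:00 kvivs20 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
2015-12-23T09:27:09.152706+01:00 kvivs20 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
2015-12-23T09:27:09.152741+01:00 kvivs20 ods-signerd: [hsm] error signing rrset with libhsm
2015-12-23T09:27:09.152780+01:00 kvivs20 ods-signerd: [rrset] unable to sign RRset[28]: lhsm_sign() failed
2015-12-23T09:27:09.152817+01:00 kvivs20 ods-signerd: [worker[2]] sign zone KVI.nl failed: 673 RRsets failed
2015-12-23T09:27:09.152852+01:00 kvivs20 ods-signerd: [worker[2]] CRITICAL: failed to sign zone KVI.nl: General error
2015-12-23T09:27:09.152887+01:00 kvivs20 ods-signerd: [worker[2]] backoff task [sign] for zone KVI.nl with 60 seconds
"""

# syslog-style prefix, then an optional "[component]" tag that ods-signerd puts on its own
# messages (assumption about the format, inferred from the lines above), then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[\w-]+):\s+"
    r"(?:\[(?P<component>[a-z]+(?:\[\d+\])?)\]\s+)?(?P<msg>.*)$"
)
CKR_RE = re.compile(r"\bCKR_[A-Z_]+\b")
ZONE_RE = re.compile(r"\bzone (\S+)")
RRSETS_RE = re.compile(r"(\d+) RRsets failed")
BACKOFF_RE = re.compile(r"backoff task \[\w+\] for zone \S+ with (\d+) seconds")


def parse_line(line):
    """Split one log line into its fields, or return None if it is not in the expected shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise a chunk of ods-signerd log: PKCS#11 return codes, messages from the
    loaded PKCS#11 module, and per-zone failure counts."""
    summary = {
        "ckr_codes": Counter(),         # PKCS#11 return codes reported by [hsm]
        "library_messages": [],         # lines without a [component] tag: emitted by the
                                        # loaded module, here SoftHSM2's SecureDataManager.cpp
        "zones": defaultdict(Counter),  # per zone: rrsets_failed, critical, backoff_seconds
        "unparsed": [],
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            summary["unparsed"].append(raw)
            continue
        msg = rec["msg"]
        for code in CKR_RE.findall(msg):
            summary["ckr_codes"][code] += 1
        if rec["component"] is None:
            summary["library_messages"].append(msg)
        zm = ZONE_RE.search(msg)
        if zm:
            zone = summary["zones"][zm.group(1).rstrip(":")]
            rm = RRSETS_RE.search(msg)
            if rm:
                zone["rrsets_failed"] += int(rm.group(1))
            if "CRITICAL" in msg:
                zone["critical"] += 1
            bm = BACKOFF_RE.search(msg)
            if bm:
                zone["backoff_seconds"] += int(bm.group(1))
    return summary


def findings(summary):
    """Turn the summary into short lines a reader can act on."""
    out = []
    for code, n in summary["ckr_codes"].most_common():
        out.append(f"PKCS#11 call failed with {code} ({n} times)")
    for msg in summary["library_messages"]:
        # A message from inside libsofthsm2 means the failure was raised by the token
        # implementation itself, before OpenDNSSEC saw the CKR_ return code.
        out.append(f"PKCS#11 module reported: {msg}")
    for name, z in summary["zones"].items():
        out.append(f"zone {name}: {z['rrsets_failed']} RRsets failed, "
                   f"{z['critical']} CRITICAL, backoff {z['backoff_seconds']}s")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print(line)
```

Run against the sample, it reports two CKR_GENERAL_ERROR results, one message from inside the SoftHSM2 module ("Invalid IV in encrypted data"), and the 673 failed RRsets for KVI.nl; pairing the module-side message with the CKR_ code is what tells you the call reached the token and failed there rather than in OpenDNSSEC's configuration.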
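The ownership and mode check described above (directory drwx------, files -rw-------, the generation, token.lock and token.object files, and .object/.lock pairs) can be scripted so it is repeatable after each configuration change. The following is an added example, not code from the thread or from SoftHSM; it builds a constructed token directory in a temporary location rather than touching /var/lib/softhsm, and the expected owner is passed in (for a signer running as root that would be uid 0).

```python
import os
import stat
import tempfile

# Names SoftHSM2 keeps inside a token directory, as listed in the mail above.
TOKEN_FILES = ("generation", "token.lock", "token.object")


def audit_token_dir(token_dir, expected_uid):
    """Return a list of findings for one SoftHSM2 token directory (empty list = looks right).

    Checks: directory is 0700 and owned by expected_uid, every file is 0600 and owned by
    expected_uid, the three token files are present, and every *.object has its *.lock twin.
    """
    problems = []
    st = os.stat(token_dir)
    if st.st_uid != expected_uid:
        problems.append(f"{token_dir}: owned by uid {st.st_uid}, expected {expected_uid}")
    if stat.S_IMODE(st.st_mode) != 0o700:
        problems.append(f"{token_dir}: mode {oct(stat.S_IMODE(st.st_mode))}, expected 0o700")

    names = set(os.listdir(token_dir))
    for required in TOKEN_FILES:
        if required not in names:
            problems.append(f"{token_dir}: missing {required}")
    for name in sorted(names):
        path = os.path.join(token_dir, name)
        fst = os.stat(path)
        if fst.st_uid != expected_uid:
            problems.append(f"{path}: owned by uid {fst.st_uid}, expected {expected_uid}")
        if stat.S_IMODE(fst.st_mode) != 0o600:
            problems.append(f"{path}: mode {oct(stat.S_IMODE(fst.st_mode))}, expected 0o600")
        if name.endswith(".object") and name[:-len(".object")] + ".lock" not in names:
            problems.append(f"{path}: no matching .lock file")
    return problems


def make_sample_token_dir(root, dirname, break_it=False):
    """Constructed sample layout mimicking /var/lib/softhsm/tokens/<id>; contents are
    placeholders, not real token data. dirname is a hypothetical token directory name."""
    token_dir = os.path.join(root, dirname)
    os.mkdir(token_dir)
    os.chmod(token_dir, 0o700)
    for name in TOKEN_FILES + ("abc123.object", "abc123.lock"):
        with open(os.path.join(token_dir, name), "wb") as fh:
            fh.write(b"constructed placeholder\n")
        os.chmod(os.path.join(token_dir, name), 0o600)
    if break_it:
        # one key object readable by others, and one object whose lock file is missing
        os.chmod(os.path.join(token_dir, "abc123.object"), 0o644)
        os.remove(os.path.join(token_dir, "abc123.lock"))
    return token_dir


def demo():
    """Audit a correct and a deliberately broken sample; return both finding lists."""
    with tempfile.TemporaryDirectory() as root:
        me = os.getuid()
        good = audit_token_dir(make_sample_token_dir(root, "good-token"), me)
        bad = audit_token_dir(make_sample_token_dir(root, "bad-token", True), me)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good:", good)
    print("bad:", bad)
```

On a live system you would call audit_token_dir("/var/lib/softhsm/tokens/<that long name>", 0) as the user the signer runs as; a clean result rules out the file-permission explanation, a non-empty one points at the file to fix.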


-----Original Message----- From: Rick van Rein
Sent: Tuesday, December 22, 2015 2:28 PM
To: Fred Zwarts, KVI, Groningen
Cc: [email protected]
Subject: Re: [Opendnssec-user] Migrating to SoftHSM2

Hi Fred,

Then "softhsm2-util --show-slots" still shows both slots, so I thought
that this confirmed that SoftHSM 2.0.0 does not need the old database
anymore.
But, when I tried "ods-ksmutil key list --verbose" again, it complained:

   hsm_get_slot_id(): No slots found in HSM
   Error: failed to list keys

What does it mean?

The PKCS #11 interaction starts by listing slots, and for each getting
the token inserted in it.  After that, login commences and further stuff
like signing.  But you are already stopped in this early phase, it seems.

Note that I tried everything as root, so I don't think file
protections play a role.

It is still my guess though.  PKCS #11 is loaded as a library, so it
runs under the uid of the ods-enforcer and ods-signer.  I don't know if
the ods-ksmutil cmdline drops privileges too, but it would not be
surprising if it did.  And it is the most likely cause of this kind of
error that I can think of.

Is the old database still used with the new SoftHSM 2.0.0, or do I
need to change the OpenDNSSEC configuration to use SoftHSM 2.0.0
instead of SoftHSM 1.3.7, or is there something else?

Did you set libsofthsm2.so in your configuration for OpenDNSSEC?

I hope this helps.

Cheers,
-Rick
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
