<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Jun 11, 2014 at 12:15 PM, David Peall <span dir="ltr"><<a href="mailto:david@dnservices.co.za" target="_blank">david@dnservices.co.za</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Here is the log line:<br>
Jun 11 12:03:41 ods-signerd: [hsm] unable to get key: key 5a4cf5871ef16a77118283e8666f486b not found<br>
<br>2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsInit<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession 0x000008DB<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_CLASS: CKO_PRIVATE_KEY<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_ID<br>
pAtt->pValue= 16 bytes<br>
5a4cf587 1ef16a77 118283e8 666f486b<br>
<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjects<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession 0x000008DB<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > phObject 0x7ffff3ac5cd8<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > ulMaxObjectCount 1<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < *pulObjectCount 0<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsFinal<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession 0x000008DB<br>
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv 0x00000000 (CKR_OK)<br></blockquote><div><br></div><div>OpenDNSSEC (ods-signerd) is acting correctly because the HSM says that there is no key which match the search criteria. See the pulObjectCount returned from the HSM above.</div>
<div><br></div><div>The issue is probably some synchronization problem with the HSM. E.g. object information not propagating fast enough between the two loaded instances of the PKCS#11 library or you are operating a HA-cluster and the object has not been synchronized to the second cluster member. The PKCS#11 library should not return from the key generation function until this has been done.</div>
<div><br></div><div>// Rickard</div></div></div></div>