<div dir="ltr">Hi Fred<br><div class="gmail_extra"><div class="gmail_quote"><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I see that this did not override the SoftHSM 1.3.7 installation, but it installs some new utilities.<br>
</blockquote><div><br></div><div>You can have both SoftHSMv1 and SoftHSMv2 installed on the same system. The library, configuration file, and binaries all have new names.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">The next step is to migrate our SoftHSM 1.3.7 database to SoftHSM 2.0.<br>
The exact steps are not clear to me, but I found some questions in this forum and I tried the following commands:<br>
<br>
softhsm2-util --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234<br>
softhsm2-migrate --db /var/softhsm/slot0.db --pin 1234 --slot 0<br></blockquote><div><br></div><div>The softhsm2-migrate command will read the data from the given SoftHSMv1 token database (the path can be found in the SoftHSMv1 configuration file) and create the corresponding PKCS#11 objects in the given slot.</div><div><br></div><div>The man page:</div><div><a href="https://github.com/opendnssec/SoftHSMv2/blob/develop/src/bin/migrate/softhsm2-migrate.1">https://github.com/opendnssec/SoftHSMv2/blob/develop/src/bin/migrate/softhsm2-migrate.1</a><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I saw (with "softhsm2-util --show-slots") that the original slot 0 in the SoftHSM 2 database has now been moved to slot 1 and that slot 0 is now labelled "OpenDNSSEC". The migrate command logged the migration of several objects.<br></blockquote><div><br></div><div>SoftHSMv2 will always have an uninitialized slot. If you initialize that one, a new one is added to the end of the slot list.</div><div><br></div><div>The order (slot number) of the initialized tokens in the slot list can be changed if a new token is initialized. See the discussion in <a href="https://github.com/opendnssec/SoftHSMv2/issues/143">https://github.com/opendnssec/SoftHSMv2/issues/143</a></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I then tried "ods-ksmutil key list --verbose", which showed the normal output.<br>
But I was not sure whether OpenDNSSEC now uses the old or the new SoftHSM.<br>
Since the old SoftHSM database was now migrated to a new one, I thought that I could remove the old database in /var/softhsm, so I moved it to a different directory.<br>
Then "softhsm2-util --show-slots" still shows both slots, so I thought that this confirmed that SoftHSM 2.0.0 does not need the old database anymore.<br>
But, when I tried "ods-ksmutil key list --verbose" again, it complained:<br>
<br>
hsm_get_slot_id(): No slots found in HSM<br>
Error: failed to list keys<br>
<br>
What does it mean? Is the old database still used with the new SoftHSM 2.0.0, or do I need to change the OpenDNSSEC configuration to use SoftHSM 2.0.0 instead of SoftHSM 1.3.7, or is there something else?<br></blockquote><div><br></div><div>The data was not moved, but copied to SoftHSMv2. You must make an active configuration change in OpenDNSSEC to use SoftHSMv2 and not SoftHSMv1. Because of the PKCS#11 interface, there is a separation between the application (OpenDNSSEC) and the library (SoftHSM). They are not aware of each other, just that they are using the PKCS#11 interface.</div><div><br></div><div>// Rickard</div></div></div></div>
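An added illustration, not part of this thread: the kind of OpenDNSSEC conf.xml change Rickard refers to, switching the repository from the SoftHSMv1 library to the SoftHSMv2 one. The library paths are assumptions (they vary by distribution); the token label and PIN are the ones used in the commands quoted above.

```xml
<!-- Added example, not from the thread. The Module paths are assumptions;
     adjust them to where your distribution installs the SoftHSM libraries. -->
<RepositoryList>
  <!-- Before: OpenDNSSEC still loads the SoftHSMv1 library, which reads the
       /var/softhsm/slot0.db database; moving that file away is what produced
       "hsm_get_slot_id(): No slots found in HSM". -->
  <!--
  <Repository name="SoftHSM">
    <Module>/usr/lib/softhsm/libsofthsm.so</Module>
    <TokenLabel>OpenDNSSEC</TokenLabel>
    <PIN>1234</PIN>
  </Repository>
  -->
  <!-- After: point the same repository at the SoftHSMv2 library. The token is
       located by its label, so the slot number it ended up in after the
       migration (slot 0 or slot 1) does not matter. -->
  <Repository name="SoftHSM">
    <Module>/usr/lib/softhsm/libsofthsm2.so</Module>
    <TokenLabel>OpenDNSSEC</TokenLabel>
    <PIN>1234</PIN>
  </Repository>
</RepositoryList>
```

After the change, listing the keys again (for example with ods-hsmutil list) should show the migrated objects through the new library, while the SoftHSMv1 database is no longer needed.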