[Opendnssec-user] HSM and SoftHSM Co-existence

Rick Zijlker rick.zijlker at sidn.nl
Wed Feb 3 11:12:14 UTC 2010

Hello Brett,


We have Red Hat 5.4 machines with the hardware HSM Luna SA installed and
even performed a rollover from SoftHSM (1.1.3) with Botan 1.8.8 to the
Luna SA which is no problem at all. The ods-ksmutil list displays keys
from different repositories. 


However, the Luna SA are standalone HSM's connected by network. Not an
internal card. We have some client software installed on the signing
machines. I do not think the behavior you mentioned is caused by the
fact there is a hardware HSM present next to SoftHSM, but I have no clue
what else can be the cause.



Rick Zijlker



From: opendnssec-user-bounces at lists.opendnssec.org
[mailto:opendnssec-user-bounces at lists.opendnssec.org] On Behalf Of B C
Sent: woensdag 3 februari 2010 12:03
To: opendnssec-user at lists.opendnssec.org
Subject: [Opendnssec-user] HSM and SoftHSM Co-existence


Has anybody managed to get softhsm and a real HSM to co-exist on the
same machine? 

We have a Centos5 based machine which is using a Sun SCA6000 HSM (and
the Sun Drivers/Modules) perfectly well to sign a zone, a similar
machine has softhsm 1.2.1 and the latest stable version of Botan (1.8.8)
and also performs without any issues. However when I install softhsm and
Botan on the server with the Sun SCA6000 card any interaction with the
HSM hangs, for example if I run "ods-hsmutil list" the command hangs
never to return and cannot be killed (even with a -9). After some
investigation it seems that this behaviour starts as soon as Botan is
installed (without softHSM) so I'm guessing Botan is causing the SCA6000
drivers/modules to fail somehow. Any ideas or previous experience in
this area greatly appreciated.





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20100203/a52efbc0/attachment.htm>

More information about the Opendnssec-user mailing list