[Opendnssec-user] ods-signer - create_dnskey stderr: Error initializing libhsm
[Mailclub] - Laurent Bauer
l.bauer at mailclub.fr
Fri Nov 5 14:19:38 UTC 2010
On 05/11/2010 12:53, Rickard Bellgrim wrote:
> Yes, in order to use SoftHSM, you need to have read/write privileges to
> the directory/file where it stores the token. You can find the
> location of directory/file in /etc/softhsm.conf
>
> Then you need to run both the Enforcer and the Signer with the correct
> privileges. Apparently it works for the Enforcer but not the Signer. It
> thus sounds like you have configured different users/groups in the
> /etc/opendnssec/conf.xml. Make sure that user/group for both the
> Signer and the Enforcer have read/write to the token in SoftHSM.
Thanks to all, you were right about the privileges problem.
Actually I initialized the token as root, but the standard
/etc/opendnssec.conf.xml has a <Privileges> node for the signer
configuration (only the one related to the enforcer is commented, unless
I missed it or did not remember), so it would run as user "opendnssec".
That's why only the enforcer would work fine, because it ran as root.
I now have another problem with the signed zone not being written in the
"signed" directory (only temp files in tmp) but I'll try to figure that out.
I might as well go on compiling and installing the latest version anyway
(I started this morning but had a problem with some dependencies).
Thank you all for your help.
Laurent
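
The mismatch diagnosed in this thread, as an added example that is not part of the original messages or of OpenDNSSEC: it reads the `<Privileges>` nodes from a conf.xml excerpt and reports which daemon cannot read/write the SoftHSM token. The file contents, the token path and all function names are constructed for illustration; ownership and mode are passed in rather than read from disk, and only the configured group (not supplementary groups or directory permissions) is considered.

```python
import xml.etree.ElementTree as ET

# Constructed conf.xml excerpt: Signer has <Privileges>, Enforcer's is commented out.
CONF_XML = """<Configuration>
  <Enforcer>
    <!-- <Privileges><User>opendnssec</User><Group>opendnssec</Group></Privileges> -->
  </Enforcer>
  <Signer>
    <Privileges><User>opendnssec</User><Group>opendnssec</Group></Privileges>
  </Signer>
</Configuration>"""

# Constructed softhsm.conf in the SoftHSM v1 "<slot>:<token file>" form.
SOFTHSM_CONF = "# SoftHSM slots\n0:/var/lib/softhsm/slot0.db\n"

def daemon_identities(conf_xml, invoking_user="root"):
    """Return {daemon: (user, group)}; no <Privileges> means no privilege drop."""
    root = ET.fromstring(conf_xml)  # XML comments are discarded by the parser
    result = {}
    for daemon in ("Enforcer", "Signer"):
        user = root.findtext(f"{daemon}/Privileges/User")
        group = root.findtext(f"{daemon}/Privileges/Group")
        result[daemon] = (user or invoking_user, group)
    return result

def token_paths(softhsm_conf):
    """Extract token file paths, skipping comments and blank lines."""
    paths = []
    for line in softhsm_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            paths.append(line.split(":", 1)[1].strip())
    return paths

def can_read_write(user, group, owner, owner_group, mode):
    """Unix read+write check: owner bits, else group bits, else other bits."""
    # Shift the matching permission triplet into the low bits, then test r and w.
    shift = 6 if user == owner else 3 if (group and group == owner_group) else 0
    return user == "root" or ((mode >> shift) & 0o6) == 0o6

def daemons_locked_out(conf_xml, owner, owner_group, mode):
    """Daemons that cannot open a token file with this ownership and mode."""
    return [d for d, (u, g) in daemon_identities(conf_xml).items()
            if not can_read_write(u, g, owner, owner_group, mode)]
```

With a token created by root as `root:root` mode 0600, only the Signer is reported; giving the token to the `opendnssec` user or granting group read/write clears the list.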