[Opendnssec-user] problems starting ods 1.3.0b1 with Keyper

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Apr 1 16:19:25 UTC 2011 

You are running the test commands as root but OpenDNSSEC drop privs to the user opendnssec, as you can see in the logs. Can the user opendnssec access the HSM?

1 apr 2011 kl. 18:13 skrev "Billy Glynn" <billy.glynn at iedr.ie>:

> Hi,
> 
> I'm having some trouble starting 1.3.0b1 with an AEP Keyper in our test lab.
> 
> Any suggestions/thoughts on the below would be great.
> 
> Thanks
> 
> Billy
> 
> --
> from conf.xml
> 
> <Repository name="AEPKeyper">
>            <Module>/opt/Keyper/PKCS11Provider/pkcs11.so</Module>
>        <TokenLabel>IEHSM</TokenLabel>
>            <PIN>9876</PIN>
>            <Capacity>1000</Capacity>
>            <RequireBackup/>
> </Repository>
> 
> 
> # ods-hsmutil test AEPKeyper
> Testing repository: AEPKeyper
> 
> Generating 512-bit RSA key...
> answer.GetCall(KEYGEN2) failed; error 1208Failed
> generate key pair: CKR_DEVICE_ERROR
> 
> Generating 768-bit RSA key...
> answer.GetCall(KEYGEN2) failed; error 1208Failed
> generate key pair: CKR_DEVICE_ERROR
> 
> Generating 1024-bit RSA key... OK
> Extracting key identifier... OK, fd2f2f605750419aa61550d9bb72b39e
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
> 
> Generating 1536-bit RSA key... OK
> Extracting key identifier... OK, a5e39022f279d9099c3b2ad4099b04c7
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
> 
> Generating 2048-bit RSA key... OK
> Extracting key identifier... OK, 4017b49d237dc41e7a31a7144169f42b
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
> 
> Generating 4096-bit RSA key... OK
> Extracting key identifier... OK, a63c9ebe2bc26dcdd16f96f0330fe720
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
> 
> Generating 1024 bytes of random data... OK
> Generating 32-bit random data... 979871116
> Generating 64-bit random data... 3108463339320388098
> [root at ie-dnssec-1 opendnssec]# ods-hsmutil info
> Repository: AEPKeyper
>    Module:        /opt/Keyper/PKCS11Provider/pkcs11.so
>    Slot:          0
>    Token Label:   IEHSM
>    Manufacturer:  AEP Networks
>    Model:         Keyper Ent 1126
>    Serial:        K5905001
> [root at ie-dnssec-1 opendnssec]# ods-control start
> Starting enforcer...
> OpenDNSSEC ods-enforcerd started (version 1.3.0b1), pid 15427
> Starting signer engine...
> Starting signer...
> OpenDNSSEC signer engine version 1.3.0b1
> Could not start signer
> 
> Apr  1 16:58:59 ie-dnssec-1 ods-enforcerd: opendnssec starting...
> Apr  1 16:58:59 ie-dnssec-1 ods-enforcerd: opendnssec forked OK...
> Apr  1 16:58:59 ie-dnssec-1 ods-enforcerd: group set to: opendnssec (505)
> Apr  1 16:58:59 ie-dnssec-1 ods-enforcerd: user set to: opendnssec (505)
> Apr  1 16:58:59 ie-dnssec-1 ods-enforcerd: opendnssec started (version
> 1.3.0b1), pid 15427
> Apr  1 16:58:59 ie-dnssec-1 ods-enforcerd: opendnssec Parent exiting...
> Apr  1 16:58:59 ie-dnssec-1 ods-enforcerd: hsm_get_slot_id(): could not
> find token with the name IEHSM
> Apr  1 16:58:59 ie-dnssec-1 ods-signerd: [engine] error initializing
> libhsm (errno 268435457)
> Apr  1 16:58:59 ie-dnssec-1 ods-signerd: [engine] setup failed: HSM error
> Apr  1 16:58:59 ie-dnssec-1 ods-signerd: [engine] signer shutdown
> 
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list