[Opendnssec-user]Problem with ods-signerd and softhsm slot error

Rickard Bellgrim rickard at opendnssec.org
Thu Jul 5 13:00:56 UTC 2012

> 0:/var/opendnssec/kasp.db
> 1:/var/opendnssec/slot1.db
> or
> 0:/home/test/slot0
> 1:/var/opendnssec/slot1.db
> I confused which is the right one, maybe the problem is that I fetched the
> data in a wrong .db file .

You can use whatever you want. As long as SoftHSM has R/W privilege on
that path. SoftHSM will create the file. However, you should not mix
the database file for the Enforcer (/var/opendnssec/kasp.db) and the
ones for SoftHSM. They are two separate programs. So do not try to use
the KASP (Enforcer) database as a token database for SoftHSM.

The install script will create some recommended configuration files
for you. I think your issue was probably caused by mixing up two
different databases.

> But after I relogin, I wanted to initialize the slot 1, so I got the "Error:
> The given slot does not exist. ", I wondered why it was wrong when there was
> the 1:/var/opendnssec/slot1.db

SoftHSM says this if it cannot find the slot in the configuration.

> I'm sure the slot 0 is labeled "OpenDNSSEC",maybe I run ods-ksmutil setup
> before?
> But I get all the slots with softhsm --show-slots
> [root at CST-BJ-103 bin]# ./softhsm --show-slots
> Available slots:
> Slot 0
>            Token present: yes
>            Token initialized: no
>            User PIN initialized: no
> Slot 1
>            Token present: yes
>            Token initialized: yes
>            User PIN initialized: yes
>            Token label: slot1
> Slot 4
>            Token present: yes
>            Token initialized: yes
>            User PIN initialized: yes
>            Token label: My token 1
> Slot 5
>            Token present: yes
>            Token initialized: yes
>            User PIN initialized: yes
>            Token label: this is the 5th slot
> How do I know whose name is OpenDNSSEC or something else?

You do not have any token with OpenDNSSEC as its label according to
the output above. You only have "slot1", "My token 1", and "this is
the 5th slot".

> <Repository name="SoftHSM">
> <Module>/usr/local/OpenDNSSEC-1.4.0/lib/softhsm/libsofthsm.so</Module>
> <TokenLabel>OpenDNSSEC</TokenLabel>
> <PIN>1234</PIN>
> <SkipPublicKey/>
> </Repository>
> I think repository is bounded with slot<n> by TokenLabel,if the slot's label
> is the TokenLabel then all the keys belong to the repository,right?

OpenDNSSEC will create the keys in the repository that you have
configured in kasp.xml. This is a reference to the RepositoryList in
conf.xml. The Repository name is used internally for reference in the
OpenDNSSEC configuration. Each repository in OpenDNSSEC corresponds to
a HSM token. The TokenLabel in the conf.xml must correspond to the
token label in the HSM token.

> But how can use the slot and repository smartly? Any suggestions?

Usually, you only use one repository. You can use multiple
repositories if you e.g. have the KSK in a USB token and ZSK in
SoftHSM. Or if you are migrating between two different HSMs by doing a
key rollover.

// Rickard

More information about the Opendnssec-user mailing list