[Opendnssec-user] OpenDNSSEC with AEP Keyper (resolved)
elsif
jake at elsif.net
Thu May 10 18:51:47 UTC 2012
OpenDNSSEC was configured to drop to user "ods" from user "root".
Because "ods" had no read access to /root/Keyper/PKCS11Provider/,
ods-signerd and ods-enforcerd failed to use the HSM, while at the same
time manually running an "ods-hsmutil list" as root had full access.
Resolved.
-jake
On Thu, 10 May 2012, elsif wrote:
> opendnssec-1.4.0-1.el6.x86_64 under Red Hat Enterprise Linux Server release
> 6.2.
>
> I've done:
>
> 1) inittoken (and specified token ID, passwords)
>
> 2) ods-ksmutil key generate --policy=lab --interval P30D
>
> When I do an "ods-hsmutil list", I get:
> [root at signer01 opendnssec]# ods-hsmutil list
> Listing keys in all repositories.
> 36 keys found.
>
> Repository ID Type
> ---------- -- ----
> AEP 80dc4a8001695bdff1f7a08ec43f52c6 RSA/1024
> AEP 9fa1ce73cebe61e6cc50e96ed1670db8 RSA/1024
> ...<snip>...
> AEP 0dad0b4cd65276b511226f8be2f5e963 RSA/2048
> AEP 33d2140710b3be6488ae95ca690d6f9f RSA/2048
> AEP 8226642cff8eceb64c05ee244831b55e RSA/2048
>
> However, I'm unsure of the next steps.
>
> "ods-ksmutil key list" shows no keys.
>
> "ods-control start" fails to start both enforcerd and signerd:
>
> May 10 11:18:06 signer01 ods-enforcerd: opendnssec starting...
> May 10 11:18:06 signer01 ods-enforcerd: opendnssec Parent exiting...
> May 10 11:18:06 signer01 ods-enforcerd: opendnssec forked OK...
> May 10 11:18:06 signer01 ods-enforcerd: group set to: ods (494)
> May 10 11:18:06 signer01 ods-enforcerd: user set to: ods (497)
> May 10 11:18:06 signer01 ods-enforcerd: opendnssec started (version
> 1.4.0-trunk), pid 15006
> May 10 11:18:06 signer01 ods-enforcerd: hsm_get_slot_id(): could not find
> token with the name MYKSK
>
> May 10 11:18:11 signer01 ods-signerd: [engine] setup: error initializing
> libhsm errno=268435457 (hsm_get_slot_id(): could not find token with the name
> MYKSK)
> May 10 11:18:11 signer01 ods-signerd: [engine] setup failed: HSM error
> May 10 11:18:11 signer01 ods-signerd: [engine] signer shutdown
> May 10 11:18:11 signer01 ods-signerd: daemon/xfrhandler.c at 184 could not
> pthread_kill(xfrhandler->thread_id, 1): No such process
> May 10 11:18:11 signer01 ods-signerd: daemon/engine.c at 284 could not
> pthread_join(engine->xfrhandler->thread_id, NULL): No such process
>
> "displaytoken" shows:
> PKCS11 API v:2.11
> Manufacturer ID:AEP Networks. Release64 P4=60257
> 1 slots found
> The slots that are available are between 0 and 0
> Enter the slot number :0
>
>
> PKCS11 Slot : 0
> PKCS11 Label : MYKSK
> Keyper Model : Keyper Pro 0405
> Keyper Serial : K<deprecated by poster>
> Keyper version : 2.0
> App : 020
> ABL : 029
> AL : 02
>
> What do I need to do to make ksmutil see the keys generated, or detect the
> right slot or the right token, or what is the error indicating?
>
> Thanks,
>
> -Jake
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
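The resolution at the top of this message is a plain path-permission problem: the daemons fail only after dropping to "ods", while root passes. The following is an added example (not OpenDNSSEC code) that walks a PKCS#11 module path, the one named in conf.xml's <Module> element, component by component using the bits the target uid/gids would be judged by, and reproduces the unreadable-parent failure in a temp directory; the uid offsets, temp paths and file name are constructed.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """POSIX bit check for one inode: root passes; otherwise the owner, group or
    other bits apply depending on how uid/gids relate to st_uid/st_gid."""
    if uid == 0:
        return True
    who = 0 if st.st_uid == uid else (1 if st.st_gid in gids else 2)
    bit = (stat.S_IRUSR if want == "r" else stat.S_IXUSR) >> (3 * who)
    return bool(st.st_mode & bit)

def first_blocker(path, uid, gids):
    """Walk /a, /a/b, ... down to path: each directory needs search (x), the
    module itself needs read (r). Return the first failing component, or None.
    Run it as a user that can stat every component (root, as the poster did)."""
    cur, parts = os.sep, os.path.abspath(path).split(os.sep)[1:]
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        try:
            st = os.stat(cur)
        except OSError:  # missing, or not visible to the process running the check
            return cur
        if not allowed(st, uid, gids, "r" if i == len(parts) - 1 else "x"):
            return cur
    return None

def reproduce():
    """Rebuild the failure from the thread in /tmp (0700 parent like /root,
    0644 module) and return (blocked_for_other_uid, ok_for_owner, ok_after_fix).
    Constructed fixture; the module file is an empty placeholder."""
    parent = tempfile.mkdtemp(dir="/tmp")
    os.chmod(parent, 0o700)
    module = os.path.join(parent, "libpkcs11.so")
    open(module, "w").close()
    os.chmod(module, 0o644)
    me, other = os.getuid(), os.getuid() + 1  # "other" stands in for the ods user
    blocked = first_blocker(module, other, set()) == parent
    owner_ok = first_blocker(module, me, {os.getgid()}) is None
    os.chmod(parent, 0o755)  # the fix: let the unprivileged user traverse the path
    return blocked, owner_ok, first_blocker(module, other, set()) is None

if __name__ == "__main__":
    print(reproduce())  # (True, True, True)
```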