[Opendnssec-user] OpenDNSSEC with AEP Keyper (resolved)

Jerry Lundström jerry at opendnssec.org
Fri May 11 06:31:24 UTC 2012


Hi Jake,

I'm glad you solved it.

I see that you are using version 1.4.0-trunk and it's an alpha release
of 1.4 with our new IXFR and AXFR support.

Is that something you might be testing?

If so please let us know how it goes. You can report bugs at
http://bugs.opendnssec.org .

/Jerry

On 10 May 2012, at 20:52, elsif <jake at elsif.net> wrote:

> OpenDNSSEC was configured to drop to user "ods" from user "root".
>
> Because "ods" had no read access to /root/Keyper/PKCS11Provider/, ods-signerd and ods-enforcerd failed to use the HSM, while at the same time manually running an "ods-hsmutil list" as root had full access.
>
> Resolved.
>
> -jake
>
> On Thu, 10 May 2012, elsif wrote:
>
>> opendnssec-1.4.0-1.el6.x86_64 under Red Hat Enterprise Linux Server release 6.2.
>>
>> I've done:
>>
>> 1) inittoken  (and specified token ID, passwords)
>>
>> 2) ods-ksmutil key generate --policy=lab --interval P30D
>>
>> When I do an "ods-hsmutil list", I get:
>> [root at signer01 opendnssec]# ods-hsmutil list
>> Listing keys in all repositories.
>> 36 keys found.
>>
>> Repository            ID                                Type
>> ----------            --                                ----
>> AEP                   80dc4a8001695bdff1f7a08ec43f52c6  RSA/1024
>> AEP                   9fa1ce73cebe61e6cc50e96ed1670db8  RSA/1024
>> ...<snip>...
>> AEP                   0dad0b4cd65276b511226f8be2f5e963  RSA/2048
>> AEP                   33d2140710b3be6488ae95ca690d6f9f  RSA/2048
>> AEP                   8226642cff8eceb64c05ee244831b55e  RSA/2048
>>
>> However, I'm unsure of the next steps.
>>
>> "ods-ksmutil key list" shows no keys.
>>
>> "ods-control start" fails to start both enforcerd and signerd:
>>
>> May 10 11:18:06 signer01 ods-enforcerd: opendnssec starting...
>> May 10 11:18:06 signer01 ods-enforcerd: opendnssec Parent exiting...
>> May 10 11:18:06 signer01 ods-enforcerd: opendnssec forked OK...
>> May 10 11:18:06 signer01 ods-enforcerd: group set to: ods (494)
>> May 10 11:18:06 signer01 ods-enforcerd: user set to: ods (497)
>> May 10 11:18:06 signer01 ods-enforcerd: opendnssec started (version 1.4.0-trunk), pid 15006
>> May 10 11:18:06 signer01 ods-enforcerd: hsm_get_slot_id(): could not find token with the name MYKSK
>>
>> May 10 11:18:11 signer01 ods-signerd: [engine] setup: error initializing libhsm errno=268435457 (hsm_get_slot_id(): could not find token with the name MYKSK)
>> May 10 11:18:11 signer01 ods-signerd: [engine] setup failed: HSM error
>> May 10 11:18:11 signer01 ods-signerd: [engine] signer shutdown
>> May 10 11:18:11 signer01 ods-signerd: daemon/xfrhandler.c at 184 could not pthread_kill(xfrhandler->thread_id, 1): No such process
>> May 10 11:18:11 signer01 ods-signerd: daemon/engine.c at 284 could not pthread_join(engine->xfrhandler->thread_id, NULL): No such process
>>
>> "displaytoken" shows:
>> PKCS11 API v:2.11
>> Manufacturer ID:AEP Networks. Release64 P4=60257
>> 1 slots found
>> The slots that are available are between 0 and 0
>> Enter the slot number :0
>>
>>
>> PKCS11 Slot     : 0
>> PKCS11 Label    : MYKSK
>> Keyper Model    : Keyper Pro 0405
>> Keyper Serial   : K<deprecated by poster>
>> Keyper version  : 2.0
>> App             : 020
>> ABL             : 029
>> AL              : 02
>>
>> What do I need to do to make ksmutil see the keys generated, or detect the right slot, or the right token, or what is the error indicating?
>>
>> Thanks,
>>
>> -Jake
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>>
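The root cause in the thread is a privilege-drop mismatch: the daemons switch to the "ods" user, and that user cannot traverse /root/Keyper/PKCS11Provider/, so libhsm never loads the token even though root can. The following is an added preflight check, not OpenDNSSEC code: it reads the Module paths from a conf.xml document and simulates the DAC checks the service user would face on every path component. The conf.xml fragment, the library filename and the uid/gid values are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed conf.xml fragment in the shape OpenDNSSEC uses; the directory
# mirrors the thread, the .so filename is a placeholder.
SAMPLE_CONF = """<Configuration>
  <RepositoryList>
    <Repository name="AEP">
      <Module>/root/Keyper/PKCS11Provider/pkcs11-placeholder.so</Module>
      <TokenLabel>MYKSK</TokenLabel>
      <PIN>placeholder</PIN>
    </Repository>
  </RepositoryList>
</Configuration>"""

def repository_modules(conf_xml):
    """Return (repository name, PKCS#11 module path) pairs from conf.xml."""
    root = ET.fromstring(conf_xml)
    return [(r.get("name"), r.findtext("Module")) for r in root.iter("Repository")]

def _bits_for(st, uid, gids):
    """Pick the owner/group/other permission triplet that applies to uid."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def unreadable_components(path, uid, gids):
    """Simulate plain DAC for uid: each parent dir needs x, the file needs r.
    Returns the path components that would block access (empty = readable).
    uid 0 is treated as unrestricted, which is why "works as root" hides
    the problem the thread describes."""
    if uid == 0:
        return []
    blocked = []
    parts = os.path.abspath(path).split(os.sep)[1:]
    current = os.sep
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except OSError:            # missing component blocks access too
            blocked.append(current)
            break
        need = 4 if i == len(parts) - 1 else 1   # r on the file, x on dirs
        if not (_bits_for(st, uid, gids) & need):
            blocked.append(current)
    return blocked
```

Run it with the uid and groups of the user named in the daemon's privilege-drop settings; any component it reports is a directory the service user cannot traverse or a module it cannot read.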
