[Opendnssec-user] No Keys Generated Using AEP Keyper

Paul Wouters paul at nohats.ca
Fri Feb 1 06:33:30 UTC 2013


On Wed, 30 Jan 2013, 刘硕 wrote:

> I'm testing opendnssec-1.4.0rc2 with AEP Keyper, I can start the service now, ods-signerd and ods-enforcerd are running.
> But when I use ods-ksmutil zone add -z dstest to add a new zone, I found no keys with ods-ksmutil key list
>  
> I get logs like:
> Jan 30 10:03:06 CST-BJ-103 ods-signerd: [cmdhandler] received command update --all[12]
> Jan 30 10:03:06 CST-BJ-103 ods-signerd: [zonelist] read file /home/gtld/software/opendnssec-1.4.0rc2/etc/opendnssec/zonelist.xml
> Jan 30 10:03:06 CST-BJ-103 ods-signerd: [worker[2]] configure zone dstest
> Jan 30 10:03:06 CST-BJ-103 ods-signerd: [file] unable to stat file /home/gtld/software/opendnssec-1.4.0rc2/var/opendnssec/signconf/dstest.xml: ods_fopen() failed
> Jan 30 10:03:06 CST-BJ-103 ods-signerd: [zone] zone dstest signconf file /home/gtld/software/opendnssec-1.4.0rc2/var/opendnssec/signconf/dstest.xml is unchanged since 2013-01-30 10:03:06
> Jan 30 10:03:06 CST-BJ-103 ods-signerd: [worker[2]] CRITICAL: failed to sign zone dstest: General error
> Jan 30 10:03:06 CST-BJ-103 ods-signerd: [worker[2]] backoff task [configure] for zone dstest with 60 seconds
>  
> And there is no dstest.xml in var/opendnssec/signconf/ at all, and no data in table keypairs of kasp.db.
>  
> It seems opendnssec could not generate keys using AEP Keyper, am I right?
>  
> Have you guys ever met this problem?

I have never seen this. But if you were missing the right PKCS#11
library, then you cannot talk to the HSM and thus cannot generate keys.

You can see if you can talk to the device using the following commands
(that come from the same source as the pkcs library):

inittoken
displaytoken

The displaytoken requires you to enter the slot number, so if you want
to automate this, use something like:

echo 0 | displaytoken


You might also need to add an /etc/machine file for your AEP keyper, like:

SlotList
{
NumSlots:REG_DWORD:1
SlotA:REG_SZ:HSMServerSlot
SlotA-ID:REG_DWORD:0
NumConnections:REG_DWORD:6
}
SlotA
{
TokenStore:REG_SZ:/var/local/Keyper/PKCS11Provider/keymap
Location:REG_SZ:192.168.0.2:5000
Timeout:REG_DWORD:300
}
Logging
{
Log:REG_DWORD:0
LogErrors:REG_DWORD:2
OutputFile:REG_SZ:/tmp/aep-pkcs11.log
ErrorLogFile:REG_SZ:/tmp/aep-pkcs11.err
}

Otherwise, the ~/Keyper directory, which the PKCS library generates in the
home directory of whoever runs it, needs to be readable by the user that
opendnssec runs as. And running "displaytoken" as root might not give
the same results as if run as the ods user.

And then you should also see log/errors in /tmp/aep*

Also make sure you have an entry for "hsm" in /etc/hosts; by default
I _think_ it is on 192.168.1.2, but I'd have to verify that. The PKCS
library uses that (or tries to resolve it via DNS).

Paul
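The checks listed in the reply above (a SlotA Location in the machine file, an "hsm" entry in /etc/hosts, a ~/Keyper directory readable by the ods user, the AEP PKCS#11 logs under /tmp, and the displaytoken probe) gathered into one pre-flight script, as an added example. This is example code written for this page, not code from the original post, from OpenDNSSEC or from AEP. The service user name "opendnssec", the default machine-file path /etc/machine, the log location /tmp/aep* and all function names are assumptions; displaytoken is only invoked if the AEP tools are installed, exactly as the post suggests.

```shell
#!/bin/sh
# Added example (not from the original post, OpenDNSSEC or AEP).
# Assumptions: ods service user "opendnssec", machine file /etc/machine,
# PKCS#11 logs under /tmp/aep* as configured in the machine file above.

# machine_slot_location FILE -> prints the Location value of the SlotA block
# (e.g. "192.168.0.2:5000"); exit 1 if the block or key is missing.
machine_slot_location() {
    awk '
        /^SlotA[ \t\r]*$/ { in_slot = 1; next }
        in_slot && /^}/   { in_slot = 0 }
        in_slot && /^Location:REG_SZ:/ {
            sub(/^Location:REG_SZ:/, ""); sub(/[ \t\r]+$/, "")
            print; found = 1; exit
        }
        END { exit found ? 0 : 1 }' "$1"
}

# hosts_addr_for HOSTSFILE NAME -> prints the address NAME maps to in the
# hosts file (comments stripped, aliases honoured); exit 1 if not listed.
hosts_addr_for() {
    awk -v n="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# dir_readable_by USER DIR -> exit 0 if USER can read and traverse DIR.
# Switching user needs root; otherwise the test runs as the current user,
# which is exactly the root-vs-ods discrepancy the post warns about.
dir_readable_by() {
    if [ "$1" = "$(id -un)" ]; then
        test -r "$2" && test -x "$2"
    elif [ "$(id -u)" = 0 ] && id "$1" >/dev/null 2>&1; then
        su -s /bin/sh "$1" -c "test -r '$2' && test -x '$2'"
    else
        echo "warning: not root, testing $2 as $(id -un) instead of $1" >&2
        test -r "$2" && test -x "$2"
    fi
}

# preflight [USER] [MACHINEFILE] [HOSTSFILE] -> one line per check,
# exit 0 only if every hard check passed.
preflight() {
    user=${1:-opendnssec}; machine=${2:-/etc/machine}; hosts=${3:-/etc/hosts}
    status=0
    if loc=$(machine_slot_location "$machine"); then
        echo "ok   SlotA Location in $machine: $loc"
    else
        echo "FAIL no SlotA Location in $machine"; status=1
    fi
    if addr=$(hosts_addr_for "$hosts" hsm); then
        echo "ok   hsm -> $addr in $hosts"
    else
        echo "FAIL no 'hsm' entry in $hosts (library may fall back to DNS)"; status=1
    fi
    home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
    if [ -z "$home" ]; then
        echo "FAIL user $user not found"; status=1
    elif dir_readable_by "$user" "$home/Keyper"; then
        echo "ok   $home/Keyper readable by $user"
    else
        echo "FAIL $home/Keyper not readable by $user"; status=1
    fi
    # Probe the token as the post suggests; slot 0 is fed on stdin.
    if command -v displaytoken >/dev/null 2>&1; then
        echo 0 | displaytoken
    else
        echo "skip displaytoken not installed"
    fi
    # Failures from the PKCS#11 library land in the files named in the
    # Logging block of the machine file; show the tail of each.
    for f in /tmp/aep*; do
        [ -e "$f" ] && { echo "--- $f"; tail -n 20 "$f"; }
    done
    return $status
}

# Run the checks only when executed directly, not when sourced.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    preflight "$@"
fi
```

Run it as the ods user where possible (`PREFLIGHT_RUN=1 su -s /bin/sh opendnssec -c ./hsm-preflight.sh`); running it as root only tells you what root can see.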


