[Opendnssec-user] OpenDNSSEC and thales

Mark Elkins mje at posix.co.za
Mon Apr 21 13:43:54 UTC 2014


I'm wandering around in the dark....

Config is OpenDNSSEC 1.4.3, Thales HSM and MySQL on Gentoo (up to date)

Environment includes..

export CKNFAST_LOADSHARING=1
export PKCS11_NCIPHER=/opt/nfast/toolkits/pkcs11/libcknfast.so

Admin and SoftKey have been generated on the HSM (story in itself)...
         ---------------------
# ppmk --new --non-recoverable OpenDNSSEC

FIPS: insert OCS/ACS:
 Module 1: 0 cards read
 Module 1 slot 0: empty
(rushed over to the HSM and stuck in an Admin card)
Card reading complete.

Enter new pass phrase: *mysecret*
Enter new pass phrase again:
New softcard created: HKLTU 8e1ae6104442f2a568c4fcf0b747b9ad112d7275

(The above will only work once a "Security World" is created - so I
believe that's OK)

         ---------------------
Configs have been updated (DB=MySQL, HSM=Thales)

> <Repository name="thales">
>   <Module>/opt/nfast/toolkits/pkcs11/libcknfast.so</Module>
>   <TokenLabel>OpenDNSSEC</TokenLabel>
>   <PIN>TheSameSecret</PIN>
>   <Capacity>255</Capacity>
> </Repository>


OpenDNSSEC compiled clean...

ods-ksmutil setup: appears to have run just fine.
I have three zones in the system.

Problem:
ods-enforcerd started (version 1.4.3), pid 14122
Could not start enforcer

Tail of Log says:
Apr 21 15:12:15 vhost2 ods-enforcerd: 3 zone(s) found on policy "nsec3"
Apr 21 15:12:15 vhost2 ods-enforcerd: 3 new KSK(s) (2048 bits) need to be created.
Apr 21 15:12:15 vhost2 ods-enforcerd: Error creating key in repository thales
Apr 21 15:12:15 vhost2 ods-enforcerd: generate key pair: Unknown error


Where do I start and debug this?

I really don't know if the HSM and OpenDNSSEC are talking together. I've
seen no place where I tell OpenDNSSEC the IP address of the HSM. I can
talk to the HSM using Thales supplied software, which always needs an IP
address. The OpenDNSSEC docs don't seem to have an HSM IP address.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
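Editor's note, added to this archived post (not part of the original message or of the OpenDNSSEC project): the reason no HSM IP address appears anywhere in the OpenDNSSEC configuration is that OpenDNSSEC only loads the PKCS#11 library named in <Module>. For an nCipher/Thales setup that library, libcknfast.so, talks to the local nCipher hardserver, and it is the hardserver that holds the connection to a netHSM (enrolled with nethsmenroll and recorded in /opt/nfast/kmdata/config/config). So "is the HSM talking to OpenDNSSEC" splits into three questions that can be checked one layer at a time: does the hardserver see a module, does the security world contain the softcard, and does libcknfast.so expose a token whose label equals <TokenLabel> in the environment the enforcer runs in. The script below is an example written for this note, not the project's own tooling. It assumes the conf.xml layout quoted in the post, the nCipher tools under /opt/nfast/bin, pkcs11-tool from OpenSC and ods-hsmutil from OpenDNSSEC 1.4 on $PATH, and my reading of the nShield PKCS#11 documentation that under CKNFAST_LOADSHARING=1 each OCS/softcard is presented as its own token labelled with the softcard name. The sample conf.xml and pkcs11-tool output embedded in it are constructed so that the parsing helpers run offline; pass `--live` to run the real checks against the installed tools.

```shell
#!/bin/sh
# Diagnostic for "Error creating key in repository <name>" with an nCipher/Thales PKCS#11
# repository in OpenDNSSEC 1.4. Example code written for this note, not from the original
# post or from OpenDNSSEC. Assumed paths: /etc/opendnssec/conf.xml, /opt/nfast/bin for the
# nCipher tools, pkcs11-tool (OpenSC) and ods-hsmutil (OpenDNSSEC 1.4) on $PATH.
#
# OpenDNSSEC never learns the HSM's IP address: it only dlopen()s the <Module> library,
# libcknfast.so, which talks to the local hardserver; the hardserver is what connects
# to a netHSM (nethsmenroll / [nethsm_imports] in /opt/nfast/kmdata/config/config).

ODS_CONF="${ODS_CONF:-/etc/opendnssec/conf.xml}"
NFAST_BIN="${NFAST_BIN:-/opt/nfast/bin}"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extract <Module> and <TokenLabel> of one <Repository name="..."> from conf.xml.
# Prints "module label" on a single line; awk only, so no XML parser is needed.
repo_settings() {   # $1 = conf.xml path, $2 = repository name
    awk -v name="$2" '
        /<Repository name="/ { in_repo = index($0, "name=\"" name "\"") > 0 }
        in_repo && /<Module>/     { sub(/.*<Module>/, ""); sub(/<\/Module>.*/, ""); module = $0 }
        in_repo && /<TokenLabel>/ { sub(/.*<TokenLabel>/, ""); sub(/<\/TokenLabel>.*/, ""); label = $0 }
        /<\/Repository>/ { in_repo = 0 }
        END { print module, label }
    ' "$1"
}

# Succeeds when `pkcs11-tool --module <lib> -T` output lists a token with exactly this label.
# Assumption (my reading of the nShield PKCS#11 docs): with CKNFAST_LOADSHARING=1 each
# OCS/softcard is its own token, labelled with the softcard name, which is what lets
# <TokenLabel>OpenDNSSEC</TokenLabel> refer to the softcard created with ppmk.
token_present() {   # $1 = file holding pkcs11-tool -T output, $2 = expected token label
    grep -Eq "^[[:space:]]*token label[[:space:]]*:[[:space:]]*$2[[:space:]]*$" "$1"
}

# Live checks in the order the call chain is traversed: hardserver -> security world ->
# PKCS#11 library -> OpenDNSSEC's libhsm. A step is skipped if its tool is not installed.
live_checks() {   # $1 = repository name
    settings="$(repo_settings "$ODS_CONF" "$1")"
    module="${settings%% *}"; label="${settings#* }"
    if [ ! -r "$module" ]; then echo "cannot read PKCS#11 module '$module'"; return 1; fi
    if [ "${CKNFAST_LOADSHARING:-0}" != 1 ]; then
        echo "note: CKNFAST_LOADSHARING is not 1 here; the enforcer needs it in its own environment"
    fi
    if [ -x "$NFAST_BIN/enquiry" ];  then "$NFAST_BIN/enquiry";  fi   # hardserver sees a module?
    if [ -x "$NFAST_BIN/nfkminfo" ]; then "$NFAST_BIN/nfkminfo"; fi   # security world, OCS, softcards
    if command -v pkcs11-tool >/dev/null 2>&1; then
        pkcs11-tool --module "$module" -T > "$WORK/tokens.live" 2>&1
        if ! token_present "$WORK/tokens.live" "$label"; then
            echo "no token labelled '$label' is exposed by $module:"; cat "$WORK/tokens.live"; return 1
        fi
    fi
    if command -v ods-hsmutil >/dev/null 2>&1; then
        ods-hsmutil -c "$ODS_CONF" info          # what libhsm sees for every repository
        ods-hsmutil -c "$ODS_CONF" test "$1"     # generate, sign with and delete a test key
    fi
}

# Constructed sample inputs (mirroring the post's snippet) so the helpers run offline.
cat > "$WORK/conf.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
    <Repository name="thales">
      <Module>/opt/nfast/toolkits/pkcs11/libcknfast.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>TheSameSecret</PIN>
      <Capacity>255</Capacity>
    </Repository>
  </RepositoryList>
</Configuration>
EOF
cat > "$WORK/tokens.sample" <<'EOF'
Available slots:
Slot 0 (0x1): nCipher (accelerator)
  token label        : accelerator
  token manufacturer : nCipher Corp. Ltd
  token flags        : rng, token initialized
Slot 1 (0x2): nCipher (softcard)
  token label        : OpenDNSSEC
  token manufacturer : nCipher Corp. Ltd
  token flags        : rng, login required, token initialized, PIN initialized
EOF

case "$1" in
    --live) live_checks "${2:-thales}" ;;
    *)      echo "offline: repository thales -> $(repo_settings "$WORK/conf.xml" thales)"
            if token_present "$WORK/tokens.sample" OpenDNSSEC; then echo "offline: softcard token visible in sample"; fi ;;
esac
```

Two practical caveats when running this for real. Run the `--live` pass as the same user and with the same environment (CKNFAST_LOADSHARING, PKCS11_NCIPHER) that ods-enforcerd gets from its init script, since a token that is visible in an interactive root shell may be absent from the daemon's environment. And because conf.xml carries the softcard passphrase in clear in <PIN>, keep it readable only by the OpenDNSSEC user.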