[Opendnssec-user] OpenDNSSEC and thales

Emil Natan shlyoko at gmail.com
Mon Apr 21 15:46:51 UTC 2014


Hi,

I do not have experience with Thales HSM (probably the only one I have not
tested). With the HSM I'm currently using, it's the provider (the library
provided by the manufacturer) that knows to look for the "HSM" record in
/etc/hosts and resolve the IP address. Of course you can try "ods-hsmutil
list" and use a sniffer to check if the signer machine tries to connect to
the HSM.

Emil


On Mon, Apr 21, 2014 at 4:43 PM, Mark Elkins <mje at posix.co.za> wrote:

> I'm wandering around in the dark....
>
> Config is OpenDNSSEC 1.4.3, Thales HSM and MySQL on Gentoo (up to date)
>
> Environment includes..
>
> export CKNFAST_LOADSHARING=1
> export PKCS11_NCIPHER=/opt/nfast/toolkits/pkcs11/libcknfast.so
>
> Admin and SoftKey have been generated on the HSM (story in itself)...
>          ---------------------
> # ppmk --new --non-recoverable OpenDNSSEC
>
> FIPS: insert OCS/ACS:
>  Module 1: 0 cards read
>  Module 1 slot 0: empty
> (rushed over to the HSM and stuck in an Admin card)
> Card reading
> complete.
>
> Enter new pass phrase: *mysecret*
> Enter new pass phrase again:
> New softcard created: HKLTU 8e1ae6104442f2a568c4fcf0b747b9ad112d7275
>
> (The above will only work once a "Security World" is created - so I
> believe that's OK)
>
>          ---------------------
> Configs have been updated (DB=MySQL, HSM=Thales)
>
> > <Repository name="thales">
> >   <Module>/opt/nfast/toolkits/pkcs11/libcknfast.so</Module>
> >   <TokenLabel>OpenDNSSEC</TokenLabel>
> >   <PIN>TheSameSecret</PIN>
> >   <Capacity>255</Capacity>
> > </Repository>
>
>
> OpenDNSSEC compiled clean...
>
> ods-ksmutil setup: appears to have run just fine.
> I have three zones in the system.
>
> Problem:
> ods-enforcerd started (version 1.4.3), pid 14122
> Could not start enforcer
>
> Tail of Log says:
> pr 21 15:12:15 vhost2 ods-enforcerd: 3 zone(s) found on policy "nsec3"
> Apr 21 15:12:15 vhost2 ods-enforcerd: 3 new KSK(s) (2048 bits) need to
> be created.
> Apr 21 15:12:15 vhost2 ods-enforcerd: Error creating key in repository
> thales
> Apr 21 15:12:15 vhost2 ods-enforcerd: generate key pair: Unknown error
>
>
> Where do I start and debug this?
>
> I really don't know if the HSM and OpenDNSSEC are talking together. I've
> seen no place where I tell OpenDNSSEC the IP address of the HSM. I can
> talk to the HSM using Thales supplied software, which always needs an IP
> address. The OpenDNSSEC docs don't seem to have an HSM IP address.
>
> --
> Mark James ELKINS  -  Posix Systems - (South) Africa
> mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
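A diagnostic script, added here and not from either poster or the OpenDNSSEC project, that does the check Emil suggests (run ods-hsmutil list and see whether the enforcer host tries to reach the HSM at all) plus one step before it: confirm that the <Module> path from Mark's conf.xml is actually loadable by the user the enforcer runs as. It assumes the conf.xml layout quoted above, the default path /etc/opendnssec/conf.xml, and uses strace to watch connect() calls instead of a packet sniffer.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread or the OpenDNSSEC project.
# Assumptions: conf.xml layout as quoted in the thread (<Repository name="...">
# with <Module>/<TokenLabel> children); default path /etc/opendnssec/conf.xml.

# Print one child element (Module, TokenLabel, ...) of the named <Repository>.
repo_field() {  # repo_field CONF REPO TAG
    awk -v name="$2" -v tag="$3" '
        $0 ~ ("<Repository name=\"" name "\"") { inrepo = 1 }
        inrepo && $0 ~ ("<" tag ">") {
            sub(".*<" tag ">", ""); sub("</" tag ">.*", ""); print; exit
        }
        /<\/Repository>/ { inrepo = 0 }
    ' "$1"
}

# Check that the PKCS#11 provider the enforcer will dlopen() is really there.
# Prints the module path on success; returns 1 (no such repository/field) or
# 2 (file missing or unreadable by the current user).
check_module() {  # check_module CONF REPO
    mod=$(repo_field "$1" "$2" Module)
    if [ -z "$mod" ]; then
        echo "no <Module> for repository '$2' in $1" >&2; return 1
    fi
    if [ ! -r "$mod" ]; then
        echo "module $mod missing or unreadable (running as $(id -un))" >&2; return 2
    fi
    echo "$mod"
}

# Emil's "does the signer even try to talk to the HSM" check, done with strace
# rather than a packet sniffer: list the token through OpenDNSSEC's own PKCS#11
# layer and show every connect() the provider makes (TCP to the HSM, or a local
# socket if the vendor library first talks to a helper daemon on the host).
trace_hsm_connect() {
    log=$(mktemp)
    strace -f -e trace=connect -o "$log" ods-hsmutil list
    grep 'connect(' "$log"
    rm -f "$log"
}

diagnose() {  # diagnose [CONF] [REPO]
    conf=${1:-/etc/opendnssec/conf.xml}; repo=${2:-thales}
    echo "TokenLabel: $(repo_field "$conf" "$repo" TokenLabel)"
    echo "CKNFAST_LOADSHARING=${CKNFAST_LOADSHARING:-<unset>}"
    check_module "$conf" "$repo" && trace_hsm_connect
}

if [ $# -gt 0 ]; then diagnose "$@"; fi
```

Run it as the same user the enforcer runs as, since a module that root can read but the ods user cannot produces exactly the silent "Unknown error" seen in the log.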

