[Opendnssec-user] ods-enforcerd: Error creating key in repository SoftHSM-KSK

Abdalmonem Tharwat Galila agalila at mcit.gov.eg
Sun Aug 31 09:18:48 UTC 2014


I got the following error message and the enforcer could not be restarted:

[root@ns2 ~]# ods-control start
Starting enforcer...
OpenDNSSEC ods-enforcerd started (version 1.4.5), pid 9473
Could not start enforcer
[root@stage-ns2 ~]# tail -f /var/log/messages
Aug 30 01:03:27 stage-ns2 ods-enforcerd: Connecting to Database...
Aug 30 01:03:27 stage-ns2 ods-enforcerd: Policy default found.
Aug 30 01:03:27 stage-ns2 ods-enforcerd: Key sharing is Off.
Aug 30 01:03:27 stage-ns2 ods-enforcerd: No zones on policy default, skipping...
Aug 30 01:03:27 stage-ns2 ods-enforcerd: Policy DotMasr found.
Aug 30 01:03:27 stage-ns2 ods-enforcerd: Key sharing is Off.
Aug 30 01:03:27 stage-ns2 ods-enforcerd: 1 zone(s) found on policy "Dot2"
Aug 30 01:03:27 stage-ns2 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy Dot2: keys_to_generate(1) = keys_needed(1) - keys_available(0).
Aug 30 01:03:27 stage-ns2 ods-enforcerd: Error creating key in repository SoftHSM-KSK
Aug 30 01:03:27 stage-ns2 ods-enforcerd: generate key pair: CKR_GENERAL_ERROR


[root@stage-ns2 ~]# ods-hsmutil test SoftHSM -v
Testing repository: SoftHSM

Generating 512-bit RSA key... OK
Extracting key identifier... OK, 1134ad3426577e59c44c60f2be8c6351
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Deleting key... OK

Generating 768-bit RSA key... OK
Extracting key identifier... OK, 23a83e3a60cb2deaf108d40b2473cdd3
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Deleting key... OK

Generating 1024-bit RSA key... OK
Extracting key identifier... OK, e27502cde45ad9594f4170c323277428
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK

Generating 1536-bit RSA key... OK
Extracting key identifier... OK, 01d15dcaeff6862df8fd92477fa59023
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK

Generating 2048-bit RSA key... OK
Extracting key identifier... OK, c5ac4f805cd3c11b7e7ed53616c6c345
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK

Generating 4096-bit RSA key... OK
Extracting key identifier... OK, d728d0cbf867eebe912f1688d0f9cf6b
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK

Generating 512-bit DSA key... Failed
generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED

Generating 768-bit DSA key... Failed
generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED

Generating 1024-bit DSA key... Failed
generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED

Generating 512-bit GOST key... Failed
generate key pair: CKR_MECHANISM_INVALID

Generating 1024 bytes of random data... OK
Generating 32-bit random data... 2643190841
Generating 64-bit random data... 9844808495919432962
[root@stage-ns2 ~]#


And no keys:

[root@stage-ns2 ~]# ods-hsmutil list

Listing keys in all repositories.
0 keys found.

Repository            ID                                Type
----------            --                                ----
[root@stage-ns2 ~]#


[root@stage-ns2 ~]# softhsm --show-slots
Available slots:
Slot 0
           Token present: yes
           Token initialized: yes
           User PIN initialized: yes
           Token label: OpenDNSSEC
Slot 1
           Token present: yes
           Token initialized: yes
           User PIN initialized: yes
           Token label: KSK
Slot 2
           Token present: yes
           Token initialized: yes
           User PIN initialized: yes
           Token label: ZSK
[root@stage-ns2 ~]#


Could you advise?