[Opendnssec-user] Re: ods-enforcerd: Error creating key in repository SoftHSM-KSK
Abdalmonem Tharwat Galila
agalila at mcit.gov.eg
Sun Aug 31 10:24:11 UTC 2014
-----Original Message-----
From: opendnssec-user-bounces at lists.opendnssec.org [mailto:opendnssec-user-bounces at lists.opendnssec.org] On Behalf Of Jarno Huuskonen
Sent: Sunday, August 31, 2014 12:32 PM
To: opendnssec-user at lists.opendnssec.org
Subject: [Opendnssec-user] Re: ods-enforcerd: Error creating key in repository SoftHSM-KSK
Hi,
> I got the following error message and the enforcer could not be restarted
>
> [root at ns2 ~]# ods-control start
> Starting enforcer...
> OpenDNSSEC ods-enforcerd started (version 1.4.5), pid 9473
> Could not start enforcer
> [root at stage-ns2 ~]# tail -f /var/log/messages
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Connecting to Database...
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Policy default found.
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Key sharing is Off.
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: No zones on policy default, skipping...
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Policy DotMasr found.
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Key sharing is Off.
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: 1 zone(s) found on policy "Dot2"
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: 1 new KSK(s) (2048 bits) need to be created for policy Dot2: keys_to_generate(1) = keys_needed(1) - keys_available(0).
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Error creating key in repository SoftHSM-KSK
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: generate key pair: CKR_GENERAL_ERROR
>> What do you have in softhsm.conf (/etc/softhsm.conf)?
0:/var/softhsm/slot0.db
1:/var/softhsm/slot1.db
2:/var/softhsm/slot2.db
>> Is the user account used for ods-enforcerd able to access the files defined in softhsm.conf (can change to the directory and read/write the files).
How do I get that user you are talking about?
>> Does your opendnssec/conf.xml <Repository> / <TokenLabel> match what you get with "softhsm --show-slots"?
Yes, matches
Available slots:
Slot 0
Token present: yes
Token initialized: yes
User PIN initialized: yes
Token label: OpenDNSSEC
Slot 1
Token present: yes
Token initialized: yes
User PIN initialized: yes
Token label: KSK
Slot 2
Token present: yes
Token initialized: yes
User PIN initialized: yes
Token label: ZSK
>> -Jarno
--
>> Jarno Huuskonen
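
The access check asked about above, written out as an added example (not part of the original thread and not OpenDNSSEC or SoftHSM code). It assumes the `slot:path` softhsm.conf format shown in the message; the function name `check_softhsm_conf` is hypothetical. Run it as the account ods-enforcerd runs under (in OpenDNSSEC 1.4 the `<User>` under `<Enforcer>`/`<Privileges>` in conf.xml if set, otherwise the user that starts the daemon).

```shell
#!/bin/sh
# Added example: verify that the current user can use every token database
# listed in a SoftHSM v1 softhsm.conf (lines of the form "slot:path").
# Typical use: sudo -u <enforcer-user> sh check_softhsm.sh /etc/softhsm.conf

check_softhsm_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "conf $conf unreadable"; return 2; }
    # "|| [ -n "$slot" ]" also handles a last line without a trailing newline.
    while IFS=: read -r slot path || [ -n "$slot" ]; do
        case $slot in ''|'#'*) continue ;; esac   # skip blanks and comments
        dir=$(dirname "$path")
        if [ ! -e "$path" ]; then
            status=missing
        elif [ ! -x "$dir" ] || [ ! -w "$dir" ]; then
            # The token file is an SQLite database; SQLite creates its
            # journal next to it, so the directory must be writable too.
            status=dir-no-access
        elif [ ! -r "$path" ] || [ ! -w "$path" ]; then
            status=file-no-access
        else
            status=ok
        fi
        [ "$status" = ok ] || rc=1
        echo "slot $slot $path $status"
    done < "$conf"
    return $rc
}

# When invoked as a script with a path argument, check that file.
if [ $# -gt 0 ]; then
    check_softhsm_conf "$1"
fi
```

Any status other than `ok` for the slot backing the SoftHSM-KSK repository is worth fixing before looking further into the CKR_GENERAL_ERROR.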