[Opendnssec-user] Re: ods-enforcerd: Error creating key in repository SoftHSM-KSK

Abdalmonem Tharwat Galila agalila at mcit.gov.eg
Sun Aug 31 15:54:40 UTC 2014


Thanks a bundle, Jarno.
I do not understand what opendnssec means by:

WARNING: New KSK has reached the ready state; please submit the DS for myTLD and use ods-ksmutil key ds-seen when the DS appears in the DNS.

Also, when I run ods-ksmutil key list --verbose, I get this:

SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
xn--wgbh1c                      KSK           ready     waiting for ds-seen (active)   2048    8           105f92815149413be458e05138ba734f  SoftHSM-KSK                       60047
xn--wgbh1c                      ZSK           active    2014-08-31 20:26:54 (retire)   1024    8           91a2aa128ce554f23453dec10ce9833b  SoftHSM-ZSK                       56364

What does "waiting for ds-seen (active)" mean?

Thanks again for all your support.

 
________________________________________
From: Jarno Huuskonen [jarno.huuskonen at uef.fi]
Sent: Sunday, August 31, 2014 4:32 PM
To: Abdalmonem Tharwat Galila
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Re: ods-enforcerd: Error creating key in repository SoftHSM-KSK

Hi,

On Sun, Aug 31, Abdalmonem Tharwat Galila wrote:
> >> What do you have in softhsm.conf (/etc/softhsm.conf) ?
>
> 0:/var/softhsm/slot0.db
> 1:/var/softhsm/slot1.db
> 2:/var/softhsm/slot2.db
>
> >> Is the user account used for ods-enforcerd able to access the files defined in softhsm.conf (can change to the directory and read/write the files).
>
> How do I find that user you are talking about?

What do you have in your opendnssec conf.xml
(/etc/opendnssec/conf.xml?):

Do you have something like:
        <Enforcer>
                <Privileges>
                        <User>ods</User>
                        <Group>ods</Group>
                </Privileges>

and something similar for <Signer> ?

So, assuming you have <User>ods</User>, can you try for example:
su - -s/bin/bash ods
and after su (as user ods)
cd /var/softhsm
ls -l slot*.db
ls -l .

Also after su can you check that your /var/named/zones/conf/ is
accessible:
(ls -l /var/named/zones/conf)
and
cd /var/named/zones/conf # if you get permission denied then
check that /var/named, /var/named/zones and /var/named/zones/conf
permissions allow access (for example ls -l).

-Jarno

--
Jarno Huuskonen
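An added example, not from this thread or from OpenDNSSEC itself, that performs the same reachability check Jarno describes without actually switching users: it reads the Privileges user/group from a conf.xml string, the slot files from a softhsm.conf string (both constructed samples below, using the paths from the thread), and walks every component of each path applying the owner/group/other bits for that uid and gid, reporting the first component that denies access. The account lookup via pwd/grp and the /var/named/zones/conf check are assumptions about the host; uid 0 is not special-cased.

```python
import os
from xml.etree import ElementTree as ET

def privileges_from_conf(conf_xml):
    """Return (user, group) from <Enforcer><Privileges> in an OpenDNSSEC conf.xml string."""
    root = ET.fromstring(conf_xml)
    return root.findtext("Enforcer/Privileges/User"), root.findtext("Enforcer/Privileges/Group")

def slot_files_from_softhsm_conf(text):
    """Parse 'slot:path' lines from a SoftHSM v1 softhsm.conf, skipping blanks and comments."""
    files = []
    for line in text.splitlines():
        line = line.strip()
        slot, _, path = line.partition(":")
        if line and not line.startswith("#") and slot.strip().isdigit() and path.strip():
            files.append(path.strip())
    return files

def bits_allow(mode, file_uid, file_gid, uid, gids, need):
    """Apply one inode's owner/group/other bits for uid/gids (uid 0 is not special-cased)."""
    shift = 6 if file_uid == uid else 3 if file_gid in gids else 0
    return all((mode >> shift) & {"r": 4, "w": 2, "x": 1}[c] for c in need)

def can_access(path, uid, gids, need="rw"):
    """Each directory on the way needs 'x', the final component needs `need`; returns (ok, reason)."""
    cur, parts = os.sep, [p for p in os.path.abspath(path).split(os.sep) if p]
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        try:
            st = os.stat(cur)
        except OSError as e:  # a missing component is reported, not raised
            return False, f"{cur}: {e.strerror}"
        want = need if i == len(parts) - 1 else "x"
        if not bits_allow(st.st_mode & 0o777, st.st_uid, st.st_gid, uid, gids, want):
            return False, f"{cur}: mode {oct(st.st_mode & 0o777)} denies '{want}' to uid {uid}"
    return True, ""

if __name__ == "__main__":
    import pwd, grp  # resolve the service account named in conf.xml (assumed to exist)
    conf_xml = ("<Configuration><Enforcer><Privileges><User>ods</User><Group>ods</Group>"
                "</Privileges></Enforcer></Configuration>")  # constructed sample
    softhsm_conf = "0:/var/softhsm/slot0.db\n1:/var/softhsm/slot1.db\n2:/var/softhsm/slot2.db\n"  # constructed
    user, group = privileges_from_conf(conf_xml)
    try:
        uid, gids = pwd.getpwnam(user).pw_uid, [grp.getgrnam(group).gr_gid]
    except KeyError:
        raise SystemExit(f"account {user}/{group} does not exist on this host")
    # the enforcer must read/write the slot databases; the signer must enter and read the zone dir
    for p, need in [(f, "rw") for f in slot_files_from_softhsm_conf(softhsm_conf)] + [("/var/named/zones/conf", "rx")]:
        print(p, *can_access(p, uid, gids, need))
```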


