[Opendnssec-user] Key not found

Rickard Bellgrim rickard at opendnssec.org
Wed Jun 11 10:57:25 UTC 2014


On Wed, Jun 11, 2014 at 12:15 PM, David Peall <david at dnservices.co.za>
wrote:

> Here is the log line:
> Jun 11 12:03:41 ods-signerd: [hsm] unable to get key: key 5a4cf5871ef16a77118283e8666f486b not found
>
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsInit
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  hSession 0x000008DB
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  CKA_CLASS:  CKO_PRIVATE_KEY
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    CKA_ID  pAtt->pValue= 16 bytes
>                                         5a4cf587 1ef16a77 118283e8 666f486b
>
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv 0x00000000 (CKR_OK)
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjects
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  hSession 0x000008DB
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  phObject 0x7ffff3ac5cd8
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  ulMaxObjectCount 1
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <  *pulObjectCount 0
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv 0x00000000 (CKR_OK)
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsFinal
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  hSession 0x000008DB
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv 0x00000000 (CKR_OK)
>

OpenDNSSEC (ods-signerd) is acting correctly because the HSM says that
there is no key which matches the search criteria. See the pulObjectCount
returned from the HSM above.

The issue is probably some synchronization problem with the HSM. E.g.
object information not propagating fast enough between the two loaded
instances of the PKCS#11 library, or you are operating an HA cluster and the
object has not been synchronized to the second cluster member. The PKCS#11
library should not return from the key generation function until this has
been done.

// Rickard
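The diagnosis above rests on one detail of the trace: every PKCS#11 call returned CKR_OK, yet C_FindObjects reported *pulObjectCount 0 for the CKA_ID the signer was asking for. The script below is an added example (not part of this thread or of OpenDNSSEC) that automates exactly that check: it pulls the key id out of the ods-signerd syslog line, groups the pkcs11 trace into C_FindObjectsInit / C_FindObjects / C_FindObjectsFinal searches with their template and result, and reports whether the HSM answered "no such object" cleanly (the synchronization case Rickard describes), returned a PKCS#11 error, or actually found the key. The trace layout it parses is assumed to be the one quoted in the thread, unwrapped to one line per entry; the sample log and trace are constructed from that quote, and the verdict names are my own.

```python
"""Explain an ods-signerd "unable to get key" error from the pkcs11 trace.

Added example; assumes the trace layout quoted in the thread (one line per
entry, CKA_ID hex dump on the following line). Sample data is constructed.
"""
import re

# Constructed sample: signer syslog line and the matching pkcs11 trace.
SIGNER_LOG = ("Jun 11 12:03:41 ods-signerd: [hsm] unable to get key: "
              "key 5a4cf5871ef16a77118283e8666f486b not found")

PKCS11_TRACE = """\
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsInit
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  hSession 0x000008DB
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  CKA_CLASS:  CKO_PRIVATE_KEY
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    CKA_ID  pAtt->pValue= 16 bytes
                                        5a4cf587 1ef16a77 118283e8 666f486b
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv 0x00000000 (CKR_OK)
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjects
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  hSession 0x000008DB
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  phObject 0x7ffff3ac5cd8
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  ulMaxObjectCount 1
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <  *pulObjectCount 0
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv 0x00000000 (CKR_OK)
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsFinal
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >  hSession 0x000008DB
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv 0x00000000 (CKR_OK)
"""

SIGNER_RE = re.compile(r"unable to get key: key ([0-9a-fA-F]+) not found")
CALL_RE = re.compile(r"pkcs11: [0-9A-F]+ >> (C_\w+)")      # ">>" marks a call
ATTR_RE = re.compile(r"pkcs11: [0-9A-F]+ >\s+(CKA_\w+)")   # template attribute
COUNT_RE = re.compile(r"\*pulObjectCount (\d+)")
RV_RE = re.compile(r"rv 0x[0-9A-Fa-f]{8} \((CKR_\w+)\)")
HEXDUMP_RE = re.compile(r"^[ 0-9a-fA-F]+$")                # CKA_ID value line


def parse_find_searches(trace):
    """Group the trace into searches: {class, id, count, rv-per-call}."""
    searches, cur, fn, pending_id = [], None, None, False
    for line in trace.splitlines():
        m = CALL_RE.search(line)
        if m:
            fn, pending_id = m.group(1), False
            if fn == "C_FindObjectsInit":
                cur = {"class": None, "id": "", "count": None, "rv": {}}
            continue
        if cur is None:
            continue
        # The CKA_ID bytes are dumped on the line(s) after the attribute.
        if pending_id and line.strip() and HEXDUMP_RE.match(line):
            cur["id"] += line.replace(" ", "").lower()
            continue
        pending_id = False
        m = ATTR_RE.search(line)
        if m:
            if m.group(1) == "CKA_CLASS":
                cur["class"] = line.rsplit(":", 1)[1].strip()
            elif m.group(1) == "CKA_ID":
                pending_id = True
            continue
        m = COUNT_RE.search(line)
        if m:
            cur["count"] = int(m.group(1))
            continue
        m = RV_RE.search(line)
        if m:
            cur["rv"][fn] = m.group(1)
            if fn == "C_FindObjectsFinal":   # search complete
                searches.append(cur)
                cur = None
    return searches


def diagnose(signer_log, trace):
    """Correlate the signer's missing key id with the HSM's search answer."""
    m = SIGNER_RE.search(signer_log)
    if not m:
        return None
    key_id = m.group(1).lower()
    for s in parse_find_searches(trace):
        if s["id"] != key_id:
            continue
        if any(rv != "CKR_OK" for rv in s["rv"].values()):
            verdict = "pkcs11-error"        # library failed, not a missing key
        elif s["count"] == 0:
            verdict = "absent-from-token"   # HSM genuinely reports no object
        else:
            verdict = "present"             # key exists; look elsewhere
        return {"key_id": key_id, "verdict": verdict, "template": s}
    return {"key_id": key_id, "verdict": "no-search-in-trace", "template": None}


if __name__ == "__main__":
    r = diagnose(SIGNER_LOG, PKCS11_TRACE)
    print(r["verdict"], r["key_id"], r["template"]["class"], r["template"]["count"])
```

An "absent-from-token" verdict with CKR_OK on every call is the signature of the case in this thread: the library instance the signer is talking to simply does not see the object, which points at propagation between PKCS#11 library instances or HA cluster members rather than at ods-signerd. A "pkcs11-error" verdict would instead point at the library or session state, and "present" means the key lookup is not the problem at all.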