[Opendnssec-user] Interaction with Thales...

Mark Elkins mje at posix.co.za
Wed May 28 13:16:35 CEST 2014


Still having problems with Thales integration.
I've read the paper: "nShields ISC BIND DNSSEC UNIX ig.pdf"
...but it's over two years old. Not sure how much of it is still
relevant.

In my logfile on "start" - I get:

ods-enforcerd: opendnssec started (version 1.4.5), pid 12747
ods-enforcerd: HSM opened successfully.
ods-enforcerd: Checking database connection...
ods-enforcerd: Database connection ok.
ods-enforcerd: pidfile /var/run/opendnssec/enforcerd.pid already exists, but no process with pid 12729 is running. A previous instance didn't shutdown cleanly, this pidfile is stale.
ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
ods-enforcerd: Communication Interval: 3600
ods-enforcerd: No DS Submit command supplied
ods-enforcerd: MySQL database schema set to: KASP
ods-enforcerd: MySQL database user set to: kaspuser
ods-enforcerd: MySQL database password set
ods-enforcerd: Log User set to: local0
ods-enforcerd: Switched log facility to: local0
ods-enforcerd: Connecting to Database...
ods-enforcerd: Policy zacr-nsec3 found.
ods-enforcerd: Key sharing is Off.
ods-enforcerd: 2 zone(s) found on policy "zacr-nsec3"
ods-enforcerd: 2 new KSK(s) (2048 bits) need to be created for policy zacr-nsec3: keys_to_generate(2) = keys_needed(2) - keys_available(0).
ods-signerd: [hsm] libhsm connection opened succesfully
ods-signerd: [engine] signer started (version 1.4.5), pid 12752
ods-signerd: [worker[2]] CRITICAL: failed to sign zone web.za: General error
ods-signerd: [worker[2]] backoff task [configure] for zone web.za with 60 seconds
ods-signerd: [worker[1]] CRITICAL: failed to sign zone za: General error
ods-signerd: [worker[1]] backoff task [configure] for zone za with 60 seconds
kernel: [681529.262759] ods-enforcerd[12747]: segfault at 0 ip 00007fa14d93bb14 sp 00007ffff7aeb4f0 error 4 in libcknfast.so[7fa14d892000+1ee000]

So - good news - I'm talking to the Thales, but it looks like the
library supplied might be too old?

Looking at the supplied Library:
root:/opt/nfast/toolkits/pkcs11# ls -l
-rwxr-xr-x 1 mje mje    32768 May 20 15:46 ConfigPKCS11onCP
-rwxr-xr-x 1 mje mje 11780890 May 20 15:46 libcknfast.so

root:pkcs11# ldd libcknfast.so
	linux-vdso.so.1 =>  (0x00007fff797fe000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6b443d0000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6b441b2000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f6b43fa9000)
	libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f6b43d8f000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f6b44adf000)

root:pkcs11# ls -l /lib/x86_64-linux-gnu/libc.so.6
lrwxrwxrwx 1 root root 12 Apr 12 12:38 /lib/x86_64-linux-gnu/libc.so.6 -> libc-2.19.so

root:pkcs11# ls /lib/x86_64-linux-gnu/libpthread.so.0
/lib/x86_64-linux-gnu/libpthread.so.0

root:pkcs11# ls -l /lib/x86_64-linux-gnu/libpthread.so.0
lrwxrwxrwx 1 root root 18 Apr 12 12:38 /lib/x86_64-linux-gnu/libpthread.so.0 -> libpthread-2.19.so

root:pkcs11# ls -l /lib/x86_64-linux-gnu/librt.so.1
lrwxrwxrwx 1 root root 13 Apr 12 12:38 /lib/x86_64-linux-gnu/librt.so.1 -> librt-2.19.so

root:pkcs11# ls -l /lib/x86_64-linux-gnu/libnsl.so.1
lrwxrwxrwx 1 root root 14 Apr 12 12:38 /lib/x86_64-linux-gnu/libnsl.so.1 -> libnsl-2.19.so

root:pkcs11# ls -l /lib64/ld-linux-x86-64.so.2
lrwxrwxrwx 1 root root 32 Apr 12 12:38 /lib64/ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.19.so

The (virtual) server:
Linux mjedev 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC
2014 x86_64 x86_64 x86_64 GNU/Linux

Anyone doing similar?
Anyone with a newer thales library?
-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
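The log excerpt above mixes three separate signals: the enforcer and signer both opened their HSM session, both zones then failed to sign with a generic PKCS#11 error, and the enforcer process itself died inside the vendor provider library (libcknfast.so) rather than in OpenDNSSEC. The following script is an added triage helper, not part of the original post or of OpenDNSSEC; it runs over the post's own log lines (unwrapped to one record per line and embedded as a constructed sample), extracts those signals, decodes the x86 page-fault error code the kernel printed, and summarises which component actually faulted. Function and field names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the records quoted in the post, one per line
# (the mail client had wrapped the long ones).
SAMPLE_LOG = """\
ods-enforcerd: opendnssec started (version 1.4.5), pid 12747
ods-enforcerd: HSM opened successfully.
ods-enforcerd: pidfile /var/run/opendnssec/enforcerd.pid already exists, but no process with pid 12729 is running. A previous instance didn't shutdown cleanly, this pidfile is stale.
ods-signerd: [hsm] libhsm connection opened succesfully
ods-signerd: [engine] signer started (version 1.4.5), pid 12752
ods-signerd: [worker[2]] CRITICAL: failed to sign zone web.za: General error
ods-signerd: [worker[2]] backoff task [configure] for zone web.za with 60 seconds
ods-signerd: [worker[1]] CRITICAL: failed to sign zone za: General error
ods-signerd: [worker[1]] backoff task [configure] for zone za with 60 seconds
kernel: [681529.262759] ods-enforcerd[12747]: segfault at 0 ip 00007fa14d93bb14 sp 00007ffff7aeb4f0 error 4 in libcknfast.so[7fa14d892000+1ee000]
"""

# Patterns for the record types the triage cares about. "succes+fully"
# tolerates the misspelling that the real signer log emits.
STARTED = re.compile(r"^(ods-\w+): .*?started \(version ([\d.]+)\), pid (\d+)")
HSM_OK = re.compile(r"HSM opened successfully|libhsm connection opened succes+fully")
STALE_PID = re.compile(r"pidfile (\S+) already exists, but no process with pid (\d+) is running")
SIGN_FAIL = re.compile(r"^ods-signerd: \[worker\[\d+\]\] CRITICAL: failed to sign zone (\S+): (.*)$")
SEGFAULT = re.compile(
    r"^kernel: \[[\d.]+\] (\S+?)\[(\d+)\]: segfault at (\S+) ip \S+ sp \S+ error (\d+) in ([^\[]+)\["
)


@dataclass
class Crash:
    process: str
    pid: int
    address: str
    error_code: int
    library: str   # shared object the faulting instruction lived in


@dataclass
class Triage:
    versions: dict = field(default_factory=dict)      # daemon -> version string
    hsm_opened: bool = False
    stale_pidfiles: list = field(default_factory=list)  # (path, stale pid)
    failed_zones: list = field(default_factory=list)    # (zone, error text)
    crashes: list = field(default_factory=list)         # Crash records


def decode_fault_error(code: int) -> tuple:
    """Decode the x86 page-fault error code the kernel prints after 'error'.
    bit0: 0 = page not present, 1 = protection violation;
    bit1: 0 = read, 1 = write; bit2: 0 = kernel mode, 1 = user mode."""
    return (
        "protection" if code & 1 else "not-present",
        "write" if code & 2 else "read",
        "user" if code & 4 else "kernel",
    )


def triage_ods_log(text: str) -> Triage:
    """Walk the log once and collect the signals relevant to an HSM/PKCS#11 failure."""
    t = Triage()
    for line in text.splitlines():
        if m := STARTED.search(line):
            t.versions[m.group(1)] = m.group(2)
        elif HSM_OK.search(line):
            t.hsm_opened = True
        elif m := STALE_PID.search(line):
            t.stale_pidfiles.append((m.group(1), int(m.group(2))))
        elif m := SIGN_FAIL.search(line):
            t.failed_zones.append((m.group(1), m.group(2)))
        elif m := SEGFAULT.search(line):
            t.crashes.append(Crash(m.group(1), int(m.group(2)), m.group(3),
                                   int(m.group(4)), m.group(5)))
    return t


def summarise(t: Triage) -> str:
    """Human-readable verdict: which component faulted and what that rules out."""
    lines = []
    if t.hsm_opened:
        lines.append("HSM session opened: the PKCS#11 provider loaded and C_Initialize/login worked.")
    for zone, err in t.failed_zones:
        lines.append(f"zone {zone}: signing failed ({err}); generic PKCS#11 error, no zone data problem indicated.")
    for c in t.crashes:
        kind = decode_fault_error(c.error_code)
        lines.append(
            f"{c.process}[{c.pid}] crashed inside {c.library}: {kind[1]} of {c.address} "
            f"from {kind[2]} mode, page {kind[0]} (a NULL dereference if the address is 0). "
            "The fault is in the vendor provider, not in the OpenDNSSEC code that calls it."
        )
    for path, pid in t.stale_pidfiles:
        lines.append(f"stale pidfile {path} (pid {pid}): consistent with the previous crash, not a separate fault.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(triage_ods_log(SAMPLE_LOG)))
```

The point of separating the signals is that "HSM opened successfully" followed by a segfault in the provider library narrows the problem to the provider build (its ABI against the host libc, the hardserver it expects) rather than to the HSM connection or the KASP database, which is exactly the distinction the post is trying to draw before asking about a newer library.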