[Opendnssec-user] Interaction with Thales...

Klaus Darilion klaus.mailinglists at pernau.at
Wed May 28 14:17:43 CEST 2014


Ours are quite old too:

$ ls -l /opt/nfast/toolkits/pkcs11/
total 11540
-rwxr-xr-x 1 root root    32768 Nov 23  2012 ConfigPKCS11onCP
-rwxr-xr-x 1 root root 11780890 Nov 23  2012 libcknfast.so


We have added this to the ods init scripts:
CKNFAST_LOADSHARING=1
export CKNFAST_LOADSHARING

regards
Klaus


On 28.05.2014 13:16, Mark Elkins wrote:
> Still having problems with Thales integration.
> I've read the paper: "nShields ISC BIND DNSSEC UNIX ig.pdf"
> ...but it's over two years old. Not sure how much of it is still
> relevant.
> 
> In my logfile on "start" - I get:
> 
> ods-enforcerd: opendnssec started (version 1.4.5), pid 12747
> ods-enforcerd: HSM opened successfully.
> ods-enforcerd: Checking database connection...
> ods-enforcerd: Database connection ok.
> ods-enforcerd: pidfile /var/run/opendnssec/enforcerd.pid already exists,
> but no process with pid 12729 is running. A previous instance didn't
> shutdown cleanly, this pidfile is stale.
> ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
> ods-enforcerd: Reading config schema
> "/usr/local/share/opendnssec/conf.rng"
> ods-enforcerd: Communication Interval: 3600
> ods-enforcerd: No DS Submit command supplied
> ods-enforcerd: MySQL database schema set to: KASP
> ods-enforcerd: MySQL database user set to: kaspuser
> ods-enforcerd: MySQL database password set
> ods-enforcerd: Log User set to: local0
> ods-enforcerd: Switched log facility to: local0
> ods-enforcerd: Connecting to Database...
> ods-enforcerd: Policy zacr-nsec3 found.
> ods-enforcerd: Key sharing is Off.
> ods-enforcerd: 2 zone(s) found on policy "zacr-nsec3"
> ods-enforcerd: 2 new KSK(s) (2048 bits) need to be created for policy
> zacr-nsec3: keys_to_generate(2) = keys_needed(2) - keys_available(0).
> ods-signerd: [hsm] libhsm connection opened succesfully
> ods-signerd: [engine] signer started (version 1.4.5), pid 12752
> ods-signerd: [worker[2]] CRITICAL: failed to sign zone web.za: General
> error
> ods-signerd: [worker[2]] backoff task [configure] for zone web.za with
> 60 seconds
> ods-signerd: [worker[1]] CRITICAL: failed to sign zone za: General error
> ods-signerd: [worker[1]] backoff task [configure] for zone za with 60
> seconds
> kernel: [681529.262759] ods-enforcerd[12747]: segfault at 0 ip
> 00007fa14d93bb14 sp 00007ffff7aeb4f0 error 4 in
> libcknfast.so[7fa14d892000+1ee000]
> 
> So - good news - I'm talking to the Thales, but it looks like the
> library supplied might be too old?
> 
> Looking at the supplied Library:
> root:/opt/nfast/toolkits/pkcs11# ls -l
> -rwxr-xr-x 1 mje mje    32768 May 20 15:46 ConfigPKCS11onCP
> -rwxr-xr-x 1 mje mje 11780890 May 20 15:46 libcknfast.so
> 
> root:pkcs11# ldd libcknfast.so 
> 	linux-vdso.so.1 =>  (0x00007fff797fe000)
> 	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6b443d0000)
> 	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
> (0x00007f6b441b2000)
> 	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f6b43fa9000)
> 	libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f6b43d8f000)
> 	/lib64/ld-linux-x86-64.so.2 (0x00007f6b44adf000)
> 
> root:pkcs11# ls -l /lib/x86_64-linux-gnu/libc.so.6
> lrwxrwxrwx 1 root root 12 Apr 12 12:38 /lib/x86_64-linux-gnu/libc.so.6
> -> libc-2.19.so
> 
> root:pkcs11# ls /lib/x86_64-linux-gnu/libpthread.so.0
> /lib/x86_64-linux-gnu/libpthread.so.0
> 
> root:pkcs11# ls -l /lib/x86_64-linux-gnu/libpthread.so.0
> lrwxrwxrwx 1 root root 18 Apr 12
> 12:38 /lib/x86_64-linux-gnu/libpthread.so.0 -> libpthread-2.19.so
> 
> root:pkcs11# ls -l /lib/x86_64-linux-gnu/librt.so.1
> lrwxrwxrwx 1 root root 13 Apr 12 12:38 /lib/x86_64-linux-gnu/librt.so.1
> -> librt-2.19.so
> 
> root:pkcs11# ls -l /lib/x86_64-linux-gnu/libnsl.so.1
> lrwxrwxrwx 1 root root 14 Apr 12 12:38 /lib/x86_64-linux-gnu/libnsl.so.1
> -> libnsl-2.19.so
> 
> root:pkcs11# ls -l /lib64/ld-linux-x86-64.so.2
> lrwxrwxrwx 1 root root 32 Apr 12 12:38 /lib64/ld-linux-x86-64.so.2
> -> /lib/x86_64-linux-gnu/ld-2.19.so
> 
> The (virtual) server:
> Linux mjedev 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC
> 2014 x86_64 x86_64 x86_64 GNU/Linux
> 
> Anyone doing similar?
> Anyone with a newer Thales library?
> 
> 
> 
> 
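
The kernel line at the end of the quoted log records where the daemon crashed and what kind of access failed. The script below is an added example, not part of either message and not OpenDNSSEC or Thales code; `decode_segfault` is a name made up here, and the bit meanings are the standard x86 page-fault error code bits.

```sh
#!/bin/sh
# Added example: decode an x86-64 Linux "segfault at" kernel log line.
# decode_segfault is a hypothetical helper name, not an OpenDNSSEC or Thales tool.

# The kernel line from the quoted log, with the mail line-wrapping undone.
LINE='kernel: [681529.262759] ods-enforcerd[12747]: segfault at 0 ip 00007fa14d93bb14 sp 00007ffff7aeb4f0 error 4 in libcknfast.so[7fa14d892000+1ee000]'

decode_segfault() (
    # Pull out: fault address, instruction pointer, error code,
    # mapped object, mapping start and mapping size (all hex in the log).
    set -- $(printf '%s\n' "$1" | sed -n \
        's/.*segfault at \([0-9a-f]*\) ip \([0-9a-f]*\) sp [0-9a-f]* error \([0-9a-f]*\) in \([^[]*\)\[\([0-9a-f]*\)+\([0-9a-f]*\)].*/\1 \2 \3 \4 \5 \6/p')
    [ $# -eq 6 ] || { echo "not a segfault line" >&2; exit 1; }

    addr=$((0x$1)); ip=$((0x$2)); err=$((0x$3)); obj=$4
    base=$((0x$5)); size=$((0x$6))

    # Offset of the faulting instruction inside the reported mapping.
    off=$((ip - base))
    if [ "$off" -lt 0 ] || [ "$off" -ge "$size" ]; then
        echo "ip lies outside the reported mapping" >&2; exit 1
    fi

    # x86 page-fault error code bits: 0 = protection fault (else page not
    # present), 1 = write (else read), 2 = user mode, 4 = instruction fetch.
    if [ $((err & 1)) -ne 0 ]; then cause=protection; else cause=not-present; fi
    if [ $((err & 16)) -ne 0 ]; then access=exec
    elif [ $((err & 2)) -ne 0 ]; then access=write
    else access=read; fi
    if [ $((err & 4)) -ne 0 ]; then mode=user; else mode=kernel; fi

    printf 'object=%s offset=0x%x fault_addr=0x%x access=%s mode=%s cause=%s\n' \
        "$obj" "$off" "$addr" "$access" "$mode" "$cause"
)

decode_segfault "$LINE"
```

For the line in this thread the result is offset 0xa9b14 in libcknfast.so with a user-mode read of address 0, so the faulting instruction is inside the vendor PKCS#11 library and the failed access is a NULL pointer read. The offset is relative to the mapping the kernel reports, which keeps it comparable between runs even though the load address changes.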


