[Opendnssec-user] ods-enforcerd: Error creating key in repository SoftHSM-KSK

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Sep 1 07:29:52 UTC 2014


Hi,

Make sure OpenDNSSEC has permission to access the SoftHSM token
database. For example:

$ chown opendnssec /var/lib/softhsm/slot0.db
$ chgrp opendnssec /var/lib/softhsm/slot0.db

You can configure user and group in conf.xml, for both the enforcer and
signer with:

        <Privileges>
            <User>opendnssec</User>
            <Group>opendnssec</Group>
        </Privileges>

See https://wiki.opendnssec.org/display/DOCS/conf.xml

Best regards,
 Matthijs
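A pre-flight check for the two fixes above, added here as an example and not code from the OpenDNSSEC or SoftHSM projects: it reads the `<User>` and `<Group>` from a conf.xml, then tests whether that account can read and write a SoftHSM v1 token database such as `/var/lib/softhsm/slot0.db` and, because SoftHSM v1 keeps the token in an SQLite file whose journal is created alongside it, whether it can write the token directory too. The file paths and the `--demo` switch are assumptions for illustration; the demo builds its own throwaway conf.xml and token file, so it needs no real SoftHSM install and runs offline.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC/SoftHSM project code): check that the
# account named in conf.xml <Privileges> can use a SoftHSM v1 token db.
# Paths are sample values; demo() constructs its own files in a temp dir.

# First <User>...</User> / <Group>...</Group> value found in a conf.xml.
conf_user()  { sed -n 's:.*<User>\([^<]*\)</User>.*:\1:p'   "$1" | head -n 1; }
conf_group() { sed -n 's:.*<Group>\([^<]*\)</Group>.*:\1:p' "$1" | head -n 1; }

# Owner, group and the 9-char permission string of a path, taken from
# "ls -ld" so it works on GNU and BSD userlands (a trailing +/./@ on the
# mode field, as printed for ACLs or xattrs, is ignored).
path_mode()  { ls -ld "$1" | awk '{print substr($1,2,9)}'; }
path_owner() { ls -ld "$1" | awk '{print $3}'; }
path_group() { ls -ld "$1" | awk '{print $4}'; }

# can_rw PATH USER GROUP: succeed if USER (assumed to be a member of GROUP)
# has read AND write on PATH according to the owner/group/other triplets.
# Static check only: POSIX ACLs or SELinux can still deny the access.
can_rw() {
    path=$1; user=$2; group=$3
    mode=$(path_mode "$path")
    if [ "$(path_owner "$path")" = "$user" ]; then
        bits=$(echo "$mode" | cut -c1-3)
    elif [ "$(path_group "$path")" = "$group" ]; then
        bits=$(echo "$mode" | cut -c4-6)
    else
        bits=$(echo "$mode" | cut -c7-9)
    fi
    case $bits in
        rw*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_token_db CONF DB: 0 if the conf.xml user can read/write the token
# database and its directory, else 1 with the chown/chgrp a fixer would run.
# The directory matters because SQLite writes its rollback journal next to
# the database, so a read-only directory still breaks key generation.
check_token_db() {
    conf=$1; db=$2; dir=$(dirname "$db")
    user=$(conf_user "$conf"); group=$(conf_group "$conf")
    [ -n "$user" ] || { echo "no <User> in $conf"; return 1; }
    rc=0
    if ! can_rw "$db" "$user" "$group"; then
        echo "FAIL: $user cannot read/write $db" \
             "(owner $(path_owner "$db"), mode $(path_mode "$db"))"
        echo "  fix: chown $user $db && chgrp $group $db && chmod 0660 $db"
        rc=1
    fi
    if ! can_rw "$dir" "$user" "$group"; then
        echo "FAIL: $user cannot write token directory $dir (SQLite journal)"
        echo "  fix: chgrp $group $dir && chmod 0770 $dir"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $user can use $db"
    return $rc
}

# Demo on constructed files: a read-only token db (the failure case), then
# the same file after the permission fix.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/softhsm"
    : > "$tmp/softhsm/slot0.db"
    printf '<Privileges><User>%s</User><Group>%s</Group></Privileges>\n' \
        "$(id -un)" "$(id -gn)" > "$tmp/conf.xml"
    chmod 0400 "$tmp/softhsm/slot0.db"        # too tight: generate would fail
    check_token_db "$tmp/conf.xml" "$tmp/softhsm/slot0.db" || true
    chmod 0600 "$tmp/softhsm/slot0.db"        # after chown/chgrp/chmod
    check_token_db "$tmp/conf.xml" "$tmp/softhsm/slot0.db"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

[ "${1:-}" = "--demo" ] && demo
```

Run it as `sh check_token.sh --demo` to see both outcomes, or source it and call `check_token_db /etc/opendnssec/conf.xml /var/lib/softhsm/slot0.db` on a real host. The check is deliberately static: a passing result tells you the classic ownership mistake is not the cause, not that the PKCS#11 call will succeed, so keep `ods-hsmutil test` as the authoritative test after fixing permissions.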


On 08/31/2014 11:25 AM, Abdalmonem Tharwat Galila wrote:
> I think it's a permission problem, could you help?
> If any clarifications are needed, reply to me.
> Thanks
> ------------------------------------------------------------------------
> *From:* opendnssec-user-bounces at lists.opendnssec.org
> [opendnssec-user-bounces at lists.opendnssec.org] on behalf of Abdalmonem
> Tharwat Galila [agalila at mcit.gov.eg]
> *Sent:* Sunday, August 31, 2014 11:18 AM
> *To:* opendnssec-user at lists.opendnssec.org
> *Subject:* [Opendnssec-user] ods-enforcerd: Error creating key in
> repository SoftHSM-KSK
> 
> I got the following error message and the enforcer could not be restarted
> 
> [root at ns2 ~]# ods-control start
> Starting enforcer...
> OpenDNSSEC ods-enforcerd started (version 1.4.5), pid 9473
> Could not start enforcer
> [root at stage-ns2 ~]# tail -f /var/log/messages
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Connecting to Database...
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Policy default found.
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Key sharing is Off.
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: No zones on policy default,
> skipping...
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Policy DotMasr found.
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Key sharing is Off.
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: 1 zone(s) found on policy "Dot2"
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: 1 new KSK(s) (2048 bits) need
> to be created for policy Dot2: keys_to_generate(1) = keys_needed(1) -
> keys_available(0).
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Error creating key in
> repository SoftHSM-KSK
> Aug 30 01:03:27 stage-ns2 ods-enforcerd: generate key pair:
> CKR_GENERAL_ERROR
> 
> 
> [root at stage-ns2 ~]# ods-hsmutil test SoftHSM -v
> Testing repository: SoftHSM
> 
> Generating 512-bit RSA key... OK
> Extracting key identifier... OK, 1134ad3426577e59c44c60f2be8c6351
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Deleting key... OK
> 
> Generating 768-bit RSA key... OK
> Extracting key identifier... OK, 23a83e3a60cb2deaf108d40b2473cdd3
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Deleting key... OK
> 
> Generating 1024-bit RSA key... OK
> Extracting key identifier... OK, e27502cde45ad9594f4170c323277428
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
> 
> Generating 1536-bit RSA key... OK
> Extracting key identifier... OK, 01d15dcaeff6862df8fd92477fa59023
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
> 
> Generating 2048-bit RSA key... OK
> Extracting key identifier... OK, c5ac4f805cd3c11b7e7ed53616c6c345
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
> 
> Generating 4096-bit RSA key... OK
> Extracting key identifier... OK, d728d0cbf867eebe912f1688d0f9cf6b
> Signing (RSA/SHA1) with key... OK
> Signing (RSA/SHA256) with key... OK
> Signing (RSA/SHA512) with key... OK
> Deleting key... OK
> 
> Generating 512-bit DSA key... Failed
> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
> 
> Generating 768-bit DSA key... Failed
> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
> 
> Generating 1024-bit DSA key... Failed
> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
> 
> Generating 512-bit GOST key... Failed
> generate key pair: CKR_MECHANISM_INVALID
> 
> Generating 1024 bytes of random data... OK
> Generating 32-bit random data... 2643190841
> Generating 64-bit random data... 9844808495919432962
> [root at stage-ns2 ~]#
> 
> 
> and no keys :-
> 
> [root at stage-ns2 ~]# ods-hsmutil list
> 
> Listing keys in all repositories.
> 0 keys found.
> 
> Repository            ID                                Type     
> ----------            --                                ----     
> [root at stage-ns2 ~]#
> 
> 
> [root at stage-ns2 ~]# softhsm --show-slots
> Available slots:
> Slot 0
>            Token present: yes
>            Token initialized: yes
>            User PIN initialized: yes
>            Token label: OpenDNSSEC                     
> Slot 1
>            Token present: yes
>            Token initialized: yes
>            User PIN initialized: yes
>            Token label: KSK                            
> Slot 2
>            Token present: yes
>            Token initialized: yes
>            User PIN initialized: yes
>            Token label: ZSK                            
> [root at stage-ns2 ~]#
> 
> 
> Could you advise?
> 
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
