[Opendnssec-user] ods-enforcerd: Error creating key in repository SoftHSM-KSK

Abdalmonem Tharwat Galila agalila at mcit.gov.eg
Mon Sep 1 07:45:32 UTC 2014


Thanks Mekking, working now.
I have other questions posted to the mailing list; could you advise, if you can of course?


> On Sep 1, 2014, at 10:31 AM, "Matthijs Mekking" <matthijs at nlnetlabs.nl> wrote:
> 
> Hi,
> 
> Make sure OpenDNSSEC has permission to access the SoftHSM token
> database. For example:
> 
> $ chown opendnssec /var/lib/softhsm/slot0.db
> $ chgrp opendnssec /var/lib/softhsm/slot0.db
> 
> You can configure user and group in conf.xml, for both the enforcer and
> signer with:
> 
>        <Privileges>
>            <User>opendnssec</User>
>            <Group>opendnssec</Group>
>        </Privileges>
> 
> See https://wiki.opendnssec.org/display/DOCS/conf.xml
> 
> Best regards,
> Matthijs
> 
> 
>> On 08/31/2014 11:25 AM, Abdalmonem Tharwat Galila wrote:
>> I think it's a permission problem, could you help?
>> If any clarification is needed, reply to me.
>> Thanks
>> ------------------------------------------------------------------------
>> *From:* opendnssec-user-bounces at lists.opendnssec.org
>> [opendnssec-user-bounces at lists.opendnssec.org] on behalf of Abdalmonem
>> Tharwat Galila [agalila at mcit.gov.eg]
>> *Sent:* Sunday, August 31, 2014 11:18 AM
>> *To:* opendnssec-user at lists.opendnssec.org
>> *Subject:* [Opendnssec-user] ods-enforcerd: Error creating key in
>> repository SoftHSM-KSK
>> 
>> I got the following error message and the enforcer could not be restarted
>> 
>> [root at ns2 ~]# ods-control start
>> Starting enforcer...
>> OpenDNSSEC ods-enforcerd started (version 1.4.5), pid 9473
>> Could not start enforcer
>> [root at stage-ns2 ~]# tail -f /var/log/messages
>> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Connecting to Database...
>> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Policy default found.
>> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Key sharing is Off.
>> Aug 30 01:03:27 stage-ns2 ods-enforcerd: No zones on policy default,
>> skipping...
>> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Policy DotMasr found.
>> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Key sharing is Off.
>> Aug 30 01:03:27 stage-ns2 ods-enforcerd: 1 zone(s) found on policy "Dot2"
>> Aug 30 01:03:27 stage-ns2 ods-enforcerd: 1 new KSK(s) (2048 bits) need
>> to be created for policy Dot2: keys_to_generate(1) = keys_needed(1) -
>> keys_available(0).
>> Aug 30 01:03:27 stage-ns2 ods-enforcerd: Error creating key in
>> repository SoftHSM-KSK
>> Aug 30 01:03:27 stage-ns2 ods-enforcerd: generate key pair:
>> CKR_GENERAL_ERROR
>> 
>> 
>> [root at stage-ns2 ~]# ods-hsmutil test SoftHSM -v
>> Testing repository: SoftHSM
>> 
>> Generating 512-bit RSA key... OK
>> Extracting key identifier... OK, 1134ad3426577e59c44c60f2be8c6351
>> Signing (RSA/SHA1) with key... OK
>> Signing (RSA/SHA256) with key... OK
>> Deleting key... OK
>> 
>> Generating 768-bit RSA key... OK
>> Extracting key identifier... OK, 23a83e3a60cb2deaf108d40b2473cdd3
>> Signing (RSA/SHA1) with key... OK
>> Signing (RSA/SHA256) with key... OK
>> Deleting key... OK
>> 
>> Generating 1024-bit RSA key... OK
>> Extracting key identifier... OK, e27502cde45ad9594f4170c323277428
>> Signing (RSA/SHA1) with key... OK
>> Signing (RSA/SHA256) with key... OK
>> Signing (RSA/SHA512) with key... OK
>> Deleting key... OK
>> 
>> Generating 1536-bit RSA key... OK
>> Extracting key identifier... OK, 01d15dcaeff6862df8fd92477fa59023
>> Signing (RSA/SHA1) with key... OK
>> Signing (RSA/SHA256) with key... OK
>> Signing (RSA/SHA512) with key... OK
>> Deleting key... OK
>> 
>> Generating 2048-bit RSA key... OK
>> Extracting key identifier... OK, c5ac4f805cd3c11b7e7ed53616c6c345
>> Signing (RSA/SHA1) with key... OK
>> Signing (RSA/SHA256) with key... OK
>> Signing (RSA/SHA512) with key... OK
>> Deleting key... OK
>> 
>> Generating 4096-bit RSA key... OK
>> Extracting key identifier... OK, d728d0cbf867eebe912f1688d0f9cf6b
>> Signing (RSA/SHA1) with key... OK
>> Signing (RSA/SHA256) with key... OK
>> Signing (RSA/SHA512) with key... OK
>> Deleting key... OK
>> 
>> Generating 512-bit DSA key... Failed
>> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
>> 
>> Generating 768-bit DSA key... Failed
>> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
>> 
>> Generating 1024-bit DSA key... Failed
>> generate domain parameters: CKR_FUNCTION_NOT_SUPPORTED
>> 
>> Generating 512-bit GOST key... Failed
>> generate key pair: CKR_MECHANISM_INVALID
>> 
>> Generating 1024 bytes of random data... OK
>> Generating 32-bit random data... 2643190841
>> Generating 64-bit random data... 9844808495919432962
>> [root at stage-ns2 ~]#
>> 
>> 
>> and no keys:
>> 
>> [root at stage-ns2 ~]# ods-hsmutil list
>> 
>> Listing keys in all repositories.
>> 0 keys found.
>> 
>> Repository            ID                                Type     
>> ----------            --                                ----     
>> [root at stage-ns2 ~]#
>> 
>> 
>> [root at stage-ns2 ~]# softhsm --show-slots
>> Available slots:
>> Slot 0
>>           Token present: yes
>>           Token initialized: yes
>>           User PIN initialized: yes
>>           Token label: OpenDNSSEC                     
>> Slot 1
>>           Token present: yes
>>           Token initialized: yes
>>           User PIN initialized: yes
>>           Token label: KSK                            
>> Slot 2
>>           Token present: yes
>>           Token initialized: yes
>>           User PIN initialized: yes
>>           Token label: ZSK                            
>> [root at stage-ns2 ~]#
>> 
>> 
>> Could you advise?
>> 
>> 
>> 
> 
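
The ownership check from the reply above, extended to every slot listed in the SoftHSM configuration rather than slot0.db alone. This is an added example, not part of the thread or of OpenDNSSEC; it assumes SoftHSM 1.x `slot:path` configuration lines, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes SoftHSM 1.x config lines of the form "<slot>:<path>".
# Function names are hypothetical; nothing here is OpenDNSSEC's own tooling.

owner_of() { ls -ld -- "$1" | awk '{print $3}'; }   # owning user
group_of() { ls -ld -- "$1" | awk '{print $4}'; }   # owning group

# check_token_dbs CONF USER GROUP
# One line per slot; returns 0 only if every token database exists,
# is owned by USER:GROUP and is readable and writable by its owner.
check_token_dbs() {
    conf=$1; want_user=$2; want_group=$3; rc=0
    while IFS=: read -r slot path || [ -n "$slot" ]; do
        case $slot in ''|\#*) continue ;; esac        # skip blanks and comments
        if [ ! -f "$path" ]; then
            echo "slot $slot: MISSING $path"; rc=1; continue
        fi
        own=$(owner_of "$path"); grp=$(group_of "$path")
        mode=$(ls -ld -- "$path" | cut -c2-3)         # owner r/w bits
        if [ "$own" = "$want_user" ] && [ "$grp" = "$want_group" ] && [ "$mode" = "rw" ]; then
            echo "slot $slot: OK $path ($own:$grp)"
        else
            echo "slot $slot: FIX $path is $own:$grp mode $mode-, want $want_user:$want_group rw-"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Constructed demo: three configured slots, the third database missing.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/slot0.db"; : > "$d/slot1.db"
    printf '# constructed sample\n0:%s/slot0.db\n1:%s/slot1.db\n2:%s/slot2.db\n' \
        "$d" "$d" "$d" > "$d/softhsm.conf"
    check_token_dbs "$d/softhsm.conf" "$(owner_of "$d/slot0.db")" "$(group_of "$d/slot0.db")"
    status=$?
    rm -rf "$d"
    return $status
}

demo || echo "demo: at least one token database needs attention"
# Real use (config path is an assumption):
#   check_token_dbs /etc/softhsm.conf opendnssec opendnssec
```

The user and group arguments should match the `<User>` and `<Group>` values set under `<Privileges>` in conf.xml.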


