[Opendnssec-user] Re: Migrating to SoftHSM2

Fred Zwarts, KVI, Groningen F.Zwarts at KVI.nl
Tue Dec 22 11:14:38 UTC 2015


I could get one step further by creating a softlink:
    ln -s libsofthsm2.so libsofthsm.so
Now "ods-ksmutil key list --verbose" shows reasonable output.
I tried to start the enforcer and the signer.
The enforcer seems to run OK, but in the log I see many complaints from the 
signer:

2015-12-22T12:01:38.815576+01:00 kvivs20 ods-signerd: 
SecureDataManager.cpp(359): Invalid IV in encrypted data
2015-12-22T12:01:38.815704+01:00 kvivs20 ods-signerd: [hsm] sign init: 
CKR_GENERAL_ERROR
2015-12-22T12:01:38.815834+01:00 kvivs20 ods-signerd: [hsm] error signing 
rrset with libhsm
2015-12-22T12:01:38.815963+01:00 kvivs20 ods-signerd: [rrset] unable to sign 
RRset[99]: lhsm_sign() failed
2015-12-22T12:01:38.816092+01:00 kvivs20 ods-signerd: 
SecureDataManager.cpp(359): Invalid IV in encrypted data
2015-12-22T12:01:38.816233+01:00 kvivs20 ods-signerd: [hsm] sign init: 
CKR_GENERAL_ERROR
2015-12-22T12:01:38.816367+01:00 kvivs20 ods-signerd: [hsm] error signing 
rrset with libhsm
2015-12-22T12:01:38.816498+01:00 kvivs20 ods-signerd: [rrset] unable to sign 
RRset[1]: lhsm_sign() failed

Then, after many of such logs:

2015-12-22T12:01:38.816628+01:00 kvivs20 ods-signerd: [worker[1]] sign zone 
KVI.nl failed: 102 RRsets failed
2015-12-22T12:01:38.816762+01:00 kvivs20 ods-signerd: [worker[1]] CRITICAL: 
failed to sign zone KVI.nl: General error
2015-12-22T12:01:38.816892+01:00 kvivs20 ods-signerd: [worker[1]] backoff 
task [sign] for zone KVI.nl with 60 seconds

So, I stopped the deamons. What am I missing?

-----Oorspronkelijk bericht----- 
From: Fred Zwarts, KVI, Groningen
Sent: Tuesday, December 22, 2015 11:21 AM
To: opendnssec-user at lists.opendnssec.org
Subject: Migrating to SoftHSM2

I am trying to try out an upgrade of our system and to migrate from SoftHSM
1 to SoftHSM 2.
I have not found much information about it, so I have the idea that I m
missing something.
This is what I tried:

I started with a test system running Suse Linux Enterprise Linux (SLES)
12.1, with OpenDNSSEC 1.4.8.2 with SoftHSM 1.3.7.
I want to migrate to a situation with OpenDNSSEC 1.4.8.2  and SoftHSM 2.0.0.
I downloaded the SoftHSM 2.0.0 tar kit, unpacked it and used
"./configure --with-migrate".
Than I use "make", which did not complain.
Than I stopped OpenDNSSEC and I used "make install".
I see that this did not override the SoftHSM 1.3.7 installation, but it
installs some new utilities.
The next step is to migrate our SoftHSM 1.3.7 database to SoftHSM 2..0.
The exact steps are not clear to me, but I found some questions in this
forum and I tried the following commands:

    softhsm2-util --init-token --slot 0 --label "OpenDNSSEC" --pin
1234 --so-pin 1234
    softhsm2-migrate --db /var/softhsm/slot0.db --pin 1234 --slot 0

I saw (with "softhsm2-util --show-slots") that the origal slot 0 in the
SoftSM 2 database has now been moved to slot 1 and that slot 0 is now
labelled "OpenDNSSEC". The migrate command logged the migration of several
objects.
I then tried "ods-ksmutil key list --verbose", which showed the normal
output.
But I was not sure whether OpenDNSsec now uses the old or the new SoftHSM.
Since the old SoftHSM database was now migrated to a new one, I thought the
I could remove the old database in /var/softhsm, so I moved it to a
different directory.
Then "softhsm2-util --show-slots" still shows both slots, so I thought that
this confirmed that SoftHSM 2.0.0 does not need the old database anymore.
But, when I tried "ods-ksmutil key list --verbose" again, it complained:

    hsm_get_slot_id(): No slots found in HSM
    Error: failed to list keys

What does it mean? Is the old database still used with the new SoftHSM
2.0.0, or do I need to change the OpenDNSSEC configuration to use SoftHSM
2.0.0 instead of SoftHSM 1.3.7, or is there something else?

Note that I tried everything as root, so I don't think file protections play
a role.

I am confused and I do not know how to proceed. Please, help. 




More information about the Opendnssec-user mailing list