[Opendnssec-user] Migrating to SoftHSM2

Fred Zwarts, KVI, Groningen F.Zwarts at KVI.nl
Tue Dec 22 10:21:16 UTC 2015

I am trying to try out an upgrade of our system and to migrate from SoftHSM 
1 to SoftHSM 2.
I have not found much information about it, so I have the idea that I am 
missing something.
This is what I tried:

I started with a test system running Suse Linux Enterprise Linux (SLES) 
12.1, with OpenDNSSEC with SoftHSM 1.3.7.
I want to migrate to a situation with OpenDNSSEC  and SoftHSM 2.0.0.
I downloaded the SoftHSM 2.0.0 tar kit, unpacked it and used 
"./configure --with-migrate".
Then I used "make", which did not complain.
Then I stopped OpenDNSSEC and I used "make install".
I see that this did not override the SoftHSM 1.3.7 installation, but it 
installs some new utilities.
The next step is to migrate our SoftHSM 1.3.7 database to SoftHSM 2.0.0.
The exact steps are not clear to me, but I found some questions in this 
forum and I tried the following commands:

    softhsm2-util --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
    softhsm2-migrate --db /var/softhsm/slot0.db --pin 1234 --slot 0

I saw (with "softhsm2-util --show-slots") that the original slot 0 in the 
SoftHSM 2 database has now been moved to slot 1 and that slot 0 is now 
labelled "OpenDNSSEC". The migrate command logged the migration of several 
I then tried "ods-ksmutil key list --verbose", which showed the normal 
But I was not sure whether OpenDNSSEC now uses the old or the new SoftHSM.
Since the old SoftHSM database was now migrated to a new one, I thought that 
I could remove the old database in /var/softhsm, so I moved it to a 
different directory.
Then "softhsm2-util --show-slots" still shows both slots, so I thought that 
this confirmed that SoftHSM 2.0.0 does not need the old database anymore.
But, when I tried "ods-ksmutil key list --verbose" again, it complained:

    hsm_get_slot_id(): No slots found in HSM
    Error: failed to list keys

What does it mean? Is the old database still used with the new SoftHSM 
2.0.0, or do I need to change the OpenDNSSEC configuration to use SoftHSM 
2.0.0 instead of SoftHSM 1.3.7, or is there something else?

Note that I tried everything as root, so I don't think file protections play 
a role.

I am confused and I do not know how to proceed. Please, help. 
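
An added diagnostic, not part of the original post and not OpenDNSSEC or SoftHSM code: OpenDNSSEC loads whichever PKCS#11 library each `<Repository>` in its conf.xml names in `<Module>`, so listing those entries shows which SoftHSM generation the ods tools are talking to. The sample conf.xml, its paths and the file-name heuristic (`libsofthsm2*` means SoftHSM 2) are assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the layout of OpenDNSSEC's conf.xml.
# The library path, token label and PIN are illustrative, not taken from the post.
SAMPLE_CONF = """<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
  </RepositoryList>
</Configuration>
"""


def classify_module(path):
    """Guess the SoftHSM generation from the PKCS#11 library file name (assumed heuristic)."""
    name = os.path.basename(path)
    if name.startswith("libsofthsm2"):
        return "SoftHSM 2"
    if name.startswith("libsofthsm"):
        return "SoftHSM 1"
    return "other PKCS#11 module"


def list_repositories(conf_xml):
    """Return (repository name, module path, token label, generation) per <Repository>."""
    root = ET.fromstring(conf_xml)
    rows = []
    for repo in root.findall("./RepositoryList/Repository"):
        module = (repo.findtext("Module") or "").strip()
        label = (repo.findtext("TokenLabel") or "").strip()
        rows.append((repo.get("name"), module, label, classify_module(module)))
    return rows


def repositories_not_on_softhsm2(conf_xml):
    """Names of repositories whose <Module> is not a SoftHSM 2 library."""
    return [row[0] for row in list_repositories(conf_xml) if row[3] != "SoftHSM 2"]


if __name__ == "__main__":
    for name, module, label, generation in list_repositories(SAMPLE_CONF):
        print(f"{name}: module={module} token={label!r} -> {generation}")
    print("not on SoftHSM 2:", repositories_not_on_softhsm2(SAMPLE_CONF))
```

To check a real installation, pass the contents of the local conf.xml to `list_repositories` instead of `SAMPLE_CONF`.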
