[Opendnssec-user] Migrating to SoftHSM2
Fred Zwarts, KVI, Groningen
F.Zwarts at KVI.nl
Tue Dec 22 10:21:16 UTC 2015
I am trying to try out an upgrade of our system and to migrate from SoftHSM
1 to SoftHSM 2.
I have not found much information about it, so I have the idea that I'm
missing something.
This is what I tried:
I started with a test system running Suse Linux Enterprise Linux (SLES)
12.1, with OpenDNSSEC 1.4.8.2 with SoftHSM 1.3.7.
I want to migrate to a situation with OpenDNSSEC 1.4.8.2 and SoftHSM 2.0.0.
I downloaded the SoftHSM 2.0.0 tar kit, unpacked it and used
"./configure --with-migrate".
Then I used "make", which did not complain.
Then I stopped OpenDNSSEC and I used "make install".
I see that this did not override the SoftHSM 1.3.7 installation, but it
installs some new utilities.
The next step is to migrate our SoftHSM 1.3.7 database to SoftHSM 2.0.
The exact steps are not clear to me, but I found some questions in this
forum and I tried the following commands:
softhsm2-util --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
softhsm2-migrate --db /var/softhsm/slot0.db --pin 1234 --slot 0
I saw (with "softhsm2-util --show-slots") that the original slot 0 in the
SoftHSM 2 database has now been moved to slot 1 and that slot 0 is now
labelled "OpenDNSSEC". The migrate command logged the migration of several
objects.
I then tried "ods-ksmutil key list --verbose", which showed the normal
output.
But I was not sure whether OpenDNSSEC now uses the old or the new SoftHSM.
Since the old SoftHSM database was now migrated to a new one, I thought that
I could remove the old database in /var/softhsm, so I moved it to a
different directory.
Then "softhsm2-util --show-slots" still shows both slots, so I thought that
this confirmed that SoftHSM 2.0.0 does not need the old database anymore.
But, when I tried "ods-ksmutil key list --verbose" again, it complained:
hsm_get_slot_id(): No slots found in HSM
Error: failed to list keys
What does it mean? Is the old database still used with the new SoftHSM
2.0.0, or do I need to change the OpenDNSSEC configuration to use SoftHSM
2.0.0 instead of SoftHSM 1.3.7, or is there something else?
Note that I tried everything as root, so I don't think file protections play
a role.
I am confused and I do not know how to proceed. Please, help.
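
The message asks whether OpenDNSSEC is still loading the old SoftHSM. The following is an added example, not part of the original message: it reads the `<Module>` path of each `<Repository>` in OpenDNSSEC's conf.xml and reports which PKCS#11 library it names. It assumes the usual library file names libsofthsm.so (SoftHSM 1) and libsofthsm2.so (SoftHSM 2); the sample configuration and its paths are constructed.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout of OpenDNSSEC's conf.xml; the module path
# and repository name are made-up values, not taken from the post.
SAMPLE_CONF = """<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
  </RepositoryList>
</Configuration>"""

def classify_module(path):
    """Guess the SoftHSM generation from the PKCS#11 library file name."""
    name = os.path.basename(path.strip())
    if name.startswith("libsofthsm2."):
        return "SoftHSM 2"
    if name.startswith("libsofthsm."):
        return "SoftHSM 1"
    return "other PKCS#11 module"

def repository_modules(conf_text):
    """Return one record per <Repository>; the PIN is deliberately not read."""
    root = ET.fromstring(conf_text)
    records = []
    for repo in root.iter("Repository"):
        module = (repo.findtext("Module") or "").strip()
        records.append({
            "repository": repo.get("name", ""),
            "token_label": (repo.findtext("TokenLabel") or "").strip(),
            "module": module,
            "generation": classify_module(module) if module else "no <Module> element",
            "module_exists": os.path.isfile(module),
        })
    return records

if __name__ == "__main__":
    # Pass the path to conf.xml as the first argument; otherwise the sample is used.
    text = SAMPLE_CONF
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    for rec in repository_modules(text):
        print("{repository}: token '{token_label}' via {module} "
              "[{generation}, file present: {module_exists}]".format(**rec))
```
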