[Opendnssec-user] Migrating to SoftHSM2

Rick van Rein rick at openfortress.nl
Tue Dec 22 13:28:21 UTC 2015

Hi Fred,
> Then "softhsm2-util --show-slots" still shows both slots, so I thought
> that this confirmed that SoftHSM 2.0.0 does not need the old database
> anymore.
> But, when I tried "ods-ksmutil key list --verbose" again, it complained:
>    hsm_get_slot_id(): No slots found in HSM
>    Error: failed to list keys
> What does it mean?

The PKCS #11 interaction starts by listing slots, and for each getting
the token inserted in it.  After that, login commences and further stuff
like signing.  But you are already stopped in this early phase, it seems.

> Note that I tried everything as root, so I don't think file
> protections play a role.

It is still my guess though.  PKCS #11 is loaded as a library, so it
runs under the uid of the ods-enforcer and ods-signer.  I don't know if
the ods-ksmutil cmdline drops privileges too, but it would not be
surprising if it did.  And it is the most likely cause of this kind of
errors that I can think of.

> Is the old database still used with the new SoftHSM 2.0.0, or do I
> need to change the OpenDNSSEC configuration to use SoftHSM 2.0.0
> instead of SoftHSM 1.3.7, or is there something else?
Did you set libsofthsm2.so in your configuration for OpenDNSSEC?

I hope this helps.

Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org

More information about the Opendnssec-user mailing list