[Opendnssec-user] Migrating to SoftHSM2

Fred Zwarts, KVI, Groningen F.Zwarts at KVI.nl
Wed Dec 23 08:51:26 UTC 2015

Hi Rick,

Thanks for taking the time and the effort to answer me.
There is some progress.

What I first did, was creating in conf.xml a second repository called 
SoftHSM2, using libsofthsm2.so.
In kasp.xml I changed SoftHSM into SoftHSM2 everywhere.
I used "ods-ksmutil update all", "ods-ksmutil update conf", "ods-ksmutil 
update kasp".
I moved away the libsofthsm.so file, in order to be sure that the old version 
was not used.
Then "ods-ksmutil key list --verbose" complained that it could not find 

I rebooted the system, removed the new SoftHSM2 repository in conf.xml and 
changed the SoftHSM repository to use libsofthsm2.so.
In kasp.xml I undid the changes, so all zones now use the SoftHSM repository.
I used "ods-ksmutil update all", "ods-ksmutil update conf", "ods-ksmutil 
update kasp".
Now "ods-ksmutil key list --verbose" showed reasonable output.

It seems that the configuration is now using SoftHSM 2.0.0.
(I am still confused why the earlier changes did not work, but let's forget 
about it.)

However, it still does not work.
I can start the enforcer and the signer. The enforcer does not complain.
But in the log file I see many problems with the signer. Here are a few of 

2015-12-23T09:27:09.152565+01:00 kvivs20 ods-signerd: [hsm] sign init: 
2015-12-23T09:27:09.152600+01:00 kvivs20 ods-signerd: [hsm] error signing 
rrset with libhsm
2015-12-23T09:27:09.152635+01:00 kvivs20 ods-signerd: [rrset] unable to sign 
RRset[99]: lhsm_sign() failed
2015-12-23T09:27:09.152671+01:00 kvivs20 ods-signerd: 
SecureDataManager.cpp(359): Invalid IV in encrypted data
2015-12-23T09:27:09.152706+01:00 kvivs20 ods-signerd: [hsm] sign init: 
2015-12-23T09:27:09.152741+01:00 kvivs20 ods-signerd: [hsm] error signing 
rrset with libhsm
2015-12-23T09:27:09.152780+01:00 kvivs20 ods-signerd: [rrset] unable to sign 
RRset[28]: lhsm_sign() failed
2015-12-23T09:27:09.152817+01:00 kvivs20 ods-signerd: [worker[2]] sign zone 
KVI.nl failed: 673 RRsets failed
2015-12-23T09:27:09.152852+01:00 kvivs20 ods-signerd: [worker[2]] CRITICAL: 
failed to sign zone KVI.nl: General error
2015-12-23T09:27:09.152887+01:00 kvivs20 ods-signerd: [worker[2]] backoff 
task [sign] for zone KVI.nl with 60 seconds

I checked that both the enforcer and the signer are running with username 
/var/lib/softhsm and all sub-directories therein are owned by root and have 
protection set to drwx------.
In /var/lib/softhsm/tokens/ is a directory with a very long cryptic name. In 
this directory are many files owned by root with protection -rw-------.
Most of those files come in pairs with long cryptic names ending in .lock 
and .object. Further there are three files generation, token.lock and 

Do you have any idea what can be done for further diagnosis, or for repair?
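Added example, not from this thread or from the OpenDNSSEC or SoftHSM projects: a small Python check of the permission hypothesis raised in the reply below, evaluating the mode bits of the token tree against the uid the signer runs as, so it can be run as root without switching users. The path /var/lib/softhsm and the requirement of rwx on directories and rw on token files are assumptions.

```python
"""Report entries under a SoftHSM2 token directory that a given uid cannot use.

Evaluates owner/group/other mode bits directly instead of os.access(), so
root can check another account's view without switching users.
"""
import os
import pwd
import grp
import sys
from typing import List, Set, Tuple

_BIT = {"r": 4, "w": 2, "x": 1}


def groups_for(uid: int) -> Set[int]:
    """Primary and supplementary gids for uid; empty set if uid is unknown."""
    try:
        pw = pwd.getpwuid(uid)
    except KeyError:
        return set()
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem)
    return gids


def _missing(st: os.stat_result, uid: int, gids: Set[int], need: str) -> str:
    """Letters of `need` (subset of 'rwx') that uid lacks on this entry."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    bits = (st.st_mode >> shift) & 7
    return "".join(c for c in need if not bits & _BIT[c])


def find_denied(root: str, uid: int, gids: Set[int] = None) -> List[Tuple[str, str]]:
    """Walk root and return (path, missing-permissions) for every entry uid cannot use.

    Assumption: the daemon needs rwx on each directory (it creates .lock files
    and the generation file there) and rw on each regular file.
    """
    gids = groups_for(uid) if gids is None else set(gids)
    denied = []
    for dirpath, _dirnames, filenames in os.walk(root):
        miss = _missing(os.lstat(dirpath), uid, gids, "rwx")
        if miss:
            denied.append((dirpath, miss))
        for name in filenames:
            path = os.path.join(dirpath, name)
            miss = _missing(os.lstat(path), uid, gids, "rw")
            if miss:
                denied.append((path, miss))
    return denied


if __name__ == "__main__":
    # usage: check_softhsm_perms.py /var/lib/softhsm <user the signer runs as>
    daemon_uid = pwd.getpwnam(sys.argv[2]).pw_uid
    for path, miss in find_denied(sys.argv[1], daemon_uid):
        print(f"{path}: user lacks {miss}")
```

An empty report means the mode bits allow access; a root-owned tree with drwx------ directories will list every directory and file for any non-root daemon uid.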


-----Original Message----- 
From: Rick van Rein
Sent: Tuesday, December 22, 2015 2:28 PM
To: Fred Zwarts, KVI, Groningen
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Migrating to SoftHSM2

Hi Fred,
> Then "softhsm2-util --show-slots" still shows both slots, so I thought
> that this confirmed that SoftHSM 2.0.0 does not need the old database
> anymore.
> But, when I tried "ods-ksmutil key list --verbose" again, it complained:
>    hsm_get_slot_id(): No slots found in HSM
>    Error: failed to list keys
> What does it mean?

The PKCS #11 interaction starts by listing slots, and for each getting
the token inserted in it.  After that, login commences and further stuff
like signing.  But you are already stopped in this early phase, it seems.

> Note that I tried everything as root, so I don't think file
> protections play a role.

It is still my guess though.  PKCS #11 is loaded as a library, so it
runs under the uid of the ods-enforcer and ods-signer.  I don't know if
the ods-ksmutil cmdline drops privileges too, but it would not be
surprising if it did.  And it is the most likely cause of this kind of
error that I can think of.

> Is the old database still used with the new SoftHSM 2.0.0, or do I
> need to change the OpenDNSSEC configuration to use SoftHSM 2.0.0
> instead of SoftHSM 1.3.7, or is there something else?
Did you set libsofthsm2.so in your configuration for OpenDNSSEC?

I hope this helps.

