[Opendnssec-user] Migrating to SoftHSM2

Fred Zwarts, KVI, Groningen F.Zwarts at KVI.nl
Tue Jan 5 10:38:44 UTC 2016


Best wishes for the new year to everybody.

A few days before Christmas I sent the following message. I have not seen 
any response. I have been away myself during this period and I think many 
other people have been away as well, therefore, I send this as a reminder, 
since the problem is still there.

Do you have any idea what can be done for further diagnosis, or for repair?


-----Original message-----
From: Fred Zwarts, KVI, Groningen
Sent: Wednesday, December 23, 2015 9:51 AM
To: Rick van Rein
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Migrating to SoftHSM2

Hi Rick,

Thanks for taking the time and the effort to answer me.
There is some progress.

What I first did, was creating in conf.xml a second repository called
SoftHSM2, using libsofthsm2.so.
In kasp.xml I changed SoftHSM into SoftHSM2 everywhere.
I used "ods-ksmutil update all", "ods-ksmutil update conf", "ods-ksmutil
update kasp".
I moved away the libsofthsm.so file, in order to be sure that the old version
was not used.
Then "ods-ksmutil key list --verbose" complained that it could not find
libsofthsm.so.

I rebooted the system, removed the new SoftHSM2 repository in conf.xml and
changed the SoftHSM repository to use libsofthsm2.so.
In kasp.xml I undid the changes, so all zones now use the SoftHSM repository
again.
I used "ods-ksmutil update all", "ods-ksmutil update conf", "ods-ksmutil
update kasp".
Now "ods-ksmutil key list --verbose" showed reasonable output.

It seems that the configuration is now using SoftHSM 2.0.0.
(I am still confused why the earlier changes did not work, but let's forget
about it.)

However, it still does not work.
I can start the enforcer and the signer. The enforcer does not complain.
But in the log file I see many problems with the signer. Here are a few of
them:

2015-12-23T09:27:09.152565+01:00 kvivs20 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
2015-12-23T09:27:09.152600+01:00 kvivs20 ods-signerd: [hsm] error signing rrset with libhsm
2015-12-23T09:27:09.152635+01:00 kvivs20 ods-signerd: [rrset] unable to sign RRset[99]: lhsm_sign() failed
2015-12-23T09:27:09.152671+01:00 kvivs20 ods-signerd: SecureDataManager.cpp(359): Invalid IV in encrypted data
2015-12-23T09:27:09.152706+01:00 kvivs20 ods-signerd: [hsm] sign init: CKR_GENERAL_ERROR
2015-12-23T09:27:09.152741+01:00 kvivs20 ods-signerd: [hsm] error signing rrset with libhsm
2015-12-23T09:27:09.152780+01:00 kvivs20 ods-signerd: [rrset] unable to sign RRset[28]: lhsm_sign() failed
2015-12-23T09:27:09.152817+01:00 kvivs20 ods-signerd: [worker[2]] sign zone KVI.nl failed: 673 RRsets failed
2015-12-23T09:27:09.152852+01:00 kvivs20 ods-signerd: [worker[2]] CRITICAL: failed to sign zone KVI.nl: General error
2015-12-23T09:27:09.152887+01:00 kvivs20 ods-signerd: [worker[2]] backoff task [sign] for zone KVI.nl with 60 seconds

I checked that both the enforcer and the signer are running with username
root.
/var/lib/softhsm and all sub-directories therein are owned by root and have
protection set to drwx------.
In /var/lib/softhsm/tokens/ is a directory with a very long cryptic name. In
this directory are many files owned by root with protection -rw-------.
Most of those files come in pairs with long cryptic names ending in .lock
and .object. Further there are three files generation, token.lock and
token.object.

Do you have any idea what can be done for further diagnosis, or for repair?

Thanks,
Fred.Zwarts.


-----Original message-----
From: Rick van Rein
Sent: Tuesday, December 22, 2015 2:28 PM
To: Fred Zwarts, KVI, Groningen
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Migrating to SoftHSM2

Hi Fred,
>
> Then "softhsm2-util --show-slots" still shows both slots, so I thought
> that this confirmed that SoftHSM 2.0.0 does not need the old database
> anymore.
> But, when I tried "ods-ksmutil key list --verbose" again, it complained:
>
>    hsm_get_slot_id(): No slots found in HSM
>    Error: failed to list keys
>
> What does it mean?

The PKCS #11 interaction starts by listing slots, and for each getting
the token inserted in it.  After that, login commences and further stuff
like signing.  But you are already stopped in this early phase, it seems.

> Note that I tried everything as root, so I don't think file
> protections play a role.

It is still my guess though.  PKCS #11 is loaded as a library, so it
runs under the uid of the ods-enforcer and ods-signer.  I don't know if
the ods-ksmutil cmdline drops privileges too, but it would not be
surprising if it did.  And it is the most likely cause of this kind of
error that I can think of.

> Is the old database still used with the new SoftHSM 2.0.0, or do I
> need to change the OpenDNSSEC configuration to use SoftHSM 2.0.0
> instead of SoftHSM 1.3.7, or is there something else?
>
Did you set libsofthsm2.so in your configuration for OpenDNSSEC?

I hope this helps.

Cheers,
-Rick 

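Rick's hypothesis above is that the PKCS #11 library runs with the uid of the daemon that loads it, and Fred's listing shows a root-owned SoftHSM2 tokens tree with 0700 directories and 0600 object and lock files. As an added example that is not part of this thread or of OpenDNSSEC/SoftHSM, the following Python checks which of those permissions would block a given uid; the token layout it constructs and the uid it tests against are assumptions.

```python
import os
import tempfile
from pathlib import Path


def can(st, uid, gids, need):
    """True if uid (with groups gids) has the `need` bits (4=r, 2=w, 1=x)
    on stat result st. uid 0 bypasses mode bits, as the kernel does."""
    if uid == 0:
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & need) == need


def check_token_dir(tokens_dir, uid, gids=()):
    """List access problems a process with uid/gids would hit in a SoftHSM2
    tokens tree: traverse on every ancestor, rwx on each token directory,
    and read/write on the *.object, *.lock and generation files inside."""
    problems = []
    tokens = Path(tokens_dir).resolve()
    for p in [tokens, *tokens.parents]:
        if not can(p.stat(), uid, gids, 1):
            problems.append(f"cannot traverse {p}")
    for tok in tokens.iterdir():
        if not tok.is_dir():
            continue
        if not can(tok.stat(), uid, gids, 7):
            problems.append(f"insufficient rights on token dir {tok}")
        for f in tok.iterdir():
            if f.suffix in (".object", ".lock") or f.name == "generation":
                if not can(f.stat(), uid, gids, 6):
                    problems.append(f"cannot read/write {f}")
    return problems


def demo():
    """Build a constructed token layout (0700 dir, 0600 files, as in the
    thread) in a temp dir and check it for the current uid and for a
    hypothetical other uid, e.g. one a privilege-dropping daemon might use."""
    base = Path(tempfile.mkdtemp())
    tok = base / "tokens" / "0123456789abcdef"  # constructed serial name
    tok.mkdir(parents=True)
    os.chmod(tok, 0o700)
    for name in ("token.object", "token.lock", "generation",
                 "aabbccdd.object", "aabbccdd.lock"):
        (tok / name).touch()
        os.chmod(tok / name, 0o600)
    me = os.getuid()
    return check_token_dir(base / "tokens", me), check_token_dir(base / "tokens", me + 1)
```

Run `check_token_dir("/var/lib/softhsm/tokens", uid, gids)` with the uid and groups the signer actually runs as (after any privilege drop configured in conf.xml) to see whether the file modes, rather than the library path, are what stops it.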


