[Opendnssec-user] Migrating to SoftHSM2

Rickard Bellgrim rickard at opendnssec.org
Sun Jan 10 06:53:12 UTC 2016

Hi Fred

> I see that this did not override the SoftHSM 1.3.7 installation, but it
> installs some new utilities.

You can have both SoftHSMv1 and SoftHSMv2 installed on the same system. The
library, configuration file, and binaries all have new names.

> The next step is to migrate our SoftHSM 1.3.7 database to SoftHSM 2.0.
> The exact steps are not clear to me, but I found some questions in this
> forum and I tried the following commands:
>    softhsm2-util --init-token --slot 0 --label "OpenDNSSEC" --pin 1234
> --so-pin 1234
>    softhsm2-migrate --db /var/softhsm/slot0.db --pin 1234 --slot 0

The softhsm2-migrate command will read the data from the given SoftHSMv1
token database (the path can be found in SoftHSMv1 configuration file) and
create the corresponding PKCS#11 objects in the given slot.

The man page:

> I saw (with "softhsm2-util --show-slots") that the original slot 0 in the
> SoftHSM 2 database has now been moved to slot 1 and that slot 0 is now
> labelled "OpenDNSSEC". The migrate command logged the migration of several
> objects.

SoftHSMv2 will always have an uninitialized slot. If you initialize that
one, a new one is added to the end of the slot list.

The order (slot number) of the initialized tokens in the slot list can be
changed if a new token is initialized. See the discussion in

> I then tried "ods-ksmutil key list --verbose", which showed the normal
> output.
> But I was not sure whether OpenDNSsec now uses the old or the new SoftHSM.
> Since the old SoftHSM database was now migrated to a new one, I thought
> that I could remove the old database in /var/softhsm, so I moved it to a
> different directory.
> Then "softhsm2-util --show-slots" still shows both slots, so I thought
> that this confirmed that SoftHSM 2.0.0 does not need the old database
> anymore.
> But, when I tried "ods-ksmutil key list --verbose" again, it complained:
>    hsm_get_slot_id(): No slots found in HSM
>    Error: failed to list keys
> What does it mean? Is the old database still used with the new SoftHSM
> 2.0.0, or do I need to change the OpenDNSSEC configuration to use SoftHSM
> 2.0.0 instead of SoftHSM 1.3.7, or is there something else?

The data was not moved, but copied to SoftHSMv2. You must make an active
configuration change in OpenDNSSEC to use SoftHSMv2 and not SoftHSMv1.
Because of the PKCS#11 interface, there is a separation between the
application (OpenDNSSEC) and the library (SoftHSM). They are not aware of
each other, just that they are using the PKCS#11 interface.

// Rickard
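The "active configuration change" Rickard refers to is the Repository entry in OpenDNSSEC's conf.xml, which names the PKCS#11 module OpenDNSSEC loads. The fragment below is an added, constructed example (not from the list post or the OpenDNSSEC project); the library paths are assumptions that depend on where each SoftHSM version was installed, while the token label "OpenDNSSEC" and PIN 1234 are taken from the commands quoted above.

```xml
<!-- conf.xml, RepositoryList section. Constructed example; paths are assumptions. -->
<RepositoryList>

  <!-- Before: OpenDNSSEC still loads the SoftHSMv1 library. This is why
       "ods-ksmutil key list" reported "No slots found in HSM" after the
       v1 token database was moved away: the v1 library found no token,
       even though the v2 token already held a copy of every object. -->
  <!--
  <Repository name="SoftHSM">
    <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
    <TokenLabel>OpenDNSSEC</TokenLabel>
    <PIN>1234</PIN>
  </Repository>
  -->

  <!-- After: point the same Repository at the SoftHSMv2 library. Keep the
       name attribute unchanged so the <Repository> references in kasp.xml
       still resolve. TokenLabel must match the label given to
       "softhsm2-util --init-token" (the slot number is not used; OpenDNSSEC
       locates the token by label, which is why the slot renumbering
       described above does not matter). -->
  <Repository name="SoftHSM">
    <Module>/usr/local/lib/softhsm/libsofthsm2.so</Module>
    <TokenLabel>OpenDNSSEC</TokenLabel>
    <PIN>1234</PIN>
  </Repository>

</RepositoryList>
```

After the edit, `ods-hsmutil list` should enumerate the migrated keys through the v2 library before the old /var/softhsm database is deleted for good.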