[Opendnssec-user] OpenDNSSEC with SafeNet Luna HSM

Rick van Rein rick at openfortress.nl
Thu May 12 20:32:40 UTC 2016


Hi Roman,


> I understand that I'll have to modify conf.xml to include additional
> repository (with the path to libCryptoki2_64.so and relevant partition
> password), and then duplicate and adjust the policy in kasp.xml, but
> before that I guess I need to initialize a slot?
>
You probably need to do that, indeed, to "format" the partition.  I'm
not 100% sure how we did it though.  The documentation coming with
SAFEnet HSMs is extensive, I suggest you read that carefully :) and
you should find the "vtl" utility useful to inspect the impact of your work.

> Do I need to follow 'softhsm --init-token ...' procedure (I noticed
> that there is --module <path> directive)? Or OpenDNSSEC has to be
> recompiled with libCryptoki2_64.so support?
>
As Rickard says, this is for another PKCS #11 implementation, named
SoftHSM.  You should instead have a look at the lunasa prefix as you
installed it.  On *BSD it's probably somewhere like /usr/local/lunasa/

> Many thanks and sorry in advance if it's too obvious.

If it's not obvious to you, then an exchange of knowledge seems like a
good use of a mailing list :) but you should really spend some good time
on the SAFEnet documentation; it is perhaps as patronising as it is
thorough.

-Rick


