[Opendnssec-user] OpenDNSSEC with SafeNet Luna HSM
Roman Serbski
mefystofel at gmail.com
Sun May 15 16:07:38 UTC 2016
On Thu, May 12, 2016 at 10:32 PM, Rick van Rein <rick at openfortress.nl> wrote:
>
> If it's not obvious to you, then an exchange of knowledge seems like a
> good use of a mailing list :) but you should really spend some good time
> on the SAFEnet documentation; it is perhaps as patronising as it is
> thorough.
Rickard, Rick -- thank you for your reply.
I think I wasn't clear -- the HSM part is done (I think so :)), since
I can access HSM partition using SafeNet tools like vtl and lunacm
from the OpenDNSSEC server. My question was whether I need to
configure something else (apart from conf.xml and kasp.xml) in
OpenDNSSEC and this is where I got confused with softhsm --module.
Anyway, I modified conf.xml and kasp.xml, and tried to add one test
domain to be handled by SafeNet HSM but I get an error once I reboot
the server:
May 15 17:21:13 srv-signer-01 ods-enforcerd: opendnssec started (version 1.4.10), pid 514
May 15 17:21:13 srv-signer-01 ods-signerd: [engine] signer started (version 1.4.10), pid 521
May 15 17:21:14 srv-signer-01 ods-signerd: [hsm] hsm_get_slot_id(): No slots found in HSM
May 15 17:21:14 srv-signer-01 ods-signerd: [engine] opening hsm failed (for engine recover)
May 15 17:21:14 srv-signer-01 ods-signerd: [engine] signer shutdown
May 15 17:21:14 srv-signer-01 ods-enforcerd: pidfile /usr/local/var/run/opendnssec/enforcerd.pid already exists, but no process with pid 518 is running. A previous instance didn't shutdown cleanly, this pidfile is stale.
ods-enforcerd takes 100% of the CPU, and if I try 'ods-ksmutil key list --verbose' I get:
SQLite database set to: /usr/local/var/opendnssec/kasp.db
/usr/local/var/opendnssec/kasp.db.our_lock already locked, sleep
couldn't get lock on /usr/local/var/opendnssec/kasp.db.our_lock;
Resource temporarily unavailable
Error getting db lock
Failed to connect to database
If I stop opendnssec, kill -9 ods-enforcerd, then start opendnssec I get:
May 15 17:46:25 srv-signer-01 ods-signerd: [xfrd] zone test.org transfer done [notify acquired 0, serial on disk 2016033101, notify serial 0
May 15 17:46:26 srv-signer-01 ods-signerd: [worker[1]] CRITICAL: failed to sign zone test.org: General error
May 15 17:46:26 srv-signer-01 ods-signerd: [worker[1]] backoff task [configure] for zone test.org with 60 seconds
Below is ods-hsmutil output that might help (along with conf.xml and kasp.xml):
# ods-hsmutil info
Repository: SoftHSM
Module: /usr/local/lib/softhsm/libsofthsm.so
Slot: 0
Token Label: OpenDNSSEC
Manufacturer: SoftHSM
Model: SoftHSM
Serial: 1
Repository: TESTHA
Module: /usr/lib/libCryptoki2_64.so
Slot: 5
Token Label: TESTHA
Manufacturer: Safenet, Inc.
Model: LunaVirtual
Serial: 1137913123
# ods-hsmutil list TESTHA
Listing keys in repository: TESTHA
3 keys found.
Repository   ID    Type
----------   --    ----
TESTHA       XXX   RSA/2048
TESTHA       XXX   RSA/4096
TESTHA       XXX   RSA/0
# ods-hsmutil test TESTHA
Testing repository: TESTHA
Generating 512-bit RSA key... OK
Extracting key identifier... OK, 41e2d05365bd5e36b85fbb3c87b09610
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Deleting key... OK
Generating 768-bit RSA key... OK
Extracting key identifier... OK, a2a00adc711207ac1f9affbb0d182758
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Deleting key... OK
Generating 1024-bit RSA key... OK
Extracting key identifier... OK, 42752cb9a1cde91b32479f36595e7165
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK
Generating 1536-bit RSA key... OK
Extracting key identifier... OK, eaafb48b78aea6292c3ac68c78145d2a
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK
Generating 2048-bit RSA key... OK
Extracting key identifier... OK, 367af92719f9f4612d9876c758ab2b8d
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK
Generating 4096-bit RSA key... OK
Extracting key identifier... OK, 33d4118dc182705abb86f48b718cd58d
Signing (RSA/SHA1) with key... OK
Signing (RSA/SHA256) with key... OK
Signing (RSA/SHA512) with key... OK
Deleting key... OK
Generating 512-bit DSA key... Failed
generate domain parameters: CKR_ATTRIBUTE_TYPE_INVALID
Generating 768-bit DSA key... Failed
generate domain parameters: CKR_ATTRIBUTE_TYPE_INVALID
Generating 1024-bit DSA key... OK
Extracting key identifier... OK, 6cad4eb0ec30b2c3869befcaa5734be4
Signing (DSA/SHA1) with key... OK
Deleting key... OK
Generating 512-bit GOST key... Failed
generate key pair: CKR_TEMPLATE_INCONSISTENT
Segmentation fault (core dumped)
-=conf.xml=-
<Repository name="TESTHA">
    <Module>/usr/lib/libCryptoki2_64.so</Module>
    <TokenLabel>TESTHA</TokenLabel>
    <PIN>XXXX-XXXX-XXXX</PIN>
</Repository>
-=kasp.xml=-
<Policy name="TESTHA">
    <Keys>
        <TTL>PT3600S</TTL>
        <RetireSafety>PT3600S</RetireSafety>
        <PublishSafety>PT3600S</PublishSafety>
        <Purge>P14D</Purge>
        <KSK>
            <Algorithm length="2048">8</Algorithm>
            <Lifetime>P1Y</Lifetime>
            <Repository>TESTHA</Repository>
        </KSK>
        <ZSK>
            <Algorithm length="1024">8</Algorithm>
            <Lifetime>P90D</Lifetime>
            <Repository>TESTHA</Repository>
        </ZSK>
    </Keys>
Thank you.
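A small cross-check of the three things the post above juggles (the repositories in conf.xml, the repositories the kasp.xml policy refers to, and the tokens that `ods-hsmutil info` reports the PKCS#11 module can actually see) is added here as an example; it is not part of the original post or of OpenDNSSEC. The XML is the thread's own fragments wrapped in the enclosing `<Configuration>/<RepositoryList>` and `<KASP>` elements OpenDNSSEC 1.4 expects, the SoftHSM PIN value is made up, and the `ods-hsmutil info` text is a constructed copy of the layout shown above; a real run would read the files and the command output instead. The checker reports as errors a policy that names a repository conf.xml does not define, a repository with no Module/TokenLabel, and a TokenLabel that does not match what the module reports, and as a warning any PIN kept in clear text in conf.xml (OpenDNSSEC 1.4 lets you omit the `<PIN>` element and enter it with `ods-hsmutil login` instead). Note that it only covers the configuration side: when `ods-hsmutil info` lists the token but the signer daemon logs "No slots found in HSM", the difference is usually in the runtime environment of the two processes (for example the daemon running as a different user than the one `ods-hsmutil` was run as, and therefore not seeing the Luna client configuration); that is a possibility to check, not something this script can detect.

```python
"""Cross-check an OpenDNSSEC conf.xml / kasp.xml pair against the tokens a
PKCS#11 module exposes, as reported by `ods-hsmutil info`.

Added example, not part of the original post or of OpenDNSSEC.  The XML
and the `ods-hsmutil info` text below are constructed from the fragments
in the thread; a real run would read the files and the command output.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: the conf.xml fragment from the thread, wrapped in the
# enclosing elements OpenDNSSEC 1.4 expects.  The SoftHSM PIN is made up.
CONF_XML = """<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
    </Repository>
    <Repository name="TESTHA">
      <Module>/usr/lib/libCryptoki2_64.so</Module>
      <TokenLabel>TESTHA</TokenLabel>
      <PIN>XXXX-XXXX-XXXX</PIN>
    </Repository>
  </RepositoryList>
</Configuration>
"""

# Constructed: the kasp.xml policy from the thread, closed off and wrapped.
KASP_XML = """<KASP>
  <Policy name="TESTHA">
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm><Repository>TESTHA</Repository></KSK>
      <ZSK><Algorithm length="1024">8</Algorithm><Repository>TESTHA</Repository></ZSK>
    </Keys>
  </Policy>
</KASP>
"""

# Constructed: `ods-hsmutil info` output in the layout shown in the thread.
HSMUTIL_INFO = """Repository: SoftHSM
Module: /usr/local/lib/softhsm/libsofthsm.so
Slot: 0
Token Label: OpenDNSSEC
Repository: TESTHA
Module: /usr/lib/libCryptoki2_64.so
Slot: 5
Token Label: TESTHA
"""


def parse_conf(xml_text):
    """Map repository name -> {module, token_label, pin} from conf.xml."""
    root = ET.fromstring(xml_text)
    repos = {}
    for rep in root.iter("Repository"):
        repos[rep.get("name")] = {
            "module": rep.findtext("Module"),
            "token_label": rep.findtext("TokenLabel"),
            "pin": rep.findtext("PIN"),
        }
    return repos


def parse_kasp(xml_text):
    """Map policy name -> set of repositories its KSK/ZSK/CSK keys use."""
    root = ET.fromstring(xml_text)
    return {pol.get("name"): {r.text for r in pol.iter("Repository")}
            for pol in root.iter("Policy")}


def parse_hsmutil_info(text):
    """Map repository name -> token label the module reports for it."""
    seen, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*(Repository|Token Label):\s*(.*)$", line)
        if not m:
            continue
        if m.group(1) == "Repository":
            current = m.group(2).strip()
        elif current:
            seen[current] = m.group(2).strip()
    return seen


def check(conf_xml, kasp_xml, hsmutil_info):
    """Return {'errors': [...], 'warnings': [...]}; no errors means the
    policy, conf.xml and the module's view of the tokens agree."""
    repos = parse_conf(conf_xml)
    policies = parse_kasp(kasp_xml)
    seen = parse_hsmutil_info(hsmutil_info)
    errors, warnings = [], []
    for policy, used in sorted(policies.items()):
        for name in sorted(used):
            if name not in repos:
                errors.append(f"policy {policy}: repository {name} is not defined in conf.xml")
    for name, r in sorted(repos.items()):
        if not r["module"] or not r["token_label"]:
            errors.append(f"repository {name}: Module or TokenLabel missing in conf.xml")
            continue
        if name not in seen:
            errors.append(f"repository {name}: module {r['module']} exposes no token for it")
        elif seen[name] != r["token_label"]:
            errors.append(f"repository {name}: conf.xml TokenLabel {r['token_label']!r} "
                          f"but module reports {seen[name]!r}")
        if r["pin"]:
            warnings.append(f"repository {name}: PIN is stored in clear text in conf.xml")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for level, items in check(CONF_XML, KASP_XML, HSMUTIL_INFO).items():
        for item in items:
            print(f"{level}: {item}")
```

Run against the thread's own configuration the script reports no errors and two PIN warnings; swapping the repository name in the policy or the token label in the `ods-hsmutil info` text produces the corresponding error, which is the mismatch to rule out before looking at the daemon's environment.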