[Opendnssec-user] Questions re: OpenDNSSEC using Safenet Luna

Jake Zack jake.zack at cira.ca
Thu Feb 16 21:13:20 UTC 2017


Hey all,

I've mostly hobbled through the setup of a few Luna demo units by cobbling together their documentation and some previous posts to this list.

I feel like I'm close...but missing one step and hoping someone out there might be able to offer direction.

Configured the HSM for network, created a partition, etc.

   Partitions created on HSM:
   ==========================
   Partition: 535775014,     Name: dotCA
   Partition: 535775018,     Name: dotTLD

Added a new repository in conf.xml:

                <Repository name="dotCA">
                        <Module>/usr/lib/libCryptoki2_64.so</Module>
                        <TokenLabel>dotCA</TokenLabel>
                        <PIN>4xWA-E3q5-E/S3-5S9X</PIN>
                </Repository>

(No clue if the PIN is right, but when I created the partition it told me to record and use this later - so I used it during lunaclient setup, and now here as well.)

Added a new policy in kasp.xml:

        <Policy name="dotCA">
                <Description>Safenet Luna HSM</Description>
                ...
                <Repository>dotCA</Repository>

LunaCM says that it can talk to the HSM...

[root at dns-test-tld opendnssec]# /usr/safenet/lunaclient/bin/lunacm
LunaCM v6.2.2-4. Copyright (c) 2006-2015 SafeNet, Inc.
        Available HSMs:
        Slot Id ->              0
        HSM Label ->            dotCA
        HSM Serial Number ->    <SNIP>
        HSM Model ->            LunaSA
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

And a (safenet) 'vtl verify' works:
[root at dns-test-tld bin]# ./vtl verify

The following Luna SA Slots/Partitions were found:

Slot    Serial #                Label
====    ================        =====
   0           <SNIP>        dotCA

If I look on the HSM itself, I see:
[PRD-HSM-01] lunash:>ntls info show

NTLS Information:

Operational Status:                               1 (up)
Connected Clients:                                1
Links:                                            1
Successful Client Connections:                   15
Failed Client Connections:                        0

...and in the syslog:

2017 Feb 16 15:32:26 PRD-HSM-01  local5 info  NTLS[2107]: info : 0 : NTLS Client "192.168.0.254" connected and authenticated : 192.168.0.254/41014.

And yet an "ods-hsmutil" comes back with:
[root at dns-test-tld opendnssec]# ods-hsmutil info
Unknown error

An "ods-ksmutil key generate" comes back with:
[root at dns-test-tld bin]# ods-ksmutil key generate --policy=dotCA --interval P5Y
Key sharing is On
Info: converting P5Y to seconds; M interpreted as 31 days, Y interpreted as 365 days
hsm_open() result: HSM error

Any guidance or ideas here would be appreciated.

Thanks all,
-Jacob Zack
DNS Architect - CIRA (.CA TLD)
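Both failures quoted above ("Unknown error" from ods-hsmutil, "hsm_open() result: HSM error" from ods-ksmutil) are what OpenDNSSEC's libhsm reports when it cannot open and log in to the token named by <TokenLabel> in conf.xml with the configured <PIN>, so the first thing to check is that the PKCS#11 module really exposes a token with exactly that label and that every <Repository> a policy references is defined. The script below is an added example, not OpenDNSSEC or SafeNet code: it parses conf.xml and kasp.xml fragments, parses the slot listing that OpenSC's pkcs11-tool prints for the same module, and reports mismatches. The XML fragments, the pkcs11-tool listing and the PIN are constructed stand-ins (only one slot is listed, mirroring what vtl verify showed); the assumption that libhsm matches <TokenLabel> to the token label exactly, after trimming the 32-byte label padding, is mine. One caveat outside the script's reach: the lunacm output says "Luna SA Slot (PED)", and on a PED-authenticated partition the value recorded at partition creation is the partition challenge, which, as I read SafeNet's documentation, only works for C_Login once the partition has been activated; that is not verified here.

```python
#!/usr/bin/env python3
"""Cross-check OpenDNSSEC <Repository> definitions in conf.xml against the
<Repository> references in kasp.xml and the token labels a PKCS#11 module
exposes. Added example; not part of OpenDNSSEC or the SafeNet client."""
import re
import subprocess
import xml.etree.ElementTree as ET

# Constructed stand-ins for the fragments quoted in the post. The PIN is a
# placeholder and the dotTLD policy is invented to exercise the check.
CONF_XML = """<Configuration>
  <RepositoryList>
    <Repository name="dotCA">
      <Module>/usr/lib/libCryptoki2_64.so</Module>
      <TokenLabel>dotCA</TokenLabel>
      <PIN>example-pin</PIN>
    </Repository>
    <Repository name="dotTLD">
      <Module>/usr/lib/libCryptoki2_64.so</Module>
      <TokenLabel>dotTLD</TokenLabel>
      <PIN>example-pin</PIN>
    </Repository>
  </RepositoryList>
</Configuration>"""

KASP_XML = """<KASP>
  <Policy name="dotCA">
    <Description>Safenet Luna HSM</Description>
    <Keys>
      <KSK><Repository>dotCA</Repository></KSK>
      <ZSK><Repository>dotCA</Repository></ZSK>
    </Keys>
  </Policy>
  <Policy name="dotTLD">
    <Keys><ZSK><Repository>dotTLD</Repository></ZSK></Keys>
  </Policy>
</KASP>"""

# Constructed `pkcs11-tool --module /usr/lib/libCryptoki2_64.so -L` output in
# OpenSC's listing shape; values are placeholders. Only one slot is visible,
# as in the post's `vtl verify` output.
SAMPLE_LISTING = """Available slots:
Slot 0 (0x0): LunaNet Slot
  token label        : dotCA
  token manufacturer : Safenet, Inc.
  token model        : LunaSA
  token flags        : login required, rng, token initialized, PIN initialized
  serial num         : 000000000000
  pin min/max        : 7/255
"""

SLOT_RE = re.compile(r"^Slot\s+(\d+)\s+\(0x[0-9a-fA-F]+\)")
LABEL_RE = re.compile(r"^\s+token label\s*:\s*(.*?)\s*$")


def parse_token_labels(listing):
    """Return {slot_id: token_label} from pkcs11-tool -L text."""
    labels, slot = {}, None
    for line in listing.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            continue
        m = LABEL_RE.match(line)
        if m and slot is not None:
            labels[slot] = m.group(1)
    return labels


def live_token_labels(module):
    """Query the real module (needs OpenSC's pkcs11-tool on PATH)."""
    out = subprocess.run(["pkcs11-tool", "--module", module, "-L"],
                         capture_output=True, text=True, check=True).stdout
    return parse_token_labels(out)


def load_repositories(conf_xml):
    """Repository definitions in conf.xml: name -> {Module, TokenLabel, PIN}."""
    repos = {}
    for r in ET.fromstring(conf_xml).iter("Repository"):
        if r.get("name") is None:
            continue  # bare <Repository>x</Repository> is a reference, not a definition
        repos[r.get("name")] = {"Module": r.findtext("Module"),
                                "TokenLabel": r.findtext("TokenLabel"),
                                "PIN": r.findtext("PIN")}
    return repos


def policy_repo_refs(kasp_xml):
    """Policy name -> set of repository names referenced anywhere under it."""
    return {p.get("name"): {r.text.strip() for r in p.iter("Repository") if r.text}
            for p in ET.fromstring(kasp_xml).iter("Policy")}


def check(conf_xml, kasp_xml, token_labels):
    """Human-readable problems; an empty list means the three sources agree."""
    problems = []
    repos = load_repositories(conf_xml)
    visible = set(token_labels.values())
    for name, repo in repos.items():
        for tag, value in repo.items():
            if not value:
                problems.append(f"repository {name}: <{tag}> is missing or empty")
        label = repo["TokenLabel"]
        # Assumed: libhsm opens the token whose (trimmed) label equals <TokenLabel>.
        if label and label not in visible:
            problems.append(f"repository {name}: TokenLabel {label!r} not among "
                            f"tokens the module exposes {sorted(visible)}")
    for policy, refs in policy_repo_refs(kasp_xml).items():
        for ref in sorted(refs - set(repos)):
            problems.append(f"policy {policy}: references undefined repository {ref!r}")
    return problems


if __name__ == "__main__":
    for problem in check(CONF_XML, KASP_XML, parse_token_labels(SAMPLE_LISTING)):
        print(problem)
```

Run as-is it reports that the dotTLD repository's TokenLabel is not among the tokens the module exposes, which is the shape of problem to look for when libhsm says "HSM error": compare the labels pkcs11-tool (or lunacm) prints against <TokenLabel> character for character. To test against the real client library, replace `parse_token_labels(SAMPLE_LISTING)` with `live_token_labels("/usr/lib/libCryptoki2_64.so")`; a login failure with the right label then points at the PIN or partition state rather than at the configuration.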