> 0:/var/opendnssec/kasp.db
> 1:/var/opendnssec/slot1.db
> or
> 0:/home/test/slot0
> 1:/var/opendnssec/slot1.db
> I confused which is the right one, maybe the problem is that I fetched the
> data in a wrong .db file.

You can use whatever you want, as long as SoftHSM has R/W privilege on that path. SoftHSM will create the file. However, you should not mix the database file for the Enforcer (/var/opendnssec/kasp.db) and the ones for SoftHSM. They are two separate programs. So do not try to use the KASP (Enforcer) database as a token database for SoftHSM. The install script will create some recommended configuration files for you. I think your issue was probably caused by mixing up two different databases.

> But after I relogin, I wanted to initialize the slot 1, so I got the "Error:
> The given slot does not exist. ", I wondered why it was wrong when there was
> the 1:/var/opendnssec/slot1.db

SoftHSM says this if it cannot find the slot in the configuration.

> I'm sure the slot 0 is labeled "OpenDNSSEC", maybe I run ods-ksmutil setup
> before?
> But I get all the slots with softhsm --show-slots
> [root@CST-BJ-103 bin]# ./softhsm --show-slots
> Available slots:
> Slot 0
> Token present: yes
> Token initialized: no
> User PIN initialized: no
> Slot 1
> Token present: yes
> Token initialized: yes
> User PIN initialized: yes
> Token label: slot1
> Slot 4
> Token present: yes
> Token initialized: yes
> User PIN initialized: yes
> Token label: My token 1
> Slot 5
> Token present: yes
> Token initialized: yes
> User PIN initialized: yes
> Token label: this is the 5th slot
> How do I know whose name is OpenDNSSEC or something else?

You do not have any token with OpenDNSSEC as its label according to the output above. You only have "slot1", "My token 1", and "this is the 5th slot".

> <Repository name="SoftHSM">
> <Module>/usr/local/OpenDNSSEC-1.4.0/lib/softhsm/libsofthsm.so</Module>
> <TokenLabel>OpenDNSSEC</TokenLabel>
> <PIN>1234</PIN>
> <SkipPublicKey/>
> </Repository>
> I think repository is bounded with slot<n> by TokenLabel, if the slot's label
> is the TokenLabel then all the keys belong to the repository, right?

OpenDNSSEC will create the keys in the repository that you have configured in kasp.xml. This is a reference to the RepositoryList in conf.xml. The Repository name is used internally for reference in the OpenDNSSEC configuration. Each repository in OpenDNSSEC corresponds to an HSM token. The TokenLabel in the conf.xml must correspond to the token label in the HSM token.

> But how can use the slot and repository smartly? Any suggestions?

Usually, you only use one repository. You can use multiple repositories if you e.g. have the KSK in a USB token and ZSK in SoftHSM. Or if you are migrating between two different HSMs by doing a key rollover.

// Rickard
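
The label check described in the reply above, as an added example that is not part of the original message or of OpenDNSSEC: it maps each Repository's TokenLabel in conf.xml to the slot carrying that label in `softhsm --show-slots` output. The function names and both sample inputs are constructed for illustration, following the formats quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: shortened `softhsm --show-slots` output in the format quoted above.
SHOW_SLOTS = """Available slots:
Slot 0
   Token present: yes
   Token initialized: no
   User PIN initialized: no
Slot 1
   Token present: yes
   Token initialized: yes
   User PIN initialized: yes
   Token label: slot1
"""
# Constructed sample: RepositoryList fragment of conf.xml (the PIN is a placeholder).
CONF_XML = """<RepositoryList>
  <Repository name="SoftHSM">
    <Module>/usr/local/OpenDNSSEC-1.4.0/lib/softhsm/libsofthsm.so</Module>
    <TokenLabel>OpenDNSSEC</TokenLabel>
    <PIN>placeholder</PIN>
  </Repository>
</RepositoryList>"""

def parse_slots(text):
    """Map slot number -> token label (None when the slot shows no label)."""
    slots, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"Slot (\d+)", line)
        if m:
            current = int(m.group(1))
            slots[current] = None  # uninitialized tokens print no label line
        elif current is not None and line.startswith("Token label:"):
            slots[current] = line.split(":", 1)[1].strip()
    return slots

def match_repositories(conf_xml, show_slots):
    """Map repository name -> slot whose label equals its TokenLabel, else None."""
    by_label = {lbl: n for n, lbl in parse_slots(show_slots).items() if lbl}
    root = ET.fromstring(conf_xml)
    return {r.get("name"): by_label.get((r.findtext("TokenLabel") or "").strip())
            for r in root.iter("Repository")}

if __name__ == "__main__":
    for name, slot in match_repositories(CONF_XML, SHOW_SLOTS).items():
        found = f"slot {slot}" if slot is not None else "no token with this label"
        print(f"{name}: {found}")
```

A repository that maps to `None` is the situation in the thread: the configured TokenLabel exists on no token, so either the token has to be initialized with that label or the TokenLabel changed to an existing one.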
