Hi, I do not have experience with the Thales HSM (probably the only one I have not tested). With the HSM I'm currently using, it's the provider (the library supplied by the manufacturer) that knows to look for the "HSM" record in /etc/hosts and resolve the IP address. Of course you can try "ods-hsmutil list" and use a sniffer to check whether the signer machine tries to connect to the HSM.
Emil

On Mon, Apr 21, 2014 at 4:43 PM, Mark Elkins <[email protected]> wrote:
> I'm wandering around in the dark....
>
> Config is OpenDNSSEC 1.4.3, Thales HSM and MySQL on Gentoo (up to date)
>
> Environment includes..
>
> export CKNFAST_LOADSHARING=1
> export PKCS11_NCIPHER=/opt/nfast/toolkits/pkcs11/libcknfast.so
>
> Admin and SoftKey have been generated on the HSM (story in itself)...
> ---------------------
> # ppmk --new --non-recoverable OpenDNSSEC
>
> FIPS: insert OCS/ACS:
> Module 1: 0 cards read
> Module 1 slot 0: empty
> (rushed over to the HSM and stuck in an Admin card)
> Card reading complete.
>
> Enter new pass phrase: *mysecret*
> Enter new pass phrase again:
> New softcard created: HKLTU 8e1ae6104442f2a568c4fcf0b747b9ad112d7275
>
> (The above will only work once a "Security World" is created - so I
> believe that's OK)
>
> ---------------------
> Configs have been updated (DB=Mysql, HSM=Thales)
>
>   <Repository name="thales">
>     <Module>/opt/nfast/toolkits/pkcs11/libcknfast.so</Module>
>     <TokenLabel>OpenDNSSEC</TokenLabel>
>     <PIN>TheSameSecret</PIN>
>     <Capacity>255</Capacity>
>   </Repository>
>
> OpenDNSSEC compiled clean...
>
> ods-ksmutil setup: appears to have run just fine.
> I have three zones in the system.
>
> Problem:
> ods-enforcerd started (version 1.4.3), pid 14122
> Could not start enforcer
>
> Tail of Log says:
> Apr 21 15:12:15 vhost2 ods-enforcerd: 3 zone(s) found on policy "nsec3"
> Apr 21 15:12:15 vhost2 ods-enforcerd: 3 new KSK(s) (2048 bits) need to be created.
> Apr 21 15:12:15 vhost2 ods-enforcerd: Error creating key in repository thales
> Apr 21 15:12:15 vhost2 ods-enforcerd: generate key pair: Unknown error
>
> Where do I start and debug this?
>
> I really don't know if the HSM and OpenDNSSEC are talking together. I've
> seen no place where I tell OpenDNSSEC the IP address of the HSM. I can
> talk to the HSM using Thales-supplied software, which always needs an IP
> address. The OpenDNSSEC docs don't seem to have an HSM IP address.
>
> --
> Mark James ELKINS - Posix Systems - (South) Africa
> [email protected] Tel: +27.128070590 Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
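The thread turns on one point: OpenDNSSEC never learns the HSM's IP address. conf.xml gives it only a PKCS#11 <Module> path, a <TokenLabel> and a <PIN>; everything about reaching the device (addresses, hardserver, load sharing) lives inside the vendor library and its own configuration. A quick way to separate "OpenDNSSEC is misconfigured" from "the PKCS#11 module cannot see a token" is to ask the module directly for its slot and token list, the same way ods-hsmutil would. The probe below is an added example written for this edit, not OpenDNSSEC or Thales code; it parses the <Repository> block out of a conf.xml string, then loads the module with ctypes and calls the standard PKCS#11 entry points C_Initialize, C_GetSlotList and C_GetTokenInfo. The sample conf.xml and the module path in it are constructed for illustration; the struct layout is the standard PKCS#11 v2.x CK_TOKEN_INFO with natural alignment, which is what Unix builds of pkcs11.h use.

```python
"""Pre-flight check: does the PKCS#11 module named in conf.xml expose the
configured token label?  Added example; it does not depend on OpenDNSSEC."""
import ctypes
import os
import xml.etree.ElementTree as ET

CKR_OK = 0
CK_TOKEN_PRESENT = 1  # CK_BBOOL for C_GetSlotList: only slots holding a token

# Constructed sample, modelled on the <Repository> block in the thread.
# The module path is deliberately one that does not exist on most systems.
SAMPLE_CONF = """<Configuration><RepositoryList>
  <Repository name="thales">
    <Module>/nonexistent/libcknfast.so</Module>
    <TokenLabel>OpenDNSSEC</TokenLabel>
    <PIN>TheSameSecret</PIN>
    <Capacity>255</Capacity>
  </Repository>
</RepositoryList></Configuration>"""


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_TOKEN_INFO(ctypes.Structure):
    # Field order and sizes from PKCS#11 v2.x; natural alignment as on Unix.
    _fields_ = (
        [("label", ctypes.c_ubyte * 32),
         ("manufacturerID", ctypes.c_ubyte * 32),
         ("model", ctypes.c_ubyte * 16),
         ("serialNumber", ctypes.c_ubyte * 16),
         ("flags", ctypes.c_ulong)]
        + [(name, ctypes.c_ulong) for name in (
            "ulMaxSessionCount", "ulSessionCount", "ulMaxRwSessionCount",
            "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen",
            "ulTotalPublicMemory", "ulFreePublicMemory",
            "ulTotalPrivateMemory", "ulFreePrivateMemory")]
        + [("hardwareVersion", CK_VERSION),
           ("firmwareVersion", CK_VERSION),
           ("utcTime", ctypes.c_ubyte * 16)]
    )


def parse_repository(conf_xml, name):
    """Return (module_path, token_label, pin_present) for <Repository name=...>."""
    root = ET.fromstring(conf_xml)
    for repo in root.iter("Repository"):
        if repo.get("name") == name:
            return (repo.findtext("Module"), repo.findtext("TokenLabel"),
                    repo.findtext("PIN") is not None)
    raise KeyError("no <Repository name=%r> in conf.xml" % name)


def list_token_labels(module_path):
    """Load a PKCS#11 module and return the labels of tokens it reports present."""
    lib = ctypes.CDLL(module_path)
    for fn in ("C_Initialize", "C_GetSlotList", "C_GetTokenInfo", "C_Finalize"):
        getattr(lib, fn).restype = ctypes.c_ulong  # every call returns CK_RV
    rv = lib.C_Initialize(None)
    if rv != CKR_OK:
        raise RuntimeError("C_Initialize failed, CKR 0x%x" % rv)
    try:
        count = ctypes.c_ulong(0)
        present = ctypes.c_ubyte(CK_TOKEN_PRESENT)
        rv = lib.C_GetSlotList(present, None, ctypes.byref(count))  # size query
        if rv != CKR_OK:
            raise RuntimeError("C_GetSlotList failed, CKR 0x%x" % rv)
        slots = (ctypes.c_ulong * max(count.value, 1))()
        rv = lib.C_GetSlotList(present, slots, ctypes.byref(count))
        if rv != CKR_OK:
            raise RuntimeError("C_GetSlotList failed, CKR 0x%x" % rv)
        labels = []
        for i in range(count.value):
            info = CK_TOKEN_INFO()
            if lib.C_GetTokenInfo(ctypes.c_ulong(slots[i]), ctypes.byref(info)) == CKR_OK:
                # label is 32 bytes, space padded and not NUL terminated
                labels.append(bytes(info.label).decode("ascii", "replace").rstrip())
        return labels
    finally:
        lib.C_Finalize(None)


def check_repository(conf_xml, name):
    """Return a one-line diagnosis for the named repository."""
    module, label, pin_present = parse_repository(conf_xml, name)
    if not module or not label:
        return "conf.xml: <Module> and <TokenLabel> are both required"
    if not pin_present:
        return "conf.xml: no <PIN> for repository %s" % name
    if not os.path.isfile(module):
        return "module missing: %s" % module
    try:
        labels = list_token_labels(module)
    except (OSError, AttributeError, RuntimeError) as exc:
        return "module %s does not work as PKCS#11: %s" % (module, exc)
    if label in labels:
        return "ok: token %r present via %s" % (label, module)
    return "token %r not found; module reports %r" % (label, labels)


if __name__ == "__main__":
    print(check_repository(SAMPLE_CONF, "thales"))
```

Run it on the real conf.xml (read the file instead of SAMPLE_CONF) as the same user that runs ods-enforcerd, with the same environment variables, since a provider that resolves its device address from its own config or from environment settings will behave differently under a different account. If the module loads but reports no token with the configured label, the problem is on the provider side (network, security world, softcard) and no OpenDNSSEC setting will fix it; if the label is present, the next step is a PIN or permission issue. One caveat for anyone pasting conf.xml into a list as above: the file carries the token PIN in clear text, so keep it readable only by the OpenDNSSEC user and redact it before sharing.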
