On Wed, Jun 11, 2014 at 12:15 PM, David Peall <[email protected]>
wrote:

> Here is the log line:
> Jun 11 12:03:41 ods-signerd: [hsm] unable to get key: key
> 5a4cf5871ef16a77118283e8666f486b not found
>
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>
> C_FindObjectsInit
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >
>  hSession 0x000008DB
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >
>  CKA_CLASS:  CKO_PRIVATE_KEY
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >    CKA_ID
>   pAtt->pValue= 16 bytes
>                                         5a4cf587 1ef16a77 118283e8 666f486b
>
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv
> 0x00000000 (CKR_OK)
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>
> C_FindObjects
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >
>  hSession 0x000008DB
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >
>  phObject 0x7ffff3ac5cd8
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >
>  ulMaxObjectCount 1
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <
>  *pulObjectCount 0
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv
> 0x00000000 (CKR_OK)
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>
> C_FindObjectsFinal
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >
>  hSession 0x000008DB
> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <    rv
> 0x00000000 (CKR_OK)
>

OpenDNSSEC (ods-signerd) is acting correctly because the HSM says that
there is no key which matches the search criteria. See the pulObjectCount
returned from the HSM above.

The issue is probably some synchronization problem with the HSM, e.g.
object information not propagating fast enough between the two loaded
instances of the PKCS#11 library, or you are operating an HA cluster and the
object has not been synchronized to the second cluster member. The PKCS#11
library should not return from the key generation function until this has
been done.

// Rickard
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
