Hi

Advice from the HSM provider was to add the following option which disables the cache for C_FIND_OBJECTS:
CKNFAST_ASSUME_SINGLE_PROCESS=0

I no longer get the key not found but I did get this:
kernel: [ 204.880613] ods-signerd[1364]: segfault at 7f6a00000020 ip 000000000042cb25 sp 00007f6acc628c40 error 4 in ods-signerd[400000+5c000]

Running it in debug now trying to get you more information, but otherwise appears finding the keys.

Regards
—
David Peall

On 11 Jun 2014, at 2:13 PM, David Peall <[email protected]> wrote:

> Hi Rickard
>
> I appreciate the help.
>
> It's not timing as the key can be pulled before, it seems that the request for
> the CKO_PRIVATE_KEY is failing.
>
> 2014-06-11 13:59:41 [4212] t002747eb417f0000: pkcs11: 000008DA >
> CKA_CLASS: CKO_PRIVATE_KEY
> vs
> 2014-06-11 13:57:01 [4252] t40978d224f7f0000: pkcs11: 000008CB >
> CKA_CLASS: CKO_PUBLIC_KEY
>
> Seems to be the issue?
>
> Regards
> —
> David Peall
>
> On 11 Jun 2014, at 12:57 PM, Rickard Bellgrim <[email protected]> wrote:
>
>> On Wed, Jun 11, 2014 at 12:15 PM, David Peall <[email protected]> wrote:
>> Here is the log line:
>> Jun 11 12:03:41 ods-signerd: [hsm] unable to get key: key
>> 5a4cf5871ef16a77118283e8666f486b not found
>>
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>
>> C_FindObjectsInit
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession
>> 0x000008DB
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >
>> CKA_CLASS: CKO_PRIVATE_KEY
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_ID
>> pAtt->pValue= 16 bytes
>> 5a4cf587 1ef16a77 118283e8 666f486b
>>
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv
>> 0x00000000 (CKR_OK)
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>
>> C_FindObjects
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession
>> 0x000008DB
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > phObject
>> 0x7ffff3ac5cd8
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >
>> ulMaxObjectCount 1
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB <
>> *pulObjectCount 0
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv
>> 0x00000000 (CKR_OK)
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >>
>> C_FindObjectsFinal
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > hSession
>> 0x000008DB
>> 2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < rv
>> 0x00000000 (CKR_OK)
>>
>> OpenDNSSEC (ods-signerd) is acting correctly because the HSM says that there
>> is no key which matches the search criteria. See the pulObjectCount returned
>> from the HSM above.
>>
>> The issue is probably some synchronization problem with the HSM. E.g. object
>> information not propagating fast enough between the two loaded instances of
>> the PKCS#11 library or you are operating a HA-cluster and the object has not
>> been synchronized to the second cluster member. The PKCS#11 library should
>> not return from the key generation function until this has been done.
>>
>> // Rickard
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
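
Added example, not part of the thread and not OpenDNSSEC or HSM vendor code: a Python filter over a PKCS#11 trace in the format quoted above that reports every C_FindObjectsInit ... C_FindObjectsFinal sequence that returned zero objects, together with the CKA_CLASS and CKA_ID that were searched for. The sample trace is constructed (unwrapped lines modelled on the quoted log), and the name `empty_searches` is hypothetical.

```python
import re

LINE = re.compile(r"^(\S+ \S+) \[\d+\] \S+ pkcs11: (\w+) (>>|>|<) (.*)$")
HEXDUMP = re.compile(r"[0-9a-f]{1,8}( [0-9a-f]{1,8})*")

# Constructed sample (unwrapped), modelled on the trace format quoted in the thread.
SAMPLE = """\
2014-06-11 12:03:40 [6670] t0067acf3ff7f0000: pkcs11: 000008CB >> C_FindObjectsInit
2014-06-11 12:03:40 [6670] t0067acf3ff7f0000: pkcs11: 000008CB > CKA_CLASS: CKO_PUBLIC_KEY
2014-06-11 12:03:40 [6670] t0067acf3ff7f0000: pkcs11: 000008CB > CKA_ID pAtt->pValue= 16 bytes
5a4cf587 1ef16a77 118283e8 666f486b
2014-06-11 12:03:40 [6670] t0067acf3ff7f0000: pkcs11: 000008CB >> C_FindObjects
2014-06-11 12:03:40 [6670] t0067acf3ff7f0000: pkcs11: 000008CB < *pulObjectCount 1
2014-06-11 12:03:40 [6670] t0067acf3ff7f0000: pkcs11: 000008CB >> C_FindObjectsFinal
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsInit
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_CLASS: CKO_PRIVATE_KEY
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB > CKA_ID pAtt->pValue= 16 bytes
5a4cf587 1ef16a77 118283e8 666f486b
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjects
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB < *pulObjectCount 0
2014-06-11 12:03:41 [6670] t0067acf3ff7f0000: pkcs11: 000008DB >> C_FindObjectsFinal
"""

def empty_searches(text):
    """Return (time, session, CKA_CLASS, CKA_ID) for each search that matched no object."""
    finds, misses, cur = {}, [], None
    for raw in map(str.strip, text.splitlines()):
        m = LINE.match(raw)
        if not m:  # continuation line: hex dump of the CKA_ID value
            if cur and cur["id"] == "" and HEXDUMP.fullmatch(raw):
                cur["id"] = raw.replace(" ", "")
            continue
        ts, sess, arrow, body = m.groups()
        if arrow == ">>" and body == "C_FindObjectsInit":
            finds[sess] = {"ts": ts, "cls": None, "id": None, "found": 0}
        cur = finds.get(sess)
        if cur is None:
            continue  # line belongs to a session with no search in progress
        if body.startswith("CKA_CLASS:"):
            cur["cls"] = body.split(":", 1)[1].strip()
        elif body.startswith("CKA_ID"):
            cur["id"] = ""  # value follows on the next line
        elif body.startswith("*pulObjectCount"):
            cur["found"] += int(body.split()[1])  # summed over repeated C_FindObjects
        elif arrow == ">>" and body == "C_FindObjectsFinal":
            if cur["found"] == 0:
                misses.append((cur["ts"], sess, cur["cls"], cur["id"]))
            del finds[sess]
    return misses
```

Comparing the reported misses against the same CKA_ID searched with a different CKA_CLASS shows whether only the private-key lookup comes back empty, which is the pattern discussed in the thread.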
