Hi Fred

> I see that this did not override the SoftHSM 1.3.7 installation, but it
> installs some new utilities.

You can have both SoftHSMv1 and SoftHSMv2 installed on the same system. The library, configuration file, and binaries all have new names.

> The next step is to migrate our SoftHSM 1.3.7 database to SoftHSM 2.0.
> The exact steps are not clear to me, but I found some questions in this
> forum and I tried the following commands:
>
> softhsm2-util --init-token --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
> softhsm2-migrate --db /var/softhsm/slot0.db --pin 1234 --slot 0

The softhsm2-migrate command will read the data from the given SoftHSMv1 token database (the path can be found in the SoftHSMv1 configuration file) and create the corresponding PKCS#11 objects in the given slot.

The man page:
https://github.com/opendnssec/SoftHSMv2/blob/develop/src/bin/migrate/softhsm2-migrate.1

> I saw (with "softhsm2-util --show-slots") that the original slot 0 in the
> SoftHSM 2 database has now been moved to slot 1 and that slot 0 is now
> labelled "OpenDNSSEC". The migrate command logged the migration of several
> objects.

SoftHSMv2 will always have an uninitialized slot. If you initialize that one, a new one is added to the end of the slot list. The order (slot number) of the initialized tokens in the slot list can be changed if a new token is initialized. See the discussion in
https://github.com/opendnssec/SoftHSMv2/issues/143

> I then tried "ods-ksmutil key list --verbose", which showed the normal
> output.
> But I was not sure whether OpenDNSSEC now uses the old or the new SoftHSM.
> Since the old SoftHSM database was now migrated to a new one, I thought
> that I could remove the old database in /var/softhsm, so I moved it to a
> different directory.
> Then "softhsm2-util --show-slots" still shows both slots, so I thought
> that this confirmed that SoftHSM 2.0.0 does not need the old database
> anymore.
> But, when I tried "ods-ksmutil key list --verbose" again, it complained:
>
> hsm_get_slot_id(): No slots found in HSM
> Error: failed to list keys
>
> What does it mean? Is the old database still used with the new SoftHSM
> 2.0.0, or do I need to change the OpenDNSSEC configuration to use SoftHSM
> 2.0.0 instead of SoftHSM 1.3.7, or is there something else?

The data was not moved, but copied to SoftHSMv2. You must make an active configuration change in OpenDNSSEC to use SoftHSMv2 and not SoftHSMv1.

Because of the PKCS#11 interface, there is a separation between the application (OpenDNSSEC) and the library (SoftHSM). They are not aware of each other, just that they are using the PKCS#11 interface.

// Rickard
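
To see which PKCS#11 library OpenDNSSEC is configured to load, the check below reads the `<Module>` of each `<Repository>` in an OpenDNSSEC conf.xml and classifies it as SoftHSMv1 or SoftHSMv2 by library file name. It is an added example, not part of the original thread; the function names, the sample conf.xml and the module paths in it are constructed assumptions.

```sh
# Added example: report which SoftHSM generation each OpenDNSSEC repository loads.

# classify_module PATH -> softhsm1 | softhsm2 | other, judged by file name.
classify_module() {
    case "$(basename "$1")" in
        libsofthsm2.so*) echo softhsm2 ;;
        libsofthsm.so*)  echo softhsm1 ;;
        *)               echo other ;;
    esac
}

# list_repo_modules CONF -> "<name> <generation> <module path>" per active repository.
# XML comments are skipped; assumes one element per line and names without spaces.
list_repo_modules() {
    awk '
        /<!--/    { incomment = 1 }
        incomment { if (/-->/) incomment = 0; next }
        /<Repository [^>]*name="/ { name = $0; sub(/.*name="/, "", name); sub(/".*/, "", name) }
        /<Module>/ { m = $0; sub(/.*<Module>/, "", m); sub(/<\/Module>.*/, "", m); print name, m }
    ' "$1" | while read -r name module; do
        echo "$name $(classify_module "$module") $module"
    done
}

# write_sample_conf FILE MODULE -> constructed conf.xml fragment for the demo.
# Paths and PIN are placeholders; real module paths vary by distribution.
write_sample_conf() {
    cat > "$1" <<EOF
<Configuration>
  <RepositoryList>
    <!-- <Repository name="Disabled">
      <Module>/usr/lib/softhsm/libsofthsm.so</Module>
    </Repository> -->
    <Repository name="SoftHSM">
      <Module>$2</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>PLACEHOLDER</PIN>
    </Repository>
  </RepositoryList>
</Configuration>
EOF
}

conf=$(mktemp)
write_sample_conf "$conf" /usr/lib/softhsm/libsofthsm.so    # before the change
list_repo_modules "$conf"
write_sample_conf "$conf" /usr/lib/softhsm/libsofthsm2.so   # after the change
list_repo_modules "$conf"
rm -f "$conf"
```

Point `list_repo_modules` at the conf.xml your OpenDNSSEC installation reads; a result of `softhsm1` after the migration means the configuration still loads the old library.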
