Re: Using a HSM card to sign zone

2014-02-17 Thread Billy Glynn
Did you configure bind with the patched version of openssl ?

On 14 Feb 2014, at 19:43, Sergio Ramirez srami...@seciu.edu.uy wrote:




___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Using a HSM card to sign zone

2014-02-17 Thread Sergio Ramirez
Yes, 

./configure --enable-threads --with-openssl=/usr/local/ssl 
--with-pkcs11=/usr/lunapci/lib/libCryptoki2.so 

The patched (vendor + bind) openssl is in the /usr/local/ssl directory.

One detail: the openssl version is 1.0.0e and the bind patch is for 1.0.0f.

 
--
Sergio R.


- Original message -
From: Billy Glynn billy.gl...@iedr.ie
To: bind-users@lists.isc.org
Sent: Monday, 17 February 2014 9:32:44
Subject: Re: Using a HSM card to sign zone

Did you configure bind with the patched version of openssl ?

On 14 Feb 2014, at 19:43, Sergio Ramirez srami...@seciu.edu.uy wrote:




Re: Using a HSM card to sign zone

2014-02-17 Thread Sergio Ramirez


pc1# /usr/local/ssl/bin/openssl engine
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(LunaCA3) Luna CA3 engine support 
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(padlock) VIA PadLock (no-RNG, no-ACE)
(gost) Reference implementation of GOST engine
pc1#
pc1#/usr/local/ssl/bin/openssl engine LunaCA3 -t
(LunaCA3) Luna CA3 engine support
 [ available ]
pc1# 

In the openssl.cnf we have:
---
[ Openssl_init ]
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
engines = engine_section

[ engine_section ]
LunaCA3 = luna_section

[ luna_section ]
dynamic_path = /usr/lunapci/lib/libCryptoki2.so
---

Is a section labeled 'pkcs11' required in order to use it from bind or the
dnssec-* commands?


--
Sergio R.


- Original message -
From: Alan Clegg a...@clegg.com
To: bind-users@lists.isc.org
Sent: Sunday, 16 February 2014 9:33:21
Subject: Re: Using a HSM card to sign zone

On 2/14/14, 10:43 PM, Sergio Ramirez wrote:

I'm not familiar with that HSM, but have used both Thales and AEP with
no problem.

Does openssl engine show pkcs11?
If so, does openssl engine pkcs11 -t show that the engine is available?

Having played with OpenSSL patches over the last few days, I can tell
you that when it works, it works well, but when it fails, you are pretty
much out-of-luck as far as error messages go.  8-\

AlanC


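A small diagnostic, added here as an example and not code from the thread, from BIND or from the HSM vendor, that reads the two artefacts the thread turns on: the `openssl engine -t` listing Alan asks about and the OpenSSL error strings in the dnssec-keyfromlabel output. The sample listing and log are constructed from what is quoted above; the "no load function" reason is OpenSSL reporting that the loaded engine defines no ENGINE_load_private_key/ENGINE_load_public_key callback, which is the condition the original error shows, as distinct from an engine that is missing from openssl.cnf or fails to load at all.

```python
import re
# Constructed sample of `openssl engine -t` output, modelled on the thread's listing.
ENGINE_LISTING = """\
(LunaCA3) Luna CA3 engine support
     [ available ]
(pkcs11) PKCS#11 engine support
     [ unavailable ]
"""
# Constructed copy of the dnssec-keyfromlabel diagnostics quoted in the thread.
KEYFROMLABEL_LOG = """\
dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
dnssec-keyfromlabel: info: error:2609707D:engine routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
dnssec-keyfromlabel: info: error:2609607D:engine routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found
"""
ENGINE_RE = re.compile(r"^\((?P<id>[^)]+)\)\s+\S")
STATUS_RE = re.compile(r"^\s*\[\s*(available|unavailable)\s*\]")
# OpenSSL 1.0.x error string: error:<code>:<lib>:<function>:<reason>:<file>:<line>:
OSSL_ERR_RE = re.compile(r"error:[0-9A-Fa-f]{8}:[^:]*:(?P<func>[^:]*):(?P<reason>[^:]*):[^:]*:\d+:")

def parse_engine_listing(text):
    """Map engine id -> availability (True/False/None) from `openssl engine -t` output."""
    engines, current = {}, None
    for line in text.splitlines():
        m = ENGINE_RE.match(line)
        if m:
            current = m.group("id")
            engines[current] = None  # listed; status line not seen yet
            continue
        s = STATUS_RE.match(line)
        if s and current is not None:
            engines[current] = s.group(1) == "available"
    return engines

def parse_openssl_errors(log):
    """Extract (function, reason) pairs from OpenSSL error strings in a log."""
    return [m.group("func", "reason") for m in OSSL_ERR_RE.finditer(log)]

def diagnose(engine_id, listing, log):
    """Classify why `dnssec-keyfromlabel -E <engine_id>` failed, coarsest cause first."""
    engines = parse_engine_listing(listing)
    if engine_id not in engines:
        return "not-listed"        # openssl.cnf engines section does not name it
    if engines[engine_id] is False:
        return "unavailable"       # listed, but its dynamic_path module did not load
    if any(f.startswith("ENGINE_load_") and r == "no load function"
           for f, r in parse_openssl_errors(log)):
        return "no-load-function"  # engine loads but defines no key-loading callback
    return "other"                 # engine fine; look at the label, -a, or token login
```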


Re: Using a HSM card to sign zone

2014-02-16 Thread Alan Clegg
On 2/14/14, 10:43 PM, Sergio Ramirez wrote:

I'm not familiar with that HSM, but have used both Thales and AEP with
no problem.

Does openssl engine show pkcs11?
If so, does openssl engine pkcs11 -t show that the engine is available?

Having played with OpenSSL patches over the last few days, I can tell
you that when it works, it works well, but when it fails, you are pretty
much out-of-luck as far as error messages go.  8-\

AlanC




Re: Using a HSM card to sign zone

2014-02-16 Thread Emil Natan
Hi,

I tested Safenet's Luna SA (the network appliance, not the card) a year
ago. It did not work using the openssl patch provided with BIND, but in
the end, with some assistance from Safenet's engineers and a proprietary
engine provided by them, we made it work. I presume it will also work with
the PCI card because the appliance is generally the same card in a box. I
had very similar issues: the pkcs11-* commands worked and the dnssec-*
ones did not.
I had no issues with the HSMs from Utimaco, AEP and ARX.

ena


On Fri, Feb 14, 2014 at 9:43 PM, Sergio Ramirez srami...@seciu.edu.uy wrote:


Using a HSM card to sign zone

2014-02-14 Thread Sergio Ramirez
Hi, 

We want to sign zones with bind using an HSM Luna PCI Safenet card.
 
The command 'dnssec-keyfromlabel' fails:

# /usr/local/sbin/dnssec-keyfromlabel -v 9 -E LunaCA3 -a RSASHA1 -l 
KSK1-testdnssec -f KSK testdnssec.
dnssec-keyfromlabel: warning: ENGINE_load_private_key failed
dnssec-keyfromlabel: info: error:2609707D:engine 
routines:ENGINE_load_public_key:no load function:eng_pkey.c:155:
dnssec-keyfromlabel: info: error:2609607D:engine 
routines:ENGINE_load_private_key:no load function:eng_pkey.c:119:
dnssec-keyfromlabel: fatal: failed to get key testdnssec/RSASHA1: not found

It was installed on a Debian 4 Linux 2.6.18-6-686 server with:
  - openssl-1.0.0e
  - patch provided by vendor of the HSM (openssl-lunaca3-patch-1.0.0e.tar.gz)
  - bind 9.9.2-P1

** The commands pkcs11-keygen, pkcs11-list and other pkcs11-* distributed
with bind are working OK. **

The key 'KSK1-testdnssec' was generated with the pkcs11-keygen command.

We would like to know if anyone is using this HSM or a similar one.

Furthermore we would like to get some guidance to solve this problem.

Thanks in advance.
--
Sergio Ramírez


