[Opendnssec-user] OpenDNSSEC with SafeNet Luna HSM
Roman Serbski
2016-05-12 17:54:41 UTC
Hello,

Anyone here using SafeNet Luna HSM?

We're using the latest OpenDNSSEC 1.4.10 with SoftHSM under FreeBSD 10,
and I'm trying to integrate a pair of SafeNet Luna HSMs (network
based) for newly created domains.

I managed to install SafeNet 6.2.0 software (lunacm, vtl, htl_client
and libcryptoki), register the server, create HA slot, and assign a
partition.

I understand that I'll have to modify conf.xml to include additional
repository (with the path to libCryptoki2_64.so and relevant partition
password), and then duplicate and adjust the policy in kasp.xml, but
before that I guess I need to initialize a slot?

Do I need to follow the 'softhsm --init-token ...' procedure (I noticed
that there is a --module <path> directive)? Or does OpenDNSSEC have to be
recompiled with libCryptoki2_64.so support?

Many thanks and sorry in advance if it's too obvious.
Rickard Bellgrim
2016-05-12 20:17:13 UTC
Post by Roman Serbski
Do I need to follow the 'softhsm --init-token ...' procedure (I noticed
that there is a --module <path> directive)? Or does OpenDNSSEC have to be
recompiled with libCryptoki2_64.so support?
No, everything should work out of the box with OpenDNSSEC.

You initialize the PKCS#11 token when you create the partition, the users
and the HA slots in the SafeNet HSM.

The SoftHSM utils are primarily for SoftHSM, but there is an option, as you
say, to use another PKCS#11 provider. However, the initialization process
of an HSM is a bit more complicated than just using the PKCS#11 interface.

// Rickard
Rick van Rein
2016-05-12 20:32:40 UTC
Hi Roman,
Post by Roman Serbski
I understand that I'll have to modify conf.xml to include additional
repository (with the path to libCryptoki2_64.so and relevant partition
password), and then duplicate and adjust the policy in kasp.xml, but
before that I guess I need to initialize a slot?
You probably need to do that, indeed, to "format" the partition. I'm
not 100% sure how we did it though. The documentation coming with
SafeNet HSMs is extensive, I suggest you read that carefully :) and
you should find the "vtl" utility useful to inspect the impact of your work.
Post by Roman Serbski
Do I need to follow the 'softhsm --init-token ...' procedure (I noticed
that there is a --module <path> directive)? Or does OpenDNSSEC have to be
recompiled with libCryptoki2_64.so support?
As Rickard says, this is for another PKCS #11 implementation, named
SoftHSM. You should instead have a look at the lunasa prefix as you
installed it. On *BSD it's probably somewhere like /usr/local/lunasa/
Post by Roman Serbski
Many thanks and sorry in advance if it's too obvious.
If it's not obvious to you, then an exchange of knowledge seems like a
good use of a mailing list :) but you should really spend some good time
on the SafeNet documentation; it is perhaps as patronising as it is
thorough.

-Rick
Roman Serbski
2016-05-15 16:07:38 UTC
Roman Serbski
2016-05-15 16:24:37 UTC
And here is the output of vtl and lunacm commands:

# /usr/safenet/lunaclient/bin/vtl listSlots
Number of slots: 3

The following slots were found:

Slot  Description           Label    Serial #     Status
====  ====================  =======  ===========  ========
0     LunaNet Slot          TEST     499171985    Present
1     LunaNet Slot          TEST     455671429    Present
5     HA Virtual Card Slot  TESTHA   1137913123   Present

# /usr/safenet/lunaclient/bin/lunacm
LunaCM v6.2.0-15. Copyright (c) 2006-2015 SafeNet, Inc.

Available HSMs:

Slot Id -> 0
HSM Label -> TEST
HSM Serial Number -> 499171985
HSM Model -> LunaSA 6.2.0
HSM Firmware Version -> 6.10.9
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK

Slot Id -> 1
HSM Label -> TEST
HSM Serial Number -> 455671429
HSM Model -> LunaSA 6.2.0
HSM Firmware Version -> 6.10.9
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK

Slot Id -> 5
HSM Label -> TESTHA
HSM Serial Number -> 1137913123
HSM Model -> LunaVirtual
HSM Firmware Version -> 6.10.9
HSM Configuration -> Luna Virtual HSM (PED) Signing With Cloning Mode
HSM Status -> N/A - HA Group

Current Slot Id: 0
Roman Serbski
2016-05-16 14:54:58 UTC
Please disregard it -- everything is working fine now. I had a typo in
kasp.xml which prevented loading of the new policy.

Still have a couple of questions:

- in most of the examples I've found on the Internet people use HSM to
store KSKs and SoftHSM for ZSKs. Is it mainly to save some HSM space?

- in my case, a newly created domain consumed 2768 bytes (I store both
public and private keys for KSK and ZSK). With the current partition
size I should be able to handle up to 150 domains, but I guess I'll
also have to consider an overhead during roll-over which will
temporarily double the consumed space? Will OpenDNSSEC purge old
ZSK/KSKs after the roll-over is finished or I'll have to delete them
manually?

Thank you.
Yuri Schaeffer
2016-05-17 07:51:16 UTC
Hi Roman,
Post by Roman Serbski
- in my case, a newly created domain consumed 2768 bytes (I store both
public and private keys for KSK and ZSK). With the current partition
size I should be able to handle up to 150 domains, but I guess I'll
also have to consider an overhead during roll-over which will
temporarily double the consumed space? Will OpenDNSSEC purge old
ZSK/KSKs after the roll-over is finished or I'll have to delete them
manually?
OpenDNSSEC will do that. In the KASP you can define a purge delay in the
<Key> section. I believe if you set it to 0 it will never purge.

From the example kasp.xml, purge 14 days after rollover finished:

<Purge>P14D</Purge>


//Yuri
(Berry) A.W. van Halderen
2016-05-17 08:53:00 UTC
Post by Rick van Rein
Hi Roman,
OpenDNSSEC will do that. In the KASP you can define a purge delay in the
<Key> section. I believe if you set it to 0 it will never purge.
You can (also) omit the <Purge> item, which means not to purge (unless
you explicitly do so).
Post by Rick van Rein
<Purge>P14D</Purge>
\Berry
--
N: (Berry) A.W. van Halderen
E: ***@nlnetlabs.nl
O: NLnet Labs
W: http://www.nlnetlabs.nl/
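Pulling the thread together, here is an added example (not posted by anyone in the thread and not OpenDNSSEC's shipped defaults) of the conf.xml repository entries and the kasp.xml <Keys> section for the setup discussed: KSKs on the Luna HA slot, ZSKs in SoftHSM, retired keys purged 14 days after a rollover. The Luna library path, the SoftHSM module path, the repository names, the PINs and the <Capacity> value are assumptions or placeholders; the token label TESTHA is the HA slot label from the lunacm output above.

```xml
<!-- conf.xml (OpenDNSSEC 1.4 syntax): one <Repository> per PKCS#11 provider.
     Module paths, PINs and Capacity below are assumed values, not from the thread. -->
<RepositoryList>
    <Repository name="LunaHA">
        <!-- assumed location under the Luna client install prefix -->
        <Module>/usr/safenet/lunaclient/lib/libCryptoki2_64.so</Module>
        <!-- point at the HA virtual slot, not at an individual member -->
        <TokenLabel>TESTHA</TokenLabel>
        <!-- placeholder; alternatively leave <PIN> out and supply it with
             "ods-hsmutil login" so the partition password is not stored on disk -->
        <PIN>PARTITION_PASSWORD_PLACEHOLDER</PIN>
        <!-- optional cap on keys OpenDNSSEC creates here; assumed value sized so
             the partition is not exhausted by rollover overhead (old + new keys) -->
        <Capacity>300</Capacity>
    </Repository>
    <Repository name="SoftHSM">
        <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
        <TokenLabel>OpenDNSSEC</TokenLabel>
        <PIN>SOFTHSM_PIN_PLACEHOLDER</PIN>
        <SkipPublicKey/>
    </Repository>
</RepositoryList>

<!-- kasp.xml, inside <Policy name="..."> : the <Keys> section -->
<Keys>
    <TTL>PT3600S</TTL>
    <RetireSafety>PT3600S</RetireSafety>
    <PublishSafety>PT3600S</PublishSafety>
    <!-- remove retired keys 14 days after the rollover completed;
         leave <Purge> out entirely and retired keys stay until deleted by hand -->
    <Purge>P14D</Purge>
    <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P1Y</Lifetime>
        <Repository>LunaHA</Repository>
    </KSK>
    <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P30D</Lifetime>
        <Repository>SoftHSM</Repository>
    </ZSK>
</Keys>
```

The <Repository> value in each key element must match a name attribute in conf.xml exactly; after editing, reload with "ods-ksmutil update all" and check that the new policy appears in "ods-ksmutil policy list".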