[Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

Petr Spacek pspacek at redhat.com
Tue Aug 16 14:55:14 UTC 2016


On 16.8.2016 14:48, Guido Schmitz wrote:
>>
>> Any tool which can do key import from file into PKCS#11 token should work, in
>> theory.
> 
> I've tried pkcs11-tool from the OpenSC project and p11tool from GnuTLS.
> p11tool seems to be able to take some (undocumented?) flags from the
> command line when importing, but p11tool does not seem to work with
> SoftHSM. So I've tried the procedure you suggested:
> 
>>
>> If you do not find any such tool, it will be easiest to patch softhsm2-util to
>> set the flag to TRUE on import. I'm attaching quick and dirty patch which
>> should do the job (for softhsm compiled against OpenSSL).
>>
>> 1. Get the sources:
>> $ git clone https://github.com/opendnssec/SoftHSMv2.git
>>
>> 2. Apply the patch:
>> git am 0001-HACK-for-OpenSSL-version-import-all-keys-with-CKA_EX.patch
>>
>> 3. Use how-to
>> https://github.com/opendnssec/SoftHSMv2/#installation
>> to compile the tool.
>>
>> 4. You do not need to install the library into system paths, just execute the
>> softhsm2-util binary from the build directory to do import and use standard
>> library as before.
>>
>> I hope it will help. Please let me know your findings so I can submit improved
>> patch upstream (if we were successful).
>>
> 
> Your patch was not sufficient enough. I've added a patch (to be applied
> on top of your patch), which extends your patch to set the extractable flag.

Ah, I see! I modified the wrong table, thank you for noticing that.

> Now, after a new import, the keys are indeed marked as extractable in
> SoftHSM and (automatically) copied into the LDAP subtree
> cn=keys,cn=sec,cn=dns.
> 
> I've noticed that the following flags of the keys still differ in the
> output of "python2
> /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py":
> 'ipk11alwayssensitive': True for keys generated by IPA, False for
> imported keys
> 'ipk11local': True for keys generated by IPA, False for imported keys

These two should not make any difference in our case. (They indicate that the
keys were not created inside the HSM in question and could possibly be exposed
in plain text somewhere.)

> I do not know, if these flags are important for the whole process to
> work, but I also do not know how to set these flags.
> 
> The imported keys are still not used by BIND: The keys are not added to
> the zone subtree (cn=keys,idnsname=myzone.com,cn=dns) in LDAP, but the
> command "sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
> ods-ksmutil key list --verbose" shows that the newly imported key (I've
> carried out tests only with the KSK so far) is assigned to the zone and
> is in state "active".

Now it is getting interesting :-)

First of all, what version of FreeIPA packages and on what distro are you
using? There are significant differences between package versions.

The export is handled by the ipa-ods-exporter service on the IPA DNSSEC key
master server. Look at its logs and see if it reports any errors.

I'm not sure how OpenDNSSEC handles key import. IPA waits on the OpenDNSSEC
signer's socket for events which indicate a key state change. If this does not
happen, the key is not exported.

You can trigger this manually by calling the command
"ods-signer ipa-full-update"
or
"ods-signer update <zone name>"

Watch the ipa-ods-exporter service logs when you run this command and watch
out for any problems. You might add debug=True to /etc/ipa/default.conf if you
need to see more details about the process.

-- 
Petr^2 Spacek
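The thread turns on three PKCS#11 object attributes: CKA_EXTRACTABLE (which the patched softhsm2-util sets on import and which is what lets the key be copied into cn=keys,cn=sec,cn=dns), and CKA_ALWAYS_SENSITIVE / CKA_LOCAL (which are FALSE for any key imported from a file and, as Petr says, do not matter for the export). The script below is an added example, not code from this thread or from the FreeIPA, SoftHSM or OpenDNSSEC projects. It separates the interpretation of those flags (pure Python, testable with constructed attribute dictionaries) from a live reader that uses the PyKCS11 package; the module path, slot index and PIN in that reader are placeholders, and the ipk11* names follow FreeIPA's LDAP schema, which mirrors the CKA_* attributes one to one.

```python
"""Classify private keys in a SoftHSM/PKCS#11 token by the attributes that
FreeIPA's DNSSEC key export depends on.

Added example (not from the mailing-list thread or the FreeIPA project).
The live reader assumes PyKCS11 is installed; module path, PIN and slot
index are placeholders to be replaced with the IPA token's values.
"""

# FreeIPA stores PKCS#11 object attributes in LDAP as ipk11* attributes.
# This is the subset the thread talks about, mapped to the CKA_* constants.
IPK11_TO_CKA = {
    "ipk11extractable":     "CKA_EXTRACTABLE",
    "ipk11sensitive":       "CKA_SENSITIVE",
    "ipk11alwayssensitive": "CKA_ALWAYS_SENSITIVE",
    "ipk11local":           "CKA_LOCAL",
}


def classify_key(attrs):
    """Interpret one key's ipk11-style attribute dict.

    exportable -- CKA_EXTRACTABLE is TRUE, so the key material can be wrapped
                  out of the token; without it the key is not copied to LDAP.
    imported   -- CKA_LOCAL or CKA_ALWAYS_SENSITIVE is FALSE, which is what a
                  key imported from a file looks like (harmless for export,
                  but it records that the plaintext once existed outside
                  this token).
    """
    notes = []
    exportable = bool(attrs.get("ipk11extractable", False))
    if not exportable:
        notes.append("CKA_EXTRACTABLE is FALSE: key cannot leave the token "
                     "and will not be exported to LDAP")
    imported = not (attrs.get("ipk11local", True)
                    and attrs.get("ipk11alwayssensitive", True))
    if imported:
        notes.append("CKA_LOCAL/CKA_ALWAYS_SENSITIVE FALSE: key was not "
                     "generated inside this token (expected for imports)")
    return {"label": attrs.get("ipk11label", "?"),
            "exportable": exportable,
            "imported": imported,
            "notes": notes}


def blocking_keys(keys):
    """Labels of keys whose attributes prevent export (the thing to fix)."""
    return [classify_key(k)["label"] for k in keys
            if not classify_key(k)["exportable"]]


def read_token_keys(module_path, pin, slot_index=0):
    """Read the same attributes from a live token via PyKCS11 (assumed).

    Run with SOFTHSM2_CONF pointing at the IPA token configuration, e.g.
    SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf, as in the thread.
    module_path: e.g. "/usr/lib64/pkcs11/libsofthsm2.so" (placeholder).
    """
    import PyKCS11  # imported lazily so the pure logic above needs no HSM

    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    slot = lib.getSlotList(tokenPresent=True)[slot_index]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    session.login(pin)  # private-key attributes are only visible logged in
    wanted = [PyKCS11.CKA_LABEL, PyKCS11.CKA_EXTRACTABLE, PyKCS11.CKA_SENSITIVE,
              PyKCS11.CKA_ALWAYS_SENSITIVE, PyKCS11.CKA_LOCAL]
    keys = []
    for obj in session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY)]):
        label, extractable, sensitive, always_sensitive, local = \
            session.getAttributeValue(obj, wanted)
        keys.append({"ipk11label": label,
                     "ipk11extractable": bool(extractable),
                     "ipk11sensitive": bool(sensitive),
                     "ipk11alwayssensitive": bool(always_sensitive),
                     "ipk11local": bool(local)})
    session.logout()
    session.closeSession()
    return keys


if __name__ == "__main__":
    # Constructed sample: one IPA-generated key, one key imported with an
    # unpatched softhsm2-util, one imported with the patched tool.
    sample = [
        {"ipk11label": "ipa-ksk", "ipk11extractable": True,
         "ipk11alwayssensitive": True, "ipk11local": True},
        {"ipk11label": "import-unpatched", "ipk11extractable": False,
         "ipk11alwayssensitive": False, "ipk11local": False},
        {"ipk11label": "import-patched", "ipk11extractable": True,
         "ipk11alwayssensitive": False, "ipk11local": False},
    ]
    for k in sample:
        print(classify_key(k))
    print("blocked from export:", blocking_keys(sample))
```

The live path is deliberately read-only (it never touches CKA_EXTRACTABLE itself); it is meant to confirm, after the patched import, that the key shows `exportable: True` while `imported: True` explains the remaining differences Guido saw in the localhsm.py output.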