Bug 1350957 - ipa named-pkcs11 failed to enumerate object store. Summary: ipa named-pkcs11 failed to enumerate object store Keywords. Disclaimer: This is my first experience learning about PKCS#11. This answer comes from reading docs for a few of the PKCS#11 wrappers listed on Wikipedia. Correlating those docs with the Java API, I think slot (aka 'Slot Id') is a slot identifier returned for a given slot within the list of slots returned by CGetSlotList.

Hi,
We are trying to create a new replica on RHEL 7.2
This completes but named-pkcs11 fails to start -
systemctl status named-pkcs11.service
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native
PKCS#11
Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service;
disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST;
51min ago
Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
(code=exited, status=1/FAILURE)
Process: 25910 ExecStartPre=/bin/bash -c if [ !
'$DISABLE_ZONE_CHECKING' 'yes' ]; then /usr/sbin/named-checkconf -z
/etc/named.conf; else echo 'Checking of zone files is disabled'; fi
(code=exited, status=0/SUCCESS)
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation.
Support and training for BIND 9 are
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at
https://www.isc.org/support
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]:
----------------------------------------------------
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on
open files from 4096 to 1048576
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU,
using 1 worker thread
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP
listener per interface
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service:
control process exited, code=exited status=1
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley
Internet Name Domain (DNS) with native PKCS#11.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service

Pkcs11 Failed To Enumerate Slots List

entered failed state.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service failed.
# /usr/sbin/named-pkcs11 -d 9 -g
13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1 -d 9 -g
13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
'--localstatedir=/var' '--enable-threads' '--enable-ipv6'
'--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--enable-exportlib'
'--with-export-libdir=/usr/lib64'
'--with-export-includedir=/usr/include'
'--includedir=/usr/include/bind9' '--enable-native-pkcs11'
'--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes'
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
'--disable-isc-spnego' '--enable-fixed-rrset'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
13-Jul-2016 19:31:01.283
----------------------------------------------------
13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems
Consortium,
13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3) public-benefit
13-Jul-2016 19:31:01.284 corporation. Support and training for BIND 9 are
13-Jul-2016 19:31:01.284 available at https://www.isc.org/support
13-Jul-2016 19:31:01.284
----------------------------------------------------
13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to 1048576
13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread
13-Jul-2016 19:31:01.284 using 1 UDP listener per interface
13-Jul-2016 19:31:01.284 using up to 4096 sockets
13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver
13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen'
13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen'
13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed
13-Jul-2016 19:31:01.287 exiting (due to fatal error)
# tail -2 /var/log
Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]:
ObjectStore.cpp(59): Failed to enumerate object store in
/var/lib/softhsm/tokens/
Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456):
Could not load the object store
I've tried 'ipa-server-upgrade' and
mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD
ipa-dns-install
But I haven't managed to fix it.
Using 'ipactl start -f' means the rest of the ipa services seem to work
properly, but without named.
Is there a way to fix the named issue or is it much simpler to
disconnect the replica, uninstall it and start again ?

Openssl Pkcs11 Failed To Enumerate Slots

Thanks
Bob Hinton