Adobe LiveCycle (Archived)

Please find the answer to your questions inline

1 As the KB article talks only about Windows 64 bits platform, may  we assume that we do not need to use it on a LCES2 server using RHEL5 or  SuSE platform and that LC DS ES2.5 is able to adress the PKCS#11  library in a 64 bits environment?

Since LC ES2SP2, LiveCycle is able to support HSM signing on all platforms (Win64 included) without the need for the middleware webservice. The only case where one may might want to use the webservice is when the HSM needs to be installed on a remote machine. Please have a look at http://kb2.adobe.com/cps/875/cpsid_87543.html.

But that does not stop anyone to still go ahead with the HSMWS option even when the HSM setup is co-located with LiveCycle on the same server.

2 If we decide to  finally use a Windows 64bits platform fot the LC DS ES2.5, is it  preferable to use that HSMWS tool on a distant 32 bits Windows  PC with a  32 bits JDK installed or directly on the LiveCycle ES2.5 Windows 64  bits server. In this last case, we need to install a 32 bits JDK if I do  well understand but the document says to set a JAVA_HOME env variable.  How can we do that if the JAVA_HOME is already set for the 64 bits JDK  on the server, can we set a JAVA_HOME_32 env var instead for the 32bits  Sun JDK and will the HSMWS tool able to read that JAVA_HOME_32 env var?

If you still want to pursue the HSMWS option, it is always better to install it on the same server as LiveCycle since that combination is more performant since it shortcircuits the network stack as well as SSL layer. Also, this does not require setting up of any environment variable. You just need to run the HSMWS main jar from a 32 bit Java runtime.

3  Is the HSMWS tool sufficiently robust to resist to about five  invocations of the exposed Web Service by second without response speed  or memory leak issues ?

5 concurrent invocations should easily work with this option. But I would still suggest going the CORBA based IPC mechanism mentioned in the link i shared above.

4\ As the tool is launched only as  a Java client in a console in your document, is it possible to start  that tool as a windows service and what is the best way you can  recommend to us for doing that ?

There are open source tools which allow a command line java program to be run as a Windows Service. Java Service Wrapper    project from Tanukisoftware.org is one such tool. But anything apart from the default console mechanism is not officially supported.

5 Does it exist a WAR or  EAR version of that tool for deploying it on an Application Server like  jBoss 4.2.1 and if not could Adobe possibly provide us with the java  source code of that tool ?

The implementation has dependencies on certain proprietary crypto toolkits because of which it cannot be shared in source form. In any case running in a standalone fashion reduces maintainence overheads.

Hello,

Thank you very much kapss for all your useful answers.

So if I sum up, it is rather preferable to install LC ES2 SP2 on the same machine which hosts the HSM setup and device (a PCI card for example) and to use the Corba based IPC mechanism (no need of the HSMWS middleware) if we want to really have 5 or more concurrent invocations.

So, if we need to use a HSM Network Appliance (on which we could not install LCES2 SP2) instead of a HSM PCI Card we do not have any no other choice than using the HSMWS middleware webservice on the LCES2 SP2 server or possibly on an another machine. Is it correct ?

About the Corba based IPC mechanism, do we need to do on LiveCycle ES2 SP2 server any other setup that the following ones :

1. Installing a  1.6.0.18 or superior Sun 32 bits JDK

2. Setting a JAVA_HOME_32 system env var.

3. Installing the HSM client setup (including the cryptoki.dll HSM client library for Luna SA for example)

4. Setting up the HSM Credentials  inside the the LC TrustStore (by choosing an alias and the PCKS#11 HSM client Library location)

5. Possibly raising up the com.adobe.livecycle.signatures.hsm.bmc.poolsize value

I assume that if we want to set up a High Availibility mechanism with an HSM Network Appliance, we are equally obliged to use the HSMWS middleware on 2 machines hosting the HSM client setup with a load-balancer located in front of them. Could you confirm ?

About the HSMWS tool, if I well understand, Adobe supports that tool if we launch it as a stand-alone tool in a console but not with a third party Java Wrapper installing it as a Windows service, am I right ? I think Adobe should consider to support it equally in that case by testing and recommending the best third party tool to do that because it never happens in a real-life environment to launch a java stand-alone tool on a windows production server which not be able to autostart at reboot of the server.

Alexis.

So if I sum up, it is rather preferable to install LC ES2 SP2 on the  same machine which hosts the HSM setup and device (a PCI card for  example) and to use the Corba based IPC mechanism (no need of the HSMWS  middleware) if we want to really have 5 or more concurrent invocations.

Even the webservice mechanism works fine with 1 or more concurrent requests. But the CORBA based IPC mechanism is preferred since it allows online HSM Profile creation in LC Truststore and online monitoring of connectivity to HSM from LC.

So,  if we need to use a HSM Network Appliance (on which we could not  install LCES2 SP2) instead of a HSM PCI Card we do not have any no other  choice than using the HSMWS middleware webservice on the LCES2 SP2  server or possibly on an another machine. Is it correct ?

You are confusing the meaning of HSM installation. HSM installation refers to installation of HSM client which carries the PKCS#11 compliant vendor supplied library. Even for a network HSM device, if the client is installed on the LC server, the server would be able to talk to it as if it were a PCI card. The applications are agnostic to the HSM location. They only talk to the HSM vendor supplied client library which shield the application from intricate details.

About the Corba based IPC mechanism, do we need to do on LiveCycle ES2 SP2 server any other setup that the following ones :

1. Installing a  1.6.0.18 or superior Sun 32 bits JDK

2. Setting a JAVA_HOME_32 system env var.

3. Installing the HSM client setup (including the cryptoki.dll HSM client library for Luna SA for example)

4.  Setting up the HSM Credentials  inside the the LC TrustStore (by  choosing an alias and the PCKS#11 HSM client Library location)

5. Possibly raising up the com.adobe.livecycle.signatures.hsm.bmc.poolsize value

I would like to add another point of importance. The HSM client that needs to be installed needs to be a 32 bit client. This is since the way of operation is to spawn 32 bit Java processes to talk to the HSM. These processes can only talk to 32 bit shared libraries (.dll). Also I would recommend not to install in Program Files (x86) folder since special characters are not allowed in LC Admin Web UI. Its better to install in something like c:\lunasa\...

I  assume that if we want to set up a High Availibility mechanism with an  HSM Network Appliance, we are equally obliged to use the HSMWS  middleware on 2 machines hosting the HSM client setup with a  load-balancer located in front of them. Could you confirm ?

Safenet Luna device already provide High Availibility. In this case there are multiple network HSM devices which are accessed via a Luna HA Load Balancer. The application talks to the Load Balancer which load balances between the multiple HSM devices available. This would obviously lead to better throughput. Also the LoadBalancer has an autorecovery mode where it can detect devices which are no longer responsive and automatically cast them out of the cluster. You can also use LC clustering but that would not provide auto failure discovery.

About  the HSMWS tool, if I well understand, Adobe supports that tool if we  launch it as a stand-alone tool in a console but not with a third party  Java Wrapper installing it as a Windows service, am I right ? I think  Adobe should consider to support it equally in that case by testing and  recommending the best third party tool to do that because it never  happens in a real-life environment to launch a java stand-alone tool on a  windows production server which not be able to autostart at reboot of  the server.

Agreed. But then again, this is a very niche feature. It needs to be used only if say the HSM vendor does not supply a client for the platform that you choose to host your server. Say a vendor supplied am HSM client only for an Apple Mac which cannot host LC. In this case you can still leverage your HSM device which works only on Mac for signing on LC via the HSMWS webservice bridge. Since it might need to be run on such a niche platform, we decided not to provide OS specific hooks like service on Windows . It allows the bridge to be customised according to customer needs without binding to any particular platform.

Hi,

Thank you very much for all the tips kapss, your explanations are very clear.

Alexis.

I would just like to add that if you desire to use the HSMWS webservice mechanism, and want to use it as a Windows Service, you can get Adobe official support if you file a CCR with Adobe support team.

Hi Guys,

Im trying to find this article but I can't found it: Configuring HSM support for LiveCycle ES using Sun JDK on Windows 64-bit platform

Can you please help me?

Regards,

Carlos