Avatar

Level 2

So if I sum up, it is rather preferable to install LC ES2 SP2 on the  same machine which hosts the HSM setup and device (a PCI card for  example) and to use the Corba based IPC mechanism (no need of the HSMWS  middleware) if we want to really have 5 or more concurrent invocations.

Even the webservice mechanism works fine with 1 or more concurrent requests. But the CORBA based IPC mechanism is preferred since it allows online HSM Profile creation in LC Truststore and online monitoring of connectivity to HSM from LC.

So,  if we need to use a HSM Network Appliance (on which we could not  install LCES2 SP2) instead of a HSM PCI Card we do not have any no other  choice than using the HSMWS middleware webservice on the LCES2 SP2  server or possibly on an another machine. Is it correct ?

You are confusing the meaning of HSM installation. HSM installation refers to installation of HSM client which carries the PKCS#11 compliant vendor supplied library. Even for a network HSM device, if the client is installed on the LC server, the server would be able to talk to it as if it were a PCI card. The applications are agnostic to the HSM location. They only talk to the HSM vendor supplied client library which shield the application from intricate details.

About the Corba based IPC mechanism, do we need to do on LiveCycle ES2 SP2 server any other setup that the following ones :

1. Installing a  1.6.0.18 or superior Sun 32 bits JDK

2. Setting a JAVA_HOME_32 system env var.

3. Installing the HSM client setup (including the cryptoki.dll HSM client library for Luna SA for example)

4.  Setting up the HSM Credentials  inside the the LC TrustStore (by  choosing an alias and the PCKS#11 HSM client Library location)

5. Possibly raising up the com.adobe.livecycle.signatures.hsm.bmc.poolsize value

I would like to add another point of importance. The HSM client that needs to be installed needs to be a 32 bit client. This is since the way of operation is to spawn 32 bit Java processes to talk to the HSM. These processes can only talk to 32 bit shared libraries (.dll). Also I would recommend not to install in Program Files (x86) folder since special characters are not allowed in LC Admin Web UI. Its better to install in something like c:\lunasa\...

I  assume that if we want to set up a High Availibility mechanism with an  HSM Network Appliance, we are equally obliged to use the HSMWS  middleware on 2 machines hosting the HSM client setup with a  load-balancer located in front of them. Could you confirm ?

Safenet Luna device already provide High Availibility. In this case there are multiple network HSM devices which are accessed via a Luna HA Load Balancer. The application talks to the Load Balancer which load balances between the multiple HSM devices available. This would obviously lead to better throughput. Also the LoadBalancer has an autorecovery mode where it can detect devices which are no longer responsive and automatically cast them out of the cluster. You can also use LC clustering but that would not provide auto failure discovery.

About  the HSMWS tool, if I well understand, Adobe supports that tool if we  launch it as a stand-alone tool in a console but not with a third party  Java Wrapper installing it as a Windows service, am I right ? I think  Adobe should consider to support it equally in that case by testing and  recommending the best third party tool to do that because it never  happens in a real-life environment to launch a java stand-alone tool on a  windows production server which not be able to autostart at reboot of  the server.

Agreed. But then again, this is a very niche feature. It needs to be used only if say the HSM vendor does not supply a client for the platform that you choose to host your server. Say a vendor supplied am HSM client only for an Apple Mac which cannot host LC. In this case you can still leverage your HSM device which works only on Mac for signing on LC via the HSMWS webservice bridge. Since it might need to be run on such a niche platform, we decided not to provide OS specific hooks like service on Windows . It allows the bridge to be customised according to customer needs without binding to any particular platform.