- Mark as New
- Follow
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report
So if I sum up, it is rather preferable to install LC ES2 SP2 on the same machine which hosts the HSM setup and device (a PCI card for example) and to use the Corba based IPC mechanism (no need of the HSMWS middleware) if we want to really have 5 or more concurrent invocations.
Even the webservice mechanism works fine with 1 or more concurrent requests. But the CORBA based IPC mechanism is preferred since it allows online HSM Profile creation in LC Truststore and online monitoring of connectivity to HSM from LC.
So, if we need to use a HSM Network Appliance (on which we could not install LCES2 SP2) instead of a HSM PCI Card we do not have any no other choice than using the HSMWS middleware webservice on the LCES2 SP2 server or possibly on an another machine. Is it correct ?
You are confusing the meaning of HSM installation. HSM installation refers to installation of HSM client which carries the PKCS#11 compliant vendor supplied library. Even for a network HSM device, if the client is installed on the LC server, the server would be able to talk to it as if it were a PCI card. The applications are agnostic to the HSM location. They only talk to the HSM vendor supplied client library which shield the application from intricate details.
About the Corba based IPC mechanism, do we need to do on LiveCycle ES2 SP2 server any other setup that the following ones :
1. Installing a 1.6.0.18 or superior Sun 32 bits JDK
2. Setting a JAVA_HOME_32 system env var.
3. Installing the HSM client setup (including the cryptoki.dll HSM client library for Luna SA for example)
4. Setting up the HSM Credentials inside the the LC TrustStore (by choosing an alias and the PCKS#11 HSM client Library location)
5. Possibly raising up the com.adobe.livecycle.signatures.hsm.bmc.poolsize value
I would like to add another point of importance. The HSM client that needs to be installed needs to be a 32 bit client. This is since the way of operation is to spawn 32 bit Java processes to talk to the HSM. These processes can only talk to 32 bit shared libraries (.dll). Also I would recommend not to install in Program Files (x86) folder since special characters are not allowed in LC Admin Web UI. Its better to install in something like c:\lunasa\...
I assume that if we want to set up a High Availibility mechanism with an HSM Network Appliance, we are equally obliged to use the HSMWS middleware on 2 machines hosting the HSM client setup with a load-balancer located in front of them. Could you confirm ?
Safenet Luna device already provide High Availibility. In this case there are multiple network HSM devices which are accessed via a Luna HA Load Balancer. The application talks to the Load Balancer which load balances between the multiple HSM devices available. This would obviously lead to better throughput. Also the LoadBalancer has an autorecovery mode where it can detect devices which are no longer responsive and automatically cast them out of the cluster. You can also use LC clustering but that would not provide auto failure discovery.
About the HSMWS tool, if I well understand, Adobe supports that tool if we launch it as a stand-alone tool in a console but not with a third party Java Wrapper installing it as a Windows service, am I right ? I think Adobe should consider to support it equally in that case by testing and recommending the best third party tool to do that because it never happens in a real-life environment to launch a java stand-alone tool on a windows production server which not be able to autostart at reboot of the server.
Agreed. But then again, this is a very niche feature. It needs to be used only if say the HSM vendor does not supply a client for the platform that you choose to host your server. Say a vendor supplied am HSM client only for an Apple Mac which cannot host LC. In this case you can still leverage your HSM device which works only on Mac for signing on LC via the HSMWS webservice bridge. Since it might need to be run on such a niche platform, we decided not to provide OS specific hooks like service on Windows . It allows the bridge to be customised according to customer needs without binding to any particular platform.
Views
Replies
Total Likes