HSM - cryptoki - Sessions - Timeout
https://stackoverflow.com/questions/3175580
-
02-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
My application access the HSM via a ASP.NET web service through PKCS#11. I initialise the cryptoki library and obtain a session handle. Web-service hold on to this handle to perform encryption/decryption/signing/verifying in a batch mode.
The problem i am facing is The ASP.NET web service time-outs' after 20 minutes. This act- i think, unloads the cryptoki library and the session handle held by the web-service becomes invalid. Yes, i agree that the ASP.NET web-service can be reconfigured not to time-out, which will keep the cryptoki library always loaded.
My question is What happens to the session handle which i obtained in the first place from the HSM?. Will it be lost or will it be there unused? I am asking this because, i am not closing the opened session properly by calling c_closeSession.
The web-service is implemented via a Thread pool
Thanks
Solution
You are supposed to call C_Finalize() when you are done using the cryptoki library. A well-written implementation might be robust against you not doing so, but there are no guarantees. Your open sessions may be kept alive on the HSM and perhaps in the driver.
Strongly consider calling C_Finalize() from your Application_End().
OTHER TIPS
From the theoretical perspective, you should read the PKCS#11 spec, it is all written there, from section 6.6 onwards
From the practical perspecgive, an application becomes a cryptoki application after it calls C_Initialize. The concept of a session and its identifier may be relayed by a small wrapper library to a longrunning PKCS#11 process, that actually talks to the HSM, but may not. If the process that was a cryptoki application dies, so will do all the virtual resources (what a session is).
Where exactly is the problem? Opening a session could be a pretty cheap operation most of the time, unless you are sure (have measured) that it is the bottleneck, don't optimize and open and close a session for a request, if you can't control the lifespan of the cryptoki process.
if i understood that, you need to create a "global" login for that session. Furthermore you need to open/close session for each local session.
So, - Global variable with "Login" (Once on startup or when u want) - Check global login status when you will create a new sessión. - Create Individual sessions for each action (closing the "local" sessión not the global login)
With this you obtain a global variable with a logged session and individual session using that global login.
Good luck
