
I created a web service, isAlive, to check whether I can create a session with the HSM software using Cryptoki. I automated the execution of my web service using SoapUI, so I execute my service in a loop every 40 s. It works well, but after a number of calls I can't connect to my HSM until I restart my app. This is the part of the code that I use to connect to the HSM:

    // Types and constants are from the SafeNet JCPROV Cryptoki wrapper
    // (CK_SESSION_HANDLE, CK_RV, Cryptoki, CKF, CKU); safeNetSlot, hsmPassword,
    // log and checkRetCode are fields/helpers of the surrounding class.

    // create session handle
    CK_SESSION_HANDLE session = new CK_SESSION_HANDLE();

    // return code
    CK_RV retcode;

    // open a read/write session on the slot
    retcode = Cryptoki.C_OpenSession(safeNetSlot, CKF.RW_SESSION, null, null, session);
    checkRetCode(retcode, "Could not open session on HSM");

    log.debug("Session [{}]", session.longValue());

    // do login: encode the PIN once and pass the byte length
    // (String.length() counts UTF-16 units, not bytes, and differs for non-ASCII PINs)
    final String recovHsmPassword = PasswordManagement.recoverPassword(hsmPassword);
    final byte[] pin = recovHsmPassword.getBytes();
    retcode = Cryptoki.C_Login(session, CKU.USER, pin, pin.length);
    checkRetCode(retcode, "Could not login as user");

During the execution of my service I watched the logs and saw that session.longValue() is incremented with each call.

These are the logs:

    INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API
    DEBUG 5056 --- [nio-8191-exec-5] com.test.app.hsm.HsmService  : Session [1]
    INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API
    DEBUG 5056 --- [nio-8191-exec-5] com.test.app.hsm.HsmService  : Session [2]
    INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API
    DEBUG 5056 --- [nio-8191-exec-5] com.test.app.hsm.HsmService  : Session [3]
    INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API
                                                     ......
    INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API
    DEBUG 5056 --- [nio-8191-exec-5] com.test.app.hsm.HsmService  : Session [1176]
    INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API
    2018-08-14 10:39:06.550 ERROR 1 --- [nio-8443-exec-3] com.test.app.hsm.HsmService  : HSM return error [MSG_ERROR general error]

I'd like to ask whether someone has an idea how Cryptoki.C_OpenSession works and why I get disconnected from my HSM.

e2rabi

1 Answer

Generally HSMs have a bounded number of sessions available. Currently you are opening sessions, but you are never closing them with C_CloseSession. You should handle sessions as if they are resources, and resources may be scarce.

Note that there is also a function called C_TokenInfo that can be used to check the token status. Make sure you are using the right function for the job. You don't want to use a password when it is not required.

Maarten Bodewes
  • In my code I return the created session to a method and I use C_CloseSession to close the session, but is C_CloseSession enough to close an HSM session? There are also C_Logout and C_Finalize. – e2rabi Oct 13 '18 at 17:52
  • `C_Logout` is performed on a session, and `C_CloseSession` already gets rid of the session. `C_Finalize` is used to close the connection to the token altogether. It should be called before you are going to call `C_Initialize` again, and of course as soon as possible after you don't require the connection to the HSM anymore. Note that HSM connections may be broken (networking issues for instance would do this). It may be a good idea to re-connect if the HSM doesn't reply, but beware of state-keeping issues and memory leaks. – Maarten Bodewes Oct 13 '18 at 18:33
  • 2
    And **bugs**. HSM software can be quite crappy, ask for vendor support (you'll need it, don't let your IT department get away with buying an HSM without support). – Maarten Bodewes Oct 16 '18 at 12:52
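As an added example that is not part of the question or the answer above: the isAlive check rewritten so that every session the service opens is released again, with C_Logout and C_CloseSession in a finally block, plus a login-free liveness probe through C_GetTokenInfo (the PKCS#11 name of the token-status call the answer refers to), which needs neither a session nor a PIN. It uses the SafeNet JCPROV wrapper the question's code calls; the package names, the CK_SLOT_ID, CK_TOKEN_INFO and CKR classes, the CKF.SERIAL_SESSION flag, a UTF-8 PIN encoding, and the slot id taken from the command line are assumptions, not taken from the page.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Assumed JCPROV package layout; the question only shows the class names.
import com.safenetinc.jcprov.CK_RV;
import com.safenetinc.jcprov.CK_SESSION_HANDLE;
import com.safenetinc.jcprov.CK_SLOT_ID;
import com.safenetinc.jcprov.CK_TOKEN_INFO;
import com.safenetinc.jcprov.Cryptoki;
import com.safenetinc.jcprov.constants.CKF;
import com.safenetinc.jcprov.constants.CKR;
import com.safenetinc.jcprov.constants.CKU;

/** Liveness checks that treat the PKCS#11 session as a resource that is always released. */
public final class HsmLiveness {

    private final CK_SLOT_ID slot;

    public HsmLiveness(long slotId) {
        this.slot = new CK_SLOT_ID(slotId);   // slot id is an assumption supplied by the caller
    }

    private static boolean ok(CK_RV rv) {
        return rv.longValue() == CKR.OK.longValue();
    }

    private static void check(CK_RV rv, String what) {
        if (!ok(rv)) {
            throw new IllegalStateException(what + " failed, CKR 0x" + Long.toHexString(rv.longValue()));
        }
    }

    /** Cheap liveness probe: no session is opened and no PIN is sent. */
    public boolean isAlive() {
        CK_TOKEN_INFO info = new CK_TOKEN_INFO();
        if (!ok(Cryptoki.C_GetTokenInfo(slot, info))) {
            return false;
        }
        // ulSessionCount / ulMaxSessionCount show how close the token is to exhaustion.
        // PKCS#11 allows CK_UNAVAILABLE_INFORMATION or CK_EFFECTIVELY_INFINITE here,
        // so only log the values; do not fail the check on them.
        return true;
    }

    /** Authenticated check: open, login, logout, close, in that order, whatever happens in between. */
    public boolean canLogin(char[] pin) {
        CK_SESSION_HANDLE session = new CK_SESSION_HANDLE();
        // CKF_SERIAL_SESSION must be set per the PKCS#11 spec; many modules tolerate its absence.
        check(Cryptoki.C_OpenSession(slot, CKF.SERIAL_SESSION | CKF.RW_SESSION, null, null, session),
              "C_OpenSession");
        boolean loggedIn = false;
        try {
            // Encode once and pass the byte length; String.length() is not the byte count.
            byte[] pinBytes = new String(pin).getBytes(StandardCharsets.UTF_8);
            try {
                CK_RV rv = Cryptoki.C_Login(session, CKU.USER, pinBytes, pinBytes.length);
                // Login state is per token, not per session: if an earlier session was left
                // open and logged in, a new session reports USER_ALREADY_LOGGED_IN. Treating
                // that as success hides exactly the leak this example is meant to avoid.
                loggedIn = ok(rv);
            } finally {
                Arrays.fill(pinBytes, (byte) 0);   // do not leave the PIN in the heap longer than needed
            }
            return loggedIn;
        } finally {
            if (loggedIn) {
                Cryptoki.C_Logout(session);        // return value ignored on teardown
            }
            Cryptoki.C_CloseSession(session);      // release the session even if login failed
        }
    }

    public static void main(String[] args) {
        check(Cryptoki.C_Initialize(null), "C_Initialize");
        try {
            HsmLiveness hsm = new HsmLiveness(Long.parseLong(args[0]));
            System.out.println("token reachable: " + hsm.isAlive());
            if (args.length > 1) {
                System.out.println("login ok: " + hsm.canLogin(args[1].toCharArray()));
            }
        } finally {
            Cryptoki.C_Finalize(null);             // once, at process exit, not per request
        }
    }
}
```

C_Initialize and C_Finalize bracket the whole process, not each request; per request the service only pays for one open/close pair, so the session number in the log stops climbing and the token's session pool is never exhausted by the health check itself.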