[Opendnssec-develop] Refactoring of libhsm

Rickard Bellgrim rickard at opendnssec.org
Tue Aug 16 13:08:40 UTC 2011


>> Lost connections
>> -------------------------
>> Some HSMs will close down a session if it has not been used for some
>> time. The idea was to redesign libhsm to handle this. Most of the
>> actions in libhsm has something to do with a session, so it would be a
>> lot of work to be able to restore the session. I think it would more
>> suitable for the application to handle this. Like the Enforcer does
>> it, to reload libhsm or make sure to close down the connections if
>> they are not going to be used.
>>
>
> This works with the enforcer as it is now because the passphrase is
> available to it. If we move to a situation where user input is required then
> I think that keepalives would be desirable.

I remember that we did a solution like that in the Enforcer, but I
could not find that in the code when looking at it.

hsm_open:
http://trac.opendnssec.org/browser/trunk/OpenDNSSEC/enforcer/enforcerd/enforcer.c#L121

hsm_close when closing the daemon:
http://trac.opendnssec.org/browser/trunk/OpenDNSSEC/enforcer/enforcerd/enforcer.c#L298

I have also contacted the SafeNet support regarding the best way of
doing a heartbeat mechanism. They do however state that there is no
limitation on how long a session can be open. And that it is probably
a problem with a firewall closing down the connection. I have asked
SIDN for more feedback on this one.

// Rickard



More information about the Opendnssec-develop mailing list