
I am using PKCS11Interop to perform Key Management operations inside an HSM. The HSM I am using is a network HSM, Thales N-Shield. Here are the details of my setup:

1 HSM

1 RFS server

3 clients

My software application is distributed and is hosted over the 3 clients. The key will be generated in one of the clients and could be used by the application components present in other clients.

However, I have noticed that a key generated in one client machine is not accessible to other client machines unless both clients do an rfs-sync.

Question: Is there a way to synchronize the client keys with the RFS using some PKCS11Interop API? If not, in what way can I synchronize the keys between the RFS and the client machines?

I know that an exe can be executed using C# code, but that doesn't look like a clean approach.

Aashish Upadhyay

1 Answer

What you are trying to do is not part of the PKCS#11 standard. So I doubt that PKCS11Interop will be able to achieve this (from looking at its documentation here).

When you generate an object on the token (Thales n-Shield) using PKCS#11 (PKCS11Interop), the Thales security manager that's installed on the client is actually doing the generation on the HSM. If I remember correctly, Thales stores these objects on the client machine as flat files encrypted by the security manager's master key. So technically it is not stored on the HSM. This is the reason you have to do a sync with the RFS, and then update your other clients to see the new keys/objects.

You will have to check with the Thales people to see if they can provide a way to automate this. Or you have to implement your own syncing mechanism. Since rfs-sync is a command line tool Thales provides, you will have to see if you can execute the commands through C#. Or check with them if they have a C# library that does this for you.

always_a_rookie
  • Thanks, I understand and have seen what you are saying. I am sure many others would have faced this problem as well. I am just trying to find out the standard practice followed in such scenarios. – Aashish Upadhyay Aug 02 '17 at 07:25
  • @Aashish Since this is specific to Thales HSMs, there is no standard practice you can follow. I have worked with various HSMs at the same time, only the Thales HSMs were different. So I had to jump through hoops (I executed the rfs commands programmatically through Java) to make the Thales HSM work like other HSMs so that the PKCS11 framework I was writing is generic to all types of HSMs. – always_a_rookie Aug 02 '17 at 11:54
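A C# sketch of the approach the answer and the follow-up comment describe (generate the key with Pkcs11Interop, then invoke the Thales rfs-sync tool from the same process and check that it succeeded), added here as an example; it is not code from the question, the answer or the Pkcs11Interop project. The rfs-sync option names (--commit to push this client's key blobs to the RFS, --update to pull them), the PKCS#11 library path, PIN and key label are assumptions and must be checked against the nShield documentation for your version.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Assumption: rfs-sync "--commit" pushes this client's key blobs to the RFS and
// "--update" pulls them; option names come from nShield docs, not from this page.
public static class NShieldKeySync
{
    // Runs rfs-sync with one option and returns its exit code (0 = success).
    public static int RunRfsSync(string option)
    {
        var psi = new ProcessStartInfo("rfs-sync", option)
        {
            UseShellExecute = false,
            RedirectStandardError = true
        };
        using (var proc = Process.Start(psi))
        {
            string stderr = proc.StandardError.ReadToEnd();
            proc.WaitForExit();
            if (proc.ExitCode != 0)
                Console.Error.WriteLine($"rfs-sync {option} failed: {stderr}");
            return proc.ExitCode;
        }
    }

    // Generates a persistent (CKA_TOKEN=true) AES-256 key, then publishes the new
    // blob to the RFS; other clients see it only after they run rfs-sync --update.
    public static void GenerateAndPublishAesKey(string pkcs11Lib, string userPin, string label)
    {
        var f = new Pkcs11InteropFactories();
        using (IPkcs11Library lib = f.Pkcs11LibraryFactory.LoadPkcs11Library(f, pkcs11Lib, AppType.MultiThreaded))
        using (ISession session = lib.GetSlotList(SlotsType.WithTokenPresent)[0].OpenSession(SessionType.ReadWrite))
        {
            session.Login(CKU.CKU_USER, userPin);
            var attrs = new List<IObjectAttribute>
            {
                f.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true),        // persist in the local key store
                f.ObjectAttributeFactory.Create(CKA.CKA_LABEL, label),
                f.ObjectAttributeFactory.Create(CKA.CKA_VALUE_LEN, 32UL),
                f.ObjectAttributeFactory.Create(CKA.CKA_EXTRACTABLE, false)  // key material never leaves the HSM in clear
            };
            session.GenerateKey(f.MechanismFactory.Create(CKM.CKM_AES_KEY_GEN), attrs);
            session.Logout();
        }
        // The blob exists only on this client until the commit succeeds.
        if (RunRfsSync("--commit") != 0)
            throw new InvalidOperationException("Key generated locally but not published to the RFS");
    }
}
```

The consuming clients run RunRfsSync("--update") before opening their PKCS#11 session, and a non-zero exit code on either side should be treated as a failed key publication rather than ignored, since the application would otherwise proceed with a key only one client can see.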