All recommendations point to using an HSM, which sounds great operationally. Admittedly, I'm ignorant where HSMs are concerned.
When creating a ServerCredential from an HSM, the example code shows a KeyStore being loaded using the HSM, and then PrivateKeys being loaded from the KeyStore. As I understand it, the whole purpose of the HSM is to secure private keys, i.e. they never leave the HSM. What exactly is this PrivateKey then?
For license serving, the private key is needed to generate a license, right?
What I'm really asking is whether or not the HSM is going to be called on every license generation request. Or are the necessary keys cached within the ServerCredential so that license generation is autonomous once the ServerCredential is created?
The implications are whether the HSM is a point of failure after startup and whether the HSM is a scalability limitation to license generation.
Any insight is appreciated.
Thanks.
The behavior may vary for different HSM models, but typically, the PrivateKey object will contain a handle to the private key located on the HSM, not the actual private key. Cryptographic operations that require use of the private key would typically be performed on the HSM, so the license server never uses the private key directly. Therefore, if an HSM is used, it will be accessed each time the software needs to use the private key during the license generation process.
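The handle behaviour described in the answer can be observed with the JDK's own PKCS#11 provider. This is an added example, not code from the thread or from the Adobe SDK. It assumes Java 9 or later, a SunPKCS11 configuration file that names the HSM vendor's PKCS#11 library, a non-extractable RSA key on the token, and the hypothetical names `HsmKeyHandleDemo` and `HSM_PIN`.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class HsmKeyHandleDemo {
    public static void main(String[] args) throws Exception {
        // Assumptions: args[0] is a SunPKCS11 config file, args[1] is the alias
        // of an RSA private key on the token, and the PIN is in HSM_PIN.
        String pinEnv = System.getenv("HSM_PIN");
        if (args.length != 2 || pinEnv == null) {
            System.err.println("usage: HSM_PIN=<pin> java HsmKeyHandleDemo <pkcs11.cfg> <alias>");
            System.exit(2);
        }

        // Bind the PKCS#11 provider to the HSM and open its token as a KeyStore.
        Provider hsm = Security.getProvider("SunPKCS11").configure(args[0]);
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, pinEnv.toCharArray());

        // PKCS#11 keystores ignore the per-key password, so null is passed.
        PrivateKey key = (PrivateKey) ks.getKey(args[1], null);
        if (key == null) {
            throw new IllegalArgumentException("no private key under alias " + args[1]);
        }

        // A non-extractable token key exposes no key bytes: the Java object
        // only references the key that stays on the HSM.
        System.out.println("key class:    " + key.getClass().getName());
        System.out.println("key material: "
                + (key.getEncoded() == null ? "not available (handle only)" : "exported"));

        // Each sign() below is carried out by the HSM, so the timing shows the
        // per-operation cost the license server would pay on every request.
        byte[] payload = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", hsm);
        int rounds = 50;
        long start = System.nanoTime();
        for (int i = 0; i < rounds; i++) {
            signer.initSign(key);
            signer.update(payload);
            signer.sign();
        }
        double msPerOp = (System.nanoTime() - start) / 1_000_000.0 / rounds;
        System.out.printf("average HSM signature time: %.2f ms%n", msPerOp);
    }
}
```

Disconnecting the HSM after the key has been loaded and signing again makes the operation fail, which shows the dependency at run time.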
Copyright © 2012 Adobe Systems Incorporated. All rights reserved.