Adobe Forums: Understanding HSM interaction

Skip navigation

Adobe

Products Solutions Learning Help Downloads Company

Store

Adobe Store for home and home office

Education Store for students, educators, and staff

Business Store for small and medium businesses

Other ways to buy

Info Sign in

My cart My shipments My support

Up to Discussions in Flash Access

224 Views 3 Replies Latest reply: Apr 5, 2011 6:22 PM by JRJADOBE

ぜったいクレグさん

38 posts since
Mar 15, 2011

Currently Being Moderated

Mar 30, 2011 9:30 AM

Understanding HSM interaction

All recommendations point to using an HSM, which sounds great operationally. Admittedly, i'm ignorant where HSMs are concerned.

When creating a ServerCredential from an HSM, the example code shows a KeyStore being loaded using the HSM, and then PrivateKeys being loaded from the KeyStore. As i understand it, the whole purpose of the HSM is to secure private keys, i.e. they never leave the HSM. What exactly is this PrivateKey then?

For license serving, the private key is needed to geneate a license, right?

What i'm really asking, is whether or not the HSM is going to be called on every license generation request? Or are the necessary keys cached within the ServerCredential so that license generation is autonomous once the ServerCredential is created?

The implications are whether the HSM is a point of failure after startup and whether the HSM is a scalability limitation to license generation.

Any insight is appreciated.

Thanks.

Like (0)

Katherine N.
37 posts since
Oct 12, 2010

Currently Being Moderated

1. Mar 30, 2011 4:06 PM (in response to ぜったいクレグさん)
Re: Understanding HSM interaction

The behavior may be vary for different HSM models, but typically, the PrivateKey object will contain a handle to the private key located on the HSM, not the actual private key. Cryptographic operations that require use of the private key would typically be performed on the HSM, so the license server never uses the private key directly. Therefore, if an HSM is used, it will be accessed each time the software needs to use the private key during the license generation process.

Report Abuse

Like (0)
ぜったいクレグさん
38 posts since
Mar 15, 2011

Currently Being Moderated

2. Apr 5, 2011 9:05 AM (in response to Katherine N.)
Re: Understanding HSM interaction

Does Adobe have a list of approved or preferred HSM vendors?

We will only be using these HSMs for FAXS and so do not need extended feature sets.
But they must be configurable for high availability.

Any community recommendations would also appreciated.

Report Abuse

Like (0)
JRJADOBE
8 posts since
Aug 18, 2010

Currently Being Moderated

3. Apr 5, 2011 6:22 PM (in response to ぜったいクレグさん)
Re: Understanding HSM interaction

While we don't maintain a list of supported HSM devices, I can state that internally we regularly test with the nCipher nShield 500e (PCIe HSM) and the Safenet LunaSA (network HSM).

--- JRJ

Report Abuse

Like (0)

Go to original post

Legend

Correct Answers - 10 points
Helpful Answers - 5 points

Choose your region

Security Contact Adobe Report piracy EULAs Permissions and trademarks Careers

Copyright © 2011 Adobe Systems Incorporated. All rights reserved.

Reviewed by TRUSTe: site privacy statement

Use of this website signifies your agreement to the Terms of Use and Online Privacy Policy (updated 07-14-2009).