Using libhsm with multiple grants concurrently
In an automated build environment, a single executor may run multiple jobs at once. These jobs may be configured to use different users and even different Trust Protection Platform endpoints.
With the current grant storage, the registry or .libhsmconfig stores only a single grant. With this design, a Jenkins plugin would need to hold a lock around its process to ensure .libhsmconfig is not modified by two concurrent jobs with conflicting data.
To allow concurrent jobs to run using different grants:
If the environment variable LIBHSMINSTANCE is set to a string, all subsequent use of libhsm, pkcs11config, cspconfig, and venafipkcs11 incorporates that string into the configuration file name or registry node name. This allows two processes to set two different instance strings and use separate configuration files or registry nodes. Since that file or node determines URLs, grants, and so forth, the processes do not interfere with each other.
Simple example
Set the environment variable
set LIBHSMINSTANCE=process1
Obtain grant
pkcs11config getgrant \
-hsm https://codesign-int-tpp/vedhsm/ \
-auth https://codesign-int-tpp/vedauth/ \
-user cs-key-user@venqa.venafi.com \
-pass Passw0rd \
-force
List certificates
pkcs11config listobjects
Revoke grant
pkcs11config revokegrant \
-force \
-clear
Reset environment
set LIBHSMINSTANCE=
The above example will do the following:
- Create the configuration file ~/.libhsm-process1config
- Get a grant and store it in the file
- Use the grant to list available certificates
- Revoke the grant and, since -clear is specified, delete the ~/.libhsm-process1config file
Complex example
Set the environment variable for process1
set LIBHSMINSTANCE=process1
Obtain grant for process1
pkcs11config getgrant \
-hsm https://codesign-int-tpp/vedhsm/ \
-auth https://codesign-int-tpp/vedauth/ \
-user cs-key-user@venqa.venafi.com \
-pass Passw0rd \
-force
Set the environment variable for process2
set LIBHSMINSTANCE=process2
Obtain grant for process2
pkcs11config getgrant \
-hsm https://codesign-int-tpp/vedhsm/ \
-auth https://codesign-int-tpp/vedauth/ \
-user sample-cs-user \
-pass Passw0rd \
-force
List Certificates for process2 (sample-cs-user)
pkcs11config listobjects
Switch to process1
set LIBHSMINSTANCE=process1
List Certificates for process1 (cs-key-user@venqa.venafi.com)
pkcs11config listobjects
Revoke grant for process1
pkcs11config revokegrant \
-force \
-clear
Switch to process2
set LIBHSMINSTANCE=process2
Revoke grant for process2
pkcs11config revokegrant \
-force \
-clear