Using libhsm with multiple grants concurrently

In an automated build environment, a single executor may run multiple jobs at once. These jobs could be configured to use different users and even different Trust Protection Platform end-points.

With the current grant storage, the registry or .libhsmconfig only stores a single grant. With this design, a Jenkins plugin would need a lock around its process to ensure .libhsmconfig is not modified by two concurrent jobs with conflicting data.

Allowing concurrent jobs to run with different grants

If the environment variable LIBHSMINSTANCE is set to a string, all subsequent use of libhsm, pkcs11config, cspconfig, and venafipkcs11 will incorporate that string into the configuration file name or registry node name. This allows two processes to set two different instance strings and use separate configuration files or registry nodes. Since that file or node determines URLs, grants, and so forth, this avoids any interference between the processes.

Simple example

Set the environment variable

set LIBHSMINSTANCE=process1

Obtain grant

pkcs11config getgrant \
 -hsm https://codesign-int-tpp/vedhsm/ \
 -auth https://codesign-int-tpp/vedauth/ \
 -user cs-key-user@venqa.venafi.com \
 -pass Passw0rd \
 -force

List certificates

pkcs11config listobjects

Revoke grant

pkcs11config revokegrant \
 -force \
 -clear

Reset environment

set LIBHSMINSTANCE=

The above example will do the following:

  • Create the configuration file ~/.libhsm-process1config
  • Get a grant and store it in the file
  • Use the grant to list available certificates
  • Revoke the grant and, since -clear is specified, delete the ~/.libhsm-process1config file

Complex example

Set the environment variable for process1

set LIBHSMINSTANCE=process1

Obtain grant for process1

pkcs11config getgrant \
 -hsm https://codesign-int-tpp/vedhsm/ \
 -auth https://codesign-int-tpp/vedauth/ \
 -user cs-key-user@venqa.venafi.com \
 -pass Passw0rd \
 -force

Set the environment variable for process2

set LIBHSMINSTANCE=process2

Obtain grant for process2

pkcs11config getgrant \
 -hsm https://codesign-int-tpp/vedhsm/ \
 -auth https://codesign-int-tpp/vedauth/ \
 -user sample-cs-user \
 -pass Passw0rd \
 -force

List Certificates for process2 (sample-cs-user)

pkcs11config listobjects

Switch to process1

set LIBHSMINSTANCE=process1

List Certificates for process1 (cs-key-user@venqa.venafi.com)

pkcs11config listobjects

Revoke grant for process1

pkcs11config revokegrant \
 -force \
 -clear

Switch to process2

set LIBHSMINSTANCE=process2

Revoke grant for process2

pkcs11config revokegrant \
 -force \
 -clear
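The two-instance flow above, wrapped for an automated executor as an added example (not from the libhsm documentation): each job gets its own LIBHSMINSTANCE derived from its job id, and the grant is always revoked with -clear when the job ends. It assumes the ~/.libhsm-<instance>config naming shown on this page and hypothetical HSM_URL, AUTH_URL, SIGN_USER and SIGN_PASS variables supplied by the CI system.

```shell
#!/bin/sh
# Added example (not from the libhsm documentation): run each concurrent build
# job under its own LIBHSMINSTANCE so jobs never share a grant file, and tear
# the grant down when the job ends. Assumptions: config files follow the page's
# ~/.libhsm-<instance>config pattern; HSM_URL, AUTH_URL, SIGN_USER and SIGN_PASS
# are supplied by the CI system (hypothetical variable names).

# The instance string becomes part of a file name (or registry node name), so a
# job id taken from build parameters is reduced to [A-Za-z0-9_-] first.
libhsm_instance_name() {
    printf '%s\n' "$1" | sed 's/[^A-Za-z0-9_-]/_/g'
}

# Config file libhsm will read for an instance; an empty instance means the
# shared default file that concurrent jobs would otherwise contend for.
libhsm_config_path() {
    if [ -z "$1" ]; then
        printf '%s\n' "$HOME/.libhsmconfig"
    else
        printf '%s\n' "$HOME/.libhsm-$1config"
    fi
}

# Usage: run_isolated_job <job-id> <command> [args...]
# The subshell keeps LIBHSMINSTANCE out of the caller's environment, and the
# EXIT trap revokes the grant and removes the per-instance file (-clear) even
# when the command fails, so no credential is left for the next job.
run_isolated_job() {
    (
        LIBHSMINSTANCE=$(libhsm_instance_name "$1"); shift
        export LIBHSMINSTANCE
        trap 'pkcs11config revokegrant -force -clear' EXIT
        pkcs11config getgrant -hsm "$HSM_URL" -auth "$AUTH_URL" \
            -user "$SIGN_USER" -pass "$SIGN_PASS" -force || exit 1
        "$@"
    )
}

# From a Jenkins shell step, where BUILD_TAG is unique per job:
#   run_isolated_job "$BUILD_TAG" ./sign-artifacts.sh
```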