We are using the Pkcs11Interop API in our application to sign digests using the private keys stored in a Thales nShield HSM.

To cater for DR scenarios, the server hosting our digital signature application is enrolled as an HSM client to both the primary Thales nShield HSM and the DR (secondary) Thales nShield HSM. Here, the IP addresses of the two Thales nShield HSMs are different, on the assumption that the secure world software installed will detect the active HSM before creating the HSM connection.

While we are testing the DR (fail-over) scenario by switching off the primary Thales nShield HSM, Pkcs11Interop gives the error:

Method C_Initialize returned CKR_FUNCTION_FAILED.

I would like to know whether the code written using Pkcs11Interop should check which HSM is active and then send requests to the active HSM, or whether the secure world software installed on the server should check the active HSM before opening the active connection.

Please advise us on the right direction to handle this scenario.

Best answer

I would like to know whether the code written using Pkcs11Interop should check which HSM is active and then send requests to the active HSM, or whether the secure world software installed on the server should check the active HSM before opening the active connection

IMO you should first ask Thales support whether their PKCS#11 library can perform automatic failover. If their answer is yes, then you don't need to add any failover-related code to your application.
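If the answer turns out to be that the application has to cope with the switch-over itself, one way to write that in Pkcs11Interop is shown below. This is an added example, not code from the original question, the answer, or the Pkcs11Interop project. It assumes a library path, key label and PIN (hypothetical values), that the signing key is an RSA private key found by CKA_LABEL, and that the HSM client software exposes whichever module is reachable through the same PKCS#11 library. Every signing request goes through one method that loads the library (this is the C_Initialize call that fails in the question), locates the key in any slot that has a token present, and signs; a failed C_Initialize or a device-level error is treated as transient, the library is finalized, and the attempt is repeated after a backoff.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Added example (not from the original post): application-side retry around Pkcs11Interop.
// Assumed (hypothetical) values: LibraryPath, KeyLabel, Pin.
public sealed class ResilientSigner : IDisposable
{
    private const string LibraryPath = "/opt/nfast/toolkits/pkcs11/libcknfast.so"; // assumption: vendor PKCS#11 library
    private const string KeyLabel = "signing-key";                                  // assumption: CKA_LABEL of the RSA key
    private const string Pin = "1234";                                              // placeholder user PIN
    private const int MaxAttempts = 5;
    private static readonly TimeSpan InitialBackoff = TimeSpan.FromSeconds(2);

    // DER DigestInfo prefix for SHA-256; prepended to the raw digest for PKCS#1 v1.5 signing with CKM_RSA_PKCS.
    private static readonly byte[] Sha256DigestInfoPrefix =
    {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
        0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
    };

    private readonly Pkcs11InteropFactories _factories = new Pkcs11InteropFactories();
    private IPkcs11Library _library; // null until C_Initialize has succeeded

    public byte[] SignSha256Digest(byte[] digest)
    {
        if (digest == null || digest.Length != 32)
            throw new ArgumentException("expected a 32-byte SHA-256 digest", nameof(digest));

        byte[] digestInfo = new byte[Sha256DigestInfoPrefix.Length + digest.Length];
        Buffer.BlockCopy(Sha256DigestInfoPrefix, 0, digestInfo, 0, Sha256DigestInfoPrefix.Length);
        Buffer.BlockCopy(digest, 0, digestInfo, Sha256DigestInfoPrefix.Length, digest.Length);

        TimeSpan backoff = InitialBackoff;
        for (int attempt = 1; ; attempt++)
        {
            try
            {
                if (_library == null)
                {
                    // LoadPkcs11Library calls C_Initialize; a failure there surfaces as a
                    // Pkcs11Exception such as "Method C_Initialize returned CKR_FUNCTION_FAILED".
                    _library = _factories.Pkcs11LibraryFactory.LoadPkcs11Library(
                        _factories, LibraryPath, AppType.MultiThreaded);
                }

                byte[] signature = SignOnce(digestInfo);
                if (signature != null)
                    return signature;

                // No slot currently holds the key: treat it like a token that is not present yet.
                throw new Pkcs11Exception("FindObjects", CKR.CKR_TOKEN_NOT_PRESENT);
            }
            catch (Pkcs11Exception ex) when (IsTransient(ex.RV) && attempt < MaxAttempts)
            {
                Console.Error.WriteLine($"attempt {attempt}: {ex.Method} returned {ex.RV}; retrying in {backoff}");
                ResetLibrary();                 // C_Finalize if initialized, so the next attempt starts clean
                Thread.Sleep(backoff);
                backoff = TimeSpan.FromTicks(backoff.Ticks * 2);
            }
        }
    }

    // One pass over every slot with a token present; returns null if the key is in none of them.
    private byte[] SignOnce(byte[] digestInfo)
    {
        var template = new List<IObjectAttribute>
        {
            _factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
            _factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_RSA),
            _factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, KeyLabel)
        };

        foreach (ISlot slot in _library.GetSlotList(SlotsType.WithTokenPresent))
        {
            using (ISession session = slot.OpenSession(SessionType.ReadOnly))
            {
                try { session.Login(CKU.CKU_USER, Pin); }
                catch (Pkcs11Exception ex) when (ex.RV == CKR.CKR_USER_ALREADY_LOGGED_IN) { }

                List<IObjectHandle> keys = session.FindAllObjects(template);
                if (keys.Count == 0)
                    continue;

                IMechanism mechanism = _factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS);
                return session.Sign(mechanism, keys[0], digestInfo);
            }
        }
        return null;
    }

    // Return values that are worth a reconnect; anything else (bad PIN, bad key, etc.) propagates at once.
    private static bool IsTransient(CKR rv) =>
        rv == CKR.CKR_FUNCTION_FAILED || rv == CKR.CKR_GENERAL_ERROR ||
        rv == CKR.CKR_DEVICE_ERROR || rv == CKR.CKR_DEVICE_REMOVED ||
        rv == CKR.CKR_TOKEN_NOT_PRESENT || rv == CKR.CKR_CRYPTOKI_NOT_INITIALIZED;

    private void ResetLibrary()
    {
        _library?.Dispose(); // Dispose calls C_Finalize
        _library = null;
    }

    public void Dispose() => ResetLibrary();
}
```

The retry only helps if the layer below the PKCS#11 library eventually reaches a working module; it does not choose between HSMs itself. If the vendor confirms the library fails over on its own, the loop is redundant and a single attempt is enough. Either way, test the fail-over by switching off the primary HSM while this code is running, and check how long the window of CKR_FUNCTION_FAILED lasts so that MaxAttempts and the backoff cover it.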