You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by paul <pp...@yahoo.com> on 2012/03/15 22:05:06 UTC
signing using a network device and timeouts
If I sign an xml doc using a filesystem cert, then errors like timeouts and
server not found are not an issue, but I'm starting to look an architecture
where a locked down network device (net hsm) holds the private key. In this
case the keystore is initialized w/ a special provider name. For this flow a
network roundtrip happens during signing and errors could occur. Is there
anyway to specify things like timeouts? Or is this hidden in the provider code
and only exposed thru exceptions?
thanks,
Paul.
Re: signing using a network device and timeouts
Posted by Arshad Noor <ar...@strongauth.com>.
While I cannot speak for the innards of santuario too much, parameters
related to cryptographic hardware modules are provider-specific details.
Every hardware vendor has parameters that work only with their provider
library. Cryptographic application libraries - like santuario - only
pass through these details and report in exceptions what the hardware
provider reports.
You can always configure the HSM to log its communications with the
XMLSignature library in detail while you're developing/debugging your
application code. Once done, you can ramp down the logging to suit
your operational needs.
Arshad Noor
StrongAuth, Inc.
On 03/15/2012 02:05 PM, paul wrote:
>
> If I sign an xml doc using a filesystem cert, then errors like timeouts and
> server not found are not an issue, but I'm starting to look an architecture
> where a locked down network device (net hsm) holds the private key. In this
> case the keystore is initialized w/ a special provider name. For this flow a
> network roundtrip happens during signing and errors could occur. Is there
> anyway to specify things like timeouts? Or is this hidden in the provider code
> and only exposed thru exceptions?
>
> thanks,
> Paul.
>