Upgrade cloudhsm drivers #12

Closed
iay opened this issue Jun 30, 2020 · 2 comments

Comments

iay commented Jun 30, 2020

AWS have notified us that we need to update the client libraries for use with the HSM.

We are currently using version 1.1.1 of the respective artifact; we need to move to a minimum of version 3.1 before August 30, 2020.

@iay iay added this to the incommon-v10 milestone Jun 30, 2020
@iay iay self-assigned this Jun 30, 2020
iay commented Jun 30, 2020

Shannon brought up the old development system and we confirmed my tests still worked there on the old version.

Upgrading that system to the latest software resulted as expected in a failure, as we embed the cloudhsm-1.1.1.jar artifact and it is no longer compatible.

I have uploaded the cloudhsm-3.1.1.jar to my Nexus; re-testing my hsm-playground project with that version brings things back to working with no apparent issues. Summary of output:

Got key 85: com.cavium.key.CaviumRSAPrivateKey@55
signature time (millis): 2433
   per iteration: 24.33

I don't seem to have saved off results from this from the previous version, but that doesn't seem unreasonable.

iay commented Jul 2, 2020

This is done in commit 25e0044.

Steps:

  • Uploaded the new provider artifact to my Nexus
  • Updated my hsm-playground project to verify that this fixes the issue on the new system.
  • Updated the inc-mda-cloudhsm project likewise, version 1.1.0, and uploaded that to Nexus
  • Unpacked the resulting .zip into tools/inc-mda-cloudhsm.
  • Tested using the ant inc.mdq.generate.cloudhsm target.

This seems to work, in that a full set of per-entity files is generated using key 85. I will note that the spurious errors we observed in production before are still there, so the Cavium drivers are still using the log-and-throw anti-pattern. It's possible that the message generated will be different than it was before, so any filtering that was being done may need to be revised:

[java] 10:15:26.745 [main] ERROR CaviumRSAPrivateKey - Catching
[java] com.cavium.cfm2.CFM2Exception: A call to the API getRSAPrivateKeyComponents for size failed with error code ffffffff : Error: new error from underlying FW/SW, might need to upgrade to new SW to decode
...

I'm still at a bit of a loss to explain why these log lines don't appear in my hsm-playground test, which is running the same software. It may be something to do with Maven's default logging settings, which in turn might mean that there was a route to suppressing them explicitly. That's something to investigate in a new ticket, though.

This will of course all need to be verified in an upgraded clone of the production system. Nevertheless I will close this as done and if the user acceptance test fails then we can open another issue at that point.

@iay iay closed this as completed Jul 2, 2020