Using libhsm with multiple grants concurrently

In an automated build environment, there is a possibility that a single executor could be running multiple jobs at once. These jobs could be configured to potentially use different users and even different Trust Protection Platform end-points.

With the current grant storage, the registry or .libhsmconfig only stores a single grant. With this design, a Jenkins plugin would need to have a lock around its process to ensure .libhsmconfig is not manipulated by two concurrent jobs with conflicting data.

To allow concurrent jobs to process using different grants

If the environment variable LIBHSMINSTANCE is set to a string, all subsequent use of libhsm, pkcs11config, cspconfig, and venafipkcs11 will incorporate that string to the configuration file or registry node name. This allows two processes to set two different instance strings and use individual configuration files or registry nodes. Since that file or node determines URLs, grants, and so forth, this will avoid any interference between processes.

Simple example

Set the environment variable

Obtain grant

List certificates

Revoke grant

Reset environment

The above example will do the following:

• Create the configuration file ~/.libhsm-process1config
• Get a grant and store it in the file
• Use the grant to list available certificates
• Revoke the grant and, since -clear is specified, delete the ~/.libhsm-process1config file

Complex example

Set the environment variable for process1

Obtain grant for process1

Set the environment variable for process2

Obtain grant for process2

List Certificates for process2 (sample-cs-user)

Switch to process1

List Certificates for process1 (cs-key-user@venqa.venafi.com)

Revoke grant for process1

Switch to process2

Revoke grant for process2