
HSM Connection Persistent or Non-persistent


I'm about to use a Thales HSM just for doing some AES encryption/decryption using http://www.pkcs11interop.net/

But I have one question. I have two ways of using the Thales HSM with my server application.

So my question is: which is the correct (or suggested) way of using the HSM?


Solution

  • It entirely depends on your needs and usage of the HSM. If you send 1 message every 5 minutes, it is better to open a connection for every AES operation and close it after finishing the job. Generally, if you send more than 1 message a minute, you should use persistent connections, because the HSM's limited connection resources could be depleted in a short time.

    The default settings of Thales HSMs allow you to open a maximum of 64 connections and check those connections at 60-minute intervals. If a connection is closed, the HSM may only notice it 60 minutes later.

    If you open a connection for every request, you can reach the 64-connection limit in a short time, and generally the HSM then stops allowing new connections. To get rid of this, you can change the HSM settings to a 1-minute check interval for garbage collection of connections.

    I suggest using persistent connections (a pool) for heavy use of HSMs and renewing (closing and reopening) all connections at 20-minute intervals.
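As an added illustration (not part of the question or the answer above, and not Pkcs11Interop or Thales code), a small Python model of the accounting the answer describes: the HSM keeps counting a closed connection until its next periodic check, so open-per-request burns through the 64 slots at more than 1 call a minute, while a pool renewed every 20 minutes stays bounded. The class, function names and the timing parameters are constructed assumptions taken from the numbers in the answer.

```python
import math

class HsmConnectionModel:
    """Constructed model: a closed connection stays counted until the next check."""
    def __init__(self, limit=64, check_interval=3600.0):
        self.limit, self.check_interval = limit, check_interval
        self.counted = set()        # ids the HSM still counts as open
        self.closed_unseen = set()  # closed by the client, not yet noticed
        self.next_check, self.next_id, self.peak = check_interval, 0, 0
    def _run_due_checks(self, now):
        while now >= self.next_check:          # only a check frees slots
            self.counted -= self.closed_unseen
            self.closed_unseen.clear()
            self.next_check += self.check_interval
    def open(self, now):
        self._run_due_checks(now)
        if len(self.counted) >= self.limit:
            raise RuntimeError(f"connection limit reached at t={now:.0f}s")
        cid, self.next_id = self.next_id, self.next_id + 1
        self.counted.add(cid)
        self.peak = max(self.peak, len(self.counted))
        return cid
    def close(self, cid):
        self.closed_unseen.add(cid)  # takes effect at the next check only

def per_request_failure_time(rate_per_min, duration=7200.0, **hsm):
    """Open/close a connection per AES call; time (s) of first refusal, or None."""
    model, t, step = HsmConnectionModel(**hsm), 0.0, 60.0 / rate_per_min
    while t < duration:
        try:
            model.close(model.open(t))
        except RuntimeError:
            return t
        t += step
    return None

def pooled_peak(pool_size, renew_every, duration=7200.0, **hsm):
    """Pool closed and reopened every renew_every s; peak connections counted."""
    model = HsmConnectionModel(**hsm)
    ids, t = [model.open(0.0) for _ in range(pool_size)], renew_every
    while t < duration:
        for cid in ids:
            model.close(cid)
        ids = [model.open(t) for _ in ids]
        t += renew_every
    return model.peak

def max_pool_size(limit=64, check_interval=3600.0, renew_every=1200.0):
    """Conservative size: ceil(check/renew)+1 pool generations may be counted at once."""
    return limit // (math.ceil(check_interval / renew_every) + 1)
```

With the defaults, `max_pool_size()` gives the largest pool whose renewed generations always fit under the limit between two checks; shortening the check interval on the HSM, as the answer suggests, raises that bound.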