[SOLVED] Why Cryptoki.C_OpenSession disconnect from HSM sometimes

Why Cryptoki.C_OpenSession disconnect from HSM sometimes

I' created a web service isAlive to check if I can create session with the HSM soft using the Cryptoki ,I automated the execution of my web service using SoapUI so I execute my service in a loop each 40s ,it work well but after a number of call I can't connect to my HSM until I restart my App : this the part of code that I used to connect to HSM

// create session handle 
        CK_SESSION_HANDLE session= new CK_SESSION_HANDLE();

        // return code
        CK_RV retcode;

        // get session
        retcode=Cryptoki.C_OpenSession(safeNetSlot, CKF.RW_SESSION, null, null, session);
        checkRetCode(retcode, "Could not open session on HSM");

        log.debug("Session [{}]",session.longValue());

        // do login 
        final String recovHsmPassword = PasswordManagement.recoverPassword(hsmPassword);
        retcode=Cryptoki.C_Login(session, CKU.USER, recovHsmPassword.getBytes(), recovHsmPassword.length());
        checkRetCode(retcode, "Could not login as user");

During the execution of my service I watch logs I look that the session.longValue() incremented with each calls :

This's the logs :

    INFO 5056 --- [nio-8191-exec-5] ccom.test.app.V1Controler  : Request for isAlive API
    DEBUG 5056 --- [nio-8191-exec-5] com.test.app.hsm.HsmService  : Session [1]
    INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API
    DEBUG 5056 --- [nio-8191-exec-5] com.test.app.hsm.HsmService  : Session [2]
    INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API
    DEBUG 5056 --- [nio-8191-exec-5] com.test.app.hsm.HsmService  : Session [3]
    INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API
                                                     ......
    INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API     
    DEBUG 5056 --- [nio-8191-exec-5] com.test.app.hsm.HsmService  : Session [1176]
INFO 5056 --- [nio-8191-exec-5] com.test.app.V1Controler  : Request for isAlive API
2018-08-14 10:39:06.550 ERROR 1 --- [nio-8443-exec-3] com.test.app.hsm.HsmService  : HSM return error [MSG_ERROR general error]

I ask if someone have an idea how Cryptoki.C_OpenSession works and why I desconnect from my HSM

Solution

Generally HSM's have a bounded number of sessions available. Currently you are opening sessions, but you are never closing them with C_CloseSession. You should handle sessions as if they are resources, and resources may be sparse.

Note that there is also a function called C_TokenInfo that can be used to check the token status. Make sure you are using the right function for the job. You don't want to use a password when not required.