As a general rule, it is best not to adjust timeout settings, either via the interface or in config files, unless instructed to do so by SafeNet Technical Support -- e-mail: support@safenet-inc.com or phone 800-545-6608 (+1 410-931-7520 International).
Changing some settings can appear to improve performance until a situation is encountered where a process does not have time to complete due to a shortened timeout value.
Making timeouts too long will usually not cause errors, but can cause apparent performance degradation in some situations (such as HA).
Default settings have been chosen with some care, and should not be modified without good reason and full knowledge of the consequences.
With that said, here is a summary of the various timeouts and how they interact and combine.
PEDTimeout1 is the timeout for PED detection - if your Luna PED was not connected at the time you launched a command, you have that amount of time, in milliseconds, for the PED to be connected, powered up, cycled through its startup self-test, and be detected as ready by the HSM. PEDTimeout1 starts when the HSM looks for the PED (before it tries to issue any PED commands). When the PED is detected, this timeout no longer has any effect.
PEDTimeout2 is the timeout for the command from the HSM to the PED. This timeout starts to take effect when the PED is detected and stays in effect until the HSM has finished all interaction with the PED.
PEDTimeout3 is an overhead value added to PEDTimeout2, to allow additional time for PEDClient/PEDServer interaction over the network, when Remote PED is used.
The only situation where we have found a need to alter the PED timeouts is the case where we tested large MofN (16 of 16 keys). In that case we set PEDTimeout2 from a default 100 seconds to 600 seconds.
PEDTimeout1 was unchanged from its default value of 100 seconds.
PEDTimeout1 is the amount of time that the HSM will spend attempting to detect the existence of the PED before giving up. This should normally be nearly instantaneous.
PEDTimeout2 is the amount of time that a command executed on the PED is allowed to take before the firmware times out. This is the timeout value that might be implicated if you are performing a PED-intensive action like HSM initialization with large numbers of MofN splits for your various PED Key secrets.
This affects your application, the Luna library, and the Luna driver, which together are treated as one entity when interacting with the HSM.
Every command has a timeout. Unless otherwise specified, all commands use DefaultTimeout in the [Luna] section of crystoki.ini (Windows) or chrystoki.conf (UNIX/Linux).
Any command that would or could use a PED (login, change pin, set pin, create challenge, initRPV, SRK resplit/restore/enable/disable…) is governed by CommandTimeoutPedSet. This value should exceed PEDTimeout1+PEDTimeout2+PEDTimeout3. If CommandTimeoutPedSet does not exceed the combined duration of the three PEDTimeouts, then the Driver<->HSM command could time out before the HSM<->PED command times out.
For key pair generation commands, KeypairGenTimeout is used. This defaults to DefaultTimeout, unless you explicitly enter a distinct value (by adding KeypairGenTimeout=??? to the [Luna] section of the .ini/.conf file). You might wish to increase this value if you were calling for (say) 8192-bit RSA key pair generation, which can potentially take a long time to return due to the sizes of the random components that must be generated and tested. Otherwise, keep the default value.
Nothing else is configurable.
As a general rule, do not modify the Chrystoki.conf/crystoki.ini file, unless directed to do so by SafeNet Customer Support. If you do modify the file, never insert TAB characters - use individual space characters. Avoid modifying the PED timeout settings. These are now hardcoded in the appliance, but the numbers in the Chrystoki.conf file must match.
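The two rules above (CommandTimeoutPedSet must exceed PEDTimeout1+PEDTimeout2+PEDTimeout3, and the file must contain no TAB characters) can be checked before a modified file is put into service. The following is an added example, not SafeNet code: the sample values are constructed, a single unit (milliseconds) is assumed for all settings, and the `Name = value` line syntax with an optional trailing `;` and case-insensitive key matching are assumptions.

```python
import re

# Constructed sample values (assumed milliseconds); not taken from a real appliance.
GOOD = """[Luna]
DefaultTimeout = 500000
PEDTimeout1 = 100000
PEDTimeout2 = 100000
PEDTimeout3 = 10000
CommandTimeoutPedSet = 400000
"""
# PEDTimeout2 raised for a large MofN, CommandTimeoutPedSet left alone, one TAB indent.
BAD = GOOD.replace("PEDTimeout2 = 100000", "\tPEDTimeout2 = 600000")

PED_KEYS = ("pedtimeout1", "pedtimeout2", "pedtimeout3")
# "Name = 12345" with an optional trailing ';' (assumed line syntax).
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(\d+)\s*;?\s*$")

def parse_timeouts(text):
    """Return ({lowercased key: int}, [1-based line numbers that contain a TAB])."""
    values, tab_lines = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "\t" in line:
            tab_lines.append(lineno)
        m = LINE_RE.match(line.replace("\t", " "))
        if m:
            values[m.group(1).lower()] = int(m.group(2))
    return values, tab_lines

def keygen_timeout(values):
    """KeypairGenTimeout falls back to DefaultTimeout when it is not set."""
    return values.get("keypairgentimeout", values.get("defaulttimeout"))

def check_config(text):
    """Return a list of findings; an empty list means both rules hold."""
    values, tab_lines = parse_timeouts(text)
    findings = [f"line {n}: TAB character, use spaces" for n in tab_lines]
    missing = [k for k in PED_KEYS + ("commandtimeoutpedset",) if k not in values]
    if missing:
        return findings + ["missing settings: " + ", ".join(missing)]
    ped_sum = sum(values[k] for k in PED_KEYS)
    cmd = values["commandtimeoutpedset"]
    if cmd <= ped_sum:
        findings.append(f"CommandTimeoutPedSet {cmd} does not exceed PED total {ped_sum}")
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_config(text) or "ok")
```
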